darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #113 from makikvues/master

Browse Source 
Introduced PermissionTypes enum, added AllowUnsafeBlocks for all configurations
This commit is contained in:
Carlos Polop 2021-03-05 00:18:01 +00:00 committed by GitHub
commit bcfd7a8bc3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 59 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
View File

@ -201,7 +201,7 @@ namespace winPEAS.Checks
List<string> sam_files = InterestingFiles.InterestingFiles.GetSAMBackups(); List<string> sam_files = InterestingFiles.InterestingFiles.GetSAMBackups();
foreach (string path in sam_files) foreach (string path in sam_files)
{ {
var permissions = PermissionsHelper.GetPermissionsFile(path, Checks.CurrentUserSiDs); var permissions = PermissionsHelper.GetPermissionsFile(path, Checks.CurrentUserSiDs, PermissionType.READABLE_OR_WRITABLE);
if (permissions.Any()) if (permissions.Any())
{ {
@ -593,7 +593,7 @@ namespace winPEAS.Checks
FileAttributes attr = File.GetAttributes(file.FullPath); FileAttributes attr = File.GetAttributes(file.FullPath);
if ((attr & FileAttributes.Directory) == FileAttributes.Directory) if ((attr & FileAttributes.Directory) == FileAttributes.Directory)
{ {
List<string> dirRights = PermissionsHelper.GetPermissionsFolder(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); List<string> dirRights = PermissionsHelper.GetPermissionsFolder(file.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (dirRights.Count > 0) if (dirRights.Count > 0)
{ {
@ -602,7 +602,7 @@ namespace winPEAS.Checks
} }
else else
{ {
List<string> fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); List<string> fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (fileRights.Count > 0) if (fileRights.Count > 0)
{ {
@ -761,7 +761,7 @@ namespace winPEAS.Checks
if (file.Extension != null && allowedExtensions.Contains(file.Extension.ToLower())) if (file.Extension != null && allowedExtensions.Contains(file.Extension.ToLower()))
{ {
// check the file permissions // check the file permissions
List<string> fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); List<string> fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (fileRights.Count > 0) if (fileRights.Count > 0)
{ {

8
winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/AppLockerHelper.cs
View File

@ -200,7 +200,7 @@ namespace winPEAS.Helpers.AppLocker
if (Directory.Exists(normalizedPath)) if (Directory.Exists(normalizedPath))
{ {
// can we write to the directory ? // can we write to the directory ?
var folderPermissions = PermissionsHelper.GetPermissionsFolder(normalizedPath, Checks.Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); var folderPermissions = PermissionsHelper.GetPermissionsFolder(normalizedPath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
// we can write // we can write
if (folderPermissions.Count > 0) if (folderPermissions.Count > 0)
@ -216,7 +216,7 @@ namespace winPEAS.Helpers.AppLocker
// iterate over applocker bypass directories and check them // iterate over applocker bypass directories and check them
foreach (var subfolders in _appLockerByPassDirectoriesByPath[normalizedPath]) foreach (var subfolders in _appLockerByPassDirectoriesByPath[normalizedPath])
{ {
var subfolderPermissions = PermissionsHelper.GetPermissionsFolder(subfolders, Checks.Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); var subfolderPermissions = PermissionsHelper.GetPermissionsFolder(subfolders, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
// we can write // we can write
if (subfolderPermissions.Count > 0) if (subfolderPermissions.Count > 0)
@ -373,7 +373,7 @@ namespace winPEAS.Helpers.AppLocker
if (File.Exists(path)) if (File.Exists(path))
{ {
var filePermissions = PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); var filePermissions = PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (filePermissions.Count > 0) if (filePermissions.Count > 0)
{ {
@ -425,7 +425,7 @@ namespace winPEAS.Helpers.AppLocker
} }
else else
{ {
var folderPermissions = PermissionsHelper.GetPermissionsFolder(directory, Checks.Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); var folderPermissions = PermissionsHelper.GetPermissionsFolder(directory, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (folderPermissions.Count > 0) if (folderPermissions.Count > 0)
{ {

58
winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs
View File

@ -9,13 +9,21 @@ using Microsoft.Win32;
namespace winPEAS.Helpers namespace winPEAS.Helpers
{ {
internal enum PermissionType
{
DEFAULT,
READABLE_OR_WRITABLE,
WRITEABLE_OR_EQUIVALENT
}
/////////////////////////////////// ///////////////////////////////////
//////// Check Permissions //////// //////// Check Permissions ////////
/////////////////////////////////// ///////////////////////////////////
/// Get interesting permissions from Files, Folders and Registry /// Get interesting permissions from Files, Folders and Registry
internal static class PermissionsHelper internal static class PermissionsHelper
{ {
public static List<string> GetPermissionsFile(string path, Dictionary<string, string> SIDs, bool isOnlyWriteOrEquivalentCheck = false) public static List<string> GetPermissionsFile(string path, Dictionary<string, string> SIDs, PermissionType permissionType = PermissionType.DEFAULT)
{ {
/*Permisos especiales para carpetas /*Permisos especiales para carpetas
*https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask-format?redirectedfrom=MSDN *https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask-format?redirectedfrom=MSDN
@ -36,7 +44,7 @@ namespace winPEAS.Helpers
try try
{ {
FileSecurity fSecurity = File.GetAccessControl(path); FileSecurity fSecurity = File.GetAccessControl(path);
results = GetMyPermissionsF(fSecurity, SIDs, isOnlyWriteOrEquivalentCheck); results = GetMyPermissionsF(fSecurity, SIDs, permissionType);
} }
catch catch
{ {
@ -45,7 +53,7 @@ namespace winPEAS.Helpers
return results; return results;
} }
public static List<string> GetPermissionsFolder(string path, Dictionary<string, string> SIDs, bool isOnlyWriteOrEquivalentCheck = false) public static List<string> GetPermissionsFolder(string path, Dictionary<string, string> SIDs, PermissionType permissionType = PermissionType.DEFAULT)
{ {
List<string> results = new List<string>(); List<string> results = new List<string>();
@ -65,7 +73,7 @@ namespace winPEAS.Helpers
} }
FileSecurity fSecurity = File.GetAccessControl(path); FileSecurity fSecurity = File.GetAccessControl(path);
results = GetMyPermissionsF(fSecurity, SIDs, isOnlyWriteOrEquivalentCheck); results = GetMyPermissionsF(fSecurity, SIDs, permissionType);
} }
catch catch
{ {
@ -74,7 +82,7 @@ namespace winPEAS.Helpers
return results; return results;
} }
public static List<string> GetMyPermissionsF(FileSecurity fSecurity, Dictionary<string, string> SIDs, bool isOnlyWriteOrEquivalentCheck = false) public static List<string> GetMyPermissionsF(FileSecurity fSecurity, Dictionary<string, string> SIDs, PermissionType permissionType = PermissionType.DEFAULT)
{ {
// Get interesting permissions in fSecurity (Only files and folders) // Get interesting permissions in fSecurity (Only files and folders)
List<string> results = new List<string>(); List<string> results = new List<string>();
@ -84,7 +92,7 @@ namespace winPEAS.Helpers
{ {
//First, check if the rule to check is interesting //First, check if the rule to check is interesting
int current_perm = (int)rule.FileSystemRights; int current_perm = (int)rule.FileSystemRights;
string current_perm_str = PermInt2Str(current_perm, isOnlyWriteOrEquivalentCheck); string current_perm_str = PermInt2Str(current_perm, permissionType);
if (current_perm_str == "") if (current_perm_str == "")
{ {
continue; continue;
@ -133,7 +141,7 @@ namespace winPEAS.Helpers
foreach (RegistryAccessRule rule in rSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier))) foreach (RegistryAccessRule rule in rSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{ {
int current_perm = (int)rule.RegistryRights; int current_perm = (int)rule.RegistryRights;
string current_perm_str = PermInt2Str(current_perm, true); string current_perm_str = PermInt2Str(current_perm, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (current_perm_str == "") if (current_perm_str == "")
continue; continue;
@ -169,9 +177,38 @@ namespace winPEAS.Helpers
return results; return results;
} }
public static string PermInt2Str(int current_perm, bool only_write_or_equivalent = false, bool is_service = false) public static string PermInt2Str(int current_perm, PermissionType permissionType = PermissionType.DEFAULT, bool is_service = false)
{ {
Dictionary<string, int> interesting_perms = new Dictionary<string, int>() Dictionary<string, int> interesting_perms = new Dictionary<string, int>();
if (permissionType == PermissionType.DEFAULT)
{
interesting_perms = new Dictionary<string, int>()
{
// This isn't an exhaustive list of possible permissions. Just the interesting ones.
{ "AllAccess", 0xf01ff},
{ "GenericAll", 0x10000000},
{ "FullControl", (int)FileSystemRights.FullControl },
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
{ "GenericWrite", 0x40000000 },
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
{ "Modify", (int)FileSystemRights.Modify },
{ "Write", (int)FileSystemRights.Write },
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
{ "Delete", (int)FileSystemRights.Delete },
{ "DeleteSubdirectoriesAndFiles", (int)FileSystemRights.DeleteSubdirectoriesAndFiles },
{ "AppendData/CreateDirectories", (int)FileSystemRights.AppendData },
{ "WriteAttributes", (int)FileSystemRights.WriteAttributes },
{ "WriteExtendedAttributes", (int)FileSystemRights.WriteExtendedAttributes },
};
}
else if (permissionType == PermissionType.READABLE_OR_WRITABLE)
{
interesting_perms = new Dictionary<string, int>()
{ {
// This isn't an exhaustive list of possible permissions. Just the interesting ones. // This isn't an exhaustive list of possible permissions. Just the interesting ones.
{ "AllAccess", 0xf01ff}, { "AllAccess", 0xf01ff},
@ -195,8 +232,9 @@ namespace winPEAS.Helpers
{ "WriteAttributes", (int)FileSystemRights.WriteAttributes }, { "WriteAttributes", (int)FileSystemRights.WriteAttributes },
{ "WriteExtendedAttributes", (int)FileSystemRights.WriteExtendedAttributes }, { "WriteExtendedAttributes", (int)FileSystemRights.WriteExtendedAttributes },
}; };
}
if (only_write_or_equivalent) else if (permissionType == PermissionType.WRITEABLE_OR_EQUIVALENT)
{ {
interesting_perms = new Dictionary<string, int>() interesting_perms = new Dictionary<string, int>()
{ {

2
winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs
View File

@ -219,7 +219,7 @@ namespace winPEAS.Info.ServicesInfo
{ {
int serviceRights = ace.AccessMask; int serviceRights = ace.AccessMask;
string current_perm_str = PermissionsHelper.PermInt2Str(serviceRights, true, true); string current_perm_str = PermissionsHelper.PermInt2Str(serviceRights, PermissionType.WRITEABLE_OR_EQUIVALENT, true);
if (!string.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str)) if (!string.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str))
permissions.Add(current_perm_str); permissions.Add(current_perm_str);
} }

2
winPEAS/winPEASexe/winPEAS/winPEAS.csproj
View File

@ -40,6 +40,7 @@
<LangVersion>8.0</LangVersion> <LangVersion>8.0</LangVersion>
<RunCodeAnalysis>false</RunCodeAnalysis> <RunCodeAnalysis>false</RunCodeAnalysis>
<CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet> <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
</PropertyGroup> </PropertyGroup>
<PropertyGroup> <PropertyGroup>
<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects> <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
@ -91,6 +92,7 @@
<ErrorReport>prompt</ErrorReport> <ErrorReport>prompt</ErrorReport>
<CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet> <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
<Prefer32Bit>false</Prefer32Bit> <Prefer32Bit>false</Prefer32Bit>
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
</PropertyGroup> </PropertyGroup>
<PropertyGroup> <PropertyGroup>
<StartupObject>winPEAS.Program</StartupObject> <StartupObject>winPEAS.Program</StartupObject>