- implemented quicker search with pre-caching search files/directories

makikvues 2021-01-13 22:36:53 +01:00
parent c8683a9a48
commit bf10cd7c0c
12 changed files with 662 additions and 352 deletions


@ -5,6 +5,7 @@ using System.Linq;
using System.Management;
using System.Security.Principal;
using winPEAS.Helpers;
using winPEAS.Helpers.Search;
using winPEAS.Info.UserInfo;
namespace winPEAS.Checks
@ -128,7 +129,7 @@ namespace winPEAS.Checks
CheckRegANSI();
}
CreateDynamicLists();
CheckRunner.Run(CreateDynamicLists, IsDebug);
Beaprint.PrintInit(IsDebug);
@ -234,6 +235,17 @@ namespace winPEAS.Checks
{
Beaprint.GrayPrint("Error while creating admin users groups list: " + ex);
}
// create the file lists
try
{
Beaprint.GrayPrint(" - Files/directories list for search...");
SearchHelper.CreateSearchDirectoriesList();
}
catch (Exception ex)
{
Beaprint.GrayPrint("Error while creating directory list: " + ex);
}
}
private static void CheckRegANSI()
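Review bot: The added `catch` around `SearchHelper.CreateSearchDirectoriesList()` prints the exception and carries on, but the cache fields that call fills are declared without initializers in `SearchHelper` (same commit), so any field not yet assigned when an exception escapes stays null. Later readers such as `SearchMcAfeeSitelistFiles()` pass those fields to `AddRange` or `foreach`, which would then fail with a null-argument or null-reference exception instead of returning an empty result. Initializing each field to an empty list, e.g. `private static List<CustomFileInfo> ProgramFiles = new List<CustomFileInfo>();`, keeps a partially built cache usable. `CreateDynamicLists` begins outside this hunk.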


@ -3,6 +3,7 @@ using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using winPEAS.Helpers;
using winPEAS.Helpers.Search;
using winPEAS.InterestingFiles;
using winPEAS.KnownFileCreds;
@ -278,31 +279,56 @@ namespace winPEAS.Checks
{
string patterns = "*credential*;*password*";
string pattern_color = "[cC][rR][eE][dD][eE][nN][tT][iI][aA][lL]|[pP][aA][sS][sS][wW][oO][rR][dD]";
List<string> valid_extensions = new List<string>() { ".txt", ".conf", ".cnf", ".yml", ".yaml", ".doc", ".docx", ".xlsx", ".json", ".xml" };
Dictionary<string, string> colorF = new Dictionary<string, string>()
{
{ pattern_color, Beaprint.ansi_color_bad },
};
var valid_extensions = new List<string>() { ".txt", ".conf", ".cnf", ".yml", ".yaml", ".doc", ".docx", ".xlsx", ".json", ".xml" };
var validExtensions = new HashSet<string>
{
".cnf",
".conf",
".doc",
".docx",
".json",
".xlsx",
".xml",
".yaml",
".yml",
".txt",
};
var colorF = new Dictionary<string, string>()
{
{ pattern_color, Beaprint.ansi_color_bad },
};
Beaprint.MainPrint("Looking for possible password files in users homes");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
string searchPath = string.Format("{0}\\", Environment.GetEnvironmentVariable("SystemDrive") + "\\Users");
List<string> files_paths = SearchHelper.FindFiles(searchPath, patterns);
foreach (string file_path in files_paths)
string searchPath = $"{Environment.GetEnvironmentVariable("SystemDrive") + "\\Users"}\\";
List<CustomFileInfo> fileInfos = SearchHelper.SearchUserCredsFiles();
foreach (var fileInfo in fileInfos)
{
if (!Path.GetFileName(file_path).Contains("."))
// if (!Path.GetFileName(file_path).Contains("."))
if (!fileInfo.Filename.Contains("."))
{
Beaprint.AnsiPrint(" " + file_path, colorF);
Beaprint.AnsiPrint(" " + fileInfo.FullPath, colorF);
}
else
{
foreach (string ext in valid_extensions)
string extLower = fileInfo.Extension.ToLower();
if (validExtensions.Contains(extLower))
{
if (file_path.Contains(ext))
{
Beaprint.AnsiPrint(" " + file_path, colorF);
}
Beaprint.AnsiPrint(" " + fileInfo.FullPath, colorF);
}
//foreach (string ext in valid_extensions)
//{
// if (file_path.Contains(ext))
// {
// Beaprint.AnsiPrint(" " + file_path, colorF);
// }
//}
}
}
}
@ -356,19 +382,17 @@ namespace winPEAS.Checks
{
try
{
Dictionary<string, string> colorF = new Dictionary<string, string>()
{
{ _patternsFileCredsColor, Beaprint.ansi_color_bad },
};
var colorF = new Dictionary<string, string>
{
{ _patternsFileCredsColor, Beaprint.ansi_color_bad },
};
Beaprint.MainPrint("Searching known files that can contain creds in home");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
string searchPath = Environment.GetEnvironmentVariable("USERPROFILE");
//SearchHelper.FindFiles(searchPath, _patternsFileCreds, colorF);
string patterns = string.Join(";", patternsFileCreds);
SearchHelper.FindFiles(searchPath, patterns, colorF);
var files = SearchHelper.SearchUsersInterestingFiles();
Beaprint.AnsiPrint(" " + string.Join("\n ", files), colorF);
}
catch (Exception ex)
{
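Review bot: After the switch to `SearchHelper.SearchUserCredsFiles()` the first hunk still appears to keep `valid_extensions` and `searchPath` on the new side although nothing visible reads them, along with two commented-out copies of the old loop. Delete them (and `patterns`, if nothing outside the hunk uses it) so the method shows only the cached lookup. The extension test could also drop the per-file `ToLower()` by building the set as `new HashSet<string>(StringComparer.OrdinalIgnoreCase)`. Both methods start and end outside the hunks shown.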


@ -1,220 +0,0 @@
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using System.Threading;
namespace winPEAS.FastSearch.FileSearcher
{
/// <summary>
/// Represents a class for fast file search.
/// </summary>
public class FileSearcher
{
public static List<FileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null)
{
ConcurrentBag<FileInfo> files = new ConcurrentBag<FileInfo>();
// ConcurrentBag<string> files = new ConcurrentBag<string>();
//Beaprint.InfoPrint($"[*] folder 1: '{folder}'");
IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern);
IList<DirectoryInfo> startDirsExcluded = startDirs.ToList();
if (excludedDirs != null)
{
startDirsExcluded =
(from startDir in startDirs
from excludedDir in excludedDirs
where !startDir.FullName.Contains(excludedDir)
select startDir).ToList();
}
//Beaprint.InfoPrint($"[*] folder 2: '{folder}' pattern: '{pattern}'");
//Beaprint.InfoPrint($"[*] folder 2: '{folder}' GetStartDirectories: '{string.Join("\n", startDirs.Select(d => d.FullName))}'");
//Beaprint.InfoPrint($"[*] folder 2: '{folder}' startDirsExcluded: '{string.Join("\n", startDirsExcluded.Select(d => d.FullName))}'");
//Beaprint.InfoPrint($"[*] folder 3: '{folder}' excludedDirs: '{string.Join("\n", excludedDirs ?? Enumerable.Empty<string>()) }'");
startDirsExcluded.AsParallel().ForAll((d) =>
{
GetStartDirectories(d.FullName, files, pattern).AsParallel().ForAll((dir) =>
{
GetFiles(dir.FullName, pattern).ForEach((f) => files.Add(f));
// FindFiles(dir.FullName, pattern, SearchOption.TopDirectoryOnly).ForEach((f) => files.Add(f));
});
});
// !!!! TODO
// probably we need to exclude the excluded dirs here - not in parallel processing
//Parallel.ForEach(startDirsExcluded, (d) =>
//{
// Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern), (dir) =>
// {
// GetFiles(dir.FullName, pattern).ForEach((f) => files.Add(f));
// });
//});
return files.ToList();
}
private static List<DirectoryInfo> GetStartDirectories(string folder, ConcurrentBag<FileInfo> files, string pattern)
{
DirectoryInfo dirInfo = null;
DirectoryInfo[] directories = null;
try
{
dirInfo = new DirectoryInfo(folder);
directories = dirInfo.GetDirectories();
foreach (var f in dirInfo.GetFiles(pattern))
{
files.Add(f);
}
if (directories.Length > 1)
return new List<DirectoryInfo>(directories);
if (directories.Length == 0)
return new List<DirectoryInfo>();
}
catch (UnauthorizedAccessException ex)
{
return new List<DirectoryInfo>();
}
catch (PathTooLongException ex)
{
return new List<DirectoryInfo>();
}
catch (DirectoryNotFoundException ex)
{
return new List<DirectoryInfo>();
}
return GetStartDirectories(directories[0].FullName, files, pattern);
}
public static List<FileInfo> GetFiles(string folder, string pattern = "*")
{
DirectoryInfo dirInfo;
DirectoryInfo[] directories;
try
{
dirInfo = new DirectoryInfo(folder);
directories = dirInfo.GetDirectories();
if (directories.Length == 0)
{
return new List<FileInfo>(dirInfo.GetFiles(pattern));
}
}
catch (UnauthorizedAccessException)
{
return new List<FileInfo>();
}
catch (PathTooLongException)
{
return new List<FileInfo>();
}
catch (DirectoryNotFoundException)
{
return new List<FileInfo>();
}
List<FileInfo> result = new List<FileInfo>();
foreach (var d in directories)
{
result.AddRange(GetFiles(d.FullName, pattern));
}
try
{
result.AddRange(dirInfo.GetFiles(pattern));
}
catch (UnauthorizedAccessException)
{
}
catch (PathTooLongException)
{
}
catch (DirectoryNotFoundException)
{
}
return result;
}
public static List<string> FindFiles(string directory, string filters, SearchOption searchOption)
{
if (!Directory.Exists(directory)) return new List<string>();
var include = (from filter in filters.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries) where !string.IsNullOrEmpty(filter.Trim()) select filter.Trim());
var exclude = (from filter in include where filter.Contains(@"!") select filter);
include = include.Except(exclude);
if (include.Count() == 0) include = new string[] { "*" };
var rxfilters = from filter in exclude select string.Format("^{0}$", filter.Replace("!", "").Replace(".", @"\.").Replace("*", ".*").Replace("?", "."));
Regex regex = new Regex(string.Join("|", rxfilters.ToArray()));
List<Thread> workers = new List<Thread>();
List<string> files = new List<string>();
foreach (string filter in include)
{
Thread worker = new Thread(
new ThreadStart(
delegate
{
try
{
//string[] allfiles = Directory.GetFiles(directory, filter, searchOption);
string[] allfiles = Directory.GetFiles(directory, filter, SearchOption.TopDirectoryOnly);
if (exclude.Count() > 0)
{
lock (files)
{
files.AddRange(allfiles.Where(p => !regex.Match(p).Success));
}
}
else
{
lock (files)
{
files.AddRange(allfiles);
}
}
}
catch (UnauthorizedAccessException)
{
}
catch (PathTooLongException)
{
}
catch (DirectoryNotFoundException)
{
}
}
));
workers.Add(worker);
worker.Start();
}
foreach (Thread worker in workers)
{
worker.Join();
}
return files;
}
}
}


@ -0,0 +1,16 @@
namespace winPEAS.Helpers
{
internal class CustomFileInfo
{
public string Filename { get; set; }
public string Extension { get; set; }
public string FullPath { get; set; }
public CustomFileInfo(string filename, string extension, string fullPath)
{
Filename = filename;
Extension = extension;
FullPath = fullPath;
}
}
}
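Review bot: `CustomFileInfo` has no comment saying what each property holds, and the callers depend on it: `SearchHelper` fills `Filename` from `FileInfo.Name`, so it includes the extension, and `Extension` keeps the leading dot. Suggested comments: `/// <summary>File name including extension, as returned by FileInfo.Name.</summary>` on `Filename` and `/// <summary>Extension including the leading dot, or empty when the file has none.</summary>` on `Extension`. The setters are only used by the constructor in this commit, so `{ get; }` would make the cached entries immutable while `Parallel.ForEach` workers add them to the shared bag.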


@ -0,0 +1,100 @@
using System.Collections.Generic;
namespace winPEAS.Helpers.Search
{
static class Patterns
{
public static readonly HashSet<string> WhitelistExtensions = new HashSet<string>()
{
".cer",
".csr",
".der",
".ftpconfig",
".gpg",
".kdbx",
".ovpn",
".p12",
".pgp",
".rdg",
".git-credentials",
".gitconfig",
".htpasswd",
};
public static readonly HashSet<string> WhiteListExactfilenamesWithExtensions = new HashSet<string>()
{
"id_dsa",
"id_rsa",
"access.log",
"access_tokens.db",
"accesstokens.json",
"appcmd.exe",
"appevent.evt",
"azureprofile.json",
"bash.exe",
"datasources.xml",
"default.sav",
"docker-compose.yml",
"dockerfile",
"drives.xml",
"error.log",
"ffftp.ini",
"filezilla.xml",
"freesshdservice.ini",
"groups.xml",
"httpd.conf",
"https-xampp.conf",
"https.conf",
"iis6.log",
"index.dat",
"keepass.config",
"my.cnf",
"my.ini",
"netsetup.log",
"ntds.dit",
"ntuser.dat",
"pagefile.sys",
"php.ini",
"printers.xml",
"rdcman.settings",
"recentservers.xml",
"sam",
"scclient.exe",
"scheduledtasks.xml",
"secevent.evt",
"security",
"security.sav",
"server.xml",
"services.xml",
"setupinfo",
"setupinfo.bak",
"sitemanager.xml",
"sites.ini",
"software",
"software.sav",
"sysprep.inf",
"sysprep.xml",
"system",
"system.sav",
"tomcat-users.xml",
"unattend.txt",
"unattend.xml",
"unattended.xml",
"wcx_ftp.ini",
"winscp.ini",
"ws_ftp.ini",
"wsl.exe",
"known_hosts",
};
public static readonly IList<string> WhiteListRegexp = new List<string>()
{
".*_history\\.*",
"config.*\\.php$",
"vnc\\.*",
"elasticsearch\\.y*ml$",
"kibana\\.y*ml$",
"web.*\\.config$",
};
}
}
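Review bot: Two entries in `WhiteListRegexp` do not match what their names suggest: `"elasticsearch\\.y*ml$"` and `"kibana\\.y*ml$"` accept `.ml`, `.yml` and `.yyml` but never `.yaml`, because `y*` repeats the letter y rather than making `a` optional. `"\\.ya?ml$"` covers both spellings. `".*_history\\.*"` and `"vnc\\.*"` end in zero or more literal dots, so they reduce to an unanchored substring test for `_history` and `vnc`; if a dot followed by anything was meant, that is `\\..*`. A one-line comment on each set stating that entries must be lower-case would also help, since the callers lower-case the file name before calling `Contains`.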


@ -0,0 +1,454 @@
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
namespace winPEAS.Helpers.Search
{
static class SearchHelper
{
private static List<CustomFileInfo> RootDirUsers;
private static List<CustomFileInfo> RootDirCurrentUser;
private static List<CustomFileInfo> ProgramFiles;
private static List<CustomFileInfo> ProgramFilesX86;
private static List<CustomFileInfo> DocumentsAndSettings;
private static List<CustomFileInfo> GroupPolicyHistory;
// private static List<CustomFileInfo> GroupPolicyHistoryLegacy;
public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null)
{
ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>();
// ConcurrentBag<string> files = new ConcurrentBag<string>();
//Beaprint.InfoPrint($"[*] folder 1: '{folder}'");
IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern);
IList<DirectoryInfo> startDirsExcluded = new List<DirectoryInfo>();
if (excludedDirs != null)
{
foreach (var startDir in startDirs)
{
bool shouldAdd = true;
string startDirLower = startDir.FullName.ToLower();
foreach (var excludedDirPattern in excludedDirs)
{
if (Regex.IsMatch(startDirLower, excludedDirPattern, RegexOptions.IgnoreCase))
{
//files2.Add(file + $" [pattern: '{pattern}']");
shouldAdd = false;
break;
}
//if (startDirLower.StartsWith(excludedDir))
//{
// shouldAdd = false;
// break;
//}
}
if (shouldAdd)
{
startDirsExcluded.Add(startDir);
}
}
//startDirsExcluded =
// (from startDir in startDirs
// from excludedDir in excludedDirs
// where !startDir.FullName.Contains(excludedDir)
// select startDir).ToList();
}
else
{
startDirsExcluded = startDirs.ToList();
}
// !!!! TODO
// probably we need to exclude the excluded dirs here - not in parallel processing
Parallel.ForEach(startDirsExcluded, (d) =>
{
Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern), (dir) =>
{
GetFiles(dir.FullName, pattern).ForEach(
(f) =>
//files.Add(f.FullName)
files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName))
);
});
});
return files.ToList();
}
public static List<FileInfo> GetFiles(string folder, string pattern = "*")
{
DirectoryInfo dirInfo;
DirectoryInfo[] directories;
try
{
dirInfo = new DirectoryInfo(folder);
directories = dirInfo.GetDirectories();
if (directories.Length == 0)
{
return new List<FileInfo>(dirInfo.GetFiles(pattern));
}
}
catch (UnauthorizedAccessException)
{
return new List<FileInfo>();
}
catch (PathTooLongException)
{
return new List<FileInfo>();
}
catch (DirectoryNotFoundException)
{
return new List<FileInfo>();
}
List<FileInfo> result = new List<FileInfo>();
foreach (var d in directories)
{
result.AddRange(GetFiles(d.FullName, pattern));
}
try
{
result.AddRange(dirInfo.GetFiles(pattern));
}
catch (UnauthorizedAccessException)
{
}
catch (PathTooLongException)
{
}
catch (DirectoryNotFoundException)
{
}
return result;
}
private static List<DirectoryInfo> GetStartDirectories(string folder, ConcurrentBag<CustomFileInfo> files, string pattern)
{
DirectoryInfo dirInfo = null;
DirectoryInfo[] directories = null;
try
{
dirInfo = new DirectoryInfo(folder);
directories = dirInfo.GetDirectories();
foreach (var f in dirInfo.GetFiles(pattern))
{
//files.Add(f.FullName);
files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName));
}
if (directories.Length > 1)
return new List<DirectoryInfo>(directories);
if (directories.Length == 0)
return new List<DirectoryInfo>();
}
catch (UnauthorizedAccessException ex)
{
return new List<DirectoryInfo>();
}
catch (PathTooLongException ex)
{
return new List<DirectoryInfo>();
}
catch (DirectoryNotFoundException ex)
{
return new List<DirectoryInfo>();
}
return GetStartDirectories(directories[0].FullName, files, pattern);
}
internal static void CreateSearchDirectoriesList()
{
string globalPattern = "*";
string systemDrive = Environment.GetEnvironmentVariable("SystemDrive");
// c:\users
string rootUsersSearchPath = $"{systemDrive}\\Users\\";
SearchHelper.RootDirUsers = SearchHelper.GetFilesFast(rootUsersSearchPath, globalPattern);
// c:\users\current_user
string rootCurrentUserSearchPath = Environment.GetEnvironmentVariable("USERPROFILE");
SearchHelper.RootDirCurrentUser = SearchHelper.GetFilesFast(rootCurrentUserSearchPath, globalPattern);
// c:\Program Files\
string rootProgramFiles = $"{systemDrive}\\Program Files\\";
SearchHelper.ProgramFiles = SearchHelper.GetFilesFast(rootProgramFiles, globalPattern);
// c:\Program Files (x86)\
string rootProgramFilesX86 = $"{systemDrive}\\Program Files (x86)\\";
SearchHelper.ProgramFilesX86 = SearchHelper.GetFilesFast(rootProgramFilesX86, globalPattern);
// c:\Documents and Settings\
string documentsAndSettings = $"{systemDrive}\\Documents and Settings\\";
SearchHelper.DocumentsAndSettings = SearchHelper.GetFilesFast(documentsAndSettings, globalPattern);
// c:\ProgramData\Microsoft\Group Policy\History
string groupPolicyHistory = $"{systemDrive}\\ProgramData\\Microsoft\\Group Policy\\History";
SearchHelper.GroupPolicyHistory = SearchHelper.GetFilesFast(groupPolicyHistory, globalPattern);
// c:\Documents and Settings\All Users\Application Data\\Microsoft\\Group Policy\\History
string groupPolicyHistoryLegacy = $"{documentsAndSettings}\\All Users\\Application Data\\Microsoft\\Group Policy\\History";
//SearchHelper.GroupPolicyHistoryLegacy = SearchHelper.GetFilesFast(groupPolicyHistoryLegacy, globalPattern);
var groupPolicyHistoryLegacyFiles = SearchHelper.GetFilesFast(groupPolicyHistoryLegacy, globalPattern);
SearchHelper.GroupPolicyHistory.AddRange(groupPolicyHistoryLegacyFiles);
}
internal static List<CustomFileInfo> SearchUserCredsFiles()
{
var result = new List<CustomFileInfo>();
var patterns = new List<string>
{
".*credential.*",
".*password.*"
};
foreach (var file in SearchHelper.RootDirUsers)
{
//string extLower = file.Extension.ToLower();
string nameLower = file.Filename.ToLower();
// string nameExtLower = nameLower + "." + extLower;
foreach (var pattern in patterns)
{
if (Regex.IsMatch(nameLower, pattern, RegexOptions.IgnoreCase))
{
result.Add(new CustomFileInfo(file.Filename, file.Extension, file.FullPath));
break;
}
}
}
return result;
}
internal static List<string> SearchUsersInterestingFiles()
{
//SearchHelper.FindFiles(searchPath, _patternsFileCreds, colorF);
//string patterns = string.Join(";", patternsFileCreds);
var result = new List<string>();
foreach (var file in SearchHelper.RootDirCurrentUser)
{
// !!! too slow - regexp
//foreach (var pattern in Patterns.PatternsFileCreds2)
//{
// if (Regex.IsMatch(file, pattern, RegexOptions.IgnoreCase))
// {
// //files2.Add(file + $" [pattern: '{pattern}']");
// files2.Add(file);
// break;
// }
//}
string extLower = file.Extension.ToLower();
string nameLower = file.Filename.ToLower();
// string nameExtLower = nameLower + "." + extLower;
if (Patterns.WhitelistExtensions.Contains(extLower) ||
// Patterns.WhiteListFilenames.Contains(nameLower) ||
Patterns.WhiteListExactfilenamesWithExtensions.Contains(nameLower))
{
result.Add(file.FullPath);
}
else
{
foreach (var pattern in Patterns.WhiteListRegexp)
{
if (Regex.IsMatch(nameLower, pattern, RegexOptions.IgnoreCase))
{
result.Add(file.FullPath);
break;
}
}
}
}
return result;
}
internal static List<string> FindCachedGPPPassword()
{
//SearchHelper.FindFiles(searchPath, _patternsFileCreds, colorF);
//string patterns = string.Join(";", patternsFileCreds);
var result = new List<string>();
var allowedExtensions = new HashSet<string>
{
".xml"
};
foreach (var file in SearchHelper.GroupPolicyHistory)
{
string extLower = file.Extension.ToLower();
if (allowedExtensions.Contains(extLower))
{
result.Add(file.FullPath);
}
}
return result;
}
internal static List<string> SearchMcAfeeSitelistFiles()
{
var result = new List<string>();
HashSet<string> allowedFilenames = new HashSet<string>()
{
"sitelist.xml"
};
//string[] searchLocations =
//{
// $"{drive}\\Program Files\\",
// $"{drive}\\Program Files (x86)\\",
// $"{drive}\\Documents and Settings\\",
// $"{drive}\\Users\\",
//};
var searchFiles = new List<CustomFileInfo>();
searchFiles.AddRange(SearchHelper.ProgramFiles);
searchFiles.AddRange(SearchHelper.ProgramFilesX86);
searchFiles.AddRange(SearchHelper.DocumentsAndSettings);
searchFiles.AddRange(SearchHelper.RootDirUsers);
foreach (var file in searchFiles)
{
string filenameToLower = file.Filename.ToLower();
if (allowedFilenames.Contains(filenameToLower))
{
result.Add(file.FullPath);
}
}
return result;
}
internal static List<string> SearchCurrentUserDocs()
{
var result = new List<string>();
string patterns = "*diagram*;*.pdf;*.vsd;*.doc;*docx;*.xls;*.xlsx";
var allowedRegexp = new List<string>
{
".*diagram.*",
};
var allowedExtensions = new HashSet<string>()
{
".doc",
".docx",
".vsd",
".xls",
".xlsx",
".pdf",
};
foreach (var file in SearchHelper.RootDirCurrentUser)
{
string extLower = file.Extension.ToLower();
string nameLower = file.Filename.ToLower();
// string nameExtLower = nameLower + "." + extLower;
if (allowedExtensions.Contains(extLower))
{
result.Add(file.FullPath);
}
else
{
foreach (var pattern in allowedRegexp)
{
if (Regex.IsMatch(nameLower, pattern, RegexOptions.IgnoreCase))
{
result.Add(file.FullPath);
break;
}
}
}
}
return result;
}
internal static List<string> SearchUsersDocs()
{
var result = new List<string>();
string patterns = "*diagram*;*.pdf;*.vsd;*.doc;*docx;*.xls;*.xlsx";
var allowedRegexp = new List<string>
{
".*diagram.*",
};
var allowedExtensions = new HashSet<string>()
{
".doc",
".docx",
".vsd",
".xls",
".xlsx",
".pdf",
};
foreach (var file in SearchHelper.RootDirUsers)
{
string extLower = file.Extension.ToLower();
string nameLower = file.Filename.ToLower();
// string nameExtLower = nameLower + "." + extLower;
if (allowedExtensions.Contains(extLower))
{
result.Add(file.FullPath);
}
else
{
foreach (var pattern in allowedRegexp)
{
if (Regex.IsMatch(nameLower, pattern, RegexOptions.IgnoreCase))
{
result.Add(file.FullPath);
break;
}
}
}
}
return result;
}
}
}
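Review bot: `GetFiles` and `GetStartDirectories` descend into every entry returned by `GetDirectories()` without checking for reparse points, so junctions and directory symlinks are followed. On Windows `Documents and Settings` is normally a junction to `Users`; where listing it is permitted the same tree is cached twice and `SearchMcAfeeSitelistFiles` reports duplicates, and a junction that points at one of its own ancestors recurses until `PathTooLongException`. Skipping such entries in the `foreach (var d in directories)` loop, e.g. `if ((d.Attributes & FileAttributes.ReparsePoint) != 0) continue;`, bounds the walk. Separately, `%USERPROFILE%` lies under `%SystemDrive%\Users` on a default install, so `RootDirCurrentUser` could probably be filtered from `RootDirUsers` instead of walking that tree a second time.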


@ -1,77 +0,0 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading;
namespace winPEAS.Helpers
{
internal static class SearchHelper
{
public static List<string> FindFiles(string path, string patterns)
{
// finds files matching one or more patterns under a given path, recursive
// adapted from http://csharphelper.com/blog/2015/06/find-files-that-match-multiple-patterns-in-c/
// pattern: "*pass*;*.png;"
var files = new List<string>();
if (!Directory.Exists(path))
{
return files;
}
try
{
// search every pattern in this directory's files
foreach (string pattern in patterns.Split(';'))
{
files.AddRange(Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly));
}
// go recurse in all sub-directories
foreach (var directory in Directory.GetDirectories(path))
files.AddRange(FindFiles(directory, patterns));
}
catch (UnauthorizedAccessException) { }
catch (PathTooLongException) { }
catch (DirectoryNotFoundException) { }
return files;
}
public static void FindFiles(string path, string patterns, Dictionary<string, string> color)
{
try
{
if (!Directory.Exists(path))
{
return;
}
// search every pattern in this directory's files
foreach (string pattern in patterns.Split(';'))
{
Beaprint.AnsiPrint(" " + String.Join("\n ", Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly).Where(filepath => !filepath.Contains(".dll"))), color);
}
if (!Checks.Checks.IsSearchFast)
{
Thread.Sleep(Checks.Checks.SearchTime);
}
// go recurse in all sub-directories
foreach (string directory in Directory.GetDirectories(path))
{
if (!directory.Contains("AppData"))
{
FindFiles(directory, patterns, color);
}
}
}
catch (UnauthorizedAccessException) { }
catch (PathTooLongException) { }
catch (DirectoryNotFoundException) { }
}
}
}


@ -3,6 +3,7 @@ using System.Collections.Generic;
using System.Security.Cryptography;
using System.Xml;
using winPEAS.Helpers;
using winPEAS.Helpers.Search;
namespace winPEAS.InterestingFiles
{
@ -24,7 +25,8 @@ namespace winPEAS.InterestingFiles
}
allUsers += "\\Microsoft\\Group Policy\\History"; // look only in the GPO cache folder
List<string> files = SearchHelper.FindFiles(allUsers, "*.xml");
//List<string> files = SearchHelper.FindFiles(allUsers, "*.xml");
List<string> files = SearchHelper.FindCachedGPPPassword();
// files will contain all XML files
foreach (string file in files)
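Review bot: The `allUsers` path assembled on the context line above no longer reaches the search: `FindCachedGPPPassword()` reads the cache that `CreateSearchDirectoriesList` builds from a hard-coded `{systemDrive}\\ProgramData\\Microsoft\\Group Policy\\History` plus the legacy `Documents and Settings` location. If `allUsers` is derived from an environment variable above this hunk (not visible here), a relocated profile root would have been searched before and is skipped now. Either pass the resolved directory into the cache builder or remove the now-dead `allUsers` computation together with the commented-out `FindFiles` line. The enclosing method starts and ends outside the hunk.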


@ -4,6 +4,7 @@ using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using winPEAS.Helpers;
using winPEAS.Helpers.Search;
namespace winPEAS.InterestingFiles
{
@ -43,19 +44,13 @@ namespace winPEAS.InterestingFiles
try
{
string drive = System.Environment.GetEnvironmentVariable("SystemDrive");
string[] searchLocations =
{
$"{drive}\\Program Files\\",
$"{drive}\\Program Files (x86)\\",
$"{drive}\\Documents and Settings\\",
$"{drive}\\Users\\",
};
results.AddRange(
searchLocations.SelectMany(
searchLocation => SearchHelper.FindFiles(searchLocation, "SiteList.xml")));
results = SearchHelper.SearchMcAfeeSitelistFiles();
//results.AddRange(
// searchLocations.SelectMany(
// searchLocation => SearchHelper.FindFiles(searchLocation, "SiteList.xml")));
}
catch (Exception ex)
{
@ -110,28 +105,31 @@ namespace winPEAS.InterestingFiles
{
string searchPath = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\Users\\";
List<string> files = SearchHelper.FindFiles(searchPath, patterns);
//List<string> files = SearchHelper.FindFiles(searchPath, patterns);
foreach (string file in files)
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
results.Add(file);
}
//foreach (string file in files)
//{
// //DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
// //DateTime lastModified = System.IO.File.GetLastWriteTime(file);
// results.Add(file);
//}
results = SearchHelper.SearchUsersDocs();
}
else
{
string searchPath = Environment.GetEnvironmentVariable("USERPROFILE");
List<string> files = SearchHelper.FindFiles(searchPath, patterns);
//List<string> files = SearchHelper.FindFiles(searchPath, patterns);
foreach (string file in files)
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
results.Add(file);
}
//foreach (string file in files)
//{
// //DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
// //DateTime lastModified = System.IO.File.GetLastWriteTime(file);
// results.Add(file);
//}
results = SearchHelper.SearchCurrentUserDocs();
}
}
catch (Exception ex)
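Review bot: All three call sites in this file now assign (`results = SearchHelper.SearchMcAfeeSitelistFiles();`, `results = SearchHelper.SearchUsersDocs();`, `results = SearchHelper.SearchCurrentUserDocs();`) where the old code appended with `results.AddRange(...)` or `results.Add(file)`. If anything was added to `results` before these lines, which the hunks do not show, it is discarded; `results.AddRange(SearchHelper.SearchUsersDocs());` keeps the earlier semantics. `drive`, both `searchPath` locals and the commented-out loops appear to be dead on the new side and can go.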


@ -22,7 +22,9 @@ namespace winPEAS.KnownFileCreds
foreach (string SID in SIDs)
{
if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
{
results = RegistryHelper.GetRegValues("HKU", String.Format("{0}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU", SID));
}
}
}
else
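Review bot: Inside the `foreach (string SID in SIDs)` loop, `results = RegistryHelper.GetRegValues(...)` overwrites `results` on every matching SID, so only the last matching user's `RunMRU` values survive the loop; the added braces make that easier to see but do not change it. If the intent is to report every loaded hive, merge each call's return value into `results` rather than assigning. The type of `results` and the rest of the method are outside the hunk, so the exact merge call depends on that type.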


@ -14,5 +14,3 @@ namespace winPEAS
}
}
}


@ -116,14 +116,15 @@
<Compile Include="Checks\SystemInfo.cs" />
<Compile Include="Checks\UserInfo.cs" />
<Compile Include="Checks\WindowsCreds.cs" />
<Compile Include="Helpers\CustomFileInfo.cs" />
<Compile Include="Helpers\MemoryHelper.cs" />
<Compile Include="Helpers\PermissionsHelper.cs" />
<Compile Include="Helpers\Search\Patterns.cs" />
<Compile Include="Info\ApplicationInfo\ApplicationInfoHelper.cs" />
<Compile Include="Info\ApplicationInfo\AutoRuns.cs" />
<Compile Include="Info\ApplicationInfo\DeviceDrivers.cs" />
<Compile Include="Info\ApplicationInfo\InstalledApps.cs" />
<Compile Include="Helpers\Beaprint.cs" />
<Compile Include="FastSearch\FileSearcher\FileSearcher.cs" />
<Compile Include="InterestingFiles\GPP.cs" />
<Compile Include="InterestingFiles\InterestingFiles.cs" />
<Compile Include="InterestingFiles\Unattended.cs" />
@ -211,7 +212,7 @@
<Compile Include="Helpers\CheckRunner.cs" />
<Compile Include="Helpers\ReflectionHelper.cs" />
<Compile Include="Helpers\RegistryHelper.cs" />
<Compile Include="Helpers\SearchHelper.cs" />
<Compile Include="Helpers\Search\SearchHelper.cs" />
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-0836.cs" />
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-0841.cs" />
<Compile Include="3rdParty\Watson\Msrc\CVE-2019-1064.cs" />