From d6d7b4e0e02145bfa83fe20d6dbd2a6256b7efa3 Mon Sep 17 00:00:00 2001 From: makikvues Date: Sat, 13 Feb 2021 11:13:26 +0100 Subject: [PATCH] - removed CMD checks - small cleanup - updated PrintAppCmd - updated AutoRuns checks --- .../winPEAS/Checks/ApplicationsInfo.cs | 4 +- winPEAS/winPEASexe/winPEAS/Checks/Checks.cs | 6 - .../winPEASexe/winPEAS/Checks/SystemInfo.cs | 4 +- winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs | 15 +- .../winPEASexe/winPEAS/Checks/WindowsCreds.cs | 194 +++++++++--------- .../winPEASexe/winPEAS/Helpers/Beaprint.cs | 3 +- .../winPEAS/Info/ApplicationInfo/AutoRuns.cs | 6 +- .../Info/WindowsCreds/AppCmd/AppCmd.cs | 82 ++++++++ winPEAS/winPEASexe/winPEAS/winPEAS.csproj | 1 + 9 files changed, 193 insertions(+), 122 deletions(-) create mode 100644 winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/AppCmd/AppCmd.cs diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs index 21ba4b9..77d34a6 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs @@ -97,7 +97,7 @@ namespace winPEAS.Checks } } - void PrintAutoRuns() + private static void PrintAutoRuns() { try { @@ -107,7 +107,7 @@ namespace winPEAS.Checks foreach (Dictionary app in apps) { - var colorsA = new Dictionary() + var colorsA = new Dictionary { { "FolderPerms:.*", Beaprint.ansi_color_bad }, { "FilePerms:.*", Beaprint.ansi_color_bad }, diff --git a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs index 2f8f3b4..be5630a 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs @@ -15,7 +15,6 @@ namespace winPEAS.Checks public static class Checks { public static bool IsNoColor = false; - public static bool ExecCmd = false; public static bool Banner = true; public static bool IsDebug = false; 
@@ -108,11 +107,6 @@ namespace winPEAS.Checks Console.SetOut(fileWriter); } - if (string.Equals(arg, "cmd", StringComparison.CurrentCultureIgnoreCase)) - { - ExecCmd = true; - } - if (string.Equals(arg, "notcolor", StringComparison.CurrentCultureIgnoreCase)) { IsNoColor = true; diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs index 959a815..4bdc053 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs @@ -692,7 +692,7 @@ namespace winPEAS.Checks } } - private void PrintPrintersWMIInfo() + private static void PrintPrintersWMIInfo() { Beaprint.MainPrint("Enumerating Printers (WMI)"); @@ -714,7 +714,7 @@ namespace winPEAS.Checks } } - private void PrintNamedPipes() + private static void PrintNamedPipes() { Beaprint.MainPrint("Enumerating Named Pipes"); diff --git a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs index 63201a9..730e82a 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs @@ -126,24 +126,11 @@ namespace winPEAS.Checks try { Beaprint.MainPrint("Clipboard text"); - string clipboard = Info.UserInfo.UserInfoHelper.GetClipboardText(); + string clipboard = UserInfoHelper.GetClipboardText(); if (!string.IsNullOrEmpty(clipboard)) { Beaprint.BadPrint(clipboard); } - else - { - if (Checks.ExecCmd) - { - Beaprint.BadPrint(" " + MyUtils.ExecCMD("-command Get-Clipboard", "powershell.exe")); - } - else - { - Beaprint.NotFoundPrint(); - Beaprint.InfoPrint(" This C# implementation to capture the clipboard is not trustable in every Windows version"); - Beaprint.InfoPrint(" If you want to see what is inside the clipboard execute 'powershell -command \"Get - Clipboard\"'"); - } - } } catch (Exception ex) { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs index d439cf0..628b581 100644 
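Review bot: The `else` branch that printed `Beaprint.NotFoundPrint()` was removed together with the `Checks.ExecCmd` path, so when `UserInfoHelper.GetClipboardText()` returns an empty string the check now emits only the `Clipboard text` heading and no result line, unlike the other checks in this file. Keep a plain `else { Beaprint.NotFoundPrint(); }` after the `if (!string.IsNullOrEmpty(clipboard))` block. The removed `InfoPrint` noting that the C# clipboard read is not reliable on every Windows version was the only hint a reader of the output had about an empty result; if that caveat still holds, a one-line `InfoPrint` in the same `else` would preserve it. The enclosing method continues outside the hunk.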
--- a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs @@ -1,11 +1,14 @@ using System; using System.Collections.Generic; +using System.Diagnostics; using System.IO; using System.Linq; +using System.Text; using System.Xml; using winPEAS.Helpers; using winPEAS.Helpers.CredentialManager; using winPEAS.Helpers.Registry; +using winPEAS.Info.WindowsCreds.AppCmd; using winPEAS.KnownFileCreds; using winPEAS.KnownFileCreds.Kerberos; using winPEAS.KnownFileCreds.SecurityPackages; 
@@ -66,49 +69,38 @@ namespace winPEAS.Checks { Beaprint.MainPrint("Checking Credential manager"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault"); - if (Checks.ExecCmd) + + var colorsC = new Dictionary() { - Dictionary colorsC = new Dictionary() - { - { "User:.*", Beaprint.ansi_color_bad }, - }; - Beaprint.AnsiPrint(MyUtils.ExecCMD("/list", "cmdkey.exe"), colorsC); - Beaprint.InfoPrint("If any cred was found, you can use it with 'runas /savecred'"); + { "Warning:", Beaprint.YELLOW }, + }; + Beaprint.AnsiPrint(" [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string\n\n", colorsC); + + var keywords = new HashSet + { + nameof(Credential.Password), + nameof(Credential.Username), + nameof(Credential.Target), + nameof(Credential.PersistenceType), + nameof(Credential.LastWriteTime), + }; + + colorsC = new Dictionary() + { + { CredentialManager.UnicodeInfoText, Beaprint.LBLUE } + }; + + foreach (var keyword in keywords) + { + colorsC.Add($"{keyword}:", Beaprint.ansi_color_bad); } - else + + var credentials = CredentialManager.GetCredentials(); + + foreach (var credential in credentials) { - var colorsC = new Dictionary() - { - { "Warning:", Beaprint.YELLOW }, - }; - Beaprint.AnsiPrint(" [!] 
Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string\n\n", colorsC); - - var keywords = new HashSet - { - nameof(Credential.Password), - nameof(Credential.Username), - nameof(Credential.Target), - nameof(Credential.PersistenceType), - nameof(Credential.LastWriteTime), - }; - - colorsC = new Dictionary() - { - { CredentialManager.UnicodeInfoText, Beaprint.LBLUE } - }; - - foreach (var keyword in keywords) - { - colorsC.Add($"{keyword}:", Beaprint.ansi_color_bad); - } - - var credentials = CredentialManager.GetCredentials(); - - foreach (var credential in credentials) - { - Beaprint.AnsiPrint(credential, colorsC); - Beaprint.PrintLineSeparator(); - } + Beaprint.AnsiPrint(credential, colorsC); + Beaprint.PrintLineSeparator(); } } catch (Exception ex) 
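Review bot: `colorsC` is first built for the colouring of the warning line and then reassigned to an unrelated map for the credential output, so one local name carries two different tables within a few lines of the de-indented block. Giving them separate names, e.g. `var warningColors = new Dictionary<string, string> { { "Warning:", Beaprint.YELLOW } };` for the first `AnsiPrint` and `var credColors` for the loop, makes the flow easier to read now that the `Checks.ExecCmd` branch is gone. The `foreach (var keyword in keywords)` loop could also fold into the initializer of that second map, but that is optional. The enclosing method starts and ends outside the hunk.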
@@ -260,37 +252,23 @@ namespace winPEAS.Checks try { Beaprint.MainPrint("Looking for saved Wifi credentials"); - if (Checks.ExecCmd) + foreach (var @interface in new WlanClient().Interfaces) { - Dictionary networkConnections = Wifi.Wifi.Retrieve(); - Dictionary ansi_colors_regexp = new Dictionary(); + foreach (var profile in @interface.GetProfiles()) + { + var xml = @interface.GetProfileXml(profile.profileName); - //Make sure the passwords are all flagged as ansi_color_bad. - foreach (var connection in networkConnections) - { - ansi_colors_regexp.Add(connection.Value, Beaprint.ansi_color_bad); - } - Beaprint.DictPrint(networkConnections, ansi_colors_regexp, false); - } - else - { - foreach (var @interface in new WlanClient().Interfaces) - { - foreach (var profile in @interface.GetProfiles()) + XmlDocument xDoc = new XmlDocument(); + xDoc.LoadXml(xml); + + var keyMaterial = xDoc.GetElementsByTagName("keyMaterial"); + + if (keyMaterial.Count > 0) { - var xml = @interface.GetProfileXml(profile.profileName); + string password = keyMaterial[0].InnerText; - XmlDocument xDoc = new XmlDocument(); - xDoc.LoadXml(xml); - - var keyMaterial = xDoc.GetElementsByTagName("keyMaterial"); - - if (keyMaterial.Count > 0) - { - string password = keyMaterial[0].InnerText; - - Beaprint.BadPrint($" found Wifi password for SSID: '{profile.profileName}', password: '{password}' "); - } + Beaprint.BadPrint($" SSID : '{profile.profileName}\n'" + + $" password : '{password}' \n\n"); } } } 
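Review bot: The newline in the new `BadPrint` call sits inside the quotes around the SSID — `'{profile.profileName}\n'` — so the output prints the SSID, a line break, and then the closing quote at the start of the password line. Move the `\n` outside the quote: `Beaprint.BadPrint($" SSID : '{profile.profileName}'\n" +`. The enclosing method begins and ends outside the hunk.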
@@ -307,16 +285,54 @@ namespace winPEAS.Checks { Beaprint.MainPrint("Looking AppCmd.exe"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe"); - - if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe"))) + + var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe"); + + if (File.Exists(appCmdPath)) { - Beaprint.BadPrint(" AppCmd.exe was found in " + - Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe You should try to search for credentials")); + Beaprint.BadPrint($" AppCmd.exe was found in {appCmdPath}"); } else { Beaprint.NotFoundPrint(); } + + if (!MyUtils.IsHighIntegrity()) + { + Beaprint.NoColorPrint(" You must be an administrator to run this check"); + return; + } + + var script = AppCmd.GetExtractAppCmdCredsPowerShellScript(); + + string args = @$" {script}"; + + var processStartInfo = new ProcessStartInfo + { + UseShellExecute = false, + CreateNoWindow = true, + FileName = "powershell.exe", + Arguments = args, + RedirectStandardOutput = true, + RedirectStandardError = true, + StandardOutputEncoding = Encoding.UTF8 + }; + + using (var process = Process.Start(processStartInfo)) + { + if (process != null) + { + while (!process.StandardOutput.EndOfStream) + { + Beaprint.BadPrint($" {process.StandardOutput.ReadLine()}"); + } + + while (!process.StandardError.EndOfStream) + { + Console.WriteLine(process.StandardError.ReadLine()); + } + } + } } catch (Exception ex) { 
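Review bot: When `appcmd.exe` is absent the new code prints `NotFoundPrint()` and then still falls through to the integrity check and spawns `powershell.exe` with the extraction script, which itself only re-tests the same path; an early `return;` in the `else` branch avoids the pointless process launch. Separately, both standard streams are redirected but read synchronously one after the other and `WaitForExit()` is never called, so if the script writes enough to stderr while the stdout loop is running the child blocks on a full pipe and the loop never reaches `EndOfStream` — the .NET `Process` documentation describes exactly this deadlock. Draining stderr through `BeginErrorReadLine` (or reading one stream with `ReadToEnd` and the other asynchronously) and waiting for exit afterwards fixes it. Passing the script with explicit `-NoProfile -NonInteractive -Command` also keeps a user profile script from altering the output; `-EncodedCommand` would be the more robust way to hand over a multi-line script, but that is a larger change. The enclosing method begins and ends outside the hunk.
```csharp
if (!File.Exists(appCmdPath))
{
    Beaprint.NotFoundPrint();
    return;
}

Beaprint.BadPrint($" AppCmd.exe was found in {appCmdPath}");

// … unchanged: IsHighIntegrity check and GetExtractAppCmdCredsPowerShellScript() …

var processStartInfo = new ProcessStartInfo
{
    // … unchanged: UseShellExecute, CreateNoWindow, FileName, redirects, StandardOutputEncoding …
    Arguments = $"-NoProfile -NonInteractive -Command {script}",
};

using (var process = Process.Start(processStartInfo))
{
    if (process != null)
    {
        // stderr is drained on the async callback so a full stderr pipe cannot stall the stdout loop
        process.ErrorDataReceived += (sender, e) =>
        {
            if (e.Data != null)
            {
                Console.WriteLine(e.Data);
            }
        };
        process.BeginErrorReadLine();

        // … unchanged: StandardOutput ReadLine loop with BadPrint …

        process.WaitForExit();
    }
}
```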
@@ -412,33 +428,25 @@ namespace winPEAS.Checks var server = info.ServerSettings; Beaprint.ColorPrint(" RDP Server Settings", Beaprint.LBLUE); - Beaprint.NoColorPrint($" NetworkLevelAuthentication : {server.NetworkLevelAuthentication}"); - Beaprint.NoColorPrint($" BlockClipboardRedirection : {server.BlockClipboardRedirection}"); - Beaprint.NoColorPrint($" BlockComPortRedirection : {server.BlockComPortRedirection}"); - Beaprint.NoColorPrint($" BlockDriveRedirection : {server.BlockDriveRedirection}"); - Beaprint.NoColorPrint($" BlockLptPortRedirection : {server.BlockLptPortRedirection}"); - Beaprint.NoColorPrint($" BlockPnPDeviceRedirection : {server.BlockPnPDeviceRedirection}"); - Beaprint.NoColorPrint($" BlockPrinterRedirection : {server.BlockPrinterRedirection}"); - Beaprint.NoColorPrint($" AllowSmartCardRedirection : {server.AllowSmartCardRedirection}"); + Beaprint.NoColorPrint($" Network Level Authentication : {server.NetworkLevelAuthentication}\n" + + $" Block Clipboard Redirection : {server.BlockClipboardRedirection}\n" + + $" Block COM Port Redirection : {server.BlockComPortRedirection}\n" + + $" Block Drive Redirection : {server.BlockDriveRedirection}\n" + + $" Block LPT Port Redirection : {server.BlockLptPortRedirection}\n" + + $" Block PnP Device Redirection : {server.BlockPnPDeviceRedirection}\n" + + $" Block Printer Redirection : {server.BlockPrinterRedirection}\n" + + $" Allow Smart Card Redirection : {server.AllowSmartCardRedirection}"); Beaprint.ColorPrint("\n RDP Client Settings", Beaprint.LBLUE); - Beaprint.NoColorPrint($" DisablePasswordSaving : {info.ClientSettings.DisablePasswordSaving}"); - Beaprint.NoColorPrint($" RestrictedRemoteAdministration : {info.ClientSettings.RestrictedRemoteAdministration}"); + Beaprint.NoColorPrint($" Disable Password Saving : {info.ClientSettings.DisablePasswordSaving}\n" + + $" Restricted Remote Administration : {info.ClientSettings.RestrictedRemoteAdministration}"); var type = 
info.ClientSettings.RestrictedRemoteAdministrationType; - - var types = new Dictionary() - { - { 1, "Require Restricted Admin Mode" }, - { 2, "Require Remote Credential Guard" }, - { 3, "Require Restricted Admin or Remote Credential Guard" }, - }; - if (type != null) { var str = GetDescriptionByType(type); - Beaprint.NoColorPrint($" RestrictedRemoteAdministrationType: {str}"); + Beaprint.NoColorPrint($" Restricted Remote Administration Type: {str}"); } var level = info.ClientSettings.ServerAuthLevel; @@ -446,7 +454,7 @@ namespace winPEAS.Checks { var str = GetDescriptionByType(level); - Beaprint.NoColorPrint($" ServerAuthenticationLevel: {level} - {str}"); + Beaprint.NoColorPrint($" Server Authentication Level: {level} - {str}"); } } catch (Exception ex) @@ -456,14 +464,14 @@ namespace winPEAS.Checks private static string GetDescriptionByType(uint? type) { - var types = new Dictionary() + var types = new Dictionary { { 1, "Require Restricted Admin Mode" }, { 2, "Require Remote Credential Guard" }, { 3, "Require Restricted Admin or Remote Credential Guard" }, }; - string str = $"{type} - Unknown"; + var str = $"{type} - Unknown"; if (types.ContainsKey(type.Value)) { diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs index 828f7a8..115a434 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs @@ -84,7 +84,7 @@ namespace winPEAS.Helpers PrintBanner(); } - Console.WriteLine(YELLOW + " WinPEAS " + GREEN + Version + NOCOLOR + YELLOW + " by carlospolop, makikvues(sergi[dot]chamila[at]gmail[dot]com)" + NOCOLOR); + Console.WriteLine(YELLOW + " WinPEAS " + GREEN + Version + NOCOLOR + YELLOW + " by carlospolop, makikvues(makikvues2[at]gmail[dot]com)" + NOCOLOR); Console.WriteLine(); PrintLegend(); 
@@ -107,7 +107,6 @@ namespace winPEAS.Helpers { Console.WriteLine(YELLOW + " [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR); Console.WriteLine(LBLUE + " quiet" + GRAY + " Do not print banner" + NOCOLOR); - Console.WriteLine(LBLUE + " cmd" + GRAY + " Obtain wifi, cred manager and clipboard information executing CMD commands" + NOCOLOR); Console.WriteLine(LBLUE + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR); Console.WriteLine(LBLUE + " systeminfo" + GRAY + " Search system information" + NOCOLOR); Console.WriteLine(LBLUE + " userinfo" + GRAY + " Search user information" + NOCOLOR); diff --git a/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs b/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs index 665bf20..c6b8a3a 100644 --- a/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs +++ b/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs @@ -378,7 +378,7 @@ namespace winPEAS.Info.ApplicationInfo { "isWritableReg", ""}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))}, - { "isUnquotedSpaced", "" } + { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() } }); } } @@ -406,7 +406,7 @@ namespace winPEAS.Info.ApplicationInfo { "isWritableReg", ""}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFileRights", ""}, - { "isUnquotedSpaced", "" } + { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(folder).ToString() } }); } catch (Exception) 
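Review bot: `MyUtils.CheckQuoteAndSpace(path).ToString()` stores the stringified check result — `"True"`/`"False"` if the helper returns a bool — in `isUnquotedSpaced`, where the field was previously the empty string for these entries; any consumer that treats a non-empty value as a finding (the regex-coloured `PrintAutoRuns` in `ApplicationsInfo.cs` looks like such a consumer, though its matching rules are not in this diff) would now flag every entry. Either keep `""` for the negative case, e.g. `{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path) ? "True" : "" }`, or confirm the consumer compares against `"True"`. The same change appears in the hunks at `@@ -406` and `@@ -510`; the `@@ -406` hunk passes `folder` rather than a file path, which may give a different answer than the full command line if `CheckQuoteAndSpace` expects one, so a short comment on why `folder` is used there would help. All three enclosing methods continue outside their hunks.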
@@ -510,7 +510,7 @@ namespace winPEAS.Info.ApplicationInfo { "isWritableReg", ""}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs))}, - { "isUnquotedSpaced", "" } + { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() } }); } } diff --git a/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/AppCmd/AppCmd.cs b/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/AppCmd/AppCmd.cs new file mode 100644 index 0000000..5ed26b8 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/AppCmd/AppCmd.cs 
@@ -0,0 +1,82 @@ +using System; + +namespace winPEAS.Info.WindowsCreds.AppCmd +{ + class AppCmd + { + const string ExtractAppCmdCredsScript = @" + # Check if appcmd.exe exists + if (Test-Path ('%APPCMD%')) { + # Create data table to house results + $DataTable = New-Object System.Data.DataTable + + # Create and name columns in the data table + $Null = $DataTable.Columns.Add('user') + $Null = $DataTable.Columns.Add('pass') + $Null = $DataTable.Columns.Add('type') + $Null = $DataTable.Columns.Add('vdir') + $Null = $DataTable.Columns.Add('apppool') + + # Get list of application pools + Invoke-Expression '%APPCMD% list apppools /text:name' | ForEach-Object { + + # Get application pool name + $PoolName = $_ + + # Get username + $PoolUserCmd = '%APPCMD% list apppool ' + $PoolName + ' /text:processmodel.username' + $PoolUser = Invoke-Expression $PoolUserCmd + + # Get password + $PoolPasswordCmd = '%APPCMD% list apppool ' + $PoolName + ' /text:processmodel.password' + $PoolPassword = Invoke-Expression $PoolPasswordCmd + + # Check if credentials exists + if (($PoolPassword -ne '') -and ($PoolPassword -isnot [system.array])) { + # Add credentials to database + $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName) + } + } + + # Get list of virtual directories + Invoke-Expression '%APPCMD% list vdir /text:vdir.name' | ForEach-Object { + + # Get Virtual Directory Name + $VdirName = $_ + + # Get username + $VdirUserCmd = '%APPCMD% list vdir ' + $VdirName + ' /text:userName' + $VdirUser = Invoke-Expression $VdirUserCmd + + # Get password + $VdirPasswordCmd = '%APPCMD% list vdir ' + $VdirName + ' /text:password' + $VdirPassword = Invoke-Expression $VdirPasswordCmd + + # Check if credentials exists + if (($VdirPassword -ne '') -and ($VdirPassword -isnot [system.array])) { + # Add credentials to database + $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA') + } + } + + # Check if any passwords were found + if( 
$DataTable.rows.Count -gt 0 ) { + # Display results in list view that can feed into the pipeline + #$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique + $DataTable | Select-Object user,pass,type,vdir,apppool + } + else { + # Status user + Write-host 'No application pool or virtual directory passwords were found.' + } + } + "; + + public static string GetExtractAppCmdCredsPowerShellScript() + { + var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe"); + + return ExtractAppCmdCredsScript.Replace("%APPCMD%", appCmdPath); + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj index e8dab46..c93f4e6 100755 --- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj +++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj @@ -476,6 +476,7 @@ +
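Review bot: The script builds every `appcmd` invocation by string concatenation and runs it through `Invoke-Expression` — `'%APPCMD% list apppool ' + $PoolName + ' /text:processmodel.username'` — so a pool or virtual-directory name containing a space, quote or other shell metacharacter yields a broken or different command. Invoking the executable with the call operator and the name as a quoted argument, `& '%APPCMD%' list apppool "$PoolName" /text:processmodel.username`, avoids re-parsing the name, and the same applies to the three other `Invoke-Expression` lines in the `apppool` and `vdir` blocks. On the C# side the class is neither `public` nor `static`, and `GetExtractAppCmdCredsPowerShellScript` expands the same `%systemroot%\system32\inetsrv\appcmd.exe` string that `WindowsCreds.cs` expands independently; a single shared constant would keep the two in step. A `/// <summary>` on the public method stating that it returns the PowerShell source with the `%APPCMD%` placeholder replaced by the expanded path would help too.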