darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- removed CMD checks

Browse Source 
- small cleanup
- updated PrintAppCmd
- updated AutoRuns checks
This commit is contained in:
makikvues 2021-02-13 11:13:26 +01:00
parent f3c7e92735
commit d6d7b4e0e0
9 changed files with 193 additions and 122 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
View File

@ -97,7 +97,7 @@ namespace winPEAS.Checks
} }
} }
void PrintAutoRuns() private static void PrintAutoRuns()
{ {
try try
{ {
@ -107,7 +107,7 @@ namespace winPEAS.Checks
foreach (Dictionary<string, string> app in apps) foreach (Dictionary<string, string> app in apps)
{ {
var colorsA = new Dictionary<string, string>() var colorsA = new Dictionary<string, string>
{ {
{ "FolderPerms:.*", Beaprint.ansi_color_bad }, { "FolderPerms:.*", Beaprint.ansi_color_bad },
{ "FilePerms:.*", Beaprint.ansi_color_bad }, { "FilePerms:.*", Beaprint.ansi_color_bad },

6
winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
View File

@ -15,7 +15,6 @@ namespace winPEAS.Checks
public static class Checks public static class Checks
{ {
public static bool IsNoColor = false; public static bool IsNoColor = false;
public static bool ExecCmd = false;
public static bool Banner = true; public static bool Banner = true;
public static bool IsDebug = false; public static bool IsDebug = false;
@ -108,11 +107,6 @@ namespace winPEAS.Checks
Console.SetOut(fileWriter); Console.SetOut(fileWriter);
} }
if (string.Equals(arg, "cmd", StringComparison.CurrentCultureIgnoreCase))
{
ExecCmd = true;
}
if (string.Equals(arg, "notcolor", StringComparison.CurrentCultureIgnoreCase)) if (string.Equals(arg, "notcolor", StringComparison.CurrentCultureIgnoreCase))
{ {
IsNoColor = true; IsNoColor = true;

4
winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
View File

@ -692,7 +692,7 @@ namespace winPEAS.Checks
} }
} }
private void PrintPrintersWMIInfo() private static void PrintPrintersWMIInfo()
{ {
Beaprint.MainPrint("Enumerating Printers (WMI)"); Beaprint.MainPrint("Enumerating Printers (WMI)");
@ -714,7 +714,7 @@ namespace winPEAS.Checks
} }
} }
private void PrintNamedPipes() private static void PrintNamedPipes()
{ {
Beaprint.MainPrint("Enumerating Named Pipes"); Beaprint.MainPrint("Enumerating Named Pipes");

15
winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs
View File

@ -126,24 +126,11 @@ namespace winPEAS.Checks
try try
{ {
Beaprint.MainPrint("Clipboard text"); Beaprint.MainPrint("Clipboard text");
string clipboard = Info.UserInfo.UserInfoHelper.GetClipboardText(); string clipboard = UserInfoHelper.GetClipboardText();
if (!string.IsNullOrEmpty(clipboard)) if (!string.IsNullOrEmpty(clipboard))
{ {
Beaprint.BadPrint(clipboard); Beaprint.BadPrint(clipboard);
} }
else
{
if (Checks.ExecCmd)
{
Beaprint.BadPrint(" " + MyUtils.ExecCMD("-command Get-Clipboard", "powershell.exe"));
}
else
{
Beaprint.NotFoundPrint();
Beaprint.InfoPrint(" This C# implementation to capture the clipboard is not trustable in every Windows version");
Beaprint.InfoPrint(" If you want to see what is inside the clipboard execute 'powershell -command \"Get - Clipboard\"'");
}
}
} }
catch (Exception ex) catch (Exception ex)
{ {

114
winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs
View File

@ -1,11 +1,14 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Diagnostics;
using System.IO; using System.IO;
using System.Linq; using System.Linq;
using System.Text;
using System.Xml; using System.Xml;
using winPEAS.Helpers; using winPEAS.Helpers;
using winPEAS.Helpers.CredentialManager; using winPEAS.Helpers.CredentialManager;
using winPEAS.Helpers.Registry; using winPEAS.Helpers.Registry;
using winPEAS.Info.WindowsCreds.AppCmd;
using winPEAS.KnownFileCreds; using winPEAS.KnownFileCreds;
using winPEAS.KnownFileCreds.Kerberos; using winPEAS.KnownFileCreds.Kerberos;
using winPEAS.KnownFileCreds.SecurityPackages; using winPEAS.KnownFileCreds.SecurityPackages;
@ -66,17 +69,7 @@ namespace winPEAS.Checks
{ {
Beaprint.MainPrint("Checking Credential manager"); Beaprint.MainPrint("Checking Credential manager");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault");
if (Checks.ExecCmd)
{
Dictionary<string, string> colorsC = new Dictionary<string, string>()
{
{ "User:.*", Beaprint.ansi_color_bad },
};
Beaprint.AnsiPrint(MyUtils.ExecCMD("/list", "cmdkey.exe"), colorsC);
Beaprint.InfoPrint("If any cred was found, you can use it with 'runas /savecred'");
}
else
{
var colorsC = new Dictionary<string, string>() var colorsC = new Dictionary<string, string>()
{ {
{ "Warning:", Beaprint.YELLOW }, { "Warning:", Beaprint.YELLOW },
@ -110,7 +103,6 @@ namespace winPEAS.Checks
Beaprint.PrintLineSeparator(); Beaprint.PrintLineSeparator();
} }
} }
}
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.PrintException(ex.Message); Beaprint.PrintException(ex.Message);
@ -260,20 +252,6 @@ namespace winPEAS.Checks
try try
{ {
Beaprint.MainPrint("Looking for saved Wifi credentials"); Beaprint.MainPrint("Looking for saved Wifi credentials");
if (Checks.ExecCmd)
{
Dictionary<string, string> networkConnections = Wifi.Wifi.Retrieve();
Dictionary<string, string> ansi_colors_regexp = new Dictionary<string, string>();
//Make sure the passwords are all flagged as ansi_color_bad.
foreach (var connection in networkConnections)
{
ansi_colors_regexp.Add(connection.Value, Beaprint.ansi_color_bad);
}
Beaprint.DictPrint(networkConnections, ansi_colors_regexp, false);
}
else
{
foreach (var @interface in new WlanClient().Interfaces) foreach (var @interface in new WlanClient().Interfaces)
{ {
foreach (var profile in @interface.GetProfiles()) foreach (var profile in @interface.GetProfiles())
@ -289,8 +267,8 @@ namespace winPEAS.Checks
{ {
string password = keyMaterial[0].InnerText; string password = keyMaterial[0].InnerText;
Beaprint.BadPrint($" found Wifi password for SSID: '{profile.profileName}', password: '{password}' "); Beaprint.BadPrint($" SSID : '{profile.profileName}\n'" +
} $" password : '{password}' \n\n");
} }
} }
} }
@ -308,15 +286,53 @@ namespace winPEAS.Checks
Beaprint.MainPrint("Looking AppCmd.exe"); Beaprint.MainPrint("Looking AppCmd.exe");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe");
if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe"))) var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
if (File.Exists(appCmdPath))
{ {
Beaprint.BadPrint(" AppCmd.exe was found in " + Beaprint.BadPrint($" AppCmd.exe was found in {appCmdPath}");
Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe You should try to search for credentials"));
} }
else else
{ {
Beaprint.NotFoundPrint(); Beaprint.NotFoundPrint();
} }
if (!MyUtils.IsHighIntegrity())
{
Beaprint.NoColorPrint(" You must be an administrator to run this check");
return;
}
var script = AppCmd.GetExtractAppCmdCredsPowerShellScript();
string args = @$" {script}";
var processStartInfo = new ProcessStartInfo
{
UseShellExecute = false,
CreateNoWindow = true,
FileName = "powershell.exe",
Arguments = args,
RedirectStandardOutput = true,
RedirectStandardError = true,
StandardOutputEncoding = Encoding.UTF8
};
using (var process = Process.Start(processStartInfo))
{
if (process != null)
{
while (!process.StandardOutput.EndOfStream)
{
Beaprint.BadPrint($" {process.StandardOutput.ReadLine()}");
}
while (!process.StandardError.EndOfStream)
{
Console.WriteLine(process.StandardError.ReadLine());
}
}
}
} }
catch (Exception ex) catch (Exception ex)
{ {
@ -412,33 +428,25 @@ namespace winPEAS.Checks
var server = info.ServerSettings; var server = info.ServerSettings;
Beaprint.ColorPrint(" RDP Server Settings", Beaprint.LBLUE); Beaprint.ColorPrint(" RDP Server Settings", Beaprint.LBLUE);
Beaprint.NoColorPrint($" NetworkLevelAuthentication : {server.NetworkLevelAuthentication}"); Beaprint.NoColorPrint($" Network Level Authentication : {server.NetworkLevelAuthentication}\n" +
Beaprint.NoColorPrint($" BlockClipboardRedirection : {server.BlockClipboardRedirection}"); $" Block Clipboard Redirection : {server.BlockClipboardRedirection}\n" +
Beaprint.NoColorPrint($" BlockComPortRedirection : {server.BlockComPortRedirection}"); $" Block COM Port Redirection : {server.BlockComPortRedirection}\n" +
Beaprint.NoColorPrint($" BlockDriveRedirection : {server.BlockDriveRedirection}"); $" Block Drive Redirection : {server.BlockDriveRedirection}\n" +
Beaprint.NoColorPrint($" BlockLptPortRedirection : {server.BlockLptPortRedirection}"); $" Block LPT Port Redirection : {server.BlockLptPortRedirection}\n" +
Beaprint.NoColorPrint($" BlockPnPDeviceRedirection : {server.BlockPnPDeviceRedirection}"); $" Block PnP Device Redirection : {server.BlockPnPDeviceRedirection}\n" +
Beaprint.NoColorPrint($" BlockPrinterRedirection : {server.BlockPrinterRedirection}"); $" Block Printer Redirection : {server.BlockPrinterRedirection}\n" +
Beaprint.NoColorPrint($" AllowSmartCardRedirection : {server.AllowSmartCardRedirection}"); $" Allow Smart Card Redirection : {server.AllowSmartCardRedirection}");
Beaprint.ColorPrint("\n RDP Client Settings", Beaprint.LBLUE); Beaprint.ColorPrint("\n RDP Client Settings", Beaprint.LBLUE);
Beaprint.NoColorPrint($" DisablePasswordSaving : {info.ClientSettings.DisablePasswordSaving}"); Beaprint.NoColorPrint($" Disable Password Saving : {info.ClientSettings.DisablePasswordSaving}\n" +
Beaprint.NoColorPrint($" RestrictedRemoteAdministration : {info.ClientSettings.RestrictedRemoteAdministration}"); $" Restricted Remote Administration : {info.ClientSettings.RestrictedRemoteAdministration}");
var type = info.ClientSettings.RestrictedRemoteAdministrationType; var type = info.ClientSettings.RestrictedRemoteAdministrationType;
var types = new Dictionary<uint, string>()
{
{ 1, "Require Restricted Admin Mode" },
{ 2, "Require Remote Credential Guard" },
{ 3, "Require Restricted Admin or Remote Credential Guard" },
};
if (type != null) if (type != null)
{ {
var str = GetDescriptionByType(type); var str = GetDescriptionByType(type);
Beaprint.NoColorPrint($" RestrictedRemoteAdministrationType: {str}"); Beaprint.NoColorPrint($" Restricted Remote Administration Type: {str}");
} }
var level = info.ClientSettings.ServerAuthLevel; var level = info.ClientSettings.ServerAuthLevel;
@ -446,7 +454,7 @@ namespace winPEAS.Checks
{ {
var str = GetDescriptionByType(level); var str = GetDescriptionByType(level);
Beaprint.NoColorPrint($" ServerAuthenticationLevel: {level} - {str}"); Beaprint.NoColorPrint($" Server Authentication Level: {level} - {str}");
} }
} }
catch (Exception ex) catch (Exception ex)
@ -456,14 +464,14 @@ namespace winPEAS.Checks
private static string GetDescriptionByType(uint? type) private static string GetDescriptionByType(uint? type)
{ {
var types = new Dictionary<uint, string>() var types = new Dictionary<uint, string>
{ {
{ 1, "Require Restricted Admin Mode" }, { 1, "Require Restricted Admin Mode" },
{ 2, "Require Remote Credential Guard" }, { 2, "Require Remote Credential Guard" },
{ 3, "Require Restricted Admin or Remote Credential Guard" }, { 3, "Require Restricted Admin or Remote Credential Guard" },
}; };
string str = $"{type} - Unknown"; var str = $"{type} - Unknown";
if (types.ContainsKey(type.Value)) if (types.ContainsKey(type.Value))
{ {

3
winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
View File

@ -84,7 +84,7 @@ namespace winPEAS.Helpers
PrintBanner(); PrintBanner();
} }
Console.WriteLine(YELLOW + " WinPEAS " + GREEN + Version + NOCOLOR + YELLOW + " by carlospolop, makikvues(sergi[dot]chamila[at]gmail[dot]com)" + NOCOLOR); Console.WriteLine(YELLOW + " WinPEAS " + GREEN + Version + NOCOLOR + YELLOW + " by carlospolop, makikvues(makikvues2[at]gmail[dot]com)" + NOCOLOR);
Console.WriteLine(); Console.WriteLine();
PrintLegend(); PrintLegend();
@ -107,7 +107,6 @@ namespace winPEAS.Helpers
{ {
Console.WriteLine(YELLOW + " [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR); Console.WriteLine(YELLOW + " [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR);
Console.WriteLine(LBLUE + " quiet" + GRAY + " Do not print banner" + NOCOLOR); Console.WriteLine(LBLUE + " quiet" + GRAY + " Do not print banner" + NOCOLOR);
Console.WriteLine(LBLUE + " cmd" + GRAY + " Obtain wifi, cred manager and clipboard information executing CMD commands" + NOCOLOR);
Console.WriteLine(LBLUE + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR); Console.WriteLine(LBLUE + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR);
Console.WriteLine(LBLUE + " systeminfo" + GRAY + " Search system information" + NOCOLOR); Console.WriteLine(LBLUE + " systeminfo" + GRAY + " Search system information" + NOCOLOR);
Console.WriteLine(LBLUE + " userinfo" + GRAY + " Search user information" + NOCOLOR); Console.WriteLine(LBLUE + " userinfo" + GRAY + " Search user information" + NOCOLOR);

6
winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs
View File

@ -378,7 +378,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""}, { "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))}, { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))},
{ "isUnquotedSpaced", "" } { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
}); });
} }
} }
@ -406,7 +406,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""}, { "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", ""}, { "interestingFileRights", ""},
{ "isUnquotedSpaced", "" } { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(folder).ToString() }
}); });
} }
catch (Exception) catch (Exception)
@ -510,7 +510,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""}, { "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs))}, { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs))},
{ "isUnquotedSpaced", "" } { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
}); });
} }
} }

82
winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/AppCmd/AppCmd.cs Normal file
View File

@ -0,0 +1,82 @@
using System;
namespace winPEAS.Info.WindowsCreds.AppCmd
{
class AppCmd
{
const string ExtractAppCmdCredsScript = @"
# Check if appcmd.exe exists
if (Test-Path ('%APPCMD%')) {
# Create data table to house results
$DataTable = New-Object System.Data.DataTable
# Create and name columns in the data table
$Null = $DataTable.Columns.Add('user')
$Null = $DataTable.Columns.Add('pass')
$Null = $DataTable.Columns.Add('type')
$Null = $DataTable.Columns.Add('vdir')
$Null = $DataTable.Columns.Add('apppool')
# Get list of application pools
Invoke-Expression '%APPCMD% list apppools /text:name' | ForEach-Object {
# Get application pool name
$PoolName = $_
# Get username
$PoolUserCmd = '%APPCMD% list apppool ' + $PoolName + ' /text:processmodel.username'
$PoolUser = Invoke-Expression $PoolUserCmd
# Get password
$PoolPasswordCmd = '%APPCMD% list apppool ' + $PoolName + ' /text:processmodel.password'
$PoolPassword = Invoke-Expression $PoolPasswordCmd
# Check if credentials exists
if (($PoolPassword -ne '') -and ($PoolPassword -isnot [system.array])) {
# Add credentials to database
$Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
}
}
# Get list of virtual directories
Invoke-Expression '%APPCMD% list vdir /text:vdir.name' | ForEach-Object {
# Get Virtual Directory Name
$VdirName = $_
# Get username
$VdirUserCmd = '%APPCMD% list vdir ' + $VdirName + ' /text:userName'
$VdirUser = Invoke-Expression $VdirUserCmd
# Get password
$VdirPasswordCmd = '%APPCMD% list vdir ' + $VdirName + ' /text:password'
$VdirPassword = Invoke-Expression $VdirPasswordCmd
# Check if credentials exists
if (($VdirPassword -ne '') -and ($VdirPassword -isnot [system.array])) {
# Add credentials to database
$Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
}
}
# Check if any passwords were found
if( $DataTable.rows.Count -gt 0 ) {
# Display results in list view that can feed into the pipeline
#$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
$DataTable | Select-Object user,pass,type,vdir,apppool
}
else {
# Status user
Write-host 'No application pool or virtual directory passwords were found.'
}
}
";
public static string GetExtractAppCmdCredsPowerShellScript()
{
var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
return ExtractAppCmdCredsScript.Replace("%APPCMD%", appCmdPath);
}
}
}

1
winPEAS/winPEASexe/winPEAS/winPEAS.csproj
View File

@ -476,6 +476,7 @@
<Compile Include="Info\UserInfo\Tenant\JoinType.cs" /> <Compile Include="Info\UserInfo\Tenant\JoinType.cs" />
<Compile Include="Info\UserInfo\Tenant\Tenant.cs" /> <Compile Include="Info\UserInfo\Tenant\Tenant.cs" />
<Compile Include="Info\UserInfo\Tenant\TenantInfo.cs" /> <Compile Include="Info\UserInfo\Tenant\TenantInfo.cs" />
<Compile Include="Info\WindowsCreds\AppCmd\AppCmd.cs" />
<Compile Include="Info\WindowsCreds\RDPClientSettings.cs" /> <Compile Include="Info\WindowsCreds\RDPClientSettings.cs" />
<Compile Include="Info\WindowsCreds\RDPServerSettings.cs" /> <Compile Include="Info\WindowsCreds\RDPServerSettings.cs" />
<Compile Include="Info\WindowsCreds\RDPSettingsInfo.cs" /> <Compile Include="Info\WindowsCreds\RDPSettingsInfo.cs" />