darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix IE Bug, Browser Consistency.

Browse Source
This commit is contained in:
godylockz 2022-12-23 00:45:05 -05:00
parent e29c9e88d5
commit e5b9b67786
3 changed files with 80 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs
View File

@ -1,6 +1,7 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web.Script.Serialization;
using winPEAS.Checks;
@ -27,7 +28,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
{
Beaprint.MainPrint("Looking for Chrome DBs");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
Dictionary<string, string> chromeDBs = Chrome.GetChromeDbs();
Dictionary<string, string> chromeDBs = GetChromeDbs();
if (chromeDBs.ContainsKey("userChromeCookiesPath"))
{
@ -59,7 +60,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
{
Beaprint.MainPrint("Looking for GET credentials in Chrome history");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
Dictionary<string, List<string>> chromeHistBook = Chrome.GetChromeHistBook();
Dictionary<string, List<string>> chromeHistBook = GetChromeHistBook();
List<string> history = chromeHistBook["history"];
List<string> bookmarks = chromeHistBook["bookmarks"];
@ -77,8 +78,11 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
Beaprint.AnsiPrint(" " + url, colorsB);
}
}
Console.WriteLine();
int limit = 50;
Beaprint.MainPrint($"Chrome history -- limit {limit}\n");
Beaprint.ListPrint(history.Take(limit).ToList());
}
else
{
@ -130,14 +134,14 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
else
{
string userChromeCookiesPath =
$"{System.Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies";
$"{Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies";
if (File.Exists(userChromeCookiesPath))
{
results["userChromeCookiesPath"] = userChromeCookiesPath;
}
string userChromeLoginDataPath =
$"{System.Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data";
$"{Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data";
if (File.Exists(userChromeLoginDataPath))
{
results["userChromeLoginDataPath"] = userChromeLoginDataPath;
@ -156,7 +160,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
List<string> results = new List<string>();
// parses a Chrome history file via regex
if (System.IO.File.Exists(path))
if (File.Exists(path))
{
Regex historyRegex = new Regex(@"(http|ftp|https|file)://([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-])?");
@ -217,10 +221,10 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
}
else
{
string userChromeHistoryPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", System.Environment.GetEnvironmentVariable("USERPROFILE"));
string userChromeHistoryPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", Environment.GetEnvironmentVariable("USERPROFILE"));
results["history"] = ParseChromeHistory(userChromeHistoryPath);
string userChromeBookmarkPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks", System.Environment.GetEnvironmentVariable("USERPROFILE"));
string userChromeBookmarkPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks", Environment.GetEnvironmentVariable("USERPROFILE"));
results["bookmarks"] = ParseChromeBookmarks(userChromeBookmarkPath);
}
@ -241,7 +245,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
{
try
{
string contents = System.IO.File.ReadAllText(path);
string contents = File.ReadAllText(path);
// reference: http://www.tomasvera.com/programming/using-javascriptserializer-to-parse-json-objects/
JavaScriptSerializer json = new JavaScriptSerializer();

58
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
View File

@ -4,11 +4,11 @@ using System.Data;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web.Script.Serialization;
using winPEAS._3rdParty.SQLite;
using winPEAS.Checks;
using winPEAS.Helpers;
using winPEAS.KnownFileCreds.Browsers.Models;
using winPEAS._3rdParty.SQLite;
using System.Web.Script.Serialization;
namespace winPEAS.KnownFileCreds.Browsers.Firefox
{
@ -29,7 +29,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
{
Beaprint.MainPrint("Looking for Firefox DBs");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
List<string> firefoxDBs = Firefox.GetFirefoxDbs();
List<string> firefoxDBs = GetFirefoxDbs();
if (firefoxDBs.Count > 0)
{
foreach (string firefoxDB in firefoxDBs) //No Beaprints because line needs red
@ -56,21 +56,26 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
{
Beaprint.MainPrint("Looking for GET credentials in Firefox history");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
List<string> firefoxHist = Firefox.GetFirefoxHistory();
if (firefoxHist.Count > 0)
List<string> history = GetFirefoxHistory();
if (history.Count > 0)
{
Dictionary<string, string> colorsB = new Dictionary<string, string>()
{
{ Globals.PrintCredStrings, Beaprint.ansi_color_bad },
};
foreach (string url in firefoxHist)
foreach (string url in history)
{
if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex))
{
Beaprint.AnsiPrint(" " + url, colorsB);
}
}
Console.WriteLine();
int limit = 50;
Beaprint.MainPrint($"Firefox history -- limit {limit}\n");
Beaprint.ListPrint(history.Take(limit).ToList());
}
else
{
@ -101,7 +106,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{
string userFirefoxBasePath = $"{dir}\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\";
if (System.IO.Directory.Exists(userFirefoxBasePath))
if (Directory.Exists(userFirefoxBasePath))
{
var directories = Directory.EnumerateDirectories(userFirefoxBasePath);
foreach (string directory in directories)
@ -249,25 +254,28 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
foreach (string dir in dirs)
{
string[] files = Directory.EnumerateFiles(dir, "signons.sqlite").ToArray();
if (files.Length > 0)
if (Directory.Exists(dir))
{
signonsFile = files[0];
signonsFound = true;
}
string[] files = Directory.EnumerateFiles(dir, "signons.sqlite").ToArray();
if (files.Length > 0)
{
signonsFile = files[0];
signonsFound = true;
}
// find &quot;logins.json"file
files = Directory.EnumerateFiles(dir, "logins.json").ToArray();
if (files.Length > 0)
{
loginsFile = files[0];
loginsFound = true;
}
// find &quot;logins.json"file
files = Directory.EnumerateFiles(dir, "logins.json").ToArray();
if (files.Length > 0)
{
loginsFile = files[0];
loginsFound = true;
}
if (loginsFound || signonsFound)
{
FFDecryptor.NSS_Init(dir);
break;
if (loginsFound || signonsFound)
{
FFDecryptor.NSS_Init(dir);
break;
}
}
}
@ -313,8 +321,8 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
foreach (Browsers.Firefox.LoginData loginData in ffLoginData.logins)
{
string username = Browsers.Firefox.FFDecryptor.Decrypt(loginData.encryptedUsername);
string password = Browsers.Firefox.FFDecryptor.Decrypt(loginData.encryptedPassword);
string username = FFDecryptor.Decrypt(loginData.encryptedUsername);
string password = FFDecryptor.Decrypt(loginData.encryptedPassword);
logins.Add(new CredentialModel
{
Username = username,

63
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs
View File

@ -1,11 +1,11 @@
using System;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;
using Microsoft.Win32;
using winPEAS.Checks;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
@ -30,7 +30,7 @@ namespace winPEAS.KnownFileCreds.Browsers
{
Beaprint.MainPrint("Current IE tabs");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
List<string> urls = InternetExplorer.GetCurrentIETabs();
List<string> urls = GetCurrentIETabs();
Dictionary<string, string> colorsB = new Dictionary<string, string>()
{
@ -51,9 +51,9 @@ namespace winPEAS.KnownFileCreds.Browsers
{
Beaprint.MainPrint("Looking for GET credentials in IE history");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
Dictionary<string, List<string>> chromeHistBook = InternetExplorer.GetIEHistFav();
List<string> history = chromeHistBook["history"];
List<string> favorites = chromeHistBook["favorites"];
Dictionary<string, List<string>> ieHistoryBook = GetIEHistFav();
List<string> history = ieHistoryBook["history"];
List<string> favorites = ieHistoryBook["favorites"];
if (history.Count > 0)
{
@ -69,8 +69,15 @@ namespace winPEAS.KnownFileCreds.Browsers
Beaprint.AnsiPrint(" " + url, colorsB);
}
}
Console.WriteLine();
int limit = 50;
Beaprint.MainPrint($"IE history -- limit {limit}\n");
Beaprint.ListPrint(history.Take(limit).ToList());
}
else
{
Beaprint.NotFoundPrint();
}
Beaprint.MainPrint("IE favorites");
@ -91,7 +98,7 @@ namespace winPEAS.KnownFileCreds.Browsers
{ "favorites", new List<string>() },
};
DateTime startTime = System.DateTime.Now.AddDays(-lastDays);
DateTime startTime = DateTime.Now.AddDays(-lastDays);
try
{
@ -167,39 +174,31 @@ namespace winPEAS.KnownFileCreds.Browsers
{
foreach (KeyValuePair<string, object> kvp in settings)
{
byte[] timeBytes = RegistryHelper.GetRegValueBytes("HKCU", "SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime", kvp.Key.ToString().Trim());
if (timeBytes != null)
{
long timeLong = (long)(BitConverter.ToInt64(timeBytes, 0));
DateTime urlTime = DateTime.FromFileTime(timeLong);
if (urlTime > startTime)
{
results["history"].Add(kvp.Value.ToString().Trim());
}
}
results["history"].Add(kvp.Value.ToString().Trim());
}
}
string userIEBookmarkPath = string.Format("{0}\\Favorites\\", System.Environment.GetEnvironmentVariable("USERPROFILE"));
string[] bookmarkPaths = Directory.EnumerateFiles(userIEBookmarkPath, "*.url", SearchOption.AllDirectories).ToArray();
foreach (string bookmarkPath in bookmarkPaths)
string userIEBookmarkPath = string.Format("{0}\\Favorites\\", Environment.GetEnvironmentVariable("USERPROFILE"));
if (Directory.Exists(userIEBookmarkPath))
{
using (StreamReader rdr = new StreamReader(bookmarkPath))
string[] bookmarkPaths = Directory.EnumerateFiles(userIEBookmarkPath, "*.url", SearchOption.AllDirectories).ToArray();
foreach (string bookmarkPath in bookmarkPaths)
{
string line;
string url = "";
while ((line = rdr.ReadLine()) != null)
using (StreamReader rdr = new StreamReader(bookmarkPath))
{
if (line.StartsWith("URL=", StringComparison.InvariantCultureIgnoreCase))
string line;
string url = "";
while ((line = rdr.ReadLine()) != null)
{
if (line.Length > 4)
url = line.Substring(4);
break;
if (line.StartsWith("URL=", StringComparison.InvariantCultureIgnoreCase))
{
if (line.Length > 4)
url = line.Substring(4);
break;
}
}
results["favorites"].Add(url.ToString().Trim());
}
results["favorites"].Add(url.ToString().Trim());
}
}
}