Merge branch 'master' of https://github.com/RandolphConley/PEASS-ng

linPEAS/README.md

@@ -95,7 +95,7 @@ By default linpeas takes around **4 mins** to complete, but It could take from *
 **Interesting parameters:**
 - **-a** (all checks except regex) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.**
 - **-e** (extra enumeration) - This will execute **enumeration checkes that are avoided by default**
-- **-r** (regex checks) - This will search for **hundreds of API keys of different platforms in the silesystem**
+- **-r** (regex checks) - This will search for **hundreds of API keys of different platforms in the Filesystem**
 - **-s** (superfast & stealth) - This will bypass some time consuming checks - **Stealth mode** (Nothing will be written to disk)
 - **-P** (Password) - Pass a password that will be used with `sudo -l` and bruteforcing other users
 - **-D** (Debug) - Print information about the checks that haven't discovered anything and about the time each check took

linPEAS/builder/linpeas_parts/1_system_information.sh

@@ -99,3 +99,145 @@ if [ "$(command -v smbutil)" ] || [ "$DEBUG" ]; then
     warn_exec smbutil statshares -a
     echo ""
 fi
+
+#-- SY) Environment vars
+print_2title "Environment"
+print_info "Any private information inside environment variables?"
+(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_KUBERNETES" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
+echo ""
+
+#-- SY) Dmesg
+if [ "$(command -v dmesg 2>/dev/null)" ] || [ "$DEBUG" ]; then
+    print_2title "Searching Signature verification failed in dmesg"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed"
+    (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
+    echo ""
+fi
+
+#-- SY) Kernel extensions
+if [ "$MACPEAS" ]; then
+    print_2title "Kernel Extensions not belonging to apple"
+    kextstat 2>/dev/null | grep -Ev " com.apple."
+
+    print_2title "Unsigned Kernel Extensions"
+    macosNotSigned /Library/Extensions
+    macosNotSigned /System/Library/Extensions
+fi
+
+if [ "$(command -v bash 2>/dev/null)" ]; then
+    print_2title "Executing Linux Exploit Suggester"
+    print_info "https://github.com/mzet-/linux-exploit-suggester"
+    les_b64="peass{LES}"
+    echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,\[CVE-[0-9]+-[0-9]+\].*,${SED_RED},g"
+    echo ""
+fi
+
+if [ "$(command -v perl 2>/dev/null)" ]; then
+    print_2title "Executing Linux Exploit Suggester 2"
+    print_info "https://github.com/jondonas/linux-exploit-suggester-2"
+    les2_b64="peass{LES2}"
+    echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
+    echo ""
+fi
+
+if [ "$MACPEAS" ] && [ "$(command -v brew 2>/dev/null)" ]; then
+    print_2title "Brew Doctor Suggestions"
+    brew doctor
+    echo ""
+fi
+
+
+
+#-- SY) AppArmor
+print_2title "Protections"
+print_list "AppArmor enabled? .............. "$NC
+if [ "$(command -v aa-status 2>/dev/null)" ]; then
+    aa-status 2>&1 | sed "s,disabled,${SED_RED},"
+elif [ "$(command -v apparmor_status 2>/dev/null)" ]; then
+    apparmor_status 2>&1 | sed "s,disabled,${SED_RED},"
+elif [ "$(ls -d /etc/apparmor* 2>/dev/null)" ]; then
+    ls -d /etc/apparmor*
+else
+    echo_not_found "AppArmor"
+fi
+
+#-- SY) AppArmor2
+print_list "AppArmor profile? .............. "$NC
+(cat /proc/self/attr/current 2>/dev/null || echo "unconfined") | sed "s,unconfined,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
+
+#-- SY) LinuxONE
+print_list "is linuxONE? ................... "$NC
+( (uname -a | grep "s390x" >/dev/null 2>&1) && echo "Yes" || echo_not_found "s390x")
+
+#-- SY) grsecurity
+print_list "grsecurity present? ............ "$NC
+( (uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo_not_found "grsecurity")
+
+#-- SY) PaX
+print_list "PaX bins present? .............. "$NC
+(command -v paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo_not_found "PaX")
+
+#-- SY) Execshield
+print_list "Execshield enabled? ............ "$NC
+(grep "exec-shield" /etc/sysctl.conf 2>/dev/null || echo_not_found "Execshield") | sed "s,=0,${SED_RED},"
+
+#-- SY) SElinux
+print_list "SELinux enabled? ............... "$NC
+(sestatus 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
+
+#-- SY) Seccomp
+print_list "Seccomp enabled? ............... "$NC
+([ "$(grep Seccomp /proc/self/status 2>/dev/null | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+
+#-- SY) AppArmor
+print_list "User namespace? ................ "$NC
+if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
+
+#-- SY) cgroup2
+print_list "Cgroup2 enabled? ............... "$NC
+([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+
+#-- SY) Gatekeeper
+if [ "$MACPEAS" ]; then
+    print_list "Gatekeeper enabled? .......... "$NC
+    (spctl --status 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
+
+    print_list "sleepimage encrypted? ........ "$NC
+    (sysctl vm.swapusage | grep "encrypted" | sed "s,encrypted,${SED_GREEN},") || echo_no
+
+    print_list "XProtect? .................... "$NC
+    (system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5 | grep -Iv "^$") || echo_no
+
+    print_list "SIP enabled? ................. "$NC
+    csrutil status | sed "s,enabled,${SED_GREEN}," | sed "s,disabled,${SED_RED}," || echo_no
+
+    print_list "Connected to JAMF? ........... "$NC
+    warn_exec jamf checkJSSConnection
+
+    print_list "Connected to AD? ............. "$NC
+    dsconfigad -show && echo "" || echo_no
+fi
+
+#-- SY) ASLR
+print_list "Is ASLR enabled? ............... "$NC
+ASLR=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)
+if [ -z "$ASLR" ]; then
+    echo_not_found "/proc/sys/kernel/randomize_va_space";
+else
+    if [ "$ASLR" -eq "0" ]; then printf $RED"No"$NC; else printf $GREEN"Yes"$NC; fi
+    echo ""
+fi
+
+#-- SY) Printer
+print_list "Printer? ....................... "$NC
+(lpstat -a || system_profiler SPPrintersDataType || echo_no) 2>/dev/null
+
+#-- SY) Running in a virtual environment
+print_list "Is this a virtual machine? ..... "$NC
+hypervisorflag=$(grep flags /proc/cpuinfo 2>/dev/null | grep hypervisor)
+if [ "$(command -v systemd-detect-virt 2>/dev/null)" ]; then
+    detectedvirt=$(systemd-detect-virt)
+    if [ "$hypervisorflag" ]; then printf $RED"Yes ($detectedvirt)"$NC; else printf $GREEN"No"$NC; fi
+else
+    if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
+fi

winPEAS/winPEASexe/Tests/SmokeTests.cs

@@ -12,7 +12,7 @@ namespace winPEAS.Tests
             try
             {
                 string[] args = new string[] {
-                    "systeminfo", "servicesinfo", "processinfo", "applicationsinfo", "browserinfo", "debug"
+                    "systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "debug"
                 };
                 Program.Main(args);
             }

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

@@ -68,6 +68,8 @@ namespace winPEAS.Checks
         {
             //Check parameters
             bool isAllChecks = true;
+            bool isFileSearchEnabled = false;
+            var searchEnabledChecks = new HashSet<string>() { "fileanalysis, filesinfo" };
             bool wait = false;
             FileStream fileStream = null;
             StreamWriter fileWriter = null;
@@ -202,9 +204,19 @@ namespace winPEAS.Checks
                 {
                     _systemCheckSelectedKeysHashSet.Add(argToLower);
                     isAllChecks = false;
+
+                    if (searchEnabledChecks.Contains(argToLower))
+                    {
+                        isFileSearchEnabled = true;
+                    }
                 }
             }
 
+            if (isAllChecks)
+            {
+                isFileSearchEnabled = true;
+            }
+
             try
             {
                 CheckRunner.Run(() =>
@@ -223,7 +235,7 @@ namespace winPEAS.Checks
 
                     Beaprint.PrintInit();
 
-                    CheckRunner.Run(CreateDynamicLists, IsDebug);
+                    CheckRunner.Run(() => CreateDynamicLists(isFileSearchEnabled), IsDebug);
 
                     RunChecks(isAllChecks, wait);
 
@@ -264,7 +276,7 @@ namespace winPEAS.Checks
             }
         }
 
-        private static void CreateDynamicLists()
+        private static void CreateDynamicLists(bool isFileSearchEnabled)
         {
             Beaprint.GrayPrint("   Creating Dynamic lists, this could take a while, please wait...");
 
@@ -395,14 +407,22 @@ namespace winPEAS.Checks
             }
 
             //create the file lists
-            try
+            // only if we are running all checks or systeminfo / fileanalysis
+            Beaprint.GrayPrint("   - Creating files/directories list for search...");
+            if (isFileSearchEnabled)
             {
-                Beaprint.GrayPrint("   - Creating files/directories list for search...");
+                try
-                SearchHelper.CreateSearchDirectoriesList();
+                {
+                    SearchHelper.CreateSearchDirectoriesList();
+                }
+                catch (Exception ex)
+                {
+                    Beaprint.GrayPrint("Error while creating directory list: " + ex);
+                }
             }
-            catch (Exception ex)
+            else
             {
-                Beaprint.GrayPrint("Error while creating directory list: " + ex);
+                Beaprint.GrayPrint("        [skipped, file search is disabled]");
             }
         }
 

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -82,7 +82,7 @@ namespace winPEAS.Helpers
        |                             {1}Do you like PEASS?{0}                                  |
        |---------------------------------------------------------------------------------| 
        |         {3}Get the latest version{0}    :     {2}https://github.com/sponsors/carlospolop{0} |
-       |         {3}Follow on Twitter{0}         :     {2}@hacktricks_live{0}                           |
+       |         {3}Follow on Twitter{0}         :     {2}@hacktricks_live{0}                        |
        |         {3}Respect on HTB{0}            :     {2}SirBroccoli            {0}                 |
        |---------------------------------------------------------------------------------|
        |                                 {1}Thank you!{0}                                      |