Feature Add, Bug fix

Added 203 regex password options (from yaml regex search).
Updated entry for %userprofile% to $env:UserName
StevenLtheThird 2023-08-07 15:20:01 -04:00
parent b617756f80
commit f296c89300


@ -120,7 +120,7 @@ Function Get-ClipBoardText {
} }
} }
function h {Write-host "##" -ForegroundColor Green} function h { Write-Host "##" -ForegroundColor Green }
" "
((,.,/((((((((((((((((((((/, */ ((,.,/((((((((((((((((((((/, */
@ -608,7 +608,7 @@ Write-Host -ForegroundColor Blue "=========|| RDCMan Settings Check"
if (Test-Path "$env:USERPROFILE\appdata\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings") { if (Test-Path "$env:USERPROFILE\appdata\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings") {
Write-Host "RDCMan Settings Found at: $($env:USERPROFILE)\appdata\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" -ForegroundColor Red Write-Host "RDCMan Settings Found at: $($env:USERPROFILE)\appdata\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" -ForegroundColor Red
} }
else { write-host "No RCDMan.Settings found." } else { Write-Host "No RCDMan.Settings found." }
Write-Host "" Write-Host ""
@ -620,15 +620,15 @@ New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
Get-ChildItem HKU:\ -ErrorAction SilentlyContinue | ForEach-Object { Get-ChildItem HKU:\ -ErrorAction SilentlyContinue | ForEach-Object {
# get the SID from output # get the SID from output
$HKUSID = $_.Name.Replace('HKEY_USERS\', "") $HKUSID = $_.Name.Replace('HKEY_USERS\', "")
if (test-path "registry::HKEY_USERS\$HKUSID\Software\Microsoft\Terminal Server Client\Default") { if (Test-Path "registry::HKEY_USERS\$HKUSID\Software\Microsoft\Terminal Server Client\Default") {
Write-Host "Server Found: $((Get-ItemProperty "registry::HKEY_USERS\$HKUSID\Software\Microsoft\Terminal Server Client\Default" -name MRU0).MRU0)" Write-Host "Server Found: $((Get-ItemProperty "registry::HKEY_USERS\$HKUSID\Software\Microsoft\Terminal Server Client\Default" -Name MRU0).MRU0)"
} }
else { Write-Host "Not found for $($_.Name)" } else { Write-Host "Not found for $($_.Name)" }
} }
Write-Host "HKCU" Write-Host "HKCU"
if (test-path "registry::HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default") { if (Test-Path "registry::HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default") {
write-host "Server Found: $((Get-ItemProperty "registry::HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" -name MRU0).MRU0)" Write-Host "Server Found: $((Get-ItemProperty "registry::HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" -Name MRU0).MRU0)"
} }
else { Write-Host "Terminal Server Client not found in HCKU" } else { Write-Host "Terminal Server Client not found in HCKU" }
@ -641,12 +641,12 @@ if (Test-Path HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions) {
$RegKeyName = Split-Path $_.Name -Leaf $RegKeyName = Split-Path $_.Name -Leaf
Write-Host "Key: $RegKeyName" Write-Host "Key: $RegKeyName"
@("HostName", "PortNumber", "UserName", "PublicKeyFile", "PortForwardings", "ConnectionSharing", "ProxyUsername", "ProxyPassword") | ForEach-Object { @("HostName", "PortNumber", "UserName", "PublicKeyFile", "PortForwardings", "ConnectionSharing", "ProxyUsername", "ProxyPassword") | ForEach-Object {
write-host "$_ :" Write-Host "$_ :"
write-host "$((Get-ItemProperty HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions\$RegKeyName).$_)" Write-Host "$((Get-ItemProperty HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions\$RegKeyName).$_)"
} }
} }
} }
else { write-host "No putty credentials found in HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions" } else { Write-Host "No putty credentials found in HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions" }
Write-Host "" Write-Host ""
@ -655,14 +655,14 @@ Write-Host -ForegroundColor Blue "=========|| SSH Key Checks"
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| If found:" Write-Host -ForegroundColor Blue "=========|| If found:"
Write-host "https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/" -ForegroundColor Yellow Write-Host "https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/" -ForegroundColor Yellow
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Checking Putty SSH KNOWN HOSTS" Write-Host -ForegroundColor Blue "=========|| Checking Putty SSH KNOWN HOSTS"
if (Test-Path HKCU:\Software\SimonTatham\PuTTY\SshHostKeys) { if (Test-Path HKCU:\Software\SimonTatham\PuTTY\SshHostKeys) {
write-host "$((Get-Item -path HKCU:\Software\SimonTatham\PuTTY\SshHostKeys).Property)" Write-Host "$((Get-Item -Path HKCU:\Software\SimonTatham\PuTTY\SshHostKeys).Property)"
} }
else { Write-host "No putty ssh keys found" } else { Write-Host "No putty ssh keys found" }
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
@ -674,19 +674,19 @@ else { Write-Host "No OpenSSH Keys found." }
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Checking for WinVNC Passwords" Write-Host -ForegroundColor Blue "=========|| Checking for WinVNC Passwords"
if ( Test-Path "HKCU:\Software\ORL\WinVNC3\Password") { Write-host " WinVNC found at HKCU:\Software\ORL\WinVNC3\Password" }else { Write-Host "No WinVNC found." } if ( Test-Path "HKCU:\Software\ORL\WinVNC3\Password") { Write-Host " WinVNC found at HKCU:\Software\ORL\WinVNC3\Password" }else { Write-Host "No WinVNC found." }
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Checking for SNMP Passwords" Write-Host -ForegroundColor Blue "=========|| Checking for SNMP Passwords"
if ( Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" ) { Write-host "SNPM Key found at HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" }else { Write-host "No SNPM found." } if ( Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" ) { Write-Host "SNPM Key found at HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" }else { Write-Host "No SNPM found." }
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Checking for TightVNC Passwords" Write-Host -ForegroundColor Blue "=========|| Checking for TightVNC Passwords"
if ( Test-Path "HKCU:\Software\TightVNC\Server") { write-host "TightVNC key found at HKCU:\Software\TightVNC\Server" }else { write-host "No TightVNC found." } if ( Test-Path "HKCU:\Software\TightVNC\Server") { Write-Host "TightVNC key found at HKCU:\Software\TightVNC\Server" }else { Write-Host "No TightVNC found." }
Write-Host "" Write-Host ""
@ -708,7 +708,7 @@ Get-ChildItem HKU:\ -ErrorAction SilentlyContinue | ForEach-Object {
$HKUSID = $_.Name.Replace('HKEY_USERS\', "") $HKUSID = $_.Name.Replace('HKEY_USERS\', "")
$property = (Get-Item "HKU:\$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).Property $property = (Get-Item "HKU:\$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).Property
$HKUSID | ForEach-Object { $HKUSID | ForEach-Object {
if (test-path "HKU:\$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU") { if (Test-Path "HKU:\$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU") {
Write-Host -ForegroundColor Blue "=========||HKU Recently Run Commands" Write-Host -ForegroundColor Blue "=========||HKU Recently Run Commands"
foreach ($p in $property) { foreach ($p in $property) {
Write-Host "$((Get-Item "HKU:\$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"-ErrorAction SilentlyContinue).getValue($p))" Write-Host "$((Get-Item "HKU:\$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"-ErrorAction SilentlyContinue).getValue($p))"
@ -852,7 +852,7 @@ Get-Process | Select-Object Path -Unique | ForEach-Object { Start-ACLCheck -Targ
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| System processes" Write-Host -ForegroundColor Blue "=========|| System processes"
Start-process tasklist -argumentList '/v /fi "username eq system"' -wait -NoNewWindow Start-Process tasklist -ArgumentList '/v /fi "username eq system"' -Wait -NoNewWindow
######################## SERVICES ######################## ######################## SERVICES ########################
@ -885,7 +885,7 @@ UnquotedServicePathCheck
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Checking Service Registry Permissions" Write-Host -ForegroundColor Blue "=========|| Checking Service Registry Permissions"
Write-host "This will take some time." Write-Host "This will take some time."
Get-ChildItem 'HKLM:\System\CurrentControlSet\services\' | ForEach-Object { Get-ChildItem 'HKLM:\System\CurrentControlSet\services\' | ForEach-Object {
$target = $_.Name.Replace("HKEY_LOCAL_MACHINE", "hklm:") $target = $_.Name.Replace("HKEY_LOCAL_MACHINE", "hklm:")
@ -918,7 +918,7 @@ else {
elseif ($a -like "%appdata%*") { $a = $a.replace("%localappdata%", $env:Appdata) } elseif ($a -like "%appdata%*") { $a = $a.replace("%localappdata%", $env:Appdata) }
$a = $a.Replace('"', '') $a = $a.Replace('"', '')
Start-ACLCheck -Target $a Start-ACLCheck -Target $a
Write-host "`n" Write-Host "`n"
Write-Host "TaskName: $($_.TaskName)" Write-Host "TaskName: $($_.TaskName)"
Write-Host "-------------" Write-Host "-------------"
[pscustomobject]@{ [pscustomobject]@{
@ -927,7 +927,7 @@ else {
Status = $_.State Status = $_.State
Command = $_.Actions.execute Command = $_.Actions.execute
Arguments = $_.Actions.Arguments Arguments = $_.Actions.Arguments
} | write-host } | Write-Host
} }
} }
} }
@ -950,7 +950,7 @@ Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privileg
Start-ACLCheck $_ Start-ACLCheck $_
Get-ChildItem -Recurse -Force -Path $_ | ForEach-Object { Get-ChildItem -Recurse -Force -Path $_ | ForEach-Object {
$SubItem = $_.FullName $SubItem = $_.FullName
if (test-path $SubItem) { if (Test-Path $SubItem) {
Start-ACLCheck -Target $SubItem Start-ACLCheck -Target $SubItem
} }
} }
@ -1027,20 +1027,20 @@ Write-Host -ForegroundColor Blue "=========|| IP INFORMATION"
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Ipconfig ALL" Write-Host -ForegroundColor Blue "=========|| Ipconfig ALL"
start-process ipconfig.exe -ArgumentList "/all" -Wait -NoNewWindow Start-Process ipconfig.exe -ArgumentList "/all" -Wait -NoNewWindow
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| DNS Cache" Write-Host -ForegroundColor Blue "=========|| DNS Cache"
ipconfig /displaydns | select-string "Record" | ForEach-Object { Write-Host $('{0}' -f $_) } ipconfig /displaydns | Select-String "Record" | ForEach-Object { Write-Host $('{0}' -f $_) }
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| LISTENING PORTS" Write-Host -ForegroundColor Blue "=========|| LISTENING PORTS"
# running netstat as powershell is too slow to print to console # running netstat as powershell is too slow to print to console
start-process NETSTAT.EXE -argumentList "-ano" -Wait -NoNewWindow Start-Process NETSTAT.EXE -ArgumentList "-ano" -Wait -NoNewWindow
Write-Host "" Write-Host ""
@ -1048,14 +1048,14 @@ if($debug){TimeElapsed}
Write-Host -ForegroundColor Blue "=========|| ARP Table" Write-Host -ForegroundColor Blue "=========|| ARP Table"
# Arp table info # Arp table info
Start-process arp -argumentList "-A" -Wait -NoNewWindow Start-Process arp -ArgumentList "-A" -Wait -NoNewWindow
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Routes" Write-Host -ForegroundColor Blue "=========|| Routes"
# Route info # Route info
start-process route -argumentList "print" -Wait -NoNewWindow Start-Process route -ArgumentList "print" -Wait -NoNewWindow
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
@ -1063,13 +1063,13 @@ Write-Host -ForegroundColor Blue "=========|| Network Adapter info"
# Network Adapter info # Network Adapter info
Get-NetAdapter | ForEach-Object { Get-NetAdapter | ForEach-Object {
write-host "----------" Write-Host "----------"
write-host $_.Name Write-Host $_.Name
write-host $_.InterfaceDescription Write-Host $_.InterfaceDescription
write-host $_.ifIndex Write-Host $_.ifIndex
write-host $_.Status Write-Host $_.Status
write-host $_.MacAddress Write-Host $_.MacAddress
write-host "----------" Write-Host "----------"
} }
@ -1113,11 +1113,11 @@ Write-Host "== || Generating List of all Administrators, Users and Backup Operat
@("ADMINISTRATORS", "USERS") | ForEach-Object { @("ADMINISTRATORS", "USERS") | ForEach-Object {
Write-Host $_ Write-Host $_
Write-Host "-------" Write-Host "-------"
Start-process net -ArgumentList "localgroup $_" -Wait -NoNewWindow Start-Process net -ArgumentList "localgroup $_" -Wait -NoNewWindow
} }
Write-Host "BACKUP OPERATORS" Write-Host "BACKUP OPERATORS"
Write-Host "-------" Write-Host "-------"
start-process net -ArgumentList 'localgroup "Backup Operators"' -wait -NoNewWindow Start-Process net -ArgumentList 'localgroup "Backup Operators"' -Wait -NoNewWindow
Write-Host "" Write-Host ""
@ -1138,7 +1138,7 @@ if($debug){TimeElapsed}
Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens" -ForegroundColor yellow Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens" -ForegroundColor yellow
Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege" Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege"
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups" -ForegroundColor Yellow Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups" -ForegroundColor Yellow
start-process whoami.exe -ArgumentList "/all" -wait -NoNewWindow Start-Process whoami.exe -ArgumentList "/all" -Wait -NoNewWindow
Write-Host "" Write-Host ""
@ -1245,14 +1245,14 @@ $appdataRoaming = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\"
$appdataLocal = "C:\Users\$env:USERNAME\AppData\Local\Microsoft\" $appdataLocal = "C:\Users\$env:USERNAME\AppData\Local\Microsoft\"
if ( Test-Path "$appdataRoaming\Protect\") { if ( Test-Path "$appdataRoaming\Protect\") {
Write-Host "found: $appdataRoaming\Protect\" Write-Host "found: $appdataRoaming\Protect\"
Get-ChildItem -Path "$appdataRoaming\Protect\" -Force | foreach-object { Get-ChildItem -Path "$appdataRoaming\Protect\" -Force | ForEach-Object {
Write-Host $_.FullName Write-Host $_.FullName
} }
} }
if ( Test-Path "$appdataLocal\Protect\") { if ( Test-Path "$appdataLocal\Protect\") {
Write-Host "found: $appdataLocal\Protect\" Write-Host "found: $appdataLocal\Protect\"
Get-ChildItem -Path "$appdataLocal\Protect\" -Force | foreach-object { Get-ChildItem -Path "$appdataLocal\Protect\" -Force | ForEach-Object {
write-host $_.FullName Write-Host $_.FullName
} }
} }
@ -1354,7 +1354,8 @@ Write-Host "if credentials are found in the recycle bin, tool from nirsoft may a
Write-Host -ForegroundColor Blue "=========|| Registry Password Check" Write-Host -ForegroundColor Blue "=========|| Registry Password Check"
# Looking through the entire registry for passwords # Looking through the entire registry for passwords
Write-host "This will take some time. Won't you have a pepsi?" Write-Host "Checking over 200 different password regex types."
Write-Host "This will take some time. Won't you have a pepsi?"
$regPath = @("registry::\HKEY_CURRENT_USER\", "registry::\HKEY_LOCAL_MACHINE\") $regPath = @("registry::\HKEY_CURRENT_USER\", "registry::\HKEY_LOCAL_MACHINE\")
# Search for the string in registry values and properties # Search for the string in registry values and properties
foreach ($r in $regPath) { foreach ($r in $regPath) {
@ -1363,14 +1364,16 @@ foreach ($r in $regPath) {
$Name = $_.Name $Name = $_.Name
$property | ForEach-Object { $property | ForEach-Object {
$Prop = $_ $Prop = $_
foreach ($r in $regexSearch) { $regexSearch.keys | ForEach-Object {
if ($Prop | Where-Object { $_ -like $r }) { $value = $regexSearch[$_]
"Found: $Name\$Prop" if ($Prop | Where-Object { $_ -like $value }) {
Write-Host "Possible Password Found: $Name\$Prop"
Write-Host "Key: $_" -ForegroundColor Red
} }
$Prop | ForEach-Object { $Prop | ForEach-Object {
$Value = (Get-ItemProperty "registry::$Name").$_ $propValue = (Get-ItemProperty "registry::$Name").$_
if ($Value | Where-Object { $_ -like $r }) { if ($propValue | Where-Object { $_ -like $Value }) {
Write-Host "Found: $name\$_ $Value" Write-Host "Possible Password Found: $name\$_ $propValue"
} }
} }
} }
@ -1382,10 +1385,10 @@ foreach ($r in $regPath) {
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Password Check" Write-Host -ForegroundColor Blue "=========|| Password Check in Files"
# Looking through the entire computer for passwords # Looking through the entire computer for passwords
$Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" } $Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
$fileExtensions = @("*.xml", "*.txt", "*.conf*", "*.ini", ".y*ml", "*.log", "*.bak") $fileExtensions = @("*.xml", "*.txt", "*.conf","*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
Write-Host "" Write-Host ""
if ($debug) { TimeElapsed } if ($debug) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea." Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea."
@ -1399,12 +1402,12 @@ $Drives.Root | ForEach-Object {
Write-Host "Possible MCaffee Site List Found: $($_.FullName)" Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
} }
foreach ($r in $regexSearch) { $regexSearch.keys | ForEach-Object {
$password = Get-Content $_.FullName -ErrorAction SilentlyContinue | Select-String $r $password = Get-Content $path.FullName -ErrorAction SilentlyContinue | Select-String $regexSearch[$_]
if ($password) { if ($password) {
Write-Host "Possible Password found: " Write-Host "Possible Password found: $_" -ForegroundColor Yellow
Write-Host $Path.FullName Write-Host $Path.FullName
Write-Host $password Write-Host $password -ForegroundColor Red
} }
} }
} }
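Review bot: In the Registry Password Check hunk (the `$regexSearch.keys | ForEach-Object` block under `@ -1363`), each pattern is applied with `-like` to both the property name and the property value, but `-like` is a wildcard comparison, so a regular expression of the kind this commit says it adds only hits when the string literally equals the pattern; the file check a few hunks later feeds the same table to `Select-String`, which is regex, so the two checks disagree. Assuming the YAML-derived patterns are regexes, both tests should become `if ($Prop -match $value) {` and `if ($propValue -match $value) {` with the `| Where-Object` wrappers dropped. Separately, `Get-ItemProperty "registry::$Name"` is re-read for every property for every one of the 200+ patterns; reading it once per key before the `$regexSearch.keys` loop (`$props = Get-ItemProperty "registry::$Name"`) would remove most of the runtime the new "This will take some time" message warns about. The enclosing `foreach ($r in $regPath)` loop starts before this hunk. In the adjacent file-check hunk, `$fileExtensions` still carries `".y*ml"` without a leading `*`, so YAML files, a common home for credentials, are never scanned; `"*.y*ml"` appears to be what was intended.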