diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs index dbab372..c539963 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs @@ -131,6 +131,7 @@ namespace winPEAS.Checks PrintUserCredsFiles, PrintOracleSQLDeveloperConfigFiles, Slack.PrintInfo, + PrintLOLBAS, PrintOutlookDownloads, PrintMachineAndUserCertificateFiles, PrintUsersInterestingFiles, @@ -976,5 +977,50 @@ namespace winPEAS.Checks { } } + + private static void PrintLOLBAS() + { + try + { + Beaprint.MainPrint("Looking for LOL Binaries and Scripts (can be slow)"); + Beaprint.LinkPrint("https://lolbas-project.github.io/"); + + var systemDrive = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\"; + + string rootUsersSearchPath = $"{systemDrive}\\users"; + string documentsAndSettings = $"{systemDrive}\\documents and settings"; + + var excludedDirs = new HashSet() + { + @"c:\esupport", + @"c:\perflogs", + @"c:\programdata", + @"c:\program files (x86)", + @"c:\program files", + //@"c:\windows", + //@"c:\windows.old", + rootUsersSearchPath, + documentsAndSettings + }; + + var files = SearchHelper.GetFilesFast(systemDrive, "*", excludedDirs); + + files.AddRange(SearchHelper.RootDirUsers); + files.AddRange(SearchHelper.DocumentsAndSettings); + files.AddRange(SearchHelper.ProgramFiles); + files.AddRange(SearchHelper.ProgramFilesX86); + + foreach (var file in files) + { + if (LOLBAS.FileWithExtension.Contains(file.Filename.ToLower())) + { + Beaprint.BadPrint($" {file.FullPath}"); + } + } + } + catch (Exception ex) + { + } + } } } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs index e981d10..7e3710c 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs 
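Review bot: `rootUsersSearchPath` and `documentsAndSettings` get a doubled separator in PrintLOLBAS: `systemDrive` already ends in a backslash (`$"{...}\\"`) and the two paths append `\\users` / `\\documents and settings` on top, giving `C:\\users`; whether that still matches what GetFilesFast excludes depends on its comparison, which is outside this diff, so drop the extra `\\` there. The rest of `excludedDirs` is hard-coded to `c:\...` instead of being derived from `systemDrive`, so on a host whose SystemDrive is not `C:` none of those exclusions apply. With `c:\windows` commented out of the exclusions, every stock copy of cmd.exe, rundll32.exe, certutil.exe and the like under System32, SysWOW64 and WinSxS will presumably be listed, which makes the output very long and buries copies that sit in unusual locations; either re-enable the Windows exclusion or skip matches whose directory is the Windows directory. `catch (Exception ex) { }` discards the failure entirely; the checks in WindowsCreds.cs in this same diff report it with `Beaprint.PrintException(ex.Message);`, and the same empty catch appears in PrintInternetSettings, PrintNtlmSettings, PrintPowerShellSessionSettings and PrintRDPSettings.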
@@ -8,6 +8,7 @@ using winPEAS.Helpers; using winPEAS.Helpers.Extensions; using winPEAS.Info.NetworkInfo; using winPEAS.Info.NetworkInfo.Enums; +using winPEAS.Info.NetworkInfo.InternetSettings; namespace winPEAS.Checks { @@ -35,6 +36,7 @@ namespace winPEAS.Checks PrintListeningPorts, PrintFirewallRules, PrintDNSCache, + PrintInternetSettings, }.ForEach(action => CheckRunner.Run(action, isDebug)); } @@ -366,5 +368,55 @@ namespace winPEAS.Checks { } } + + private static void PrintInternetSettings() + { + try + { + Beaprint.MainPrint("Enumerating Internet settings, zone and proxy configuration"); + + var info = InternetSettings.GetInternetSettingsInfo(); + + Beaprint.ColorPrint(" General Settings", Beaprint.LBLUE); + Beaprint.NoColorPrint($" {"Hive",-10} {"Key",-40} {"Value"}"); + + foreach (var i in info.GeneralSettings) + { + Beaprint.NoColorPrint($" {i.Hive,-10} {i.ValueName,-40} {i.Value}"); + } + + Beaprint.ColorPrint("\n Zone Maps", Beaprint.LBLUE); + + if (info.ZoneMaps.Count == 0) + { + Beaprint.NoColorPrint(" No URLs configured"); + } + else + { + Beaprint.NoColorPrint($" {"Hive",-10} {"Value Name",-40} {"Interpretation"}"); + + foreach (var i in info.ZoneMaps) + { + Beaprint.NoColorPrint($" {i.Hive,-10} {i.ValueName,-40} {i.Interpretation}"); + } + } + + Beaprint.ColorPrint("\n Zone Auth Settings", Beaprint.LBLUE); + if (info.ZoneAuthSettings.Count == 0) + { + Beaprint.NoColorPrint(" No Zone Auth Settings"); + } + else + { + foreach (var i in info.ZoneAuthSettings) + { + Beaprint.NoColorPrint($" {i.Interpretation}"); + } + } + } + catch (Exception ex) + { + } + } } } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs index d5ada44..959a815 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs 
@@ -18,6 +18,9 @@ using winPEAS.Info.SystemInfo.AuditPolicies; using winPEAS.Info.SystemInfo.DotNet; using winPEAS.Info.SystemInfo.GroupPolicy; using winPEAS.Info.SystemInfo.WindowsDefender; +using winPEAS.Info.SystemInfo.PowerShell; +using winPEAS.Info.SystemInfo.Ntlm; +using winPEAS.Native.Enums; namespace winPEAS.Checks { @@ -70,13 +73,14 @@ namespace winPEAS.Checks PrintWindowsDefenderInfo, PrintUACInfo, PrintPSInfo, + PrintPowerShellSessionSettings, PrintTranscriptPS, PrintInetInfo, PrintDrivesInfo, PrintWSUS, PrintAlwaysInstallElevated, PrintLSAInfo, - PrintLsaCompatiblityLevel, + PrintNtlmSettings, PrintLocalGroupPolicy, AppLockerHelper.PrintAppLockerPolicy, PrintPrintersWMIInfo, 
@@ -612,51 +616,75 @@ namespace winPEAS.Checks } } - private void PrintLsaCompatiblityLevel() + private static void PrintNtlmSettings() { - string hive = "HKLM"; - string path = "SYSTEM\\CurrentControlSet\\Control\\Lsa\\"; - string key = "LmCompatibilityLevel"; - - Beaprint.MainPrint($"Checking {hive}\\{path}{key}"); + Beaprint.MainPrint($"Enumerating NTLM Settings"); try { - string lmCompatibilityLevelValue = RegistryHelper.GetRegValue(hive, path, key); - Dictionary dict = new Dictionary() + var info = Ntlm.GetNtlmSettingsInfo(); + + string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel == 5 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad; + Beaprint.ColorPrint($" LanmanCompatibilityLevel : {info.LanmanCompatibilityLevel} ({info.LanmanCompatibilityLevelString})\n", lmCompatibilityLevelColor); + + var ntlmSettingsColors = new Dictionary { - { 0, "Send LM & NTLM responses" }, - { 1, "Send LM & NTLM responses, use NTLMv2 session security if negotiated" }, - { 2, "Send NTLM response only" }, - { 3, "Send NTLMv2 response only" }, - { 4, "Send NTLMv2 response only, refuse LM" }, - { 5, "Send NTLMv2 response only, refuse LM & NTLM" }, + { "True", Beaprint.ansi_color_good }, + { "False", Beaprint.ansi_color_bad }, + { "No signing", Beaprint.ansi_color_bad}, + { "null", Beaprint.ansi_color_bad}, + { "Require Signing", Beaprint.ansi_color_good}, + { "Negotiate signing", Beaprint.ansi_color_yellow}, + { "Unknown", Beaprint.ansi_color_bad}, }; - if (!string.IsNullOrEmpty(lmCompatibilityLevelValue)) - { - if (int.TryParse(lmCompatibilityLevelValue, out int lmCompatibilityLevel)) - { - string color = lmCompatibilityLevel == 5 ? 
Beaprint.ansi_color_good : Beaprint.ansi_color_bad; + Beaprint.ColorPrint("\n NTLM Signing Settings", Beaprint.LBLUE); + Beaprint.AnsiPrint($" ClientRequireSigning : {info.ClientRequireSigning}\n" + + $" ClientNegotiateSigning : {info.ClientNegotiateSigning}\n" + + $" ServerRequireSigning : {info.ServerRequireSigning}\n" + + $" ServerNegotiateSigning : {info.ServerNegotiateSigning}\n" + + $" LdapSigning : {(info.LdapSigning != null ? info.LdapSigningString : "null")} ({info.LdapSigningString})", + ntlmSettingsColors); - if (dict.TryGetValue(lmCompatibilityLevel, out string description)) - { - Beaprint.ColorPrint($" value: {lmCompatibilityLevel}, description: {description}", color); - } - else - { - throw new Exception($"Unable to get value description for value '{lmCompatibilityLevel}'"); - } - } - else - { - throw new Exception($"Unable to parse {key} value '{lmCompatibilityLevelValue}'"); - } - } - else + Beaprint.ColorPrint("\n Session Security", Beaprint.LBLUE); + + if (info.NTLMMinClientSec != null) { - Beaprint.ColorPrint(" The registry key does not exist", Beaprint.ansi_color_yellow); + var clientSessionSecurity = (SessionSecurity)info.NTLMMinClientSec; + var clientSessionSecurityDescription = clientSessionSecurity.GetDescription(); + var color = !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !clientSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ? + Beaprint.ansi_color_bad : + Beaprint.ansi_color_good; + Beaprint.ColorPrint($" NTLMMinClientSec : {info.NTLMMinClientSec} ({clientSessionSecurityDescription})", color); + + if (info.LanmanCompatibilityLevel < 3 && !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2)) + { + Beaprint.BadPrint(" [!] 
NTLM clients support NTLMv1!"); + } } + + if (info.NTLMMinServerSec != null) + { + var serverSessionSecurity = (SessionSecurity)info.NTLMMinServerSec; + var serverSessionSecurityDescription = serverSessionSecurity.GetDescription(); + var color = !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !serverSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ? + Beaprint.ansi_color_bad : + Beaprint.ansi_color_good; + Beaprint.ColorPrint($" NTLMMinServerSec : {info.NTLMMinServerSec} ({serverSessionSecurityDescription})\n", color); + + if (info.LanmanCompatibilityLevel < 3 && !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2)) + { + Beaprint.BadPrint(" [!] NTLM services on this machine support NTLMv1!"); + } + } + + var ntlmOutboundRestrictionsColor = info.OutboundRestrictions == 2 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad; + + Beaprint.ColorPrint("\n NTLM Auditing and Restrictions", Beaprint.LBLUE); + Beaprint.NoColorPrint($" InboundRestrictions : {info.InboundRestrictions} ({info.InboundRestrictionsString})"); + Beaprint.ColorPrint($" OutboundRestrictions : {info.OutboundRestrictions} ({info.OutboundRestrictionsString})", ntlmOutboundRestrictionsColor); + Beaprint.NoColorPrint($" InboundAuditing : {info.InboundAuditing} ({info.InboundRestrictionsString})"); + Beaprint.NoColorPrint($" OutboundExceptions : {info.OutboundExceptions}"); } catch (Exception ex) { 
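Review bot: Two of the new output lines in PrintNtlmSettings print the wrong property: `InboundAuditing : {info.InboundAuditing} ({info.InboundRestrictionsString})` should use `info.InboundAuditingString` (NtlmSettingsInfo defines it in this diff), and the LdapSigning line puts `LdapSigningString` in both slots so the numeric value is never shown; it should read `$" LdapSigning : {(info.LdapSigning != null ? info.LdapSigning.ToString() : "null")} ({info.LdapSigningString})"`. `Beaprint.MainPrint($"Enumerating NTLM Settings")` interpolates nothing and can be a plain literal. The method's catch body continues past the end of the hunk.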
@@ -1047,5 +1075,36 @@ namespace winPEAS.Checks { } } + + private static void PrintPowerShellSessionSettings() + { + try + { + Beaprint.MainPrint("Enumerating PowerShell Session Settings using the registry"); + + if (!MyUtils.IsHighIntegrity()) + { + Beaprint.NoColorPrint(" You must be an administrator to run this check"); + return; + } + + var infos = PowerShell.GetPowerShellSessionSettingsInfos(); + + foreach (var info in infos) + { + Beaprint.NoColorPrint($" {"Name",-38} {info.Plugin}"); + + foreach (var access in info.Permissions) + { + Beaprint.NoColorPrint($" {access.Principal,-35} {access.Permission,-22}"); + } + + Beaprint.PrintLineSeparator(); + } + } + catch (Exception ex) + { + } + } } } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs index 0fc8fc1..d439cf0 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs @@ -25,6 +25,7 @@ namespace winPEAS.Checks PrintVaultCreds, PrintCredentialManager, PrintSavedRDPInfo, + PrintRDPSettings, PrintRecentRunCommands, PrintDPAPIMasterKeys, PrintDpapiCredFiles, @@ -124,7 +125,7 @@ namespace winPEAS.Checks List> rdps_info = RemoteDesktop.GetSavedRDPConnections(); if (rdps_info.Count > 0) - System.Console.WriteLine(string.Format(" {0,-20}{1,-55}{2}", "Host", "Username Hint", "User SID")); + Beaprint.NoColorPrint(string.Format(" {0,-20}{1,-55}{2}", "Host", "Username Hint", "User SID")); else { Beaprint.NotFoundPrint(); @@ -132,7 +133,7 @@ namespace winPEAS.Checks foreach (Dictionary rdp_info in rdps_info) { - System.Console.WriteLine(string.Format(" {0,-20}{1,-55}{2}", rdp_info["Host"], rdp_info["Username Hint"], rdp_info["SID"])); + Beaprint.NoColorPrint(string.Format(" {0,-20}{1,-55}{2}", rdp_info["Host"], rdp_info["Username Hint"], rdp_info["SID"])); } } catch (Exception ex) 
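Review bot: When `GetPowerShellSessionSettingsInfos()` yields nothing — no plugin key present, or none carrying an Sddl attribute — PrintPowerShellSessionSettings prints only the banner, so a reader cannot tell "no endpoints configured" from "enumeration produced nothing"; print `Beaprint.NotFoundPrint();` (used elsewhere in this diff) when the sequence is empty, which means materializing it first, e.g. `var infos = PowerShell.GetPowerShellSessionSettingsInfos().ToList();` (System.Linq must be in scope; the file's usings are outside the hunk). The `{"Name",-38}` label is repeated for every plugin while the Principal/Permission rows have no header at all; one header line above the loop would be easier to read. The empty `catch (Exception ex) { }` is the same issue already noted for PrintLOLBAS.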
@@ -400,5 +401,76 @@ namespace winPEAS.Checks Beaprint.PrintException(ex.Message); } } + + private static void PrintRDPSettings() + { + try + { + Beaprint.MainPrint("Remote Desktop Server/Client Settings"); + + var info = Info.WindowsCreds.RemoteDesktop.GetRDPSettingsInfo(); + + var server = info.ServerSettings; + Beaprint.ColorPrint(" RDP Server Settings", Beaprint.LBLUE); + Beaprint.NoColorPrint($" NetworkLevelAuthentication : {server.NetworkLevelAuthentication}"); + Beaprint.NoColorPrint($" BlockClipboardRedirection : {server.BlockClipboardRedirection}"); + Beaprint.NoColorPrint($" BlockComPortRedirection : {server.BlockComPortRedirection}"); + Beaprint.NoColorPrint($" BlockDriveRedirection : {server.BlockDriveRedirection}"); + Beaprint.NoColorPrint($" BlockLptPortRedirection : {server.BlockLptPortRedirection}"); + Beaprint.NoColorPrint($" BlockPnPDeviceRedirection : {server.BlockPnPDeviceRedirection}"); + Beaprint.NoColorPrint($" BlockPrinterRedirection : {server.BlockPrinterRedirection}"); + Beaprint.NoColorPrint($" AllowSmartCardRedirection : {server.AllowSmartCardRedirection}"); + + Beaprint.ColorPrint("\n RDP Client Settings", Beaprint.LBLUE); + Beaprint.NoColorPrint($" DisablePasswordSaving : {info.ClientSettings.DisablePasswordSaving}"); + Beaprint.NoColorPrint($" RestrictedRemoteAdministration : {info.ClientSettings.RestrictedRemoteAdministration}"); + + var type = info.ClientSettings.RestrictedRemoteAdministrationType; + + var types = new Dictionary() + { + { 1, "Require Restricted Admin Mode" }, + { 2, "Require Remote Credential Guard" }, + { 3, "Require Restricted Admin or Remote Credential Guard" }, + }; + + if (type != null) + { + var str = GetDescriptionByType(type); + + Beaprint.NoColorPrint($" RestrictedRemoteAdministrationType: {str}"); + } + + var level = info.ClientSettings.ServerAuthLevel; + if (level != null) + { + var str = GetDescriptionByType(level); + + Beaprint.NoColorPrint($" ServerAuthenticationLevel: {level} - {str}"); + } + } + 
catch (Exception ex) + { + } + } + + private static string GetDescriptionByType(uint? type) + { + var types = new Dictionary() + { + { 1, "Require Restricted Admin Mode" }, + { 2, "Require Remote Credential Guard" }, + { 3, "Require Restricted Admin or Remote Credential Guard" }, + }; + + string str = $"{type} - Unknown"; + + if (types.ContainsKey(type.Value)) + { + str = types[type.Value]; + } + + return str; + } } } diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs index 9ab52aa..b484caa 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs @@ -156,5 +156,17 @@ namespace winPEAS.Helpers.Registry { return Microsoft.Win32.Registry.Users.GetSubKeyNames() ?? new string[] { }; } + + internal static uint? GetDwordValue(string hive, string key, string val) + { + string strValue = RegistryHelper.GetRegValue(hive, key, val); + + if (uint.TryParse(strValue, out uint res)) + { + return res; + } + + return null; + } } } diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Search/LOLBAS.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Search/LOLBAS.cs new file mode 100644 index 0000000..1bb53f3 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Search/LOLBAS.cs 
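Review bot: The `types` dictionary declared inside PrintRDPSettings is never used — it duplicates the one in GetDescriptionByType and should be deleted. GetDescriptionByType is then applied to `ServerAuthLevel` as well, whose values do not appear to share the RestrictedRemoteAdministrationType meanings (the diff defines no mapping for it), so "Require Restricted Admin Mode" printed next to a ServerAuthenticationLevel would be misleading; it needs its own description table. Inside the helper, `type.Value` dereferences the nullable without a guard and `ContainsKey` + indexer does a double lookup; `return type.HasValue && types.TryGetValue(type.Value, out var description) ? description : $"{type} - Unknown";` covers both. The empty `catch (Exception ex) { }` should report via `Beaprint.PrintException(ex.Message);` as the surrounding code in this file does.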
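Review bot: `uint.TryParse(strValue, out uint res)` in GetDwordValue parses with the current culture; for registry data pass `NumberStyles.Integer, CultureInfo.InvariantCulture` (needs `using System.Globalization;`, and the file's using block is outside this hunk). If GetRegValue formats a REG_DWORD through the `int` that `Registry.GetValue` returns, a value with the top bit set arrives as a negative string, fails the `uint` parse and is reported as null ("not set") rather than as its value — worth confirming against GetRegValue, which is outside the diff. A one-line summary would help callers: `/// Reads a REG_DWORD as uint; returns null when the value is absent or not numeric.`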
@@ -0,0 +1,132 @@ +using System.Collections.Generic; + +namespace winPEAS.Helpers.Search +{ + class LOLBAS + { + public static readonly HashSet FileWithExtension = new HashSet(){ + "advpack.dll", + "appvlp.exe", + "at.exe", + "atbroker.exe", + "bash.exe", + "bginfo.exe", + "bitsadmin.exe", + "cl_invocation.ps1", + "cl_mutexverifiers.ps1", + "cdb.exe", + "certutil.exe", + "cmd.exe", + "cmdkey.exe", + "cmstp.exe", + "comsvcs.dll", + "control.exe", + "csc.exe", + "cscript.exe", + "desktopimgdownldr.exe", + "devtoolslauncher.exe", + "dfsvc.exe", + "diskshadow.exe", + "dnscmd.exe", + "dotnet.exe", + "dxcap.exe", + "esentutl.exe", + "eventvwr.exe", + "excel.exe", + "expand.exe", + "extexport.exe", + "extrac32.exe", + "findstr.exe", + "forfiles.exe", + "ftp.exe", + "gfxdownloadwrapper.exe", + "gpscript.exe", + "hh.exe", + "ie4uinit.exe", + "ieadvpack.dll", + "ieaframe.dll", + "ieexec.exe", + "ilasm.exe", + "infdefaultinstall.exe", + "installutil.exe", + "java.exe", + "jsc.exe", + "makecab.exe", + "manage-bde.wsf", + "mavinject.exe", + "mftrace.exe", + "microsoft.workflow.compiler.exe", + "mmc.exe", + "msbuild.exe", + "msconfig.exe", + "msdeploy.exe", + "msdt.exe", + "mshta.exe", + "mshtml.dll", + "msiexec.exe", + "netsh.exe", + "nc.exe", + "nc64.exe", + "nmap.exe", + "odbcconf.exe", + "pcalua.exe", + "pcwrun.exe", + "pcwutl.dll", + "pester.bat", + "powerpnt.exe", + "presentationhost.exe", + "print.exe", + "psr.exe", + "pubprn.vbs", + "rasautou.exe", + "reg.exe", + "regasm.exe", + "regedit.exe", + "regini.exe", + "register-cimprovider.exe", + "regsvcs.exe", + "regsvr32.exe", + "replace.exe", + "rpcping.exe", + "rundll32.exe", + "runonce.exe", + "runscripthelper.exe", + "sqltoolsps.exe", + "sc.exe", + "schtasks.exe", + "scriptrunner.exe", + "setupapi.dll", + "shdocvw.dll", + "shell32.dll", + "slmgr.vbs", + "sqldumper.exe", + "sqlps.exe", + "squirrel.exe", + "syncappvpublishingserver.exe", + "syncappvpublishingserver.vbs", + "syssetup.dll", + "tracker.exe", + "tttracer.exe", 
+ "update.exe", + "url.dll", + "verclsid.exe", + "wab.exe", + "winword.exe", + "wmic.exe", + "wscript.exe", + "wsl.exe", + "wsreset.exe", + "xwizard.exe", + "zipfldr.dll", + "csi.exe", + "dnx.exe", + "msxsl.exe", + "ntdsutil.exe", + "rcsi.exe", + "te.exe", + "vbc.exe", + "vsjitdebugger.exe", + "winrm.vbs", + }; + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs index 1a9878a..e856b3c 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs @@ -12,9 +12,9 @@ namespace winPEAS.Helpers.Search { public static List RootDirUsers; private static List RootDirCurrentUser; - private static List ProgramFiles; - private static List ProgramFilesX86; - private static List DocumentsAndSettings; + public static List ProgramFiles; + public static List ProgramFilesX86; + public static List DocumentsAndSettings; private static List GroupPolicyHistory; private static string SystemDrive = Environment.GetEnvironmentVariable("SystemDrive"); diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettings.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettings.cs new file mode 100644 index 0000000..ec4c816 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettings.cs 
@@ -0,0 +1,100 @@ +using System.Collections.Generic; +using winPEAS.Helpers.Registry; + +namespace winPEAS.Info.NetworkInfo.InternetSettings +{ + class InternetSettings + { + public static InternetSettingsInfo GetInternetSettingsInfo() + { + var result = new InternetSettingsInfo(); + + // List user/system internet settings for zonemapkey (local, trusted, etc.) : + // 1 = Intranet zone – sites on your local network. + // 2 = Trusted Sites zone – sites that have been added to your trusted sites. + // 3 = Internet zone – sites that are on the Internet. + // 4 = Restricted Sites zone – sites that have been specifically added to your restricted sites. + + + IDictionary zoneMapKeys = new Dictionary() + { + {"0", "My Computer" }, + {"1", "Local Intranet Zone"}, + {"2", "Trusted Sites Zone"}, + {"3", "Internet Zone"}, + {"4", "Restricted Sites Zone"} + }; + + // lists user/system internet settings, including default proxy info + string internetSettingsKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"; + AddSettings("HKCU", internetSettingsKey, result.GeneralSettings, zoneMapKeys: null); + AddSettings("HKLM", internetSettingsKey, result.GeneralSettings, zoneMapKeys: null); + + string zoneMapKey = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"; + AddSettings("HKCU", zoneMapKey, result.ZoneMaps, zoneMapKeys); + AddSettings("HKLM", zoneMapKey, result.ZoneMaps, zoneMapKeys); + + // List Zones settings with automatic logons + + /** + * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{0..4}\1A00 + * Logon setting (1A00) may have any one of the following values (hexadecimal): + * Value Setting + * --------------------------------------------------------------- + * 0x00000000 Automatically logon with current username and password + * 0x00010000 Prompt for user name and password + * 0x00020000 Automatic logon only in the Intranet zone + * 0x00030000 Anonymous logon + **/ + + IDictionary 
zoneAuthSettings = new Dictionary() + { + {0x00000000, "Automatically logon with current username and password"}, + {0x00010000, "Prompt for user name and password"}, + {0x00020000, "Automatic logon only in the Intranet zone"}, + {0x00030000, "Anonymous logon"} + }; + + for (int i = 0; i <= 4; i++) + { + var keyPath = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\" + i; + var isParsed = uint.TryParse(RegistryHelper.GetRegValue("HKLM", keyPath, "1A00"), out uint authSetting); + + if (isParsed) + { + var zone = zoneMapKeys[i.ToString()]; + var authSettingStr = zoneAuthSettings[authSetting]; + + result.ZoneAuthSettings.Add(new InternetSettingsKey( + "HKLM", + keyPath, + "1A00", + authSetting.ToString(), + $"{zone} : {authSettingStr}" + )); + } + } + + return result; + } + + private static void AddSettings(string hive, string keyPath, IList internetSettingsList, IDictionary zoneMapKeys = null) + { + var proxySettings = (RegistryHelper.GetRegValues(hive, keyPath) ?? new Dictionary()); + if (proxySettings != null) + { + foreach (var kvp in proxySettings) + { + string interpretation = zoneMapKeys?[kvp.Value.ToString()]; + + internetSettingsList.Add(new InternetSettingsKey( + hive, + keyPath, + kvp.Key, + kvp.Value.ToString(), + interpretation)); + } + } + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettingsInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettingsInfo.cs new file mode 100644 index 0000000..c2c61b0 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettingsInfo.cs @@ -0,0 +1,11 @@ +using System.Collections.Generic; + +namespace winPEAS.Info.NetworkInfo.InternetSettings +{ + class InternetSettingsInfo + { + public IList GeneralSettings { get; set; } = new List(); + public IList ZoneMaps { get; set; } = new List(); + public IList ZoneAuthSettings { get; set; } = new List(); + } +} 
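Review bot: `zoneAuthSettings[authSetting]` and `zoneMapKeys?[kvp.Value.ToString()]` throw KeyNotFoundException for any value outside the listed keys (the `?.` only guards a null dictionary), and since the caller's catch is empty one unexpected 1A00 or ZoneMapKey value silently aborts the whole check; use `zoneAuthSettings.TryGetValue(authSetting, out var authSettingStr) ? authSettingStr : $"Unknown (0x{authSetting:X8})"` and a `TryGetValue` on `zoneMapKeys` as well. The comment block documents `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{0..4}\1A00`, but the loop reads `Software\Policies\...\Zones\` and only under HKLM, so non-policy and per-user (HKCU) zone logon settings are not reported — read both locations or make the comment match the code. The `if (proxySettings != null)` after `?? new Dictionary()` can never be false and can go.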
diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettingsKey.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettingsKey.cs
new file mode 100644
index 0000000..6fe1cbb
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettingsKey.cs
@@ -0,0 +1,25 @@
+namespace winPEAS.Info.NetworkInfo.InternetSettings
+{
+ internal class InternetSettingsKey
+ {
+ public string ValueName { get; }
+ public string Value { get; }
+ public string Hive { get; }
+ public string Path { get; }
+ public string Interpretation { get; }
+
+ public InternetSettingsKey(
+ string hive,
+ string path,
+ string valueName,
+ string value,
+ string interpretation)
+ {
+ ValueName = valueName;
+ Value = value;
+ Interpretation = interpretation;
+ Hive = hive;
+ Path = path;
+ }
+ }
+}
diff --git a/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/Ntlm/Ntlm.cs b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/Ntlm/Ntlm.cs
new file mode 100644
index 0000000..e9fd158
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/Ntlm/Ntlm.cs
@@ -0,0 +1,39 @@ +using winPEAS.Helpers.Registry; + +namespace winPEAS.Info.SystemInfo.Ntlm +{ + internal class Ntlm + { + public static NtlmSettingsInfo GetNtlmSettingsInfo() + { + return new NtlmSettingsInfo + { + LanmanCompatibilityLevel = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel"), + + ClientRequireSigning = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature") == 1, + ClientNegotiateSigning = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature") == 1, + ServerRequireSigning = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Services\LanManServer\Parameters", "RequireSecuritySignature") == 1, + ServerNegotiateSigning = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Services\LanManServer\Parameters", "EnableSecuritySignature") == 1, + + + LdapSigning = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Services\LDAP", "LDAPClientIntegrity"), + + NTLMMinClientSec = RegistryHelper.GetDwordValue("HKLM", @"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NtlmMinClientSec"), + NTLMMinServerSec = RegistryHelper.GetDwordValue("HKLM", @"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NtlmMinServerSec"), + + + InboundRestrictions = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictReceivingNTLMTraffic"), // Network security: Restrict NTLM: Incoming NTLM traffic + OutboundRestrictions = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictSendingNTLMTraffic"), // Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + InboundAuditing = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Control\Lsa\MSV1_0", "AuditReceivingNTLMTraffic"), // Network security: Restrict NTLM: Audit Incoming NTLM Traffic + 
OutboundExceptions = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\Lsa\MSV1_0", "ClientAllowedNTLMServers"), // Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + + //DCRestrictions = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Services\Netlogon\Parameters", "RestrictNTLMInDomain"), // Network security: Restrict NTLM: NTLM authentication in this domain + //DCExceptions = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Services\Netlogon\Parameters", "DCAllowedNTLMServers"), // Network security: Restrict NTLM: Add server exceptions in this domain + //DCAuditing = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Services\Netlogon\Parameters", "AuditNTLMInDomain"), // Network security: Restrict NTLM: Audit NTLM authentication in this domain + //DCLdapSigning = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Services\NTDS\Parameters", "LDAPServerIntegrity"), + //LdapChannelBinding = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Services\NTDS\Parameters", "LdapEnforceChannelBinding"), + //ExtendedProtectionForAuthentication = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Control\LSA", "SuppressExtendedProtection"), + }; + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/Ntlm/NtlmSettingsInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/Ntlm/NtlmSettingsInfo.cs new file mode 100644 index 0000000..b30bbb7 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/Ntlm/NtlmSettingsInfo.cs 
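Review bot: `ClientRequireSigning = RegistryHelper.GetDwordValue(...) == 1` (and the three sibling signing properties) collapses an absent value into `false`, so a host where the value is simply not configured is reported as "False" and colored bad by PrintNtlmSettings, indistinguishable from an explicit 0; keep these as `uint?` (or `bool?`) on NtlmSettingsInfo and let the printer show "not set", as LdapSigning already does. The commented-out DC properties reference `RegistryUtil.GetValue`, a helper that does not exist in this diff (the one used here is RegistryHelper), so they are dead code; remove them or collapse them into one TODO. The `System\...` versus `SYSTEM\...` spelling is mixed across the calls — harmless for the registry, but worth unifying.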
@@ -0,0 +1,109 @@ +namespace winPEAS.Info.SystemInfo.Ntlm +{ + internal class NtlmSettingsInfo + { + public uint? LanmanCompatibilityLevel { get; set; } + + public string LanmanCompatibilityLevelString + { + get + { + switch (LanmanCompatibilityLevel) + { + case 0: return "Send LM & NTLM responses"; + case 1: return "Send LM & NTLM - Use NTLMv2 session security if negotiated"; + case 2: return "Send NTLM response only"; + case null: + case 3: return "Send NTLMv2 response only - Win7+ default"; + case 4: return "Send NTLMv2 response only. DC: Refuse LM"; + case 5: return "Send NTLMv2 response only. DC: Refuse LM & NTLM"; + default: return "Unknown"; + } + } + } + + public bool ClientRequireSigning { get; set; } + public bool ClientNegotiateSigning { get; set; } + public bool ServerRequireSigning { get; set; } + public bool ServerNegotiateSigning { get; set; } + public uint? LdapSigning { get; set; } + + public string LdapSigningString + { + get + { + switch (LdapSigning) + { + case 0: return "No signing"; + case 1: + case null: return "Negotiate signing"; + case 2: return "Require Signing"; + default: return "Unknown"; + } + } + } + + public uint? NTLMMinClientSec { get; set; } + public uint? NTLMMinServerSec { get; set; } + public uint? InboundRestrictions { get; internal set; } + + public string InboundRestrictionsString + { + get + { + string inboundRestrictStr = InboundRestrictions switch + { + 0 => "Allow all", + 1 => "Deny all domain accounts", + 2 => "Deny all accounts", + _ => "Not defined", + }; + + return inboundRestrictStr; + } + } + + public uint? OutboundRestrictions { get; internal set; } + + public string OutboundRestrictionsString + { + get + { + string outboundRestrictStr = OutboundRestrictions switch + { + 0 => "Allow all", + 1 => "Audit all", + 2 => "Deny all", + _ => "Not defined", + }; + + return outboundRestrictStr; + } + } + + public uint? 
InboundAuditing { get; internal set; } + + public string InboundAuditingString + { + get + { + string inboundAuditStr = InboundAuditing switch + { + 0 => "Disable", + 1 => "Enable auditing for domain accounts", + 2 => "Enable auditing for all accounts", + _ => "Not defined", + }; + return inboundAuditStr; + } + } + + public string OutboundExceptions { get; internal set; } + + //public string DCRestrictions { get; internal set; } + //public string DCExceptions { get; internal set; } + //public string DCAuditing { get; internal set; } + //public string LdapChannelBinding { get; set; } + //public string ExtendedProtectionForAuthentication { get; set; } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PluginAccessInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PluginAccessInfo.cs new file mode 100644 index 0000000..8ed6ff3 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PluginAccessInfo.cs @@ -0,0 +1,19 @@ +namespace winPEAS.Info.SystemInfo.PowerShell +{ + internal class PluginAccessInfo + { + public string Principal { get; } + public string Sid { get; } + public string Permission { get; } + + public PluginAccessInfo( + string principal, + string sid, + string permission) + { + Principal = principal; + Sid = sid; + Permission = permission; + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PowerShell.cs b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PowerShell.cs new file mode 100644 index 0000000..4aeb41f --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PowerShell.cs 
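Review bot: Grouping `case null:` with `case 3` in LanmanCompatibilityLevelString labels an absent value "Win7+ default", while PrintNtlmSettings colors that same null as bad (`LanmanCompatibilityLevel == 5` is false for null); the two disagree, and the effective default varies by OS version, so a distinct `case null: return "Not configured (OS default applies)";` is clearer, and likewise for `case null` in LdapSigningString. Setter accessibility is mixed — `set` on LanmanCompatibilityLevel, LdapSigning and NTLMMin*, `internal set` on the restriction properties — with no visible reason; pick one. The commented-out DC properties mirror the dead lines in Ntlm.cs and should go with them.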
@@ -0,0 +1,54 @@ +using System.Collections.Generic; +using System.Security.AccessControl; +using System.Xml; +using winPEAS.Helpers.Registry; + +namespace winPEAS.Info.SystemInfo.PowerShell +{ + internal class PowerShell + { + public static IEnumerable GetPowerShellSessionSettingsInfos() + { + var plugins = new[] { "Microsoft.PowerShell", "Microsoft.PowerShell.Workflow", "Microsoft.PowerShell32" }; + + foreach (var plugin in plugins) + { + var config = RegistryHelper.GetRegValue("HKLM", $"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\\{plugin}", "ConfigXML"); + + if (config == null) continue; + + var access = new List(); + + var xmlDoc = new XmlDocument(); + xmlDoc.LoadXml(config); + var security = xmlDoc.GetElementsByTagName("Security"); + + if (security.Count <= 0) + continue; + + foreach (XmlAttribute attr in security[0].Attributes) + { + if (attr.Name != "Sddl") + { + continue; + } + + var desc = new RawSecurityDescriptor(attr.Value); + foreach (QualifiedAce ace in desc.DiscretionaryAcl) + { + var principal = ace.SecurityIdentifier.Translate(typeof(System.Security.Principal.NTAccount)).ToString(); + var accessStr = ace.AceQualifier.ToString(); + + access.Add(new PluginAccessInfo( + principal, + ace.SecurityIdentifier.ToString(), + accessStr + )); + } + } + + yield return new PowerShellSessionSettingsInfo(plugin, access); + } + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PowerShellSessionSettingsInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PowerShellSessionSettingsInfo.cs new file mode 100644 index 0000000..26aa238 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PowerShellSessionSettingsInfo.cs 
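Review bot: `ace.SecurityIdentifier.Translate(typeof(System.Security.Principal.NTAccount))` throws IdentityNotMappedException for a SID that cannot be resolved (deleted account, SID from an unreachable domain), and because it sits inside the iterator with no handler that ends enumeration for every remaining ACE and plugin, after which the caller's empty catch hides it; fall back to the raw SID per ACE instead. `accessStr` is `ace.AceQualifier` (AccessAllowed/AccessDenied), so the "Permission" column never shows what was granted — `ace.AccessMask` carries the rights and could be appended. `if (config == null) continue;` and `if (security.Count <= 0) continue;` drop the braces the rest of the file uses.
```csharp
foreach (QualifiedAce ace in desc.DiscretionaryAcl)
{
    string principal;
    try
    {
        principal = ace.SecurityIdentifier.Translate(typeof(System.Security.Principal.NTAccount)).ToString();
    }
    catch (System.Security.Principal.IdentityNotMappedException)
    {
        // Unresolvable SID (orphaned account, foreign domain): report it raw rather than
        // aborting the enumeration for the remaining ACEs and plugins.
        principal = ace.SecurityIdentifier.ToString();
    }
    var accessStr = $"{ace.AceQualifier} (0x{ace.AccessMask:X})";

    // … unchanged: access.Add(new PluginAccessInfo(principal, ace.SecurityIdentifier.ToString(), accessStr)) …
}
```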
@@ -0,0 +1,16 @@
+using System.Collections.Generic;
+
+namespace winPEAS.Info.SystemInfo.PowerShell
+{
+ internal class PowerShellSessionSettingsInfo
+ {
+ public string Plugin { get; }
+ public List Permissions { get; }
+
+ public PowerShellSessionSettingsInfo(string plugin, List permissions)
+ {
+ Plugin = plugin;
+ Permissions = permissions;
+ }
+ }
+}
diff --git a/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RDPClientSettings.cs b/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RDPClientSettings.cs
new file mode 100644
index 0000000..7b56814
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RDPClientSettings.cs
@@ -0,0 +1,22 @@
+namespace winPEAS.Info.WindowsCreds
+{
+ internal class RDPClientSettings
+ {
+ public bool RestrictedRemoteAdministration { get; }
+ public uint? RestrictedRemoteAdministrationType { get; }
+ public uint? ServerAuthLevel { get; }
+ public bool DisablePasswordSaving { get; }
+
+ public RDPClientSettings(
+ bool restrictedRemoteAdministration,
+ uint? restrictedRemoteAdministrationType,
+ uint? serverAuthLevel,
+ bool disablePasswordSaving)
+ {
+ RestrictedRemoteAdministration = restrictedRemoteAdministration;
+ RestrictedRemoteAdministrationType = restrictedRemoteAdministrationType;
+ ServerAuthLevel = serverAuthLevel;
+ DisablePasswordSaving = disablePasswordSaving;
+ }
+ }
+}
diff --git a/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RDPServerSettings.cs b/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RDPServerSettings.cs
new file mode 100644
index 0000000..e9b3ac9
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RDPServerSettings.cs
@@ -0,0 +1,34 @@
+namespace winPEAS.Info.WindowsCreds
+{
+ internal class RDPServerSettings
+ {
+ public uint? NetworkLevelAuthentication { get; }
+ public uint? BlockClipboardRedirection { get; }
+ public uint? BlockComPortRedirection { get; }
+ public uint? BlockDriveRedirection { get; }
+ public uint? BlockLptPortRedirection { get; }
+ public uint? AllowSmartCardRedirection { get; }
+ public uint? BlockPnPDeviceRedirection { get; }
+ public uint? BlockPrinterRedirection { get; }
+
+ public RDPServerSettings(
+ uint? networkLevelAuthentication,
+ uint? blockClipboardRedirection,
+ uint? blockComPortRedirection,
+ uint? blockDriveRedirection,
+ uint? blockLptPortRedirection,
+ uint? allowSmartCardRedirection,
+ uint? blockPnPDeviceRedirection,
+ uint? blockPrinterRedirection)
+ {
+ NetworkLevelAuthentication = networkLevelAuthentication;
+ BlockClipboardRedirection = blockClipboardRedirection;
+ BlockComPortRedirection = blockComPortRedirection;
+ BlockDriveRedirection = blockDriveRedirection;
+ BlockLptPortRedirection = blockLptPortRedirection;
+ AllowSmartCardRedirection = allowSmartCardRedirection;
+ BlockPnPDeviceRedirection = blockPnPDeviceRedirection;
+ BlockPrinterRedirection = blockPrinterRedirection;
+ }
+ }
+}
diff --git a/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RDPSettingsInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RDPSettingsInfo.cs
new file mode 100644
index 0000000..b485ced
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RDPSettingsInfo.cs
@@ -0,0 +1,17 @@
+
+namespace winPEAS.Info.WindowsCreds
+{
+ internal class RDPSettingsInfo
+ {
+ public RDPClientSettings ClientSettings { get; }
+ public RDPServerSettings ServerSettings { get; }
+
+ public RDPSettingsInfo(
+ RDPClientSettings clientSettings,
+ RDPServerSettings serverSettings)
+ {
+ ClientSettings = clientSettings;
+ ServerSettings = serverSettings;
+ }
+ }
+}
diff --git a/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RemoteDesktop.cs b/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RemoteDesktop.cs
new file mode 100644
index 0000000..730906a
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RemoteDesktop.cs
@@ -0,0 +1,46 @@
+using winPEAS.Helpers.Registry;
+
+namespace winPEAS.Info.WindowsCreds
+{
+ internal class RemoteDesktop
+ {
+ public static RDPSettingsInfo GetRDPSettingsInfo()
+ {
+ // Client settings
+ var credDelegKey = @"Software\Policies\Microsoft\Windows\CredentialsDelegation";
+ var restrictedAdmin = RegistryHelper.GetDwordValue("HKLM", credDelegKey, "RestrictedRemoteAdministration");
+ var restrictedAdminType = RegistryHelper.GetDwordValue("HKLM", credDelegKey, "RestrictedRemoteAdministrationType");
+ var serverAuthLevel = RegistryHelper.GetDwordValue("HKLM", @"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "AuthenticationLevel");
+ var termServKey = @"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services";
+ var disablePwSaving = RegistryHelper.GetDwordValue("HKLM", termServKey, "DisablePasswordSaving");
+
+ // Server settings
+ var nla = RegistryHelper.GetDwordValue("HKLM", termServKey, "UserAuthentication");
+ var blockClipboard = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisableClip");
+ var blockComPort = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisableCcm");
+ var blockDrives = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisableCdm");
+ var blockLptPort = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisableLPT");
+ var blockSmartCard = RegistryHelper.GetDwordValue("HKLM", termServKey, "fEnableSmartCard");
+ var blockPnp = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisablePNPRedir");
+ var blockPrinters = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisableCpm");
+
+ return new RDPSettingsInfo(
+ new RDPClientSettings(
+ restrictedAdmin != null && restrictedAdmin != 0,
+ restrictedAdminType,
+ serverAuthLevel,
+ disablePwSaving == null || disablePwSaving == 1),
+ new RDPServerSettings(
+ nla,
+ blockClipboard,
+ blockComPort,
+ blockDrives,
+ blockLptPort,
+ blockSmartCard,
+ blockPnp,
+ blockPrinters
+ )
+ );
+ }
+ }
+}
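Review bot: `var blockSmartCard = RegistryHelper.GetDwordValue("HKLM", termServKey, "fEnableSmartCard");` names an enable flag as a block flag and then hands it to the `allowSmartCardRedirection` parameter, so anyone reading this method will invert its meaning; rename it `var allowSmartCard = RegistryHelper.GetDwordValue("HKLM", termServKey, "fEnableSmartCard");` and pass `allowSmartCard` in the `RDPServerSettings` call. `disablePwSaving == null || disablePwSaving == 1` reports password saving as disabled when the policy value is absent; if the intent is the policy's documented default (not configured means saving is allowed) this should be `disablePwSaving == 1`, otherwise a comment should state why an absent value is treated as disabled. `serverAuthLevel` repeats the Terminal Services path literal one line before `termServKey` is declared; moving the declaration up lets it reuse the constant. The NLA read of `UserAuthentication` consults only the Policies hive, so a host with NLA enabled through the listener configuration rather than group policy comes back null — presumably a fallback to the `SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp` value is wanted; confirm against how the caller interprets null.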
diff --git a/winPEAS/winPEASexe/winPEAS/Native/Enums/SessionSecurity.cs b/winPEAS/winPEASexe/winPEAS/Native/Enums/SessionSecurity.cs
new file mode 100644
index 0000000..0f36bbb
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Native/Enums/SessionSecurity.cs
@@ -0,0 +1,27 @@
+using System;
+using System.ComponentModel;
+
+namespace winPEAS.Native.Enums
+{
+ [Flags]
+ enum SessionSecurity : uint
+ {
+ [Description("None checked")]
+ None = 0x00000000,
+
+ [Description("Require message integrity")]
+ Integrity = 0x00000010, // Message integrity
+
+ [Description("Require message confidentiality")]
+ Confidentiality = 0x00000020, // Message confidentiality
+
+ [Description("Require NTLMv2 session security")]
+ NTLMv2 = 0x00080000,
+
+ [Description("Require 128-bit encryption")]
+ Require128BitKey = 0x20000000,
+
+ [Description("Require 56-bit encryption")]
+ Require56BitKey = 0x80000000
+ }
+}
diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
index e5c1b3f..e8dab46 100755
--- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
@@ -395,6 +395,7 @@
+
@@ -427,6 +428,9 @@
+
+
+
@@ -450,6 +454,11 @@
+
+
+
+
+
@@ -467,6 +476,10 @@
+
+
+
+
@@ -529,6 +542,7 @@
+
@@ -652,8 +666,6 @@
-
-
-
+
\ No newline at end of file
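Review bot: The enum carries no comment saying which registry values its bits decode, and the `Require128BitKey` / `Require56BitKey` descriptions read as alternative levels even though they are independent flags that can both be set; nothing in this file section identifies the consumer. A summary such as `/// Bit flags of the LSA NTLMMinClientSec / NTLMMinServerSec values; the Require*BitKey bits are independent, not ordered levels.` would orient the reader — that origin is presumed from the values, so confirm it against the caller before committing the comment. `enum SessionSecurity : uint` has no access modifier while every other type added in this commit is explicitly `internal`; `internal enum SessionSecurity : uint` keeps the files consistent. The inline `// Message integrity` and `// Message confidentiality` comments only repeat the `[Description]` text and can be dropped.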