- added PrintLOLBAS

- added PrintInternetSettings
- added PrintPowerShellSessionSettings
- added PrintNtlmSettings
- added PrintRDPSettings
makikvues 2021-02-11 22:36:39 +01:00
parent 49a4344730
commit f3c7e92735
21 changed files with 948 additions and 44 deletions


@ -131,6 +131,7 @@ namespace winPEAS.Checks
PrintUserCredsFiles,
PrintOracleSQLDeveloperConfigFiles,
Slack.PrintInfo,
PrintLOLBAS,
PrintOutlookDownloads,
PrintMachineAndUserCertificateFiles,
PrintUsersInterestingFiles,
@ -976,5 +977,50 @@ namespace winPEAS.Checks
{
}
}
private static void PrintLOLBAS()
{
try
{
Beaprint.MainPrint("Looking for LOL Binaries and Scripts (can be slow)");
Beaprint.LinkPrint("https://lolbas-project.github.io/");
var systemDrive = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\";
string rootUsersSearchPath = $"{systemDrive}\\users";
string documentsAndSettings = $"{systemDrive}\\documents and settings";
var excludedDirs = new HashSet<string>()
{
@"c:\esupport",
@"c:\perflogs",
@"c:\programdata",
@"c:\program files (x86)",
@"c:\program files",
//@"c:\windows",
//@"c:\windows.old",
rootUsersSearchPath,
documentsAndSettings
};
var files = SearchHelper.GetFilesFast(systemDrive, "*", excludedDirs);
files.AddRange(SearchHelper.RootDirUsers);
files.AddRange(SearchHelper.DocumentsAndSettings);
files.AddRange(SearchHelper.ProgramFiles);
files.AddRange(SearchHelper.ProgramFilesX86);
foreach (var file in files)
{
if (LOLBAS.FileWithExtension.Contains(file.Filename.ToLower()))
{
Beaprint.BadPrint($" {file.FullPath}");
}
}
}
catch (Exception ex)
{
}
}
}
}
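Review bot: The `catch (Exception ex) { }` at the end of PrintLOLBAS swallows every failure silently, and the same empty catch appears in the other three check methods added in this commit (PrintInternetSettings, PrintPowerShellSessionSettings, PrintRDPSettings); the catch blocks elsewhere in this commit use `Beaprint.PrintException(ex.Message);`, which is what these should do too. The exclusion list hard-codes `c:\esupport`, `c:\perflogs`, `c:\programdata` and the two `c:\program files` roots while `systemDrive` is read from the environment, so on a machine whose system drive is not C: none of those directories are excluded; build them from `systemDrive` the way `rootUsersSearchPath` is. `systemDrive` already ends in a backslash, so `$"{systemDrive}\\users"` yields `C:\\users` with a doubled separator, which presumably will not compare equal to the paths the walker produces — worth confirming against SearchHelper. `file.Filename.ToLower()` is culture-sensitive; `ToLowerInvariant()` (or a set built with `StringComparer.OrdinalIgnoreCase`) is the safe comparison for file names.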


@ -8,6 +8,7 @@ using winPEAS.Helpers;
using winPEAS.Helpers.Extensions;
using winPEAS.Info.NetworkInfo;
using winPEAS.Info.NetworkInfo.Enums;
using winPEAS.Info.NetworkInfo.InternetSettings;
namespace winPEAS.Checks
{
@ -35,6 +36,7 @@ namespace winPEAS.Checks
PrintListeningPorts,
PrintFirewallRules,
PrintDNSCache,
PrintInternetSettings,
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
@ -366,5 +368,55 @@ namespace winPEAS.Checks
{
}
}
private static void PrintInternetSettings()
{
try
{
Beaprint.MainPrint("Enumerating Internet settings, zone and proxy configuration");
var info = InternetSettings.GetInternetSettingsInfo();
Beaprint.ColorPrint(" General Settings", Beaprint.LBLUE);
Beaprint.NoColorPrint($" {"Hive",-10} {"Key",-40} {"Value"}");
foreach (var i in info.GeneralSettings)
{
Beaprint.NoColorPrint($" {i.Hive,-10} {i.ValueName,-40} {i.Value}");
}
Beaprint.ColorPrint("\n Zone Maps", Beaprint.LBLUE);
if (info.ZoneMaps.Count == 0)
{
Beaprint.NoColorPrint(" No URLs configured");
}
else
{
Beaprint.NoColorPrint($" {"Hive",-10} {"Value Name",-40} {"Interpretation"}");
foreach (var i in info.ZoneMaps)
{
Beaprint.NoColorPrint($" {i.Hive,-10} {i.ValueName,-40} {i.Interpretation}");
}
}
Beaprint.ColorPrint("\n Zone Auth Settings", Beaprint.LBLUE);
if (info.ZoneAuthSettings.Count == 0)
{
Beaprint.NoColorPrint(" No Zone Auth Settings");
}
else
{
foreach (var i in info.ZoneAuthSettings)
{
Beaprint.NoColorPrint($" {i.Interpretation}");
}
}
}
catch (Exception ex)
{
}
}
}
}
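Review bot: The General Settings header prints the column as `"Key"` while the row underneath prints `i.ValueName`, and the Zone Maps table two blocks later labels the same field `"Value Name"`; use `Beaprint.NoColorPrint($" {"Hive",-10} {"Value Name",-40} {"Value"}");` so the two tables agree. The rows also never show `i.Path`, so two entries with the same value name under different keys are indistinguishable in the output; if that is intentional a one-line comment saying the hive is considered enough context would help the next reader. The empty catch at the end is the same defect already raised on the PrintLOLBAS hunk.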


@ -18,6 +18,9 @@ using winPEAS.Info.SystemInfo.AuditPolicies;
using winPEAS.Info.SystemInfo.DotNet;
using winPEAS.Info.SystemInfo.GroupPolicy;
using winPEAS.Info.SystemInfo.WindowsDefender;
using winPEAS.Info.SystemInfo.PowerShell;
using winPEAS.Info.SystemInfo.Ntlm;
using winPEAS.Native.Enums;
namespace winPEAS.Checks
{
@ -70,13 +73,14 @@ namespace winPEAS.Checks
PrintWindowsDefenderInfo,
PrintUACInfo,
PrintPSInfo,
PrintPowerShellSessionSettings,
PrintTranscriptPS,
PrintInetInfo,
PrintDrivesInfo,
PrintWSUS,
PrintAlwaysInstallElevated,
PrintLSAInfo,
PrintLsaCompatiblityLevel,
PrintNtlmSettings,
PrintLocalGroupPolicy,
AppLockerHelper.PrintAppLockerPolicy,
PrintPrintersWMIInfo,
@ -612,52 +616,76 @@ namespace winPEAS.Checks
}
}
private void PrintLsaCompatiblityLevel()
private static void PrintNtlmSettings()
{
string hive = "HKLM";
string path = "SYSTEM\\CurrentControlSet\\Control\\Lsa\\";
string key = "LmCompatibilityLevel";
Beaprint.MainPrint($"Checking {hive}\\{path}{key}");
Beaprint.MainPrint($"Enumerating NTLM Settings");
try
{
string lmCompatibilityLevelValue = RegistryHelper.GetRegValue(hive, path, key);
Dictionary<int, string> dict = new Dictionary<int, string>()
var info = Ntlm.GetNtlmSettingsInfo();
string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel == 5 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
Beaprint.ColorPrint($" LanmanCompatibilityLevel : {info.LanmanCompatibilityLevel} ({info.LanmanCompatibilityLevelString})\n", lmCompatibilityLevelColor);
var ntlmSettingsColors = new Dictionary<string, string>
{
{ 0, "Send LM & NTLM responses" },
{ 1, "Send LM & NTLM responses, use NTLMv2 session security if negotiated" },
{ 2, "Send NTLM response only" },
{ 3, "Send NTLMv2 response only" },
{ 4, "Send NTLMv2 response only, refuse LM" },
{ 5, "Send NTLMv2 response only, refuse LM & NTLM" },
{ "True", Beaprint.ansi_color_good },
{ "False", Beaprint.ansi_color_bad },
{ "No signing", Beaprint.ansi_color_bad},
{ "null", Beaprint.ansi_color_bad},
{ "Require Signing", Beaprint.ansi_color_good},
{ "Negotiate signing", Beaprint.ansi_color_yellow},
{ "Unknown", Beaprint.ansi_color_bad},
};
if (!string.IsNullOrEmpty(lmCompatibilityLevelValue))
{
if (int.TryParse(lmCompatibilityLevelValue, out int lmCompatibilityLevel))
{
string color = lmCompatibilityLevel == 5 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
Beaprint.ColorPrint("\n NTLM Signing Settings", Beaprint.LBLUE);
Beaprint.AnsiPrint($" ClientRequireSigning : {info.ClientRequireSigning}\n" +
$" ClientNegotiateSigning : {info.ClientNegotiateSigning}\n" +
$" ServerRequireSigning : {info.ServerRequireSigning}\n" +
$" ServerNegotiateSigning : {info.ServerNegotiateSigning}\n" +
$" LdapSigning : {(info.LdapSigning != null ? info.LdapSigningString : "null")} ({info.LdapSigningString})",
ntlmSettingsColors);
if (dict.TryGetValue(lmCompatibilityLevel, out string description))
Beaprint.ColorPrint("\n Session Security", Beaprint.LBLUE);
if (info.NTLMMinClientSec != null)
{
Beaprint.ColorPrint($" value: {lmCompatibilityLevel}, description: {description}", color);
}
else
var clientSessionSecurity = (SessionSecurity)info.NTLMMinClientSec;
var clientSessionSecurityDescription = clientSessionSecurity.GetDescription();
var color = !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !clientSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ?
Beaprint.ansi_color_bad :
Beaprint.ansi_color_good;
Beaprint.ColorPrint($" NTLMMinClientSec : {info.NTLMMinClientSec} ({clientSessionSecurityDescription})", color);
if (info.LanmanCompatibilityLevel < 3 && !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2))
{
throw new Exception($"Unable to get value description for value '{lmCompatibilityLevel}'");
Beaprint.BadPrint(" [!] NTLM clients support NTLMv1!");
}
}
else
if (info.NTLMMinServerSec != null)
{
throw new Exception($"Unable to parse {key} value '{lmCompatibilityLevelValue}'");
}
}
else
var serverSessionSecurity = (SessionSecurity)info.NTLMMinServerSec;
var serverSessionSecurityDescription = serverSessionSecurity.GetDescription();
var color = !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !serverSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ?
Beaprint.ansi_color_bad :
Beaprint.ansi_color_good;
Beaprint.ColorPrint($" NTLMMinServerSec : {info.NTLMMinServerSec} ({serverSessionSecurityDescription})\n", color);
if (info.LanmanCompatibilityLevel < 3 && !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2))
{
Beaprint.ColorPrint(" The registry key does not exist", Beaprint.ansi_color_yellow);
Beaprint.BadPrint(" [!] NTLM services on this machine support NTLMv1!");
}
}
var ntlmOutboundRestrictionsColor = info.OutboundRestrictions == 2 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
Beaprint.ColorPrint("\n NTLM Auditing and Restrictions", Beaprint.LBLUE);
Beaprint.NoColorPrint($" InboundRestrictions : {info.InboundRestrictions} ({info.InboundRestrictionsString})");
Beaprint.ColorPrint($" OutboundRestrictions : {info.OutboundRestrictions} ({info.OutboundRestrictionsString})", ntlmOutboundRestrictionsColor);
Beaprint.NoColorPrint($" InboundAuditing : {info.InboundAuditing} ({info.InboundRestrictionsString})");
Beaprint.NoColorPrint($" OutboundExceptions : {info.OutboundExceptions}");
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
@ -1047,5 +1075,36 @@ namespace winPEAS.Checks
{
}
}
private static void PrintPowerShellSessionSettings()
{
try
{
Beaprint.MainPrint("Enumerating PowerShell Session Settings using the registry");
if (!MyUtils.IsHighIntegrity())
{
Beaprint.NoColorPrint(" You must be an administrator to run this check");
return;
}
var infos = PowerShell.GetPowerShellSessionSettingsInfos();
foreach (var info in infos)
{
Beaprint.NoColorPrint($" {"Name",-38} {info.Plugin}");
foreach (var access in info.Permissions)
{
Beaprint.NoColorPrint($" {access.Principal,-35} {access.Permission,-22}");
}
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
}
}
}
}
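Review bot: In PrintNtlmSettings the InboundAuditing line reuses the wrong description — it prints `info.InboundRestrictionsString` next to `info.InboundAuditing` although `NtlmSettingsInfo.InboundAuditingString` exists for exactly this; the line should read `Beaprint.NoColorPrint($" InboundAuditing : {info.InboundAuditing} ({info.InboundAuditingString})");`. The LdapSigning line has a similar slip: both the value slot and the parenthesised slot print `info.LdapSigningString`, so the numeric registry value is never shown; use `$" LdapSigning : {(info.LdapSigning != null ? info.LdapSigning.ToString() : "null")} ({info.LdapSigningString})",`. The catch block of PrintNtlmSettings begins on the last hunk line and the method closes outside the hunk. The empty catch in the PrintPowerShellSessionSettings hunk below is the defect already raised on the PrintLOLBAS hunk.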


@ -25,6 +25,7 @@ namespace winPEAS.Checks
PrintVaultCreds,
PrintCredentialManager,
PrintSavedRDPInfo,
PrintRDPSettings,
PrintRecentRunCommands,
PrintDPAPIMasterKeys,
PrintDpapiCredFiles,
@ -124,7 +125,7 @@ namespace winPEAS.Checks
List<Dictionary<string, string>> rdps_info = RemoteDesktop.GetSavedRDPConnections();
if (rdps_info.Count > 0)
System.Console.WriteLine(string.Format(" {0,-20}{1,-55}{2}", "Host", "Username Hint", "User SID"));
Beaprint.NoColorPrint(string.Format(" {0,-20}{1,-55}{2}", "Host", "Username Hint", "User SID"));
else
{
Beaprint.NotFoundPrint();
@ -132,7 +133,7 @@ namespace winPEAS.Checks
foreach (Dictionary<string, string> rdp_info in rdps_info)
{
System.Console.WriteLine(string.Format(" {0,-20}{1,-55}{2}", rdp_info["Host"], rdp_info["Username Hint"], rdp_info["SID"]));
Beaprint.NoColorPrint(string.Format(" {0,-20}{1,-55}{2}", rdp_info["Host"], rdp_info["Username Hint"], rdp_info["SID"]));
}
}
catch (Exception ex)
@ -400,5 +401,76 @@ namespace winPEAS.Checks
Beaprint.PrintException(ex.Message);
}
}
private static void PrintRDPSettings()
{
try
{
Beaprint.MainPrint("Remote Desktop Server/Client Settings");
var info = Info.WindowsCreds.RemoteDesktop.GetRDPSettingsInfo();
var server = info.ServerSettings;
Beaprint.ColorPrint(" RDP Server Settings", Beaprint.LBLUE);
Beaprint.NoColorPrint($" NetworkLevelAuthentication : {server.NetworkLevelAuthentication}");
Beaprint.NoColorPrint($" BlockClipboardRedirection : {server.BlockClipboardRedirection}");
Beaprint.NoColorPrint($" BlockComPortRedirection : {server.BlockComPortRedirection}");
Beaprint.NoColorPrint($" BlockDriveRedirection : {server.BlockDriveRedirection}");
Beaprint.NoColorPrint($" BlockLptPortRedirection : {server.BlockLptPortRedirection}");
Beaprint.NoColorPrint($" BlockPnPDeviceRedirection : {server.BlockPnPDeviceRedirection}");
Beaprint.NoColorPrint($" BlockPrinterRedirection : {server.BlockPrinterRedirection}");
Beaprint.NoColorPrint($" AllowSmartCardRedirection : {server.AllowSmartCardRedirection}");
Beaprint.ColorPrint("\n RDP Client Settings", Beaprint.LBLUE);
Beaprint.NoColorPrint($" DisablePasswordSaving : {info.ClientSettings.DisablePasswordSaving}");
Beaprint.NoColorPrint($" RestrictedRemoteAdministration : {info.ClientSettings.RestrictedRemoteAdministration}");
var type = info.ClientSettings.RestrictedRemoteAdministrationType;
var types = new Dictionary<uint, string>()
{
{ 1, "Require Restricted Admin Mode" },
{ 2, "Require Remote Credential Guard" },
{ 3, "Require Restricted Admin or Remote Credential Guard" },
};
if (type != null)
{
var str = GetDescriptionByType(type);
Beaprint.NoColorPrint($" RestrictedRemoteAdministrationType: {str}");
}
var level = info.ClientSettings.ServerAuthLevel;
if (level != null)
{
var str = GetDescriptionByType(level);
Beaprint.NoColorPrint($" ServerAuthenticationLevel: {level} - {str}");
}
}
catch (Exception ex)
{
}
}
private static string GetDescriptionByType(uint? type)
{
var types = new Dictionary<uint, string>()
{
{ 1, "Require Restricted Admin Mode" },
{ 2, "Require Remote Credential Guard" },
{ 3, "Require Restricted Admin or Remote Credential Guard" },
};
string str = $"{type} - Unknown";
if (types.ContainsKey(type.Value))
{
str = types[type.Value];
}
return str;
}
}
}
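Review bot: `GetDescriptionByType` maps the RestrictedRemoteAdministrationType values 1–3 to restricted-admin / Credential Guard modes, but PrintRDPSettings also feeds it `info.ClientSettings.ServerAuthLevel`, whose AuthenticationLevel values mean something different (as far as I recall 0/1/2 express connect-anyway / warn / refuse when server authentication fails), so the ServerAuthenticationLevel line can carry a misleading description; give it its own mapping. Because the helper's fallback already embeds the number (`$"{type} - Unknown"`), the caller's `$" ServerAuthenticationLevel: {level} - {str}"` prints the value twice on the unknown path. The `types` dictionary built inside PrintRDPSettings is never read and duplicates the one in the helper, and the helper's `ContainsKey` + indexer is a double lookup: `return types.TryGetValue(type.Value, out var str) ? str : $"{type} - Unknown";`. The empty catch at the end of PrintRDPSettings is the defect already raised on the PrintLOLBAS hunk.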


@ -156,5 +156,17 @@ namespace winPEAS.Helpers.Registry
{
return Microsoft.Win32.Registry.Users.GetSubKeyNames() ?? new string[] { };
}
internal static uint? GetDwordValue(string hive, string key, string val)
{
string strValue = RegistryHelper.GetRegValue(hive, key, val);
if (uint.TryParse(strValue, out uint res))
{
return res;
}
return null;
}
}
}
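Review bot: `uint.TryParse(strValue, out uint res)` in GetDwordValue parses with the current culture and default number styles; for machine data from the registry the invariant form is the safe one: `if (uint.TryParse(strValue, NumberStyles.Integer, CultureInfo.InvariantCulture, out uint res))` (needs `using System.Globalization;`). The method also conflates "value absent" with "value present but not a number" — both come back as `null`, and every new caller in this commit treats `null` as "not configured"; a doc comment stating that contract, e.g. `/// Returns null when the value is missing or is not a decimal unsigned 32-bit integer.`, would make it explicit. This presumes `GetRegValue` renders REG_DWORD data as a decimal string, which is not visible in the hunk and worth confirming. The enclosing RegistryHelper class starts outside the hunk.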

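--- /dev/null
+++ b/Helpers/Search/LOLBAS.cs
@@ -0,0 +1,132 @@
+using System.Collections.Generic;
+namespace winPEAS.Helpers.Search
+{
+class LOLBAS
+{
+public static readonly HashSet<string> FileWithExtension = new HashSet<string>(){
+"advpack.dll",
+"appvlp.exe",
+"at.exe",
+"atbroker.exe",
+"bash.exe",
+"bginfo.exe",
+"bitsadmin.exe",
+"cl_invocation.ps1",
+"cl_mutexverifiers.ps1",
+"cdb.exe",
+"certutil.exe",
+"cmd.exe",
+"cmdkey.exe",
+"cmstp.exe",
+"comsvcs.dll",
+"control.exe",
+"csc.exe",
+"cscript.exe",
+"desktopimgdownldr.exe",
+"devtoolslauncher.exe",
+"dfsvc.exe",
+"diskshadow.exe",
+"dnscmd.exe",
+"dotnet.exe",
+"dxcap.exe",
+"esentutl.exe",
+"eventvwr.exe",
+"excel.exe",
+"expand.exe",
+"extexport.exe",
+"extrac32.exe",
+"findstr.exe",
+"forfiles.exe",
+"ftp.exe",
+"gfxdownloadwrapper.exe",
+"gpscript.exe",
+"hh.exe",
+"ie4uinit.exe",
+"ieadvpack.dll",
+"ieaframe.dll",
+"ieexec.exe",
+"ilasm.exe",
+"infdefaultinstall.exe",
+"installutil.exe",
+"java.exe",
+"jsc.exe",
+"makecab.exe",
+"manage-bde.wsf",
+"mavinject.exe",
+"mftrace.exe",
+"microsoft.workflow.compiler.exe",
+"mmc.exe",
+"msbuild.exe",
+"msconfig.exe",
+"msdeploy.exe",
+"msdt.exe",
+"mshta.exe",
+"mshtml.dll",
+"msiexec.exe",
+"netsh.exe",
+"nc.exe",
+"nc64.exe",
+"nmap.exe",
+"odbcconf.exe",
+"pcalua.exe",
+"pcwrun.exe",
+"pcwutl.dll",
+"pester.bat",
+"powerpnt.exe",
+"presentationhost.exe",
+"print.exe",
+"psr.exe",
+"pubprn.vbs",
+"rasautou.exe",
+"reg.exe",
+"regasm.exe",
+"regedit.exe",
+"regini.exe",
+"register-cimprovider.exe",
+"regsvcs.exe",
+"regsvr32.exe",
+"replace.exe",
+"rpcping.exe",
+"rundll32.exe",
+"runonce.exe",
+"runscripthelper.exe",
+"sqltoolsps.exe",
+"sc.exe",
+"schtasks.exe",
+"scriptrunner.exe",
+"setupapi.dll",
+"shdocvw.dll",
+"shell32.dll",
+"slmgr.vbs",
+"sqldumper.exe",
+"sqlps.exe",
+"squirrel.exe",
+"syncappvpublishingserver.exe",
+"syncappvpublishingserver.vbs",
+"syssetup.dll",
+"tracker.exe",
+"tttracer.exe",
+"update.exe",
+"url.dll",
+"verclsid.exe",
+"wab.exe",
+"winword.exe",
+"wmic.exe",
+"wscript.exe",
+"wsl.exe",
+"wsreset.exe",
+"xwizard.exe",
+"zipfldr.dll",
+"csi.exe",
+"dnx.exe",
+"msxsl.exe",
+"ntdsutil.exe",
+"rcsi.exe",
+"te.exe",
+"vbc.exe",
+"vsjitdebugger.exe",
+"winrm.vbs",
+};
+}
+}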
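Review bot: `FileWithExtension` is a plain `HashSet<string>`, so case-insensitive matching is left to each caller (PrintLOLBAS lower-cases the file name before `Contains`); constructing it with `new HashSet<string>(StringComparer.OrdinalIgnoreCase)` (add `using System;`) makes the set itself case-insensitive and removes the culture-dependent `ToLower()` at the call site. The class holds only static state, so `internal static class LOLBAS` states the intent and the accessibility explicitly. A header comment naming the origin of the list, `// File names taken from https://lolbas-project.github.io/ (snapshot: <date placeholder>)`, would tell the next maintainer when it needs refreshing.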


@ -12,9 +12,9 @@ namespace winPEAS.Helpers.Search
{
public static List<CustomFileInfo> RootDirUsers;
private static List<CustomFileInfo> RootDirCurrentUser;
private static List<CustomFileInfo> ProgramFiles;
private static List<CustomFileInfo> ProgramFilesX86;
private static List<CustomFileInfo> DocumentsAndSettings;
public static List<CustomFileInfo> ProgramFiles;
public static List<CustomFileInfo> ProgramFilesX86;
public static List<CustomFileInfo> DocumentsAndSettings;
private static List<CustomFileInfo> GroupPolicyHistory;
private static string SystemDrive = Environment.GetEnvironmentVariable("SystemDrive");
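Review bot: Making `ProgramFiles`, `ProgramFilesX86` and `DocumentsAndSettings` `public static List<CustomFileInfo>` fields exposes mutable shared state: any caller can replace the list or append to it, while PrintLOLBAS only needs to read them. A getter-only property typed `IReadOnlyList<CustomFileInfo>` (or at least `internal static`) gives the consumer what it needs without write access; `RootDirUsers` above has the same shape. The enclosing class and the code that populates these lists are outside the hunk.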

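--- /dev/null
+++ b/Info/NetworkInfo/InternetSettings/InternetSettings.cs
@@ -0,0 +1,100 @@
+using System.Collections.Generic;
+using winPEAS.Helpers.Registry;
+namespace winPEAS.Info.NetworkInfo.InternetSettings
+{
+class InternetSettings
+{
+public static InternetSettingsInfo GetInternetSettingsInfo()
+{
+var result = new InternetSettingsInfo();
+// List user/system internet settings for zonemapkey (local, trusted, etc.) :
+// 1 = Intranet zone sites on your local network.
+// 2 = Trusted Sites zone sites that have been added to your trusted sites.
+// 3 = Internet zone sites that are on the Internet.
+// 4 = Restricted Sites zone sites that have been specifically added to your restricted sites.
+IDictionary<string, string> zoneMapKeys = new Dictionary<string, string>()
+{
+{"0", "My Computer" },
+{"1", "Local Intranet Zone"},
+{"2", "Trusted Sites Zone"},
+{"3", "Internet Zone"},
+{"4", "Restricted Sites Zone"}
+};
+// lists user/system internet settings, including default proxy info
+string internetSettingsKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
+AddSettings("HKCU", internetSettingsKey, result.GeneralSettings, zoneMapKeys: null);
+AddSettings("HKLM", internetSettingsKey, result.GeneralSettings, zoneMapKeys: null);
+string zoneMapKey = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey";
+AddSettings("HKCU", zoneMapKey, result.ZoneMaps, zoneMapKeys);
+AddSettings("HKLM", zoneMapKey, result.ZoneMaps, zoneMapKeys);
+// List Zones settings with automatic logons
+/**
+* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{0..4}\1A00
+* Logon setting (1A00) may have any one of the following values (hexadecimal):
+* Value Setting
+* ---------------------------------------------------------------
+* 0x00000000 Automatically logon with current username and password
+* 0x00010000 Prompt for user name and password
+* 0x00020000 Automatic logon only in the Intranet zone
+* 0x00030000 Anonymous logon
+**/
+IDictionary<uint, string> zoneAuthSettings = new Dictionary<uint, string>()
+{
+{0x00000000, "Automatically logon with current username and password"},
+{0x00010000, "Prompt for user name and password"},
+{0x00020000, "Automatic logon only in the Intranet zone"},
+{0x00030000, "Anonymous logon"}
+};
+for (int i = 0; i <= 4; i++)
+{
+var keyPath = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\" + i;
+var isParsed = uint.TryParse(RegistryHelper.GetRegValue("HKLM", keyPath, "1A00"), out uint authSetting);
+if (isParsed)
+{
+var zone = zoneMapKeys[i.ToString()];
+var authSettingStr = zoneAuthSettings[authSetting];
+result.ZoneAuthSettings.Add(new InternetSettingsKey(
+"HKLM",
+keyPath,
+"1A00",
+authSetting.ToString(),
+$"{zone} : {authSettingStr}"
+));
+}
+}
+return result;
+}
+private static void AddSettings(string hive, string keyPath, IList<InternetSettingsKey> internetSettingsList, IDictionary<string, string> zoneMapKeys = null)
+{
+var proxySettings = (RegistryHelper.GetRegValues(hive, keyPath) ?? new Dictionary<string, object>());
+if (proxySettings != null)
+{
+foreach (var kvp in proxySettings)
+{
+string interpretation = zoneMapKeys?[kvp.Value.ToString()];
+internetSettingsList.Add(new InternetSettingsKey(
+hive,
+keyPath,
+kvp.Key,
+kvp.Value.ToString(),
+interpretation));
+}
+}
+}
+}
+}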
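Review bot: The block comment above the zone-logon loop documents `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{0..4}\1A00`, but the loop reads `Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\` + i, so one of the two is wrong; if the policy hive is intended the comment should say so, since the non-policy path is typically where the defaults live and a missing policy value does not mean the zone has no logon setting. Two dictionary indexers can throw on unexpected registry data and, because PrintInternetSettings swallows the exception, end the whole check with no output: `zoneAuthSettings[authSetting]` for any 1A00 value other than the four listed, and `zoneMapKeys?[kvp.Value.ToString()]` in AddSettings for a ZoneMapKey value outside 0–4. Use `var authSettingStr = zoneAuthSettings.TryGetValue(authSetting, out var s) ? s : "Unknown";` and `string interpretation = zoneMapKeys != null && zoneMapKeys.TryGetValue(kvp.Value.ToString(), out var z) ? z : null;`. In AddSettings the `?? new Dictionary<string, object>()` already guarantees a non-null `proxySettings`, so the `if (proxySettings != null)` guard is dead.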

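--- /dev/null
+++ b/Info/NetworkInfo/InternetSettings/InternetSettingsInfo.cs
@@ -0,0 +1,11 @@
+using System.Collections.Generic;
+namespace winPEAS.Info.NetworkInfo.InternetSettings
+{
+class InternetSettingsInfo
+{
+public IList<InternetSettingsKey> GeneralSettings { get; set; } = new List<InternetSettingsKey>();
+public IList<InternetSettingsKey> ZoneMaps { get; set; } = new List<InternetSettingsKey>();
+public IList<InternetSettingsKey> ZoneAuthSettings { get; set; } = new List<InternetSettingsKey>();
+}
+}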
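Review bot: The three collection properties have public setters (`{ get; set; } = new List<...>()`), which lets a caller swap the list out from under the object; nothing in this commit assigns them, `GetInternetSettingsInfo` only adds to them. `public IList<InternetSettingsKey> GeneralSettings { get; } = new List<InternetSettingsKey>();` (and likewise for ZoneMaps and ZoneAuthSettings) keeps the same usage with a narrower surface.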

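--- /dev/null
+++ b/Info/NetworkInfo/InternetSettings/InternetSettingsKey.cs
@@ -0,0 +1,25 @@
+namespace winPEAS.Info.NetworkInfo.InternetSettings
+{
+internal class InternetSettingsKey
+{
+public string ValueName { get; }
+public string Value { get; }
+public string Hive { get; }
+public string Path { get; }
+public string Interpretation { get; }
+public InternetSettingsKey(
+string hive,
+string path,
+string valueName,
+string value,
+string interpretation)
+{
+ValueName = valueName;
+Value = value;
+Interpretation = interpretation;
+Hive = hive;
+Path = path;
+}
+}
+}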
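Review bot: `Interpretation` is null for the general-settings entries (AddSettings is called with `zoneMapKeys: null` for them) and populated only for zone maps and zone auth settings, but nothing on the type says so; a comment on the property, `// Human-readable meaning of Value; null for plain Internet Settings entries`, would stop consumers from assuming it is always set. The constructor's parameter order (hive, path, valueName, value, interpretation) differs from the property declaration order and from the assignment order in the body; aligning the three makes positional calls easier to check.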

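--- /dev/null
+++ b/Info/SystemInfo/Ntlm/Ntlm.cs
@@ -0,0 +1,39 @@
+using winPEAS.Helpers.Registry;
+namespace winPEAS.Info.SystemInfo.Ntlm
+{
+internal class Ntlm
+{
+public static NtlmSettingsInfo GetNtlmSettingsInfo()
+{
+return new NtlmSettingsInfo
+{
+LanmanCompatibilityLevel = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel"),
+ClientRequireSigning = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature") == 1,
+ClientNegotiateSigning = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature") == 1,
+ServerRequireSigning = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Services\LanManServer\Parameters", "RequireSecuritySignature") == 1,
+ServerNegotiateSigning = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Services\LanManServer\Parameters", "EnableSecuritySignature") == 1,
+LdapSigning = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Services\LDAP", "LDAPClientIntegrity"),
+NTLMMinClientSec = RegistryHelper.GetDwordValue("HKLM", @"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NtlmMinClientSec"),
+NTLMMinServerSec = RegistryHelper.GetDwordValue("HKLM", @"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NtlmMinServerSec"),
+InboundRestrictions = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictReceivingNTLMTraffic"), // Network security: Restrict NTLM: Incoming NTLM traffic
+OutboundRestrictions = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictSendingNTLMTraffic"), // Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
+InboundAuditing = RegistryHelper.GetDwordValue("HKLM", @"System\CurrentControlSet\Control\Lsa\MSV1_0", "AuditReceivingNTLMTraffic"), // Network security: Restrict NTLM: Audit Incoming NTLM Traffic
+OutboundExceptions = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\Lsa\MSV1_0", "ClientAllowedNTLMServers"), // Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
+//DCRestrictions = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Services\Netlogon\Parameters", "RestrictNTLMInDomain"), // Network security: Restrict NTLM: NTLM authentication in this domain
+//DCExceptions = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Services\Netlogon\Parameters", "DCAllowedNTLMServers"), // Network security: Restrict NTLM: Add server exceptions in this domain
+//DCAuditing = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Services\Netlogon\Parameters", "AuditNTLMInDomain"), // Network security: Restrict NTLM: Audit NTLM authentication in this domain
+//DCLdapSigning = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Services\NTDS\Parameters", "LDAPServerIntegrity"),
+//LdapChannelBinding = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Services\NTDS\Parameters", "LdapEnforceChannelBinding"),
+//ExtendedProtectionForAuthentication = RegistryUtil.GetValue("HKLM", @"System\CurrentControlSet\Control\LSA", "SuppressExtendedProtection"),
+};
+}
+}
+}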
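Review bot: The four signing properties collapse an absent registry value into `false` (`GetDwordValue(...) == 1` is false when the left side is null), so a host that simply has no `RequireSecuritySignature`/`EnableSecuritySignature` value is reported as not signing, whereas the `uint?` properties beside them keep the absent/explicit distinction and `NtlmSettingsInfo.LdapSigningString` maps null to a default. Either keep these as `uint?` and let the printer decide, or add a comment such as `// absent value is reported as false; the OS default for this value may differ` so that `False` in the output is not read as an explicit configuration. The commented-out `DCRestrictions` … `ExtendedProtectionForAuthentication` lines call `RegistryUtil.GetValue`, which is not the helper used anywhere else in this commit; port them to `RegistryHelper.GetDwordValue` or drop the dead code.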

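--- /dev/null
+++ b/Info/SystemInfo/Ntlm/NtlmSettingsInfo.cs
@@ -0,0 +1,109 @@
+namespace winPEAS.Info.SystemInfo.Ntlm
+{
+internal class NtlmSettingsInfo
+{
+public uint? LanmanCompatibilityLevel { get; set; }
+public string LanmanCompatibilityLevelString
+{
+get
+{
+switch (LanmanCompatibilityLevel)
+{
+case 0: return "Send LM & NTLM responses";
+case 1: return "Send LM & NTLM - Use NTLMv2 session security if negotiated";
+case 2: return "Send NTLM response only";
+case null:
+case 3: return "Send NTLMv2 response only - Win7+ default";
+case 4: return "Send NTLMv2 response only. DC: Refuse LM";
+case 5: return "Send NTLMv2 response only. DC: Refuse LM & NTLM";
+default: return "Unknown";
+}
+}
+}
+public bool ClientRequireSigning { get; set; }
+public bool ClientNegotiateSigning { get; set; }
+public bool ServerRequireSigning { get; set; }
+public bool ServerNegotiateSigning { get; set; }
+public uint? LdapSigning { get; set; }
+public string LdapSigningString
+{
+get
+{
+switch (LdapSigning)
+{
+case 0: return "No signing";
+case 1:
+case null: return "Negotiate signing";
+case 2: return "Require Signing";
+default: return "Unknown";
+}
+}
+}
+public uint? NTLMMinClientSec { get; set; }
+public uint? NTLMMinServerSec { get; set; }
+public uint? InboundRestrictions { get; internal set; }
+public string InboundRestrictionsString
+{
+get
+{
+string inboundRestrictStr = InboundRestrictions switch
+{
+0 => "Allow all",
+1 => "Deny all domain accounts",
+2 => "Deny all accounts",
+_ => "Not defined",
+};
+return inboundRestrictStr;
+}
+}
+public uint? OutboundRestrictions { get; internal set; }
+public string OutboundRestrictionsString
+{
+get
+{
+string outboundRestrictStr = OutboundRestrictions switch
+{
+0 => "Allow all",
+1 => "Audit all",
+2 => "Deny all",
+_ => "Not defined",
+};
+return outboundRestrictStr;
+}
+}
+public uint? InboundAuditing { get; internal set; }
+public string InboundAuditingString
+{
+get
+{
+string inboundAuditStr = InboundAuditing switch
+{
+0 => "Disable",
+1 => "Enable auditing for domain accounts",
+2 => "Enable auditing for all accounts",
+_ => "Not defined",
+};
+return inboundAuditStr;
+}
+}
+public string OutboundExceptions { get; internal set; }
+//public string DCRestrictions { get; internal set; }
+//public string DCExceptions { get; internal set; }
+//public string DCAuditing { get; internal set; }
+//public string LdapChannelBinding { get; set; }
+//public string ExtendedProtectionForAuthentication { get; set; }
+}
+}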
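Review bot: The type mixes two styles for the same job: `LanmanCompatibilityLevelString` and `LdapSigningString` are `switch` statements with `case` labels, while the three Restrictions/Auditing strings bind a switch expression to a temporary and return it; since the file already uses switch expressions, the first two can be expression-bodied (`=> LanmanCompatibilityLevel switch { 0 => "...", ..., _ => "Unknown" }`) and the temporaries in the other three can be returned directly. The `case null:` fall-through to level 3 and the `case null:` grouped with 1 for LDAP each encode a platform default that deserves a comment, e.g. `// absent value: reported as the Windows 7+ default (3)`. Setter accessibility is also inconsistent (`internal set` on the four Restrictions/Auditing/Exceptions properties, plain `set` elsewhere) with no visible reason for the difference.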

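--- /dev/null
+++ b/Info/SystemInfo/PowerShell/PluginAccessInfo.cs
@@ -0,0 +1,19 @@
+namespace winPEAS.Info.SystemInfo.PowerShell
+{
+internal class PluginAccessInfo
+{
+public string Principal { get; }
+public string Sid { get; }
+public string Permission { get; }
+public PluginAccessInfo(
+string principal,
+string sid,
+string permission)
+{
+Principal = principal;
+Sid = sid;
+Permission = permission;
+}
+}
+}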

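--- /dev/null
+++ b/Info/SystemInfo/PowerShell/PowerShell.cs
@@ -0,0 +1,54 @@
+using System.Collections.Generic;
+using System.Security.AccessControl;
+using System.Xml;
+using winPEAS.Helpers.Registry;
+namespace winPEAS.Info.SystemInfo.PowerShell
+{
+internal class PowerShell
+{
+public static IEnumerable<PowerShellSessionSettingsInfo> GetPowerShellSessionSettingsInfos()
+{
+var plugins = new[] { "Microsoft.PowerShell", "Microsoft.PowerShell.Workflow", "Microsoft.PowerShell32" };
+foreach (var plugin in plugins)
+{
+var config = RegistryHelper.GetRegValue("HKLM", $"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\\{plugin}", "ConfigXML");
+if (config == null) continue;
+var access = new List<PluginAccessInfo>();
+var xmlDoc = new XmlDocument();
+xmlDoc.LoadXml(config);
+var security = xmlDoc.GetElementsByTagName("Security");
+if (security.Count <= 0)
+continue;
+foreach (XmlAttribute attr in security[0].Attributes)
+{
+if (attr.Name != "Sddl")
+{
+continue;
+}
+var desc = new RawSecurityDescriptor(attr.Value);
+foreach (QualifiedAce ace in desc.DiscretionaryAcl)
+{
+var principal = ace.SecurityIdentifier.Translate(typeof(System.Security.Principal.NTAccount)).ToString();
+var accessStr = ace.AceQualifier.ToString();
+access.Add(new PluginAccessInfo(
+principal,
+ace.SecurityIdentifier.ToString(),
+accessStr
+));
+}
+}
+yield return new PowerShellSessionSettingsInfo(plugin, access);
+}
+}
+}
+}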
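Review bot: `ace.SecurityIdentifier.Translate(typeof(System.Security.Principal.NTAccount))` throws `IdentityNotMappedException` for a SID that cannot be resolved (orphaned or foreign-domain principals are not unusual in a WSMAN plugin SDDL), and because the method is an iterator that exception ends enumeration for every remaining plugin as well, after which PrintPowerShellSessionSettings swallows it and prints nothing; catch it per ACE and fall back to the SID string. The `foreach (QualifiedAce ace in desc.DiscretionaryAcl)` cast likewise throws `InvalidCastException` for any ACE that is not a `QualifiedAce`; iterate as `GenericAce` and skip the others. The ConfigXML string is parsed with a default `XmlDocument`; setting `xmlDoc.XmlResolver = null;` before `LoadXml` turns off external-entity resolution for data this code does not produce, which is cheap insurance. The rewritten inner loop is below; the rest of the method is unchanged.
```csharp
xmlDoc.XmlResolver = null; // no external entity resolution for registry-sourced XML
xmlDoc.LoadXml(config);
// … unchanged: Security element lookup and Sddl attribute filter …
foreach (GenericAce generic in desc.DiscretionaryAcl)
{
    if (!(generic is QualifiedAce ace))
    {
        continue;
    }
    string principal;
    try
    {
        principal = ace.SecurityIdentifier.Translate(typeof(System.Security.Principal.NTAccount)).ToString();
    }
    catch (System.Security.Principal.IdentityNotMappedException)
    {
        // unresolvable SID: report the raw SID instead of aborting the whole enumeration
        principal = ace.SecurityIdentifier.ToString();
    }
    var accessStr = ace.AceQualifier.ToString();
    // … unchanged: access.Add(new PluginAccessInfo(principal, ace.SecurityIdentifier.ToString(), accessStr)) …
}
```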

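--- /dev/null
+++ b/Info/SystemInfo/PowerShell/PowerShellSessionSettingsInfo.cs
@@ -0,0 +1,16 @@
+using System.Collections.Generic;
+namespace winPEAS.Info.SystemInfo.PowerShell
+{
+internal class PowerShellSessionSettingsInfo
+{
+public string Plugin { get; }
+public List<PluginAccessInfo> Permissions { get; }
+public PowerShellSessionSettingsInfo(string plugin, List<PluginAccessInfo> permissions)
+{
+Plugin = plugin;
+Permissions = permissions;
+}
+}
+}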

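--- /dev/null
+++ b/Info/WindowsCreds/RDPClientSettings.cs
@@ -0,0 +1,22 @@
+namespace winPEAS.Info.WindowsCreds
+{
+internal class RDPClientSettings
+{
+public bool RestrictedRemoteAdministration { get; }
+public uint? RestrictedRemoteAdministrationType { get; }
+public uint? ServerAuthLevel { get; }
+public bool DisablePasswordSaving { get; }
+public RDPClientSettings(
+bool restrictedRemoteAdministration,
+uint? restrictedRemoteAdministrationType,
+uint? serverAuthLevel,
+bool disablePasswordSaving)
+{
+RestrictedRemoteAdministration = restrictedRemoteAdministration;
+RestrictedRemoteAdministrationType = restrictedRemoteAdministrationType;
+ServerAuthLevel = serverAuthLevel;
+DisablePasswordSaving = disablePasswordSaving;
+}
+}
+}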

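--- /dev/null
+++ b/Info/WindowsCreds/RDPServerSettings.cs
@@ -0,0 +1,34 @@
+namespace winPEAS.Info.WindowsCreds
+{
+internal class RDPServerSettings
+{
+public uint? NetworkLevelAuthentication { get; }
+public uint? BlockClipboardRedirection { get; }
+public uint? BlockComPortRedirection { get; }
+public uint? BlockDriveRedirection { get; }
+public uint? BlockLptPortRedirection { get; }
+public uint? AllowSmartCardRedirection { get; }
+public uint? BlockPnPDeviceRedirection { get; }
+public uint? BlockPrinterRedirection { get; }
+public RDPServerSettings(
+uint? networkLevelAuthentication,
+uint? blockClipboardRedirection,
+uint? blockComPortRedirection,
+uint? blockDriveRedirection,
+uint? blockLptPortRedirection,
+uint? allowSmartCardRedirection,
+uint? blockPnPDeviceRedirection,
+uint? blockPrinterRedirection)
+{
+NetworkLevelAuthentication = networkLevelAuthentication;
+BlockClipboardRedirection = blockClipboardRedirection;
+BlockComPortRedirection = blockComPortRedirection;
+BlockDriveRedirection = blockDriveRedirection;
+BlockLptPortRedirection = blockLptPortRedirection;
+AllowSmartCardRedirection = allowSmartCardRedirection;
+BlockPnPDeviceRedirection = blockPnPDeviceRedirection;
+BlockPrinterRedirection = blockPrinterRedirection;
+}
+}
+}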

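--- /dev/null
+++ b/Info/WindowsCreds/RDPSettingsInfo.cs
@@ -0,0 +1,17 @@
+
+namespace winPEAS.Info.WindowsCreds
+{
+internal class RDPSettingsInfo
+{
+public RDPClientSettings ClientSettings { get; }
+public RDPServerSettings ServerSettings { get; }
+public RDPSettingsInfo(
+RDPClientSettings clientSettings,
+RDPServerSettings serverSettings)
+{
+ClientSettings = clientSettings;
+ServerSettings = serverSettings;
+}
+}
+}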

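--- /dev/null
+++ b/Info/WindowsCreds/RemoteDesktop.cs
@@ -0,0 +1,46 @@
+using winPEAS.Helpers.Registry;
+namespace winPEAS.Info.WindowsCreds
+{
+internal class RemoteDesktop
+{
+public static RDPSettingsInfo GetRDPSettingsInfo()
+{
+// Client settings
+var credDelegKey = @"Software\Policies\Microsoft\Windows\CredentialsDelegation";
+var restrictedAdmin = RegistryHelper.GetDwordValue("HKLM", credDelegKey, "RestrictedRemoteAdministration");
+var restrictedAdminType = RegistryHelper.GetDwordValue("HKLM", credDelegKey, "RestrictedRemoteAdministrationType");
+var serverAuthLevel = RegistryHelper.GetDwordValue("HKLM", @"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "AuthenticationLevel");
+var termServKey = @"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services";
+var disablePwSaving = RegistryHelper.GetDwordValue("HKLM", termServKey, "DisablePasswordSaving");
+// Server settings
+var nla = RegistryHelper.GetDwordValue("HKLM", termServKey, "UserAuthentication");
+var blockClipboard = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisableClip");
+var blockComPort = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisableCcm");
+var blockDrives = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisableCdm");
+var blockLptPort = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisableLPT");
+var blockSmartCard = RegistryHelper.GetDwordValue("HKLM", termServKey, "fEnableSmartCard");
+var blockPnp = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisablePNPRedir");
+var blockPrinters = RegistryHelper.GetDwordValue("HKLM", termServKey, "fDisableCpm");
+return new RDPSettingsInfo(
+new RDPClientSettings(
+restrictedAdmin != null && restrictedAdmin != 0,
+restrictedAdminType,
+serverAuthLevel,
+disablePwSaving == null || disablePwSaving == 1),
+new RDPServerSettings(
+nla,
+blockClipboard,
+blockComPort,
+blockDrives,
+blockLptPort,
+blockSmartCard,
+blockPnp,
+blockPrinters
+)
+);
+}
+}
+}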
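Review bot: The local `blockSmartCard` is read from `fEnableSmartCard` and passed as the `allowSmartCardRedirection` argument of RDPServerSettings, so the name says the opposite of the value it carries; rename it `allowSmartCard`. `serverAuthLevel` is read with a literal `@"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"` one line before `termServKey` is declared with the same string — declare `termServKey` first and reuse it. Absent values are folded differently for the two booleans (`restrictedAdmin` null → false, `disablePwSaving` null → true) and nothing says which OS default each is meant to encode; a comment on each line, or keeping `uint?` as the other fields do, would make that deliberate. All reads target the policy hive, so a null `NetworkLevelAuthentication` only means no policy is set, not that NLA is off — the effective per-listener `UserAuthentication` value lives under `SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`, which the check does not consult; a fallback read or a note in the output would avoid false negatives.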

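--- /dev/null
+++ b/Native/Enums/SessionSecurity.cs
@@ -0,0 +1,27 @@
+using System;
+using System.ComponentModel;
+namespace winPEAS.Native.Enums
+{
+[Flags]
+enum SessionSecurity : uint
+{
+[Description("None checked")]
+None = 0x00000000,
+[Description("Require message integrity")]
+Integrity = 0x00000010, // Message integrity
+[Description("Require message confidentiality")]
+Confidentiality = 0x00000020, // Message confidentiality
+[Description("Require NTLMv2 session security")]
+NTLMv2 = 0x00080000,
+[Description("Require 128-bit encryption")]
+Require128BitKey = 0x20000000,
+[Description("Require 56-bit encryption")]
+Require56BitKey = 0x80000000
+}
+}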


@ -395,6 +395,7 @@
<Compile Include="Helpers\Extensions\EnumExtensions.cs" />
<Compile Include="Helpers\MemoryHelper.cs" />
<Compile Include="Helpers\PermissionsHelper.cs" />
<Compile Include="Helpers\Search\LOLBAS.cs" />
<Compile Include="Helpers\Search\Patterns.cs" />
<Compile Include="Info\ApplicationInfo\ApplicationInfoHelper.cs" />
<Compile Include="Info\ApplicationInfo\AutoRuns.cs" />
@ -427,6 +428,9 @@
<Compile Include="Info\NetworkInfo\Enums\Protocol.cs" />
<Compile Include="Info\NetworkInfo\Enums\TcpTableClass.cs" />
<Compile Include="Info\NetworkInfo\Enums\UdpTableClass.cs" />
<Compile Include="Info\NetworkInfo\InternetSettings\InternetSettings.cs" />
<Compile Include="Info\NetworkInfo\InternetSettings\InternetSettingsInfo.cs" />
<Compile Include="Info\NetworkInfo\InternetSettings\InternetSettingsKey.cs" />
<Compile Include="Info\NetworkInfo\NetworkConnection.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCP6ROW_OWNER_PID.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCP6TABLE_OWNER_PID.cs" />
@ -450,6 +454,11 @@
<Compile Include="Info\SystemInfo\GroupPolicy\LocalGroupPolicyInfo.cs" />
<Compile Include="Info\SystemInfo\NamedPipes\NamedPipeInfo.cs" />
<Compile Include="Info\SystemInfo\NamedPipes\NamedPipes.cs" />
<Compile Include="Info\SystemInfo\Ntlm\Ntlm.cs" />
<Compile Include="Info\SystemInfo\Ntlm\NtlmSettingsInfo.cs" />
<Compile Include="Info\SystemInfo\PowerShell\PluginAccessInfo.cs" />
<Compile Include="Info\SystemInfo\PowerShell\PowerShell.cs" />
<Compile Include="Info\SystemInfo\PowerShell\PowerShellSessionSettingsInfo.cs" />
<Compile Include="Info\SystemInfo\Printers\PrinterInfo.cs" />
<Compile Include="Info\SystemInfo\Printers\Printers.cs" />
<Compile Include="Info\SystemInfo\SysMon\SysMon.cs" />
@ -467,6 +476,10 @@
<Compile Include="Info\UserInfo\Tenant\JoinType.cs" />
<Compile Include="Info\UserInfo\Tenant\Tenant.cs" />
<Compile Include="Info\UserInfo\Tenant\TenantInfo.cs" />
<Compile Include="Info\WindowsCreds\RDPClientSettings.cs" />
<Compile Include="Info\WindowsCreds\RDPServerSettings.cs" />
<Compile Include="Info\WindowsCreds\RDPSettingsInfo.cs" />
<Compile Include="Info\WindowsCreds\RemoteDesktop.cs" />
<Compile Include="InterestingFiles\GPP.cs" />
<Compile Include="InterestingFiles\InterestingFiles.cs" />
<Compile Include="InterestingFiles\Unattended.cs" />
@ -529,6 +542,7 @@
<Compile Include="Native\Enums\SECURITY_IMPERSONATION_LEVEL.cs" />
<Compile Include="Native\Enums\SECURITY_LOGON_TYPE.cs" />
<Compile Include="Native\Enums\ServerTypes.cs" />
<Compile Include="Native\Enums\SessionSecurity.cs" />
<Compile Include="Native\Enums\SE_OBJECT_TYPE.cs" />
<Compile Include="Native\Enums\SID_NAME_USE.cs" />
<Compile Include="Native\Enums\TokenType.cs" />
@ -652,8 +666,6 @@
<EmbeddedResource Include="Properties\Resources.ru.resx" />
<EmbeddedResource Include="Properties\Resources.zh-CN.resx" />
</ItemGroup>
<ItemGroup>
<Folder Include="Info\NetworkInfo\InternetSettings\" />
</ItemGroup>
<ItemGroup />
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>