darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- added PrintOtherUsersInterestingFiles check

Browse Source 
- cleanup
This commit is contained in:
makikvues 2021-01-24 13:19:52 +01:00
parent 39c71eb4a3
commit f5155d5eb4
6 changed files with 107 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
View File

@ -32,7 +32,7 @@ namespace winPEAS.Checks
if (permsFile.Count > 0)
{
Beaprint.BadPrint(" " + title);
Beaprint.BadPrint(" FilePermissions: " + string.Join(",", permsFile));
Beaprint.BadPrint(" File Permissions: " + string.Join(",", permsFile));
}
else
{
@ -42,7 +42,7 @@ namespace winPEAS.Checks
if (permsFolder.Count > 0)
{
Beaprint.BadPrint(" Possible DLL Hijacking, folder is writable: " + PermissionsHelper.GetFolderFromString(title));
Beaprint.BadPrint(" FolderPermissions: " + string.Join(",", permsFile));
Beaprint.BadPrint(" Folder Permissions: " + string.Join(",", permsFile));
}
}
catch (Exception ex)

2
winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
View File

@ -301,7 +301,7 @@ namespace winPEAS.Checks
catch (Exception ex)
{
Beaprint.GrayPrint("Error while creating directory list: " + ex);
}
}
}
private static void CheckRegANSI()

59
winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
View File

@ -5,6 +5,7 @@ using System.Linq;
using System.Text.RegularExpressions;
using winPEAS.Helpers;
using winPEAS.Helpers.Search;
using winPEAS.Info.UserInfo;
using winPEAS.InterestingFiles;
using winPEAS.KnownFileCreds;
@ -123,7 +124,8 @@ namespace winPEAS.Checks
PrintUsersInterestingFiles,
PrintUsersDocsKeys,
PrintRecentFiles,
PrintRecycleBin
PrintRecycleBin,
PrintOtherUsersInterestingFiles
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
@ -484,5 +486,60 @@ namespace winPEAS.Checks
Beaprint.PrintException(ex.Message);
}
}
void PrintOtherUsersInterestingFiles()
{
try
{
Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n");
// check if admin already, if yes, print a message, if not, try to enumerate all files
if (MyUtils.IsHighIntegrity())
{
Beaprint.BadPrint(" You are already Administrator, check users home folders manually.");
}
else
// get all files and check them
{
var users = User.GetOtherUsersFolders();
foreach (var user in users)
{
Beaprint.GoodPrint($" Checking folder: {user}\n");
var files = SearchHelper.GetFilesFast(user, isFoldersIncluded: true);
foreach (var file in files)
{
FileAttributes attr = File.GetAttributes(file.FullPath);
if ((attr & FileAttributes.Directory) == FileAttributes.Directory)
{
List<string> dirRights = PermissionsHelper.GetPermissionsFolder(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true);
if (dirRights.Count > 0)
{
Beaprint.BadPrint($" Folder Permissions \"{file.FullPath}\": " + string.Join(",", dirRights));
}
}
else
{
List<string> fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true);
if (fileRights.Count > 0)
{
Beaprint.BadPrint($" File Permissions \"{file.FullPath}\": " + string.Join(",", fileRights));
}
}
}
Beaprint.PrintLineSeparator();
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
}
}

8
winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
View File

@ -140,9 +140,11 @@ namespace winPEAS.Helpers
public static bool IsHighIntegrity()
{
// returns true if the current process is running with adminstrative privs in a high integrity context
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
return principal.IsInRole(WindowsBuiltInRole.Administrator);
using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
{
WindowsPrincipal principal = new WindowsPrincipal(identity);
return principal.IsInRole(WindowsBuiltInRole.Administrator);
}
}
//From https://stackoverflow.com/questions/3519539/how-to-check-if-a-string-contains-any-of-some-strings

14
winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs
View File

@ -19,7 +19,7 @@ namespace winPEAS.Helpers.Search
// private static List<CustomFileInfo> GroupPolicyHistoryLegacy;
public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null)
public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null, bool isFoldersIncluded = false)
{
ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>();
IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern);
@ -54,7 +54,7 @@ namespace winPEAS.Helpers.Search
Parallel.ForEach(startDirsExcluded, (d) =>
{
Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern), (dir) =>
Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern, isFoldersIncluded), (dir) =>
{
GetFiles(dir.FullName, pattern).ForEach(
(f) =>
@ -119,7 +119,7 @@ namespace winPEAS.Helpers.Search
private static List<DirectoryInfo> GetStartDirectories(string folder, ConcurrentBag<CustomFileInfo> files, string pattern)
private static List<DirectoryInfo> GetStartDirectories(string folder, ConcurrentBag<CustomFileInfo> files, string pattern, bool isFoldersIncluded = false)
{
DirectoryInfo dirInfo = null;
DirectoryInfo[] directories = null;
@ -128,6 +128,14 @@ namespace winPEAS.Helpers.Search
dirInfo = new DirectoryInfo(folder);
directories = dirInfo.GetDirectories();
if (isFoldersIncluded)
{
foreach (var directory in directories)
{
files.Add(new CustomFileInfo(null, null, directory.FullName));
}
}
foreach (var f in dirInfo.GetFiles(pattern))
{
files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName));

30
winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs
View File

@ -1,6 +1,7 @@
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.IO;
using System.Management;
using System.Security.Principal;
using winPEAS.Helpers;
@ -184,5 +185,34 @@ namespace winPEAS.Info.UserInfo
{
return MyUtils.ListFolder("Users");
}
public static HashSet<string> GetOtherUsersFolders()
{
HashSet<string> result = new HashSet<string>();
string currentUsername = Environment.UserName?.ToLower();
var usersBaseDirectory = Path.Combine(Path.GetPathRoot(Environment.SystemDirectory), "Users");
SelectQuery query = new SelectQuery("Win32_UserAccount");
using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
{
foreach (ManagementObject envVar in searcher.Get())
{
string username = (string)envVar["Name"];
username = username?.ToLower();
if (currentUsername != username)
{
string userDirectory = Path.Combine(usersBaseDirectory, username);
if (Directory.Exists(userDirectory))
{
result.Add(userDirectory.ToLower());
}
}
}
}
return result;
}
}
}