- added PrintOtherUsersInterestingFiles check
- cleanup
parent
39c71eb4a3
commit
f5155d5eb4
@ -32,7 +32,7 @@ namespace winPEAS.Checks
|
|||||||
if (permsFile.Count > 0)
|
if (permsFile.Count > 0)
|
||||||
{
|
{
|
||||||
Beaprint.BadPrint(" " + title);
|
Beaprint.BadPrint(" " + title);
|
||||||
Beaprint.BadPrint(" FilePermissions: " + string.Join(",", permsFile));
|
Beaprint.BadPrint(" File Permissions: " + string.Join(",", permsFile));
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@ -42,7 +42,7 @@ namespace winPEAS.Checks
|
|||||||
if (permsFolder.Count > 0)
|
if (permsFolder.Count > 0)
|
||||||
{
|
{
|
||||||
Beaprint.BadPrint(" Possible DLL Hijacking, folder is writable: " + PermissionsHelper.GetFolderFromString(title));
|
Beaprint.BadPrint(" Possible DLL Hijacking, folder is writable: " + PermissionsHelper.GetFolderFromString(title));
|
||||||
Beaprint.BadPrint(" FolderPermissions: " + string.Join(",", permsFile));
|
Beaprint.BadPrint(" Folder Permissions: " + string.Join(",", permsFile));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
catch (Exception ex)
|
catch (Exception ex)
|
||||||
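Review bot: The relabelled "Folder Permissions" line inside `if (permsFolder.Count > 0)` still joins `permsFile`, so a writable-folder finding is printed with the file's permission list (possibly empty) instead of the rights that triggered the branch. This looks like a copy-paste slip that predates the commit, but it sits on a line the commit rewrites; the argument should be `string.Join(",", permsFolder)`. The enclosing method starts and ends outside the hunk.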
|
@ -5,6 +5,7 @@ using System.Linq;
|
|||||||
using System.Text.RegularExpressions;
|
using System.Text.RegularExpressions;
|
||||||
using winPEAS.Helpers;
|
using winPEAS.Helpers;
|
||||||
using winPEAS.Helpers.Search;
|
using winPEAS.Helpers.Search;
|
||||||
|
using winPEAS.Info.UserInfo;
|
||||||
using winPEAS.InterestingFiles;
|
using winPEAS.InterestingFiles;
|
||||||
using winPEAS.KnownFileCreds;
|
using winPEAS.KnownFileCreds;
|
||||||
|
|
||||||
@ -123,7 +124,8 @@ namespace winPEAS.Checks
|
|||||||
PrintUsersInterestingFiles,
|
PrintUsersInterestingFiles,
|
||||||
PrintUsersDocsKeys,
|
PrintUsersDocsKeys,
|
||||||
PrintRecentFiles,
|
PrintRecentFiles,
|
||||||
PrintRecycleBin
|
PrintRecycleBin,
|
||||||
|
PrintOtherUsersInterestingFiles
|
||||||
}.ForEach(action => CheckRunner.Run(action, isDebug));
|
}.ForEach(action => CheckRunner.Run(action, isDebug));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -484,5 +486,60 @@ namespace winPEAS.Checks
|
|||||||
Beaprint.PrintException(ex.Message);
|
Beaprint.PrintException(ex.Message);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void PrintOtherUsersInterestingFiles()
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n");
|
||||||
|
|
||||||
|
// check if admin already, if yes, print a message, if not, try to enumerate all files
|
||||||
|
if (MyUtils.IsHighIntegrity())
|
||||||
|
{
|
||||||
|
Beaprint.BadPrint(" You are already Administrator, check users home folders manually.");
|
||||||
|
}
|
||||||
|
else
|
||||||
|
// get all files and check them
|
||||||
|
{
|
||||||
|
var users = User.GetOtherUsersFolders();
|
||||||
|
|
||||||
|
foreach (var user in users)
|
||||||
|
{
|
||||||
|
Beaprint.GoodPrint($" Checking folder: {user}\n");
|
||||||
|
|
||||||
|
var files = SearchHelper.GetFilesFast(user, isFoldersIncluded: true);
|
||||||
|
|
||||||
|
foreach (var file in files)
|
||||||
|
{
|
||||||
|
FileAttributes attr = File.GetAttributes(file.FullPath);
|
||||||
|
if ((attr & FileAttributes.Directory) == FileAttributes.Directory)
|
||||||
|
{
|
||||||
|
List<string> dirRights = PermissionsHelper.GetPermissionsFolder(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true);
|
||||||
|
|
||||||
|
if (dirRights.Count > 0)
|
||||||
|
{
|
||||||
|
Beaprint.BadPrint($" Folder Permissions \"{file.FullPath}\": " + string.Join(",", dirRights));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
List<string> fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true);
|
||||||
|
|
||||||
|
if (fileRights.Count > 0)
|
||||||
|
{
|
||||||
|
Beaprint.BadPrint($" File Permissions \"{file.FullPath}\": " + string.Join(",", fileRights));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Beaprint.PrintLineSeparator();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (Exception ex)
|
||||||
|
{
|
||||||
|
Beaprint.PrintException(ex.Message);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
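Review bot: The single `try`/`catch` around the whole body of `PrintOtherUsersInterestingFiles` means the first entry that throws ends the check for every remaining file and user, so the report silently under-states what is writable. `File.GetAttributes(file.FullPath)` can raise `UnauthorizedAccessException` or `FileNotFoundException`, and paths inside another user's profile are a likely place for that. Giving the body of the inner `foreach (var file in files)` its own `try { … } catch (Exception ex) { Beaprint.PrintException(ex.Message); }` keeps the scan going and still records the failure. As a style point, the `// get all files and check them` comment sits between `else` and `{` and would read better inside the block.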
|
@ -140,10 +140,12 @@ namespace winPEAS.Helpers
|
|||||||
public static bool IsHighIntegrity()
|
public static bool IsHighIntegrity()
|
||||||
{
|
{
|
||||||
// returns true if the current process is running with adminstrative privs in a high integrity context
|
// returns true if the current process is running with adminstrative privs in a high integrity context
|
||||||
WindowsIdentity identity = WindowsIdentity.GetCurrent();
|
using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
|
||||||
|
{
|
||||||
WindowsPrincipal principal = new WindowsPrincipal(identity);
|
WindowsPrincipal principal = new WindowsPrincipal(identity);
|
||||||
return principal.IsInRole(WindowsBuiltInRole.Administrator);
|
return principal.IsInRole(WindowsBuiltInRole.Administrator);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
//From https://stackoverflow.com/questions/3519539/how-to-check-if-a-string-contains-any-of-some-strings
|
//From https://stackoverflow.com/questions/3519539/how-to-check-if-a-string-contains-any-of-some-strings
|
||||||
public static bool ContainsAnyRegex(string haystack, List<string> regexps)
|
public static bool ContainsAnyRegex(string haystack, List<string> regexps)
|
||||||
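Review bot: The inline comment in `IsHighIntegrity` promises a high-integrity check, but the body only asks `principal.IsInRole(WindowsBuiltInRole.Administrator)`; the token's integrity level is never read. The new `PrintOtherUsersInterestingFiles` check uses this result to skip enumeration entirely, so the comment should state what is actually tested, for example `// true when the current token is in the built-in Administrators role; the integrity level itself is not queried`.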
|
@ -19,7 +19,7 @@ namespace winPEAS.Helpers.Search
|
|||||||
// private static List<CustomFileInfo> GroupPolicyHistoryLegacy;
|
// private static List<CustomFileInfo> GroupPolicyHistoryLegacy;
|
||||||
|
|
||||||
|
|
||||||
public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null)
|
public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null, bool isFoldersIncluded = false)
|
||||||
{
|
{
|
||||||
ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>();
|
ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>();
|
||||||
IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern);
|
IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern);
|
||||||
@ -54,7 +54,7 @@ namespace winPEAS.Helpers.Search
|
|||||||
|
|
||||||
Parallel.ForEach(startDirsExcluded, (d) =>
|
Parallel.ForEach(startDirsExcluded, (d) =>
|
||||||
{
|
{
|
||||||
Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern), (dir) =>
|
Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern, isFoldersIncluded), (dir) =>
|
||||||
{
|
{
|
||||||
GetFiles(dir.FullName, pattern).ForEach(
|
GetFiles(dir.FullName, pattern).ForEach(
|
||||||
(f) =>
|
(f) =>
|
||||||
@ -119,7 +119,7 @@ namespace winPEAS.Helpers.Search
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
private static List<DirectoryInfo> GetStartDirectories(string folder, ConcurrentBag<CustomFileInfo> files, string pattern)
|
private static List<DirectoryInfo> GetStartDirectories(string folder, ConcurrentBag<CustomFileInfo> files, string pattern, bool isFoldersIncluded = false)
|
||||||
{
|
{
|
||||||
DirectoryInfo dirInfo = null;
|
DirectoryInfo dirInfo = null;
|
||||||
DirectoryInfo[] directories = null;
|
DirectoryInfo[] directories = null;
|
||||||
@ -128,6 +128,14 @@ namespace winPEAS.Helpers.Search
|
|||||||
dirInfo = new DirectoryInfo(folder);
|
dirInfo = new DirectoryInfo(folder);
|
||||||
directories = dirInfo.GetDirectories();
|
directories = dirInfo.GetDirectories();
|
||||||
|
|
||||||
|
if (isFoldersIncluded)
|
||||||
|
{
|
||||||
|
foreach (var directory in directories)
|
||||||
|
{
|
||||||
|
files.Add(new CustomFileInfo(null, null, directory.FullName));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
foreach (var f in dirInfo.GetFiles(pattern))
|
foreach (var f in dirInfo.GetFiles(pattern))
|
||||||
{
|
{
|
||||||
files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName));
|
files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName));
|
||||||
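Review bot: `isFoldersIncluded` is forwarded only in the nested `GetStartDirectories(d.FullName, files, pattern, isFoldersIncluded)` call; the first call in `GetFilesFast`, `GetStartDirectories(folder, files, pattern)`, still omits it. The immediate subdirectories of `folder` are therefore never added to `files`, and for a user profile those are the top-level folders a permission audit most needs to see. Passing the flag there as well, `GetStartDirectories(folder, files, pattern, isFoldersIncluded)`, would make the behaviour consistent. Whether `GetFiles(dir.FullName, pattern)` adds directories at deeper levels is not visible in these hunks and is worth confirming. Both method bodies continue outside the hunks shown.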
|
@ -1,6 +1,7 @@
|
|||||||
using System;
|
using System;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
using System.DirectoryServices.AccountManagement;
|
using System.DirectoryServices.AccountManagement;
|
||||||
|
using System.IO;
|
||||||
using System.Management;
|
using System.Management;
|
||||||
using System.Security.Principal;
|
using System.Security.Principal;
|
||||||
using winPEAS.Helpers;
|
using winPEAS.Helpers;
|
||||||
@ -184,5 +185,34 @@ namespace winPEAS.Info.UserInfo
|
|||||||
{
|
{
|
||||||
return MyUtils.ListFolder("Users");
|
return MyUtils.ListFolder("Users");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static HashSet<string> GetOtherUsersFolders()
|
||||||
|
{
|
||||||
|
HashSet<string> result = new HashSet<string>();
|
||||||
|
string currentUsername = Environment.UserName?.ToLower();
|
||||||
|
var usersBaseDirectory = Path.Combine(Path.GetPathRoot(Environment.SystemDirectory), "Users");
|
||||||
|
|
||||||
|
SelectQuery query = new SelectQuery("Win32_UserAccount");
|
||||||
|
using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
|
||||||
|
{
|
||||||
|
foreach (ManagementObject envVar in searcher.Get())
|
||||||
|
{
|
||||||
|
string username = (string)envVar["Name"];
|
||||||
|
username = username?.ToLower();
|
||||||
|
|
||||||
|
if (currentUsername != username)
|
||||||
|
{
|
||||||
|
string userDirectory = Path.Combine(usersBaseDirectory, username);
|
||||||
|
|
||||||
|
if (Directory.Exists(userDirectory))
|
||||||
|
{
|
||||||
|
result.Add(userDirectory.ToLower());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
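Review bot: `GetOtherUsersFolders` assumes every profile lives at `<system drive>\Users\<account name>`, so a profile whose folder name differs from the account name, or that was relocated, is skipped without any message and the permission check never looks at it. Listing the directories that actually exist under `usersBaseDirectory` and excluding the current user's would cover those cases. Separately, `username?.ToLower()` allows a null that `Path.Combine(usersBaseDirectory, username)` will then throw on. The culture-sensitive `ToLower()` comparison is also better written as `string.Equals(currentUsername, username, StringComparison.OrdinalIgnoreCase)`.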
|