From f55d20a67d31e44f4f35a45bb4fe8fe86cdc9b0f Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Fri, 11 Oct 2024 02:44:43 +0100 Subject: [PATCH] fix google password sync --- .../Helpers/Registry/RegistryHelper.cs | 43 +++++++++++++++++++ .../winPEAS/Info/CloudInfo/GPSInfo.cs | 23 ++++++++-- 2 files changed, 63 insertions(+), 3 deletions(-) diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs index 7e76194..8ec9005 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs @@ -138,6 +138,49 @@ namespace winPEAS.Helpers.Registry } } + public static string[] ListRegValues(string hive, string path) + { + string[] keys = null; + try + { + if (hive == "HKCU") + { + using (var regKeyValues = Microsoft.Win32.Registry.CurrentUser.OpenSubKey(path)) + { + if (regKeyValues != null) + { + keys = regKeyValues.GetValueNames(); + } + } + } + else if (hive == "HKU") + { + using (var regKeyValues = Microsoft.Win32.Registry.Users.OpenSubKey(path)) + { + if (regKeyValues != null) + { + keys = regKeyValues.GetValueNames(); + } + } + } + else + { + using (var regKeyValues = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path)) + { + if (regKeyValues != null) + { + keys = regKeyValues.GetValueNames(); + } + } + } + return keys; + } + catch + { + return null; + } + } + public static byte[] GetRegValueBytes(string hive, string path, string value) { // returns a byte array of single registry value under the specified path in the specified hive (HKLM/HKCU) diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GPSInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GPSInfo.cs index 8cd012d..802fdcc 100644 --- a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GPSInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GPSInfo.cs @@ -27,7 +27,7 @@ namespace winPEAS.Info.CloudInfo public static bool CheckIfGPSInstalled() { - string[] check = Helpers.Registry.RegistryHelper.GetRegSubkeys("HKLM", @"SOFTWARE\Google\Google Apps Password Sync"); + string[] check = Helpers.Registry.RegistryHelper.ListRegValues("HKLM", @"SOFTWARE\Google\Google Apps Password Sync"); bool regExists = check != null && check.Length > 0; bool result = regExists || File.Exists(@"C:\Program Files\Google\Password Sync\PasswordSync.exe") || File.Exists(@"C:\Program Files\Google\Password Sync\password_sync_service.exe"); return result; @@ -66,15 +66,32 @@ namespace winPEAS.Info.CloudInfo // Get registry valus and decrypt them string hive = "HKLM"; string regAddr = @"SOFTWARE\Google\Google Apps Password Sync"; - string[] subkeys = Helpers.Registry.RegistryHelper.GetRegSubkeys(hive, regAddr); + string[] subkeys = Helpers.Registry.RegistryHelper.ListRegValues(hive, regAddr); if (subkeys == null || subkeys.Length == 0) { - Beaprint.PrintException("Winpeas need admin privs to check the registry for credentials"); + Beaprint.PrintException("WinPEAS need admin privs to check the registry for credentials"); } else { GPSRegValues.Add("Email", Helpers.Registry.RegistryHelper.GetRegValue(hive, regAddr, @"Email")); + // Remove "Email" and "address" from the array + string[] filteredSubkeys = subkeys + .Where(key => key != "Email" && key != "AuthToken" && key != "ADPassword" && key != "(Default)") + .ToArray(); + + // Check if there are any subkeys left after filtering + if (filteredSubkeys.Length > 1) + { + // Join the remaining subkeys with ", " and print to the console + GPSRegValues.Add("Other keys", string.Join(", ", filteredSubkeys) + " (might contain credentials but WinPEAS doesn't support them)"); + } + else + { + Console.WriteLine("No subkeys left after filtering."); + } + + // Check if AuthToken in the registry string authtokenInReg = Helpers.Registry.RegistryHelper.GetRegValue(hive, regAddr, @"AuthToken"); if (authtokenInReg.Length > 0)