diff --git a/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs b/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
index 16d96cd..38cb01c 100755
--- a/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
+++ b/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
@@ -438,23 +438,6 @@ namespace winPEAS
 return results;
 }
 
- public static string GetConsoleHostHistory()
- {
- string result = "";
- try
- {
-
- string searchLocation = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
- if (System.IO.File.Exists(searchLocation))
- result = searchLocation;
- }
- catch (Exception ex)
- {
- Beaprint.GrayPrint("Error: " + ex);
- }
- return result;
- }
-
 public static List> GetRecycleBin()
 {
 List> results = new List>();
diff --git a/winPEAS/winPEASexe/winPEAS/Program.cs b/winPEAS/winPEASexe/winPEAS/Program.cs
index 354a732..4ce87b8 100755
--- a/winPEAS/winPEASexe/winPEAS/Program.cs
+++ b/winPEAS/winPEASexe/winPEAS/Program.cs
@@ -238,32 +238,7 @@ namespace winPEAS
 }
 }
 
- void PrintConsoleHostHistory()
- {
- try
- {
- Beaprint.MainPrint("Powershell Console Host History");
- string console_host_history = InterestingFiles.GetConsoleHostHistory();
- if (console_host_history != "")
- {
-
- string text = File.ReadAllText(console_host_history);
- List credStringsRegexPowershell = new List(credStringsRegex);
- credStringsRegexPowershell.Add("CONVERTTO-SECURESTRING");
-
- if (MyUtils.ContainsAnyRegex(text.ToUpper(), credStringsRegexPowershell))
- Beaprint.BadPrint(" " + console_host_history + " (Potential credentials found)");
- else
- System.Console.WriteLine(" " + console_host_history);
- }
- }
- catch (Exception ex)
- {
- Beaprint.GrayPrint(String.Format("{0}", ex));
- }
- }
-
- void PrintAuditInfo()
+ void PrintAuditInfo()
 {
 try
 {
@@ -589,7 +564,6 @@ namespace winPEAS
 PrintUACInfo();
 PrintPSInfo();
 PrintTranscriptPS();
- PrintConsoleHostHistory();
 PrintInetInfo();
 PrintDrivesInfo();
 PrintWSUS();
diff --git a/winPEAS/winPEASexe/winPEAS/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/SystemInfo.cs
index 1c9fdb2..a5409a9 100755
--- a/winPEAS/winPEASexe/winPEAS/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/SystemInfo.cs
@@ -233,43 +233,83 @@ namespace winPEAS
 results["PS history file"] = "";
 results["PS history size"] = "";
 
- Dictionary transcriptionSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription");
- if ((transcriptionSettings == null) || (transcriptionSettings.Count == 0))
- transcriptionSettings = MyUtils.GetRegValues("HKLM", @"HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription");
+ Dictionary transcriptionSettingsCU = MyUtils.GetRegValues("HKCU",
+ "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription");
+ if ((transcriptionSettingsCU == null) || (transcriptionSettingsCU.Count == 0))
+ transcriptionSettingsCU = MyUtils.GetRegValues("HKCU", @"HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription");
 
- if ((transcriptionSettings != null) && (transcriptionSettings.Count != 0))
+ if ((transcriptionSettingsCU != null) && (transcriptionSettingsCU.Count != 0))
 {
- foreach (KeyValuePair kvp in transcriptionSettings)
+ foreach (KeyValuePair kvp in transcriptionSettingsCU)
 {
- results["Transcription Settings"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
+ results["Transcription Settings CU"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
 }
 }
 
- Dictionary moduleLoggingSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging");
- if ((moduleLoggingSettings == null) || (moduleLoggingSettings.Count == 0))
- moduleLoggingSettings = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging");
+ Dictionary transcriptionSettingsLM = MyUtils.GetRegValues("HKLM",
+ "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription");
+ if ((transcriptionSettingsLM == null) || (transcriptionSettingsLM.Count == 0))
+ transcriptionSettingsLM = MyUtils.GetRegValues("HKLM", @"HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription");
 
- if ((moduleLoggingSettings != null) && (moduleLoggingSettings.Count != 0))
+ if ((transcriptionSettingsLM != null) && (transcriptionSettingsLM.Count != 0))
 {
- foreach (KeyValuePair kvp in moduleLoggingSettings)
+ foreach (KeyValuePair kvp in transcriptionSettingsLM)
+ {
+ results["Transcription Settings LM"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
+ }
+ }
+
+ Dictionary moduleLoggingSettingsLM = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging");
+ if ((moduleLoggingSettingsLM == null) || (moduleLoggingSettingsLM.Count == 0))
+ moduleLoggingSettingsLM = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging");
+
+ if ((moduleLoggingSettingsLM != null) && (moduleLoggingSettingsLM.Count != 0))
+ {
+ foreach (KeyValuePair kvp in moduleLoggingSettingsLM)
 {
 results["Module Logging Settings"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
 }
 }
 
- Dictionary scriptBlockSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging");
- if ((scriptBlockSettings == null) || (scriptBlockSettings.Count == 0))
- scriptBlockSettings = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging");
+ Dictionary moduleLoggingSettingsCU = MyUtils.GetRegValues("HKCU", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging");
+ if ((moduleLoggingSettingsCU == null) || (moduleLoggingSettingsCU.Count == 0))
+ moduleLoggingSettingsCU = MyUtils.GetRegValues("HKCU", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging");
 
- if ((scriptBlockSettings != null) && (scriptBlockSettings.Count != 0))
+ if ((moduleLoggingSettingsCU != null) && (moduleLoggingSettingsCU.Count != 0))
 {
- foreach (KeyValuePair kvp in scriptBlockSettings)
+ foreach (KeyValuePair kvp in moduleLoggingSettingsCU)
 {
- results["Scriptblock Logging Settings"] = String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
+ results["Module Logging Settings CU"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
 }
 }
-
+
+ Dictionary scriptBlockSettingsLM = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging");
+ if ((scriptBlockSettingsLM == null) || (scriptBlockSettingsLM.Count == 0))
+ scriptBlockSettingsLM = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging");
+
+ if ((scriptBlockSettingsLM != null) && (scriptBlockSettingsLM.Count != 0))
+ {
+ foreach (KeyValuePair kvp in scriptBlockSettingsLM)
+ {
+ results["Scriptblock Logging Settings LM"] = String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
+ }
+ }
+
+ Dictionary scriptBlockSettingsCU = MyUtils.GetRegValues("HKCU", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging");
+ if ((scriptBlockSettingsCU == null) || (scriptBlockSettingsCU.Count == 0))
+ scriptBlockSettingsCU = MyUtils.GetRegValues("HKCU", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging");
+
+ if ((scriptBlockSettingsCU != null) && (scriptBlockSettingsCU.Count != 0))
+ {
+ foreach (KeyValuePair kvp in scriptBlockSettingsCU)
+ {
+ results["Scriptblock Logging Settings CU"] = String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
+ }
+ }
+
 string ps_history_path = Environment.ExpandEnvironmentVariables(@"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt");
+ string ps_history_path2 = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
+ ps_history_path = File.Exists(ps_history_path) ? ps_history_path : ps_history_path2;
 if (File.Exists(ps_history_path))
 {
 FileInfo fi = new FileInfo(ps_history_path);
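Review bot: Both Wow6432Node fallbacks for the Transcription policy pass a subkey that still begins with `HKLM\` (`transcriptionSettingsCU = MyUtils.GetRegValues("HKCU", @"HKLM\SOFTWARE\Wow6432Node\...\Transcription")` and its HKLM twin a few lines below), so that second lookup can never resolve and the WOW64 policy is silently reported as absent, whereas the ModuleLogging and ScriptBlockLogging fallbacks in the same hunk correctly use `@"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription"`-style paths; drop the prefix on both lines. The two new Scriptblock loops also assign with `=` where every other loop in the hunk accumulates with `+=`, so only the last value under that key survives — change them to `results["Scriptblock Logging Settings LM"] += String.Format(...)` and `results["Scriptblock Logging Settings CU"] += String.Format(...)`. The `+=` on the new keys "Transcription Settings CU", "Transcription Settings LM" and "Module Logging Settings CU" presumes those keys were pre-seeded in `results` above the hunk; this diff has no earlier hunk in SystemInfo.cs touching that initialisation block, so unless it already contains them the indexer getter will throw KeyNotFoundException on the first policy value found. The enclosing method starts and ends outside this hunk.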
diff --git a/winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csprojAssemblyReference.cache b/winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csprojAssemblyReference.cache
index d3d4a90..40457ca 100755
Binary files a/winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csprojAssemblyReference.cache and b/winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csprojAssemblyReference.cache differ