darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite into master

Browse Source
This commit is contained in:
carlospolop 2020-09-02 11:29:08 -04:00
commit f85f5221e7
4 changed files with 59 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
View File

@ -438,23 +438,6 @@ namespace winPEAS
return results; return results;
} }
public static string GetConsoleHostHistory()
{
string result = "";
try
{
string searchLocation = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
if (System.IO.File.Exists(searchLocation))
result = searchLocation;
}
catch (Exception ex)
{
Beaprint.GrayPrint("Error: " + ex);
}
return result;
}
public static List<Dictionary<string, string>> GetRecycleBin() public static List<Dictionary<string, string>> GetRecycleBin()
{ {
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>(); List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();

26
winPEAS/winPEASexe/winPEAS/Program.cs
View File

@ -238,31 +238,6 @@ namespace winPEAS
} }
} }
void PrintConsoleHostHistory()
{
try
{
Beaprint.MainPrint("Powershell Console Host History");
string console_host_history = InterestingFiles.GetConsoleHostHistory();
if (console_host_history != "")
{
string text = File.ReadAllText(console_host_history);
List<string> credStringsRegexPowershell = new List<string>(credStringsRegex);
credStringsRegexPowershell.Add("CONVERTTO-SECURESTRING");
if (MyUtils.ContainsAnyRegex(text.ToUpper(), credStringsRegexPowershell))
Beaprint.BadPrint(" " + console_host_history + " (Potential credentials found)");
else
System.Console.WriteLine(" " + console_host_history);
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format("{0}", ex));
}
}
void PrintAuditInfo() void PrintAuditInfo()
{ {
try try
@ -589,7 +564,6 @@ namespace winPEAS
PrintUACInfo(); PrintUACInfo();
PrintPSInfo(); PrintPSInfo();
PrintTranscriptPS(); PrintTranscriptPS();
PrintConsoleHostHistory();
PrintInetInfo(); PrintInetInfo();
PrintDrivesInfo(); PrintDrivesInfo();
PrintWSUS(); PrintWSUS();

74
winPEAS/winPEASexe/winPEAS/SystemInfo.cs
View File

@ -233,43 +233,83 @@ namespace winPEAS
results["PS history file"] = ""; results["PS history file"] = "";
results["PS history size"] = ""; results["PS history size"] = "";
Dictionary<string, object> transcriptionSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription"); Dictionary<string, object> transcriptionSettingsCU = MyUtils.GetRegValues("HKCU",
if ((transcriptionSettings == null) || (transcriptionSettings.Count == 0)) "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription");
transcriptionSettings = MyUtils.GetRegValues("HKLM", @"HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription"); if ((transcriptionSettingsCU == null) || (transcriptionSettingsCU.Count == 0))
transcriptionSettingsCU = MyUtils.GetRegValues("HKCU", @"HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription");
if ((transcriptionSettings != null) && (transcriptionSettings.Count != 0)) if ((transcriptionSettingsCU != null) && (transcriptionSettingsCU.Count != 0))
{ {
foreach (KeyValuePair<string, object> kvp in transcriptionSettings) foreach (KeyValuePair<string, object> kvp in transcriptionSettingsCU)
{ {
results["Transcription Settings"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value); results["Transcription Settings CU"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
} }
} }
Dictionary<string, object> moduleLoggingSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging"); Dictionary<string, object> transcriptionSettingsLM = MyUtils.GetRegValues("HKLM",
if ((moduleLoggingSettings == null) || (moduleLoggingSettings.Count == 0)) "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription");
moduleLoggingSettings = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"); if ((transcriptionSettingsLM == null) || (transcriptionSettingsLM.Count == 0))
transcriptionSettingsLM = MyUtils.GetRegValues("HKLM", @"HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription");
if ((moduleLoggingSettings != null) && (moduleLoggingSettings.Count != 0)) if ((transcriptionSettingsLM != null) && (transcriptionSettingsLM.Count != 0))
{ {
foreach (KeyValuePair<string, object> kvp in moduleLoggingSettings) foreach (KeyValuePair<string, object> kvp in transcriptionSettingsLM)
{
results["Transcription Settings LM"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
}
}
Dictionary<string, object> moduleLoggingSettingsLM = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging");
if ((moduleLoggingSettingsLM == null) || (moduleLoggingSettingsLM.Count == 0))
moduleLoggingSettingsLM = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging");
if ((moduleLoggingSettingsLM != null) && (moduleLoggingSettingsLM.Count != 0))
{
foreach (KeyValuePair<string, object> kvp in moduleLoggingSettingsLM)
{ {
results["Module Logging Settings"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value); results["Module Logging Settings"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
} }
} }
Dictionary<string, object> scriptBlockSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging"); Dictionary<string, object> moduleLoggingSettingsCU = MyUtils.GetRegValues("HKCU", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging");
if ((scriptBlockSettings == null) || (scriptBlockSettings.Count == 0)) if ((moduleLoggingSettingsCU == null) || (moduleLoggingSettingsCU.Count == 0))
scriptBlockSettings = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"); moduleLoggingSettingsCU = MyUtils.GetRegValues("HKCU", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging");
if ((scriptBlockSettings != null) && (scriptBlockSettings.Count != 0)) if ((moduleLoggingSettingsCU != null) && (moduleLoggingSettingsCU.Count != 0))
{ {
foreach (KeyValuePair<string, object> kvp in scriptBlockSettings) foreach (KeyValuePair<string, object> kvp in moduleLoggingSettingsCU)
{ {
results["Scriptblock Logging Settings"] = String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value); results["Module Logging Settings CU"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
}
}
Dictionary<string, object> scriptBlockSettingsLM = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging");
if ((scriptBlockSettingsLM == null) || (scriptBlockSettingsLM.Count == 0))
scriptBlockSettingsLM = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging");
if ((scriptBlockSettingsLM != null) && (scriptBlockSettingsLM.Count != 0))
{
foreach (KeyValuePair<string, object> kvp in scriptBlockSettingsLM)
{
results["Scriptblock Logging Settings LM"] = String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
}
}
Dictionary<string, object> scriptBlockSettingsCU = MyUtils.GetRegValues("HKCU", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging");
if ((scriptBlockSettingsCU == null) || (scriptBlockSettingsCU.Count == 0))
scriptBlockSettingsCU = MyUtils.GetRegValues("HKCU", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging");
if ((scriptBlockSettingsCU != null) && (scriptBlockSettingsCU.Count != 0))
{
foreach (KeyValuePair<string, object> kvp in scriptBlockSettingsCU)
{
results["Scriptblock Logging Settings CU"] = String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
} }
} }
string ps_history_path = Environment.ExpandEnvironmentVariables(@"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"); string ps_history_path = Environment.ExpandEnvironmentVariables(@"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt");
string ps_history_path2 = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
ps_history_path = File.Exists(ps_history_path) ? ps_history_path : ps_history_path2;
if (File.Exists(ps_history_path)) if (File.Exists(ps_history_path))
{ {
FileInfo fi = new FileInfo(ps_history_path); FileInfo fi = new FileInfo(ps_history_path);

BIN
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csprojAssemblyReference.cache
View File

Binary file not shown.