diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs index 87171cb..0065467 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs @@ -7,14 +7,18 @@ namespace winPEAS.Checks { internal class ApplicationsInfo : ISystemCheck { - public void PrintInfo() + public void PrintInfo(bool isDebug) { Beaprint.GreatPrint("Applications Information"); - PrintActiveWindow(); - PrintInstalledApps(); - PrintAutoRuns(); - PrintScheduled(); - PrintDeviceDrivers(); + + new List + { + PrintActiveWindow, + PrintInstalledApps, + PrintAutoRuns, + PrintScheduled, + PrintDeviceDrivers, + }.ForEach(action => CheckRunner.Run(action, isDebug)); } void PrintActiveWindow() diff --git a/winPEAS/winPEASexe/winPEAS/Checks/BrowserInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/BrowserInfo.cs index fbd95dd..dc8404e 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/BrowserInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/BrowserInfo.cs @@ -6,7 +6,7 @@ namespace winPEAS.Checks { internal class BrowserInfo : ISystemCheck { - public void PrintInfo() + public void PrintInfo(bool isDebug) { Beaprint.GreatPrint("Browsers Information"); @@ -15,7 +15,7 @@ namespace winPEAS.Checks new Firefox(), new Chrome(), new InternetExplorer(), - }.ForEach(browser => browser.PrintInfo()); + }.ForEach(browser => CheckRunner.Run(browser.PrintInfo, isDebug)); } } } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs index 6d79fad..4cb3ed9 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs @@ -1,5 +1,6 @@ using System; using System.Collections.Generic; +using System.Diagnostics; using System.Linq; using System.Management; using System.Security.Principal; 
@@ -15,6 +16,7 @@ namespace winPEAS.Checks public static bool Banner = true; public static bool IsSearchFast = true; public static int SearchTime = 50; + public static bool IsDebug = false; // Create Dynamic blacklists public static readonly string CurrentUserName = Environment.UserName; @@ -101,7 +103,12 @@ namespace winPEAS.Checks if (string.Equals(arg, "wait", StringComparison.CurrentCultureIgnoreCase)) { wait = true; - } + } + + if (string.Equals(arg, "debug", StringComparison.CurrentCultureIgnoreCase)) + { + IsDebug = true; + } string argToLower = arg.ToLower(); if (systemCheckAllKeys.Contains(argToLower)) @@ -123,7 +130,7 @@ namespace winPEAS.Checks CreateDynamicLists(); - Beaprint.PrintInit(); + Beaprint.PrintInit(IsDebug); for (int i = 0; i < systemChecks.Count; i++) { @@ -131,7 +138,7 @@ namespace winPEAS.Checks if (systemCheckSelectedKeysHashSet.Contains(systemCheck.Key) || isAllChecks) { - systemCheck.Check.PrintInfo(); + systemCheck.Check.PrintInfo(IsDebug); if ((i < systemCheckSelectedKeysHashSet.Count - 1) && wait) { @@ -139,7 +146,7 @@ namespace winPEAS.Checks } } } - } + } private static void CreateDynamicLists() { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs index 7d0916c..6937b2f 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs 
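Review bot: The new `IsDebug` field in the `@@ -15,6 +16,7 @@` hunk has no comment, and the flag is both a public mutable static and a value passed down through `PrintInit(IsDebug)` and `PrintInfo(IsDebug)`, so a reader cannot tell which of the two is authoritative. I would add `// Set by the "debug" argument: each check prints its elapsed time and start-up prints process memory statistics.` above the field. In the `@@ -101,7 +103,12 @@` hunk the keyword is compared with `StringComparison.CurrentCultureIgnoreCase`; for a fixed ASCII token `StringComparison.OrdinalIgnoreCase` is the safer choice. The enclosing class and the argument loop start outside these hunks.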
@@ -11,26 +11,118 @@ namespace winPEAS.Checks internal class FilesInfo : ISystemCheck { static readonly string _patternsFileCredsColor = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|security|software|SECURITY|SOFTWARE|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo|pagefile.sys|NetSetup.log|iis6.log|AppEvent.Evt|SecEvent.Evt|default.sav|security.sav|software.sav|system.sav|ntuser.dat|index.dat|bash.exe|wsl.exe"; - static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak"; + // static readonly string _patternsFileCreds 
= @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak"; + + private static readonly IList patternsFileCreds = new List() + { + "*.cer$", + "*.csr$", + "*.der$", + "*.ftpconfig", + "*.gpg$", + "*.kdbx", + "*.ovpn", + "*.p12$", + "*.pgp$", + "*.rdg", + "*_history*", + "*config*.php", + "*id_dsa*", + "*id_rsa*", + "*vnc*.c*nf*", + "*vnc*.ini", + "*vnc*.txt", + "*vnc*.xml", + ".git-credentials", + ".gitconfig", + ".htpasswd", + "AppEvent.Evt", + "ConsoleHost_history.txt", + "Dockerfile", + "FreeSSHDservice.ini", + "KeePass.config", + "NetSetup.log", + "Ntds.dit", + "RDCMan.settings", + "SAM", + "SYSTEM", + "SecEvent.Evt", + "access.log", + "accessTokens.json", + "access_tokens.db", + "appcmd.exe", + "azureProfile.json", + "bash.exe", + "datasources.xml", + "default.sav", + "docker-compose.yml", + "drives.xml", + "elasticsearch.y*ml", + "error.log", + "ffftp.ini", + "filezilla.xml", + "groups.xml", + "httpd.conf", + "https-xampp.conf", + "https.conf", + "iis6.log", + "index.dat", + "kibana.y*ml", + "known_hosts", + "my.cnf", + "my.ini", + "ntuser.dat", + "pagefile.sys", + "php.ini", + "printers.xml", + "recentservers.xml", + "scclient.exe", + 
"scheduledtasks.xml", + "security", + "security.sav", + "server.xml", + "services.xml", + "setupinfo", + "setupinfo.bak", + "sitemanager.xml", + "sites.ini", + "software", + "software.sav", + "sysprep.inf", + "sysprep.xml", + "system.sav", + "tomcat-users.xml", + "unattend.txt", + "unattend.xml", + "unattended.xml", + "wcx_ftp.ini", + "web.*.config", + "winscp.ini", + "ws_ftp.ini", + "wsl.exe", + }; - public void PrintInfo() + public void PrintInfo(bool isDebug) { Beaprint.GreatPrint("Interesting files and registry"); - Putty.PrintInfo(); - PrintCloudCreds(); - PrintUnattendFiles(); - PrintSAMBackups(); - PrintMcAffeSitelistFiles(); - PrintLinuxShells(); - PrintCachedGPPPassword(); - PrintPossCredsRegs(); - PrintUserCredsFiles(); - PrintUsersInterestingFiles(); - PrintUsersDocsKeys(); - PrintRecentFiles(); - PrintRecycleBin(); + new List + { + Putty.PrintInfo, + PrintCloudCreds, + PrintUnattendFiles, + PrintSAMBackups, + PrintMcAffeSitelistFiles, + PrintLinuxShells, + PrintCachedGPPPassword, + PrintPossCredsRegs, + PrintUserCredsFiles, + PrintUsersInterestingFiles, + PrintUsersDocsKeys, + PrintRecentFiles, + PrintRecycleBin + }.ForEach(action => CheckRunner.Run(action, isDebug)); } void PrintCloudCreds() 
@@ -224,15 +316,19 @@ namespace winPEAS.Checks { try { - string pattern_bin = _patternsFileCreds + ";*password*;*credential*"; + //string pattern_bin = _patternsFileCreds + ";*password*;*credential*"; + string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*"; + + Dictionary colorF = new Dictionary() - { - { _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad }, - }; + { + { _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad }, + }; Beaprint.MainPrint("Looking inside the Recycle Bin for creds files"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files"); List> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin(); + foreach (Dictionary rec_file in recy_files) { foreach (string pattern in pattern_bin.Split(';')) @@ -244,8 +340,11 @@ namespace winPEAS.Checks } } } + if (recy_files.Count <= 0) + { Beaprint.NotFoundPrint(); + } } catch (Exception ex) { @@ -265,7 +364,11 @@ namespace winPEAS.Checks Beaprint.MainPrint("Searching known files that can contain creds in home"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files"); string searchPath = Environment.GetEnvironmentVariable("USERPROFILE"); - SearchHelper.FindFiles(searchPath, _patternsFileCreds, colorF); + + //SearchHelper.FindFiles(searchPath, _patternsFileCreds, colorF); + string patterns = string.Join(";", patternsFileCreds); + SearchHelper.FindFiles(searchPath, patterns, colorF); + } catch (Exception ex) { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ISystemCheck.cs b/winPEAS/winPEASexe/winPEAS/Checks/ISystemCheck.cs index 2809bc7..e0f409b 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ISystemCheck.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ISystemCheck.cs @@ -2,6 +2,6 @@ { internal interface ISystemCheck { - void PrintInfo(); + void PrintInfo(bool isDebug); } } 
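Review bot: The file names added to `patternsFileCreds` in the previous FilesInfo hunk (`filezilla.xml`, `sitemanager.xml`, `recentservers.xml`, `winscp.ini`, `ws_ftp.ini`, `wcx_ftp.ini`, `ffftp.ini`, `sites.ini`, `*.ftpconfig`) are searched here through `string.Join(";", patternsFileCreds)`, but `colorF` is still built from `_patternsFileCredsColor`, which has no alternative for any of them, so hits on those files will presumably be printed without the bad-colour highlight. That list also replaced `web.config` with `web.*.config`; if the wildcard is applied the way `Directory.GetFiles` applies it, a plain `web.config` no longer matches, so I would keep both entries. The colour string also reads `docker-compose.ymlaccess_tokens.db`, with the `|` between the two names missing. Joining the list only to `Split(';')` it again a few lines later is a round trip that iterating `patternsFileCreds` directly would avoid, and the commented-out `//string pattern_bin = ...` line (and the `//SearchHelper.FindFiles(...)` line in the `@@ -265,7 +364,11 @@` hunk) should be deleted rather than kept. The enclosing method starts outside this hunk.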
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs index 8863ae3..a0c6d9d 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs @@ -11,15 +11,19 @@ namespace winPEAS.Checks static string commonShares = "[a-zA-Z]+[$]"; static string badIps = "127.0.0.1"; - public void PrintInfo() + public void PrintInfo(bool isDebug) { Beaprint.GreatPrint("Network Information"); - PrintNetShares(); - PrintHostsFile(); - PrintNetworkIfaces(); - PrintListeningPorts(); - PrintFirewallRules(); - PrintDNSCache(); + + new List + { + PrintNetShares, + PrintHostsFile, + PrintNetworkIfaces, + PrintListeningPorts, + PrintFirewallRules, + PrintDNSCache, + }.ForEach(action => CheckRunner.Run(action, isDebug)); } void PrintNetShares() diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs index c12e0d2..018109c 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs @@ -8,10 +8,14 @@ namespace winPEAS.Checks { internal class ProcessInfo : ISystemCheck { - public void PrintInfo() + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Processes Information"); - PrintInterestingProcesses(); + Beaprint.GreatPrint("Processes Information"); + + new List + { + PrintInterestingProcesses, + }.ForEach(action => CheckRunner.Run(action, isDebug)); } void PrintInterestingProcesses() diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs index a9bd16f..288db6c 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs @@ -10,7 +10,7 @@ namespace winPEAS.Checks { Dictionary modifiableServices = new Dictionary(); - public void PrintInfo() + public void PrintInfo(bool isDebug) { Beaprint.GreatPrint("Services Information"); 
@@ -18,17 +18,23 @@ namespace winPEAS.Checks try { - modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs); + CheckRunner.Run(() => + { + modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs); + }, isDebug); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } - PrintInterestingServices(); - PrintModifiableServices(); - PrintWritableRegServices(); - PrintPathDllHijacking(); + new List + { + PrintInterestingServices, + PrintModifiableServices, + PrintWritableRegServices, + PrintPathDllHijacking, + }.ForEach(action => CheckRunner.Run(action, isDebug)); } void PrintInterestingServices() diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs index c37ed47..7a71a79 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs 
@@ -12,30 +12,34 @@ namespace winPEAS.Checks static string goodUAC = "PromptPermitDenyOnSecureDesktop"; static string badLAPS = "LAPS not installed"; - public void PrintInfo() + public void PrintInfo(bool isDebug) { Beaprint.GreatPrint("System Information"); - PrintBasicSystemInfo(); - PrintUserEV(); - PrintSystemEV(); - PrintAuditInfo(); - PrintWEFInfo(); - PrintLAPSInfo(); - PrintWdigest(); - PrintLSAProtection(); - PrintCredentialGuard(); - PrintCachedCreds(); - PrintAVInfo(); - PrintUACInfo(); - PrintPSInfo(); - PrintTranscriptPS(); - PrintInetInfo(); - PrintDrivesInfo(); - PrintWSUS(); - PrintAlwaysInstallElevated(); + + new List + { + PrintBasicSystemInfo, + PrintUserEV, + PrintSystemEV, + PrintAuditInfo, + PrintWEFInfo, + PrintLAPSInfo, + PrintWdigest, + PrintLSAProtection, + PrintCredentialGuard, + PrintCachedCreds, + PrintAVInfo, + PrintUACInfo, + PrintPSInfo, + PrintTranscriptPS, + PrintInetInfo, + PrintDrivesInfo, + PrintWSUS, + PrintAlwaysInstallElevated, + }.ForEach(action => CheckRunner.Run(action, isDebug)); } - void PrintBasicSystemInfo() + static void PrintBasicSystemInfo() { try { @@ -60,7 +64,7 @@ namespace winPEAS.Checks } } - void PrintPSInfo() + static void PrintPSInfo() { try { @@ -79,7 +83,7 @@ namespace winPEAS.Checks } } - void PrintTranscriptPS() + static void PrintTranscriptPS() { try { @@ -107,7 +111,7 @@ namespace winPEAS.Checks } } - void PrintAuditInfo() + static void PrintAuditInfo() { try { @@ -122,7 +126,7 @@ namespace winPEAS.Checks } } - void PrintWEFInfo() + static void PrintWEFInfo() { try { @@ -156,7 +160,7 @@ namespace winPEAS.Checks } } - void PrintWdigest() + static void PrintWdigest() { Beaprint.MainPrint("Wdigest"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS"); 
@@ -167,7 +171,7 @@ namespace winPEAS.Checks Beaprint.GoodPrint(" Wdigest is not enabled"); } - void PrintLSAProtection() + static void PrintLSAProtection() { Beaprint.MainPrint("LSA Protection"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)"); @@ -178,7 +182,7 @@ namespace winPEAS.Checks Beaprint.BadPrint(" LSA Protection is not enabled"); } - void PrintCredentialGuard() + static void PrintCredentialGuard() { Beaprint.MainPrint("Credentials Guard"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory"); @@ -197,7 +201,7 @@ namespace winPEAS.Checks Beaprint.BadPrint(" CredentialGuard is not enabled"); } - void PrintCachedCreds() + static void PrintCachedCreds() { Beaprint.MainPrint("Cached Creds"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user"); @@ -216,7 +220,7 @@ namespace winPEAS.Checks } } - void PrintUserEV() + static void PrintUserEV() { try { @@ -235,7 +239,7 @@ namespace winPEAS.Checks } } - void PrintSystemEV() + static void PrintSystemEV() { try { @@ -254,7 +258,7 @@ namespace winPEAS.Checks } } - void PrintInetInfo() + static void PrintInetInfo() { try { @@ -277,7 +281,7 @@ namespace winPEAS.Checks } } - void PrintDrivesInfo() + static void PrintDrivesInfo() { try { @@ -313,7 +317,7 @@ namespace winPEAS.Checks } } - void PrintAVInfo() + static void PrintAVInfo() { try { @@ -332,7 +336,7 @@ namespace winPEAS.Checks } } - void PrintUACInfo() + static void PrintUACInfo() { try { 
@@ -341,10 +345,10 @@ namespace winPEAS.Checks Dictionary uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies(); Dictionary colorsSI = new Dictionary() - { - { badUAC, Beaprint.ansi_color_bad }, - { goodUAC, Beaprint.ansi_color_good } - }; + { + { badUAC, Beaprint.ansi_color_bad }, + { goodUAC, Beaprint.ansi_color_good } + }; Beaprint.DictPrint(uacDict, colorsSI, false); if ((uacDict["EnableLUA"] == "") || (uacDict["EnableLUA"] == "0")) @@ -365,7 +369,7 @@ namespace winPEAS.Checks } } - void PrintWSUS() + static void PrintWSUS() { try { @@ -400,7 +404,7 @@ namespace winPEAS.Checks } } - void PrintAlwaysInstallElevated() + static void PrintAlwaysInstallElevated() { try { @@ -421,6 +425,5 @@ namespace winPEAS.Checks Beaprint.PrintException(ex.Message); } } - } } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs index f46efa8..66f2e54 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs @@ -27,19 +27,22 @@ namespace winPEAS.Checks static readonly string _badPasswd = "NotChange|NotExpi"; static readonly string _badPrivileges = "SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege"; - public void PrintInfo() + public void PrintInfo(bool isDebug) { Beaprint.GreatPrint("Users Information"); - - PrintCU(); - PrintTokenP(); - PrintClipboardText(); - PrintLoggedUsers(); - PrintRdpSessions(); - PrintEverLoggedUsers(); - PrintHomeFolders(); - PrintAutoLogin(); - PrintPasswordPolicies(); + + new List + { + PrintCU, + PrintTokenP, + PrintClipboardText, + PrintLoggedUsers, + PrintRdpSessions, + PrintEverLoggedUsers, + PrintHomeFolders, + PrintAutoLogin, + PrintPasswordPolicies, + }.ForEach(action => CheckRunner.Run(action, isDebug)); } Dictionary ColorsU() 
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs index 73eec3c..6a28e47 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs @@ -12,24 +12,28 @@ namespace winPEAS.Checks { internal class WindowsCreds : ISystemCheck { - public void PrintInfo() + public void PrintInfo(bool isDebug) { Beaprint.GreatPrint("Windows Credentials"); - PrintvaultCreds(); - PrintCredManag(); - PrintSavedRDPInfo(); - PrintRecentRunCommands(); - PrintDPAPIMasterKeys(); - PrintDpapiCredFiles(); - PrintRCManFiles(); - PrintKerberosTickets(); - //PrintKerberosTGTTickets(); #Not working - PrintWifi(); - PrintAppCmd(); - PrintSCClient(); + + new List + { + PrintvaultCreds, + PrintCredManag, + PrintSavedRDPInfo, + PrintRecentRunCommands, + PrintDPAPIMasterKeys, + PrintDpapiCredFiles, + PrintRCManFiles, + PrintKerberosTickets, + //PrintKerberosTGTTickets, #Not working + PrintWifi, + PrintAppCmd, + PrintSCClient, + }.ForEach(action => CheckRunner.Run(action, isDebug)); } - void PrintvaultCreds() + static void PrintvaultCreds() { try { @@ -49,7 +53,7 @@ namespace winPEAS.Checks } } - void PrintCredManag() + static void PrintCredManag() { try { @@ -77,7 +81,7 @@ namespace winPEAS.Checks } - void PrintSavedRDPInfo() + static void PrintSavedRDPInfo() { try { @@ -102,7 +106,7 @@ namespace winPEAS.Checks } } - void PrintRecentRunCommands() + static void PrintRecentRunCommands() { try { @@ -116,7 +120,7 @@ namespace winPEAS.Checks } } - void PrintDPAPIMasterKeys() + static void PrintDPAPIMasterKeys() { try { @@ -143,7 +147,7 @@ namespace winPEAS.Checks } } - void PrintDpapiCredFiles() + static void PrintDpapiCredFiles() { try { @@ -162,7 +166,7 @@ namespace winPEAS.Checks } } - void PrintRCManFiles() + static void PrintRCManFiles() { try { @@ -181,7 +185,7 @@ namespace winPEAS.Checks } } - void PrintKerberosTickets() + static void PrintKerberosTickets() { try { 
@@ -196,7 +200,7 @@ namespace winPEAS.Checks } } - void PrintKerberosTGTTickets() + static void PrintKerberosTGTTickets() { try { @@ -210,7 +214,7 @@ namespace winPEAS.Checks } } - void PrintWifi() + static void PrintWifi() { try { @@ -258,7 +262,7 @@ namespace winPEAS.Checks } } - void PrintAppCmd() + static void PrintAppCmd() { try { @@ -279,7 +283,7 @@ namespace winPEAS.Checks } } - void PrintSCClient() + static void PrintSCClient() { try { diff --git a/winPEAS/winPEASexe/winPEAS/FastSearch/FileSearcher/FileSearcher.cs b/winPEAS/winPEASexe/winPEAS/FastSearch/FileSearcher/FileSearcher.cs index 888c901..4d47b2b 100644 --- a/winPEAS/winPEASexe/winPEAS/FastSearch/FileSearcher/FileSearcher.cs +++ b/winPEAS/winPEASexe/winPEAS/FastSearch/FileSearcher/FileSearcher.cs @@ -3,8 +3,8 @@ using System.Collections.Concurrent; using System.Collections.Generic; using System.IO; using System.Linq; -using System.Threading.Tasks; -using winPEAS.Helpers; +using System.Text.RegularExpressions; +using System.Threading; namespace winPEAS.FastSearch.FileSearcher { @@ -17,6 +17,7 @@ namespace winPEAS.FastSearch.FileSearcher public static List GetFilesFast(string folder, string pattern = "*", HashSet excludedDirs = null) { ConcurrentBag files = new ConcurrentBag(); + // ConcurrentBag files = new ConcurrentBag(); //Beaprint.InfoPrint($"[*] folder 1: '{folder}'"); @@ -43,6 +44,7 @@ namespace winPEAS.FastSearch.FileSearcher GetStartDirectories(d.FullName, files, pattern).AsParallel().ForAll((dir) => { GetFiles(dir.FullName, pattern).ForEach((f) => files.Add(f)); + // FindFiles(dir.FullName, pattern, SearchOption.TopDirectoryOnly).ForEach((f) => files.Add(f)); }); }); 
@@ -147,5 +149,72 @@ namespace winPEAS.FastSearch.FileSearcher return result; } + + public static List FindFiles(string directory, string filters, SearchOption searchOption) + { + if (!Directory.Exists(directory)) return new List(); + + var include = (from filter in filters.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries) where !string.IsNullOrEmpty(filter.Trim()) select filter.Trim()); + var exclude = (from filter in include where filter.Contains(@"!") select filter); + + include = include.Except(exclude); + + if (include.Count() == 0) include = new string[] { "*" }; + + var rxfilters = from filter in exclude select string.Format("^{0}$", filter.Replace("!", "").Replace(".", @"\.").Replace("*", ".*").Replace("?", ".")); + Regex regex = new Regex(string.Join("|", rxfilters.ToArray())); + + List workers = new List(); + List files = new List(); + + foreach (string filter in include) + { + Thread worker = new Thread( + new ThreadStart( + delegate + { + try + { + //string[] allfiles = Directory.GetFiles(directory, filter, searchOption); + string[] allfiles = Directory.GetFiles(directory, filter, SearchOption.TopDirectoryOnly); + if (exclude.Count() > 0) + { + lock (files) + { + files.AddRange(allfiles.Where(p => !regex.Match(p).Success)); + } + } + else + { + lock (files) + { + files.AddRange(allfiles); + } + } + } + catch (UnauthorizedAccessException) + { + } + catch (PathTooLongException) + { + } + catch (DirectoryNotFoundException) + { + } + + } + )); + + workers.Add(worker); + worker.Start(); + } + + foreach (Thread worker in workers) + { + worker.Join(); + } + + return files; + } } } diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs index b41bdae..7a5b2ea 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs 
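Review bot: `FindFiles` accepts `searchOption` but the worker passes a hard-coded `SearchOption.TopDirectoryOnly` to `Directory.GetFiles`, so a caller asking for `AllDirectories` silently gets a shallow listing. The exclusion regex escapes only `.`, `*` and `?` by hand and is then matched against the full path with `^…$` anchors: any other metacharacter in a filter (the FilesInfo pattern list contains `$`) changes its meaning, and an exclusion such as `!name.ext` can never match a path that includes a directory. `include` and `exclude` are deferred LINQ queries that every worker re-enumerates, one `Thread` is started per filter (dozens per call with the FilesInfo list), and an exception other than the three caught, for example `IOException`, would escape the worker thread. The sketch below materialises the filters once, uses `Regex.Escape`, matches exclusions against the file name and honours `searchOption`; it leaves the thread-per-filter design as it is. The only call to this method visible in the diff is commented out.

```csharp
public static List<string> FindFiles(string directory, string filters, SearchOption searchOption)
{
    // … unchanged: Directory.Exists guard …

    // Materialise once: these lists are read again from every worker thread.
    List<string> all = filters.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
                              .Select(f => f.Trim())
                              .Where(f => f.Length > 0)
                              .ToList();
    List<string> exclude = all.Where(f => f.Contains("!")).ToList();
    List<string> include = all.Except(exclude).ToList();
    if (include.Count == 0) include.Add("*");

    // Escape everything first, then re-open the two wildcards, so '$', '+', '(' in a filter stay literal.
    Regex excludeRegex = exclude.Count == 0
        ? null
        : new Regex(string.Join("|", exclude.Select(f =>
            "^" + Regex.Escape(f.Replace("!", "")).Replace(@"\*", ".*").Replace(@"\?", ".") + "$")));

    // … unchanged: one worker per entry of include, started and joined …
            string[] allfiles = Directory.GetFiles(directory, filter, searchOption);
            IEnumerable<string> kept = excludeRegex == null
                ? allfiles
                : allfiles.Where(p => !excludeRegex.IsMatch(Path.GetFileName(p)));
            lock (files)
            {
                files.AddRange(kept);
            }
    // … unchanged: catch blocks, Join loop, return files …
```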
@@ -78,7 +78,7 @@ namespace winPEAS.Helpers Thread.Sleep(700); } - public static void PrintInit() + public static void PrintInit(bool isDebug) { if (Checks.Checks.Banner) { @@ -87,6 +87,12 @@ namespace winPEAS.Helpers Console.WriteLine(YELLOW + " WinPEAS " + GREEN + Version + NOCOLOR + YELLOW + " by carlospolop" + NOCOLOR); Console.WriteLine(); + + if (isDebug) + { + MemoryHelper.DisplayMemoryStats(); + } + PrintLegend(); Console.WriteLine(); LinkPrint("https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:"); @@ -172,6 +178,12 @@ namespace winPEAS.Helpers Console.WriteLine(DGRAY + to_print + NOCOLOR); } + internal static void PrintDebugLine(string log) + { + Console.WriteLine(YELLOW + " [Debug] " + log + NOCOLOR); + Console.WriteLine(); + } + public static void PrintLineSeparator() { GrayPrint(" ================================================================================================="); diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/CheckRunner.cs b/winPEAS/winPEASexe/winPEAS/Helpers/CheckRunner.cs new file mode 100644 index 0000000..f34f32b --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Helpers/CheckRunner.cs @@ -0,0 +1,30 @@ +using System; +using System.Diagnostics; + +namespace winPEAS.Helpers +{ + internal static class CheckRunner + { + public static void Run(Action action, bool isDebug) + { + var timer = new Stopwatch(); + + if (isDebug) + { + timer.Start(); + } + + action(); + + if (isDebug) + { + timer.Stop(); + + TimeSpan timeTaken = timer.Elapsed; + string log = $"Execution took : {timeTaken.Minutes:00}m:{timeTaken.Seconds:00}s:{timeTaken.Milliseconds:000}"; + + Beaprint.PrintDebugLine(log); + } + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/MeasureHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/MeasureHelper.cs deleted file mode 100644 index 9b44375..0000000 --- a/winPEAS/winPEASexe/winPEAS/Helpers/MeasureHelper.cs +++ /dev/null 
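Review bot: `CheckRunner.Run` calls `action()` with no `try`/`finally`, so when a check throws, the "Execution took" line is never printed and the exception leaves the `ForEach` in the calling `PrintInfo`, skipping the rest of that list. Several checks, `PrintWdigest` and `PrintLSAProtection` for example, appear from their hunks to have no `try` of their own. Since every check is now funnelled through this one method, it is the natural place to report the failure with the `Beaprint.PrintException(ex.Message)` call the individual checks already use, and to stop the timer in a `finally`. The `Stopwatch` is also allocated when `isDebug` is false; `Stopwatch.StartNew()` behind the flag avoids that. A short XML summary on `Run` stating that timing is printed only in debug mode would help callers.

```csharp
public static void Run(Action action, bool isDebug)
{
    // Only pay for the stopwatch when timing was requested.
    Stopwatch timer = isDebug ? Stopwatch.StartNew() : null;

    try
    {
        action();
    }
    catch (Exception ex)
    {
        // Same reporting the individual checks use; keeps the remaining checks in the list running.
        Beaprint.PrintException(ex.Message);
    }
    finally
    {
        if (timer != null)
        {
            timer.Stop();
            // … unchanged: format timer.Elapsed and call Beaprint.PrintDebugLine …
        }
    }
}
```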
@@ -1,20 +0,0 @@ -using System; -using System.Diagnostics; - -namespace winPEAS.Helpers -{ - internal static class MeasureHelper - { - public static void MeasureMethod(Action action, string description = null) - { - var timer = new Stopwatch(); - timer.Start(); - action(); - timer.Stop(); - - TimeSpan timeTaken = timer.Elapsed; - string log = $"({description ?? string.Empty}) Time taken: " + timeTaken.ToString(@"m\:ss\.fff"); - Beaprint.LinkPrint(log); - } - } -} diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/MemoryHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/MemoryHelper.cs new file mode 100644 index 0000000..d69534f --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Helpers/MemoryHelper.cs @@ -0,0 +1,45 @@ +using System; +using System.Diagnostics; + +namespace winPEAS.Helpers +{ + internal static class MemoryHelper + { + public static void DisplayMemoryStats() + { + using (Process process = Process.GetCurrentProcess()) + { + if (!process.HasExited) + { + process.Refresh(); + + string memoryStats = $"{process.ProcessName} - Memory Stats\n" + + $"-------------------------------------\n" + + $" Physical memory usage : {ToSize(process.WorkingSet64)}\n" + + $" Paged system memory size : {ToSize(process.PagedSystemMemorySize64)}\n" + + $" Paged memory size : {ToSize(process.PagedMemorySize64)}\n"; + + Beaprint.PrintDebugLine(memoryStats); + } + } + } + + private static string[] suffixes = new[] { " B", " KB", " MB", " GB", " TB", " PB" }; + + private static string ToSize(double number, int precision = 2) + { + // unit's number of bytes + const double unit = 1024; + // suffix counter + int i = 0; + // as long as we're bigger than a unit, keep going + while (number > unit) + { + number /= unit; + i++; + } + // apply precision and current suffix + return Math.Round(number, precision) + suffixes[i]; + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/SearchHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/SearchHelper.cs index ad774db..5197f69 100644 
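Review bot: In the new MemoryHelper.cs, `ToSize` indexes `suffixes[i]` with no upper bound on `i`, and the loop condition `number > unit` leaves exactly 1024 bytes rendered as `1024 B`; I would write `while (number >= unit && i < suffixes.Length - 1)`. `suffixes` is a mutable static array and should be declared `private static readonly string[] suffixes`. `Math.Round(number, precision) + suffixes[i]` formats the number with the current culture, so the decimal separator in the debug output varies by host; `Math.Round(number, precision).ToString(CultureInfo.InvariantCulture)` would keep it stable, at the cost of a `using System.Globalization;`. The `process.HasExited` test on the result of `Process.GetCurrentProcess()` can be dropped, since the current process is the one executing it.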
--- a/winPEAS/winPEASexe/winPEAS/Helpers/SearchHelper.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/SearchHelper.cs @@ -3,14 +3,12 @@ using System.Collections.Generic; using System.IO; using System.Linq; using System.Threading; -using winPEAS.FastSearch.FileSearcher; -using winPEAS.KnownFileCreds; namespace winPEAS.Helpers { internal static class SearchHelper { - public static List FindFiles_old_implementation(string path, string patterns) + public static List FindFiles(string path, string patterns) { // finds files matching one or more patterns under a given path, recursive // adapted from http://csharphelper.com/blog/2015/06/find-files-that-match-multiple-patterns-in-c/ @@ -33,7 +31,7 @@ namespace winPEAS.Helpers // go recurse in all sub-directories foreach (var directory in Directory.GetDirectories(path)) - files.AddRange(FindFiles_old_implementation(directory, patterns)); + files.AddRange(FindFiles(directory, patterns)); } catch (UnauthorizedAccessException) { } catch (PathTooLongException) { } 
@@ -42,46 +40,7 @@ namespace winPEAS.Helpers return files; } - public static List FindFiles_fileSearcher(string path, string patterns) - { - var files = new List(); - - foreach (string pattern in patterns.Split(';')) - { - // var found = Directory.GetFiles(path, pattern, SearchOption.AllDirectories); - List res = FileSearcher.GetFilesFast(path, pattern); - files.AddRange(res.Select(s => s.FullName)); - } - - return files; - } - - - private static void PrintSearchResults(IEnumerable results, string description = null) - { - Beaprint.LinkPrint($"------------------------- results: {description ?? string.Empty} --------------------------------"); - if (results != null) - { - Beaprint.LinkPrint(string.Join("\n", results ?? Enumerable.Empty())); - } - Beaprint.LinkPrint($"------------------------- results: {description ?? string.Empty} --------------------------------"); - Beaprint.LinkPrint("\n\n\n\n"); - } - - public static List FindFiles(string path, string patterns) - { - List result = new List(); - - MeasureHelper.MeasureMethod(() => result = FindFiles_old_implementation(path, patterns), "old implementation"); - PrintSearchResults(result, "old implementation"); - - MeasureHelper.MeasureMethod(() => result = FindFiles_fileSearcher(path, patterns), "new implementation"); - PrintSearchResults(result, "new implementation"); - - return result; - } - - public static void FindFiles_old_implementation(string path, string patterns, Dictionary color) + public static void FindFiles(string path, string patterns, Dictionary color) { try { 
@@ -106,37 +65,13 @@ namespace winPEAS.Helpers { if (!directory.Contains("AppData")) { - FindFiles_old_implementation(directory, patterns, color); + FindFiles(directory, patterns, color); } } } catch (UnauthorizedAccessException) { } catch (PathTooLongException) { } catch (DirectoryNotFoundException) { } - } - - public static void FindFiles_fileSearcher(string path, string patterns, Dictionary color, HashSet excludedDirs = null) - { - // search every pattern in this directory's files - foreach (string pattern in patterns.Split(';')) - { - // var found = Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly).Where(filepath => !filepath.Contains(".dll")); - List res = FileSearcher.GetFilesFast(path, pattern, excludedDirs); - var found = res.Where(filepath => filepath.Extension != null && !filepath.Extension.Equals("dll")).Select(s => s.FullName); - Beaprint.AnsiPrint(" " + string.Join("\n ", found), color); - } - } - - public static void FindFiles(string path, string patterns, Dictionary color) - { - Beaprint.LinkPrint($"------------------------- results: old implementation --------------------------------"); - MeasureHelper.MeasureMethod(() => FindFiles_old_implementation(path, patterns, color), "old implementation"); - Beaprint.LinkPrint($"------------------------- results: old implementation --------------------------------"); - Beaprint.LinkPrint("\n\n\n\n"); - Beaprint.LinkPrint($"------------------------- results: new implementation --------------------------------"); - HashSet excludedDirs = new HashSet() { "AppData" }; - MeasureHelper.MeasureMethod(() => FindFiles_fileSearcher(path, patterns, color, excludedDirs), "new implementation"); - Beaprint.LinkPrint($"------------------------- results: new implementation --------------------------------"); - } + } } } diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj index 380cff9..921926b 100755 --- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj 
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj @@ -116,6 +116,7 @@ + @@ -207,7 +208,7 @@ - +