- reverted new test search method

- added debugging information - memory, method execution time
makikvues 2021-01-10 20:37:49 +01:00
parent 2f467a3405
commit ff030224fe
18 changed files with 430 additions and 220 deletions


@ -7,14 +7,18 @@ namespace winPEAS.Checks
{ {
internal class ApplicationsInfo : ISystemCheck internal class ApplicationsInfo : ISystemCheck
{ {
public void PrintInfo() public void PrintInfo(bool isDebug)
{ {
Beaprint.GreatPrint("Applications Information"); Beaprint.GreatPrint("Applications Information");
PrintActiveWindow();
PrintInstalledApps(); new List<Action>
PrintAutoRuns(); {
PrintScheduled(); PrintActiveWindow,
PrintDeviceDrivers(); PrintInstalledApps,
PrintAutoRuns,
PrintScheduled,
PrintDeviceDrivers,
}.ForEach(action => CheckRunner.Run(action, isDebug));
} }
void PrintActiveWindow() void PrintActiveWindow()


@ -6,7 +6,7 @@ namespace winPEAS.Checks
{ {
internal class BrowserInfo : ISystemCheck internal class BrowserInfo : ISystemCheck
{ {
public void PrintInfo() public void PrintInfo(bool isDebug)
{ {
Beaprint.GreatPrint("Browsers Information"); Beaprint.GreatPrint("Browsers Information");
@ -15,7 +15,7 @@ namespace winPEAS.Checks
new Firefox(), new Firefox(),
new Chrome(), new Chrome(),
new InternetExplorer(), new InternetExplorer(),
}.ForEach(browser => browser.PrintInfo()); }.ForEach(browser => CheckRunner.Run(browser.PrintInfo, isDebug));
} }
} }
} }


@ -1,5 +1,6 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Diagnostics;
using System.Linq; using System.Linq;
using System.Management; using System.Management;
using System.Security.Principal; using System.Security.Principal;
@ -15,6 +16,7 @@ namespace winPEAS.Checks
public static bool Banner = true; public static bool Banner = true;
public static bool IsSearchFast = true; public static bool IsSearchFast = true;
public static int SearchTime = 50; public static int SearchTime = 50;
public static bool IsDebug = false;
// Create Dynamic blacklists // Create Dynamic blacklists
public static readonly string CurrentUserName = Environment.UserName; public static readonly string CurrentUserName = Environment.UserName;
@ -103,6 +105,11 @@ namespace winPEAS.Checks
wait = true; wait = true;
} }
if (string.Equals(arg, "debug", StringComparison.CurrentCultureIgnoreCase))
{
IsDebug = true;
}
string argToLower = arg.ToLower(); string argToLower = arg.ToLower();
if (systemCheckAllKeys.Contains(argToLower)) if (systemCheckAllKeys.Contains(argToLower))
{ {
@ -123,7 +130,7 @@ namespace winPEAS.Checks
CreateDynamicLists(); CreateDynamicLists();
Beaprint.PrintInit(); Beaprint.PrintInit(IsDebug);
for (int i = 0; i < systemChecks.Count; i++) for (int i = 0; i < systemChecks.Count; i++)
{ {
@ -131,7 +138,7 @@ namespace winPEAS.Checks
if (systemCheckSelectedKeysHashSet.Contains(systemCheck.Key) || isAllChecks) if (systemCheckSelectedKeysHashSet.Contains(systemCheck.Key) || isAllChecks)
{ {
systemCheck.Check.PrintInfo(); systemCheck.Check.PrintInfo(IsDebug);
if ((i < systemCheckSelectedKeysHashSet.Count - 1) && wait) if ((i < systemCheckSelectedKeysHashSet.Count - 1) && wait)
{ {
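Review bot: The `debug` keyword is matched with `StringComparison.CurrentCultureIgnoreCase`, so recognition of a fixed command-line token follows the host's culture rules; for a non-linguistic identifier the usual choice is `string.Equals(arg, "debug", StringComparison.OrdinalIgnoreCase)`. The flag is also carried twice, as the public mutable static `IsDebug` and as the `bool isDebug` argument passed to `Beaprint.PrintInit` and every `PrintInfo`; choosing one source would keep the two from drifting apart. The argument-parsing method starts and ends outside these hunks, so how `debug` interacts with the later `systemCheckAllKeys.Contains(argToLower)` test is only partly visible.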


@ -11,26 +11,118 @@ namespace winPEAS.Checks
internal class FilesInfo : ISystemCheck internal class FilesInfo : ISystemCheck
{ {
static readonly string _patternsFileCredsColor = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|security|software|SECURITY|SOFTWARE|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo|pagefile.sys|NetSetup.log|iis6.log|AppEvent.Evt|SecEvent.Evt|default.sav|security.sav|software.sav|system.sav|ntuser.dat|index.dat|bash.exe|wsl.exe"; static readonly string _patternsFileCredsColor = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|security|software|SECURITY|SOFTWARE|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo|pagefile.sys|NetSetup.log|iis6.log|AppEvent.Evt|SecEvent.Evt|default.sav|security.sav|software.sav|system.sav|ntuser.dat|index.dat|bash.exe|wsl.exe";
static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak"; // static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak";
private static readonly IList<string> patternsFileCreds = new List<string>()
{
"*.cer$",
"*.csr$",
"*.der$",
"*.ftpconfig",
"*.gpg$",
"*.kdbx",
"*.ovpn",
"*.p12$",
"*.pgp$",
"*.rdg",
"*_history*",
"*config*.php",
"*id_dsa*",
"*id_rsa*",
"*vnc*.c*nf*",
"*vnc*.ini",
"*vnc*.txt",
"*vnc*.xml",
".git-credentials",
".gitconfig",
".htpasswd",
"AppEvent.Evt",
"ConsoleHost_history.txt",
"Dockerfile",
"FreeSSHDservice.ini",
"KeePass.config",
"NetSetup.log",
"Ntds.dit",
"RDCMan.settings",
"SAM",
"SYSTEM",
"SecEvent.Evt",
"access.log",
"accessTokens.json",
"access_tokens.db",
"appcmd.exe",
"azureProfile.json",
"bash.exe",
"datasources.xml",
"default.sav",
"docker-compose.yml",
"drives.xml",
"elasticsearch.y*ml",
"error.log",
"ffftp.ini",
"filezilla.xml",
"groups.xml",
"httpd.conf",
"https-xampp.conf",
"https.conf",
"iis6.log",
"index.dat",
"kibana.y*ml",
"known_hosts",
"my.cnf",
"my.ini",
"ntuser.dat",
"pagefile.sys",
"php.ini",
"printers.xml",
"recentservers.xml",
"scclient.exe",
"scheduledtasks.xml",
"security",
"security.sav",
"server.xml",
"services.xml",
"setupinfo",
"setupinfo.bak",
"sitemanager.xml",
"sites.ini",
"software",
"software.sav",
"sysprep.inf",
"sysprep.xml",
"system.sav",
"tomcat-users.xml",
"unattend.txt",
"unattend.xml",
"unattended.xml",
"wcx_ftp.ini",
"web.*.config",
"winscp.ini",
"ws_ftp.ini",
"wsl.exe",
};
public void PrintInfo() public void PrintInfo(bool isDebug)
{ {
Beaprint.GreatPrint("Interesting files and registry"); Beaprint.GreatPrint("Interesting files and registry");
Putty.PrintInfo(); new List<Action>
PrintCloudCreds(); {
PrintUnattendFiles(); Putty.PrintInfo,
PrintSAMBackups(); PrintCloudCreds,
PrintMcAffeSitelistFiles(); PrintUnattendFiles,
PrintLinuxShells(); PrintSAMBackups,
PrintCachedGPPPassword(); PrintMcAffeSitelistFiles,
PrintPossCredsRegs(); PrintLinuxShells,
PrintUserCredsFiles(); PrintCachedGPPPassword,
PrintUsersInterestingFiles(); PrintPossCredsRegs,
PrintUsersDocsKeys(); PrintUserCredsFiles,
PrintRecentFiles(); PrintUsersInterestingFiles,
PrintRecycleBin(); PrintUsersDocsKeys,
PrintRecentFiles,
PrintRecycleBin
}.ForEach(action => CheckRunner.Run(action, isDebug));
} }
void PrintCloudCreds() void PrintCloudCreds()
@ -224,7 +316,10 @@ namespace winPEAS.Checks
{ {
try try
{ {
string pattern_bin = _patternsFileCreds + ";*password*;*credential*"; //string pattern_bin = _patternsFileCreds + ";*password*;*credential*";
string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*";
Dictionary<string, string> colorF = new Dictionary<string, string>() Dictionary<string, string> colorF = new Dictionary<string, string>()
{ {
{ _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad }, { _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad },
@ -233,6 +328,7 @@ namespace winPEAS.Checks
Beaprint.MainPrint("Looking inside the Recycle Bin for creds files"); Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin(); List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
foreach (Dictionary<string, string> rec_file in recy_files) foreach (Dictionary<string, string> rec_file in recy_files)
{ {
foreach (string pattern in pattern_bin.Split(';')) foreach (string pattern in pattern_bin.Split(';'))
@ -244,9 +340,12 @@ namespace winPEAS.Checks
} }
} }
} }
if (recy_files.Count <= 0) if (recy_files.Count <= 0)
{
Beaprint.NotFoundPrint(); Beaprint.NotFoundPrint();
} }
}
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.PrintException(ex.Message); Beaprint.PrintException(ex.Message);
@ -265,7 +364,11 @@ namespace winPEAS.Checks
Beaprint.MainPrint("Searching known files that can contain creds in home"); Beaprint.MainPrint("Searching known files that can contain creds in home");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
string searchPath = Environment.GetEnvironmentVariable("USERPROFILE"); string searchPath = Environment.GetEnvironmentVariable("USERPROFILE");
SearchHelper.FindFiles(searchPath, _patternsFileCreds, colorF);
//SearchHelper.FindFiles(searchPath, _patternsFileCreds, colorF);
string patterns = string.Join(";", patternsFileCreds);
SearchHelper.FindFiles(searchPath, patterns, colorF);
} }
catch (Exception ex) catch (Exception ex)
{ {
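Review bot: The new `patternsFileCreds` list replaces the old `web.config` entry with `web.*.config` only. If the entries are used as file-system wildcards (the joined string is split on `;` and passed to `SearchHelper.FindFiles`), a plain `web.config` probably no longer matches and that finding drops out of the report without any message. Keeping both entries, `"web.config", "web.*.config",`, preserves the previous coverage. The entries ending in `$` (`*.cer$`, `*.p12$`, `*.der$` and the like) look like regex anchors carried over from the old string and would be literal characters in a wildcard, which is worth confirming against the matcher. The commented-out `_patternsFileCreds` field and the two `//` call sites can be deleted rather than kept, since the history already holds them.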


@ -2,6 +2,6 @@
{ {
internal interface ISystemCheck internal interface ISystemCheck
{ {
void PrintInfo(); void PrintInfo(bool isDebug);
} }
} }


@ -11,15 +11,19 @@ namespace winPEAS.Checks
static string commonShares = "[a-zA-Z]+[$]"; static string commonShares = "[a-zA-Z]+[$]";
static string badIps = "127.0.0.1"; static string badIps = "127.0.0.1";
public void PrintInfo() public void PrintInfo(bool isDebug)
{ {
Beaprint.GreatPrint("Network Information"); Beaprint.GreatPrint("Network Information");
PrintNetShares();
PrintHostsFile(); new List<Action>
PrintNetworkIfaces(); {
PrintListeningPorts(); PrintNetShares,
PrintFirewallRules(); PrintHostsFile,
PrintDNSCache(); PrintNetworkIfaces,
PrintListeningPorts,
PrintFirewallRules,
PrintDNSCache,
}.ForEach(action => CheckRunner.Run(action, isDebug));
} }
void PrintNetShares() void PrintNetShares()


@ -8,10 +8,14 @@ namespace winPEAS.Checks
{ {
internal class ProcessInfo : ISystemCheck internal class ProcessInfo : ISystemCheck
{ {
public void PrintInfo() public void PrintInfo(bool isDebug)
{ {
Beaprint.GreatPrint("Processes Information"); Beaprint.GreatPrint("Processes Information");
PrintInterestingProcesses();
new List<Action>
{
PrintInterestingProcesses,
}.ForEach(action => CheckRunner.Run(action, isDebug));
} }
void PrintInterestingProcesses() void PrintInterestingProcesses()


@ -10,25 +10,31 @@ namespace winPEAS.Checks
{ {
Dictionary<string, string> modifiableServices = new Dictionary<string, string>(); Dictionary<string, string> modifiableServices = new Dictionary<string, string>();
public void PrintInfo() public void PrintInfo(bool isDebug)
{ {
Beaprint.GreatPrint("Services Information"); Beaprint.GreatPrint("Services Information");
/// Start finding Modifiable services so any function could use them /// Start finding Modifiable services so any function could use them
try try
{
CheckRunner.Run(() =>
{ {
modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs); modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs);
}, isDebug);
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.PrintException(ex.Message); Beaprint.PrintException(ex.Message);
} }
PrintInterestingServices(); new List<Action>
PrintModifiableServices(); {
PrintWritableRegServices(); PrintInterestingServices,
PrintPathDllHijacking(); PrintModifiableServices,
PrintWritableRegServices,
PrintPathDllHijacking,
}.ForEach(action => CheckRunner.Run(action, isDebug));
} }
void PrintInterestingServices() void PrintInterestingServices()


@ -12,30 +12,34 @@ namespace winPEAS.Checks
static string goodUAC = "PromptPermitDenyOnSecureDesktop"; static string goodUAC = "PromptPermitDenyOnSecureDesktop";
static string badLAPS = "LAPS not installed"; static string badLAPS = "LAPS not installed";
public void PrintInfo() public void PrintInfo(bool isDebug)
{ {
Beaprint.GreatPrint("System Information"); Beaprint.GreatPrint("System Information");
PrintBasicSystemInfo();
PrintUserEV(); new List<Action>
PrintSystemEV(); {
PrintAuditInfo(); PrintBasicSystemInfo,
PrintWEFInfo(); PrintUserEV,
PrintLAPSInfo(); PrintSystemEV,
PrintWdigest(); PrintAuditInfo,
PrintLSAProtection(); PrintWEFInfo,
PrintCredentialGuard(); PrintLAPSInfo,
PrintCachedCreds(); PrintWdigest,
PrintAVInfo(); PrintLSAProtection,
PrintUACInfo(); PrintCredentialGuard,
PrintPSInfo(); PrintCachedCreds,
PrintTranscriptPS(); PrintAVInfo,
PrintInetInfo(); PrintUACInfo,
PrintDrivesInfo(); PrintPSInfo,
PrintWSUS(); PrintTranscriptPS,
PrintAlwaysInstallElevated(); PrintInetInfo,
PrintDrivesInfo,
PrintWSUS,
PrintAlwaysInstallElevated,
}.ForEach(action => CheckRunner.Run(action, isDebug));
} }
void PrintBasicSystemInfo() static void PrintBasicSystemInfo()
{ {
try try
{ {
@ -60,7 +64,7 @@ namespace winPEAS.Checks
} }
} }
void PrintPSInfo() static void PrintPSInfo()
{ {
try try
{ {
@ -79,7 +83,7 @@ namespace winPEAS.Checks
} }
} }
void PrintTranscriptPS() static void PrintTranscriptPS()
{ {
try try
{ {
@ -107,7 +111,7 @@ namespace winPEAS.Checks
} }
} }
void PrintAuditInfo() static void PrintAuditInfo()
{ {
try try
{ {
@ -122,7 +126,7 @@ namespace winPEAS.Checks
} }
} }
void PrintWEFInfo() static void PrintWEFInfo()
{ {
try try
{ {
@ -156,7 +160,7 @@ namespace winPEAS.Checks
} }
} }
void PrintWdigest() static void PrintWdigest()
{ {
Beaprint.MainPrint("Wdigest"); Beaprint.MainPrint("Wdigest");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");
@ -167,7 +171,7 @@ namespace winPEAS.Checks
Beaprint.GoodPrint(" Wdigest is not enabled"); Beaprint.GoodPrint(" Wdigest is not enabled");
} }
void PrintLSAProtection() static void PrintLSAProtection()
{ {
Beaprint.MainPrint("LSA Protection"); Beaprint.MainPrint("LSA Protection");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
@ -178,7 +182,7 @@ namespace winPEAS.Checks
Beaprint.BadPrint(" LSA Protection is not enabled"); Beaprint.BadPrint(" LSA Protection is not enabled");
} }
void PrintCredentialGuard() static void PrintCredentialGuard()
{ {
Beaprint.MainPrint("Credentials Guard"); Beaprint.MainPrint("Credentials Guard");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
@ -197,7 +201,7 @@ namespace winPEAS.Checks
Beaprint.BadPrint(" CredentialGuard is not enabled"); Beaprint.BadPrint(" CredentialGuard is not enabled");
} }
void PrintCachedCreds() static void PrintCachedCreds()
{ {
Beaprint.MainPrint("Cached Creds"); Beaprint.MainPrint("Cached Creds");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
@ -216,7 +220,7 @@ namespace winPEAS.Checks
} }
} }
void PrintUserEV() static void PrintUserEV()
{ {
try try
{ {
@ -235,7 +239,7 @@ namespace winPEAS.Checks
} }
} }
void PrintSystemEV() static void PrintSystemEV()
{ {
try try
{ {
@ -254,7 +258,7 @@ namespace winPEAS.Checks
} }
} }
void PrintInetInfo() static void PrintInetInfo()
{ {
try try
{ {
@ -277,7 +281,7 @@ namespace winPEAS.Checks
} }
} }
void PrintDrivesInfo() static void PrintDrivesInfo()
{ {
try try
{ {
@ -313,7 +317,7 @@ namespace winPEAS.Checks
} }
} }
void PrintAVInfo() static void PrintAVInfo()
{ {
try try
{ {
@ -332,7 +336,7 @@ namespace winPEAS.Checks
} }
} }
void PrintUACInfo() static void PrintUACInfo()
{ {
try try
{ {
@ -365,7 +369,7 @@ namespace winPEAS.Checks
} }
} }
void PrintWSUS() static void PrintWSUS()
{ {
try try
{ {
@ -400,7 +404,7 @@ namespace winPEAS.Checks
} }
} }
void PrintAlwaysInstallElevated() static void PrintAlwaysInstallElevated()
{ {
try try
{ {
@ -421,6 +425,5 @@ namespace winPEAS.Checks
Beaprint.PrintException(ex.Message); Beaprint.PrintException(ex.Message);
} }
} }
} }
} }


@ -27,19 +27,22 @@ namespace winPEAS.Checks
static readonly string _badPasswd = "NotChange|NotExpi"; static readonly string _badPasswd = "NotChange|NotExpi";
static readonly string _badPrivileges = "SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege"; static readonly string _badPrivileges = "SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege";
public void PrintInfo() public void PrintInfo(bool isDebug)
{ {
Beaprint.GreatPrint("Users Information"); Beaprint.GreatPrint("Users Information");
PrintCU(); new List<Action>
PrintTokenP(); {
PrintClipboardText(); PrintCU,
PrintLoggedUsers(); PrintTokenP,
PrintRdpSessions(); PrintClipboardText,
PrintEverLoggedUsers(); PrintLoggedUsers,
PrintHomeFolders(); PrintRdpSessions,
PrintAutoLogin(); PrintEverLoggedUsers,
PrintPasswordPolicies(); PrintHomeFolders,
PrintAutoLogin,
PrintPasswordPolicies,
}.ForEach(action => CheckRunner.Run(action, isDebug));
} }
Dictionary<string, string> ColorsU() Dictionary<string, string> ColorsU()


@ -12,24 +12,28 @@ namespace winPEAS.Checks
{ {
internal class WindowsCreds : ISystemCheck internal class WindowsCreds : ISystemCheck
{ {
public void PrintInfo() public void PrintInfo(bool isDebug)
{ {
Beaprint.GreatPrint("Windows Credentials"); Beaprint.GreatPrint("Windows Credentials");
PrintvaultCreds();
PrintCredManag(); new List<Action>
PrintSavedRDPInfo(); {
PrintRecentRunCommands(); PrintvaultCreds,
PrintDPAPIMasterKeys(); PrintCredManag,
PrintDpapiCredFiles(); PrintSavedRDPInfo,
PrintRCManFiles(); PrintRecentRunCommands,
PrintKerberosTickets(); PrintDPAPIMasterKeys,
//PrintKerberosTGTTickets(); #Not working PrintDpapiCredFiles,
PrintWifi(); PrintRCManFiles,
PrintAppCmd(); PrintKerberosTickets,
PrintSCClient(); //PrintKerberosTGTTickets, #Not working
PrintWifi,
PrintAppCmd,
PrintSCClient,
}.ForEach(action => CheckRunner.Run(action, isDebug));
} }
void PrintvaultCreds() static void PrintvaultCreds()
{ {
try try
{ {
@ -49,7 +53,7 @@ namespace winPEAS.Checks
} }
} }
void PrintCredManag() static void PrintCredManag()
{ {
try try
{ {
@ -77,7 +81,7 @@ namespace winPEAS.Checks
} }
void PrintSavedRDPInfo() static void PrintSavedRDPInfo()
{ {
try try
{ {
@ -102,7 +106,7 @@ namespace winPEAS.Checks
} }
} }
void PrintRecentRunCommands() static void PrintRecentRunCommands()
{ {
try try
{ {
@ -116,7 +120,7 @@ namespace winPEAS.Checks
} }
} }
void PrintDPAPIMasterKeys() static void PrintDPAPIMasterKeys()
{ {
try try
{ {
@ -143,7 +147,7 @@ namespace winPEAS.Checks
} }
} }
void PrintDpapiCredFiles() static void PrintDpapiCredFiles()
{ {
try try
{ {
@ -162,7 +166,7 @@ namespace winPEAS.Checks
} }
} }
void PrintRCManFiles() static void PrintRCManFiles()
{ {
try try
{ {
@ -181,7 +185,7 @@ namespace winPEAS.Checks
} }
} }
void PrintKerberosTickets() static void PrintKerberosTickets()
{ {
try try
{ {
@ -196,7 +200,7 @@ namespace winPEAS.Checks
} }
} }
void PrintKerberosTGTTickets() static void PrintKerberosTGTTickets()
{ {
try try
{ {
@ -210,7 +214,7 @@ namespace winPEAS.Checks
} }
} }
void PrintWifi() static void PrintWifi()
{ {
try try
{ {
@ -258,7 +262,7 @@ namespace winPEAS.Checks
} }
} }
void PrintAppCmd() static void PrintAppCmd()
{ {
try try
{ {
@ -279,7 +283,7 @@ namespace winPEAS.Checks
} }
} }
void PrintSCClient() static void PrintSCClient()
{ {
try try
{ {


@ -3,8 +3,8 @@ using System.Collections.Concurrent;
using System.Collections.Generic; using System.Collections.Generic;
using System.IO; using System.IO;
using System.Linq; using System.Linq;
using System.Threading.Tasks; using System.Text.RegularExpressions;
using winPEAS.Helpers; using System.Threading;
namespace winPEAS.FastSearch.FileSearcher namespace winPEAS.FastSearch.FileSearcher
{ {
@ -17,6 +17,7 @@ namespace winPEAS.FastSearch.FileSearcher
public static List<FileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null) public static List<FileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null)
{ {
ConcurrentBag<FileInfo> files = new ConcurrentBag<FileInfo>(); ConcurrentBag<FileInfo> files = new ConcurrentBag<FileInfo>();
// ConcurrentBag<string> files = new ConcurrentBag<string>();
//Beaprint.InfoPrint($"[*] folder 1: '{folder}'"); //Beaprint.InfoPrint($"[*] folder 1: '{folder}'");
@ -43,6 +44,7 @@ namespace winPEAS.FastSearch.FileSearcher
GetStartDirectories(d.FullName, files, pattern).AsParallel().ForAll((dir) => GetStartDirectories(d.FullName, files, pattern).AsParallel().ForAll((dir) =>
{ {
GetFiles(dir.FullName, pattern).ForEach((f) => files.Add(f)); GetFiles(dir.FullName, pattern).ForEach((f) => files.Add(f));
// FindFiles(dir.FullName, pattern, SearchOption.TopDirectoryOnly).ForEach((f) => files.Add(f));
}); });
}); });
@ -147,5 +149,72 @@ namespace winPEAS.FastSearch.FileSearcher
return result; return result;
} }
public static List<string> FindFiles(string directory, string filters, SearchOption searchOption)
{
if (!Directory.Exists(directory)) return new List<string>();
var include = (from filter in filters.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries) where !string.IsNullOrEmpty(filter.Trim()) select filter.Trim());
var exclude = (from filter in include where filter.Contains(@"!") select filter);
include = include.Except(exclude);
if (include.Count() == 0) include = new string[] { "*" };
var rxfilters = from filter in exclude select string.Format("^{0}$", filter.Replace("!", "").Replace(".", @"\.").Replace("*", ".*").Replace("?", "."));
Regex regex = new Regex(string.Join("|", rxfilters.ToArray()));
List<Thread> workers = new List<Thread>();
List<string> files = new List<string>();
foreach (string filter in include)
{
Thread worker = new Thread(
new ThreadStart(
delegate
{
try
{
//string[] allfiles = Directory.GetFiles(directory, filter, searchOption);
string[] allfiles = Directory.GetFiles(directory, filter, SearchOption.TopDirectoryOnly);
if (exclude.Count() > 0)
{
lock (files)
{
files.AddRange(allfiles.Where(p => !regex.Match(p).Success));
}
}
else
{
lock (files)
{
files.AddRange(allfiles);
}
}
}
catch (UnauthorizedAccessException)
{
}
catch (PathTooLongException)
{
}
catch (DirectoryNotFoundException)
{
}
}
));
workers.Add(worker);
worker.Start();
}
foreach (Thread worker in workers)
{
worker.Join();
}
return files;
}
} }
} }
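Review bot: The new `FindFiles` accepts `searchOption` but never uses it: the call is hard-coded to `SearchOption.TopDirectoryOnly` and the parameterised call is left commented out, so a caller asking for a recursive search gets a shallow one with no error. Either pass it through, `string[] allfiles = Directory.GetFiles(directory, filter, searchOption);`, or drop the parameter. The exclusion regex escapes only `.`, `*` and `?` by hand, so any other metacharacter in a filter changes what the regex matches; applying `Regex.Escape` to the filter before translating the wildcards would cover the rest. The three empty `catch` blocks hide every directory that was skipped, and one thread is started per include filter, which adds up quickly with a pattern list as long as the one in `FilesInfo`. In the lines shown, the only reference to this method is itself commented out.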


@ -78,7 +78,7 @@ namespace winPEAS.Helpers
Thread.Sleep(700); Thread.Sleep(700);
} }
public static void PrintInit() public static void PrintInit(bool isDebug)
{ {
if (Checks.Checks.Banner) if (Checks.Checks.Banner)
{ {
@ -87,6 +87,12 @@ namespace winPEAS.Helpers
Console.WriteLine(YELLOW + " WinPEAS " + GREEN + Version + NOCOLOR + YELLOW + " by carlospolop" + NOCOLOR); Console.WriteLine(YELLOW + " WinPEAS " + GREEN + Version + NOCOLOR + YELLOW + " by carlospolop" + NOCOLOR);
Console.WriteLine(); Console.WriteLine();
if (isDebug)
{
MemoryHelper.DisplayMemoryStats();
}
PrintLegend(); PrintLegend();
Console.WriteLine(); Console.WriteLine();
LinkPrint("https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:"); LinkPrint("https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:");
@ -172,6 +178,12 @@ namespace winPEAS.Helpers
Console.WriteLine(DGRAY + to_print + NOCOLOR); Console.WriteLine(DGRAY + to_print + NOCOLOR);
} }
internal static void PrintDebugLine(string log)
{
Console.WriteLine(YELLOW + " [Debug] " + log + NOCOLOR);
Console.WriteLine();
}
public static void PrintLineSeparator() public static void PrintLineSeparator()
{ {
GrayPrint(" ================================================================================================="); GrayPrint(" =================================================================================================");


@ -0,0 +1,30 @@
using System;
using System.Diagnostics;
namespace winPEAS.Helpers
{
internal static class CheckRunner
{
public static void Run(Action action, bool isDebug)
{
var timer = new Stopwatch();
if (isDebug)
{
timer.Start();
}
action();
if (isDebug)
{
timer.Stop();
TimeSpan timeTaken = timer.Elapsed;
string log = $"Execution took : {timeTaken.Minutes:00}m:{timeTaken.Seconds:00}s:{timeTaken.Milliseconds:000}";
Beaprint.PrintDebugLine(log);
}
}
}
}
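Review bot: If `action()` throws, the second `if (isDebug)` block in `CheckRunner.Run` is skipped, so the timing line is missing for exactly the checks that fail. Wrapping the call in try/finally keeps the debug line while still letting the exception reach the caller as it does today. `timeTaken.Minutes` is the 0–59 component of the span, so a run longer than an hour wraps around; `(int)timeTaken.TotalMinutes` does not. The `Stopwatch` is also allocated when `isDebug` is false, which an early return avoids. A short XML summary on `Run` saying that it only adds timing and does not catch exceptions would help callers such as `ServicesInfo`, which wraps it in its own `try`.

```csharp
public static void Run(Action action, bool isDebug)
{
    if (!isDebug)
    {
        action();
        return;
    }

    var timer = Stopwatch.StartNew();
    try
    {
        action();
    }
    finally
    {
        timer.Stop();
        TimeSpan timeTaken = timer.Elapsed;
        string log = $"Execution took : {(int)timeTaken.TotalMinutes:00}m:{timeTaken.Seconds:00}s:{timeTaken.Milliseconds:000}";
        Beaprint.PrintDebugLine(log);
    }
}
```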


@ -1,20 +0,0 @@
using System;
using System.Diagnostics;
namespace winPEAS.Helpers
{
internal static class MeasureHelper
{
public static void MeasureMethod(Action action, string description = null)
{
var timer = new Stopwatch();
timer.Start();
action();
timer.Stop();
TimeSpan timeTaken = timer.Elapsed;
string log = $"({description ?? string.Empty}) Time taken: " + timeTaken.ToString(@"m\:ss\.fff");
Beaprint.LinkPrint(log);
}
}
}


@ -0,0 +1,45 @@
using System;
using System.Diagnostics;
namespace winPEAS.Helpers
{
internal static class MemoryHelper
{
public static void DisplayMemoryStats()
{
using (Process process = Process.GetCurrentProcess())
{
if (!process.HasExited)
{
process.Refresh();
string memoryStats = $"{process.ProcessName} - Memory Stats\n" +
$"-------------------------------------\n" +
$" Physical memory usage : {ToSize(process.WorkingSet64)}\n" +
$" Paged system memory size : {ToSize(process.PagedSystemMemorySize64)}\n" +
$" Paged memory size : {ToSize(process.PagedMemorySize64)}\n";
Beaprint.PrintDebugLine(memoryStats);
}
}
}
private static string[] suffixes = new[] { " B", " KB", " MB", " GB", " TB", " PB" };
private static string ToSize(double number, int precision = 2)
{
// unit's number of bytes
const double unit = 1024;
// suffix counter
int i = 0;
// as long as we're bigger than a unit, keep going
while (number > unit)
{
number /= unit;
i++;
}
// apply precision and current suffix
return Math.Round(number, precision) + suffixes[i];
}
}
}
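Review bot: `ToSize` can index past the end of `suffixes`, because the loop `while (number > unit)` puts no bound on `i`; a value above 1024^6 would throw `IndexOutOfRangeException`. The strict comparison also makes exactly 1024 bytes print as `1024 B`. `while (number >= unit && i < suffixes.Length - 1)` fixes both. `suffixes` is never reassigned and can be declared `private static readonly string[]`. `Math.Round(number, precision) + suffixes[i]` formats with the current culture, so the decimal separator in the debug output varies by host.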


@ -3,14 +3,12 @@ using System.Collections.Generic;
using System.IO; using System.IO;
using System.Linq; using System.Linq;
using System.Threading; using System.Threading;
using winPEAS.FastSearch.FileSearcher;
using winPEAS.KnownFileCreds;
namespace winPEAS.Helpers namespace winPEAS.Helpers
{ {
internal static class SearchHelper internal static class SearchHelper
{ {
public static List<string> FindFiles_old_implementation(string path, string patterns) public static List<string> FindFiles(string path, string patterns)
{ {
// finds files matching one or more patterns under a given path, recursive // finds files matching one or more patterns under a given path, recursive
// adapted from http://csharphelper.com/blog/2015/06/find-files-that-match-multiple-patterns-in-c/ // adapted from http://csharphelper.com/blog/2015/06/find-files-that-match-multiple-patterns-in-c/
@ -33,7 +31,7 @@ namespace winPEAS.Helpers
// go recurse in all sub-directories // go recurse in all sub-directories
foreach (var directory in Directory.GetDirectories(path)) foreach (var directory in Directory.GetDirectories(path))
files.AddRange(FindFiles_old_implementation(directory, patterns)); files.AddRange(FindFiles(directory, patterns));
} }
catch (UnauthorizedAccessException) { } catch (UnauthorizedAccessException) { }
catch (PathTooLongException) { } catch (PathTooLongException) { }
@ -42,46 +40,7 @@ namespace winPEAS.Helpers
return files; return files;
} }
public static List<string> FindFiles_fileSearcher(string path, string patterns) public static void FindFiles(string path, string patterns, Dictionary<string, string> color)
{
var files = new List<string>();
foreach (string pattern in patterns.Split(';'))
{
// var found = Directory.GetFiles(path, pattern, SearchOption.AllDirectories);
List<FileInfo> res = FileSearcher.GetFilesFast(path, pattern);
files.AddRange(res.Select(s => s.FullName));
}
return files;
}
private static void PrintSearchResults(IEnumerable<string> results, string description = null)
{
Beaprint.LinkPrint($"------------------------- results: {description ?? string.Empty} --------------------------------");
if (results != null)
{
Beaprint.LinkPrint(string.Join("\n", results ?? Enumerable.Empty<string>()));
}
Beaprint.LinkPrint($"------------------------- results: {description ?? string.Empty} --------------------------------");
Beaprint.LinkPrint("\n\n\n\n");
}
public static List<string> FindFiles(string path, string patterns)
{
List<string> result = new List<string>();
MeasureHelper.MeasureMethod(() => result = FindFiles_old_implementation(path, patterns), "old implementation");
PrintSearchResults(result, "old implementation");
MeasureHelper.MeasureMethod(() => result = FindFiles_fileSearcher(path, patterns), "new implementation");
PrintSearchResults(result, "new implementation");
return result;
}
public static void FindFiles_old_implementation(string path, string patterns, Dictionary<string, string> color)
{ {
try try
{ {
@ -106,7 +65,7 @@ namespace winPEAS.Helpers
{ {
if (!directory.Contains("AppData")) if (!directory.Contains("AppData"))
{ {
FindFiles_old_implementation(directory, patterns, color); FindFiles(directory, patterns, color);
} }
} }
} }
@ -114,29 +73,5 @@ namespace winPEAS.Helpers
catch (PathTooLongException) { } catch (PathTooLongException) { }
catch (DirectoryNotFoundException) { } catch (DirectoryNotFoundException) { }
} }
public static void FindFiles_fileSearcher(string path, string patterns, Dictionary<string, string> color, HashSet<string> excludedDirs = null)
{
// search every pattern in this directory's files
foreach (string pattern in patterns.Split(';'))
{
// var found = Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly).Where(filepath => !filepath.Contains(".dll"));
List<FileInfo> res = FileSearcher.GetFilesFast(path, pattern, excludedDirs);
var found = res.Where(filepath => filepath.Extension != null && !filepath.Extension.Equals("dll")).Select(s => s.FullName);
Beaprint.AnsiPrint(" " + string.Join("\n ", found), color);
}
}
public static void FindFiles(string path, string patterns, Dictionary<string, string> color)
{
Beaprint.LinkPrint($"------------------------- results: old implementation --------------------------------");
MeasureHelper.MeasureMethod(() => FindFiles_old_implementation(path, patterns, color), "old implementation");
Beaprint.LinkPrint($"------------------------- results: old implementation --------------------------------");
Beaprint.LinkPrint("\n\n\n\n");
Beaprint.LinkPrint($"------------------------- results: new implementation --------------------------------");
HashSet<string> excludedDirs = new HashSet<string>() { "AppData" };
MeasureHelper.MeasureMethod(() => FindFiles_fileSearcher(path, patterns, color, excludedDirs), "new implementation");
Beaprint.LinkPrint($"------------------------- results: new implementation --------------------------------");
}
} }
} }
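Review bot: The directory filter in the three-argument `FindFiles`, `if (!directory.Contains("AppData"))`, is a case-sensitive substring test on the full path, so it also skips unrelated directories (for example a folder named `MyAppDataBackup`, a constructed name) and does not match `appdata`. Either way, part of the tree is left out of the scan with no indication in the output. Comparing the leaf name instead, `if (!string.Equals(Path.GetFileName(directory), "AppData", StringComparison.OrdinalIgnoreCase))`, keeps the exclusion to the intended folder, but it changes behaviour when the starting `path` is itself below AppData, so confirm that case against the callers. Both overloads also recurse through `Directory.GetDirectories` with empty `catch` blocks, so a debug-mode message there would make skipped subtrees visible. The bodies of both methods extend outside the hunks shown.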


@ -116,6 +116,7 @@
<Compile Include="Checks\SystemInfo.cs" /> <Compile Include="Checks\SystemInfo.cs" />
<Compile Include="Checks\UserInfo.cs" /> <Compile Include="Checks\UserInfo.cs" />
<Compile Include="Checks\WindowsCreds.cs" /> <Compile Include="Checks\WindowsCreds.cs" />
<Compile Include="Helpers\MemoryHelper.cs" />
<Compile Include="Helpers\PermissionsHelper.cs" /> <Compile Include="Helpers\PermissionsHelper.cs" />
<Compile Include="Info\ApplicationInfo\ApplicationInfoHelper.cs" /> <Compile Include="Info\ApplicationInfo\ApplicationInfoHelper.cs" />
<Compile Include="Info\ApplicationInfo\AutoRuns.cs" /> <Compile Include="Info\ApplicationInfo\AutoRuns.cs" />
@ -207,7 +208,7 @@
<Compile Include="TaskScheduler\XmlSerializationHelper.cs" /> <Compile Include="TaskScheduler\XmlSerializationHelper.cs" />
<Compile Include="Info\UserInfo\UserInfoHelper.cs" /> <Compile Include="Info\UserInfo\UserInfoHelper.cs" />
<Compile Include="Helpers\DomainHelper.cs" /> <Compile Include="Helpers\DomainHelper.cs" />
<Compile Include="Helpers\MeasureHelper.cs" /> <Compile Include="Helpers\CheckRunner.cs" />
<Compile Include="Helpers\ReflectionHelper.cs" /> <Compile Include="Helpers\ReflectionHelper.cs" />
<Compile Include="Helpers\RegistryHelper.cs" /> <Compile Include="Helpers\RegistryHelper.cs" />
<Compile Include="Helpers\SearchHelper.cs" /> <Compile Include="Helpers\SearchHelper.cs" />