- reverted new test search method

- added debugging information - memory, method execution time
makikvues 2021-01-10 20:37:49 +01:00
parent 2f467a3405
commit ff030224fe
18 changed files with 430 additions and 220 deletions


@ -7,14 +7,18 @@ namespace winPEAS.Checks
{
internal class ApplicationsInfo : ISystemCheck
{
public void PrintInfo()
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Applications Information");
PrintActiveWindow();
PrintInstalledApps();
PrintAutoRuns();
PrintScheduled();
PrintDeviceDrivers();
new List<Action>
{
PrintActiveWindow,
PrintInstalledApps,
PrintAutoRuns,
PrintScheduled,
PrintDeviceDrivers,
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
void PrintActiveWindow()


@ -6,7 +6,7 @@ namespace winPEAS.Checks
{
internal class BrowserInfo : ISystemCheck
{
public void PrintInfo()
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Browsers Information");
@ -15,7 +15,7 @@ namespace winPEAS.Checks
new Firefox(),
new Chrome(),
new InternetExplorer(),
}.ForEach(browser => browser.PrintInfo());
}.ForEach(browser => CheckRunner.Run(browser.PrintInfo, isDebug));
}
}
}


@ -1,5 +1,6 @@
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Management;
using System.Security.Principal;
@ -15,6 +16,7 @@ namespace winPEAS.Checks
public static bool Banner = true;
public static bool IsSearchFast = true;
public static int SearchTime = 50;
public static bool IsDebug = false;
// Create Dynamic blacklists
public static readonly string CurrentUserName = Environment.UserName;
@ -101,7 +103,12 @@ namespace winPEAS.Checks
if (string.Equals(arg, "wait", StringComparison.CurrentCultureIgnoreCase))
{
wait = true;
}
}
if (string.Equals(arg, "debug", StringComparison.CurrentCultureIgnoreCase))
{
IsDebug = true;
}
string argToLower = arg.ToLower();
if (systemCheckAllKeys.Contains(argToLower))
@ -123,7 +130,7 @@ namespace winPEAS.Checks
CreateDynamicLists();
Beaprint.PrintInit();
Beaprint.PrintInit(IsDebug);
for (int i = 0; i < systemChecks.Count; i++)
{
@ -131,7 +138,7 @@ namespace winPEAS.Checks
if (systemCheckSelectedKeysHashSet.Contains(systemCheck.Key) || isAllChecks)
{
systemCheck.Check.PrintInfo();
systemCheck.Check.PrintInfo(IsDebug);
if ((i < systemCheckSelectedKeysHashSet.Count - 1) && wait)
{
@ -139,7 +146,7 @@ namespace winPEAS.Checks
}
}
}
}
}
private static void CreateDynamicLists()
{
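Review bot: The debug switch now has two sources of truth: `Checks.IsDebug` is a public mutable static, and the same value is also threaded as a parameter through `ISystemCheck.PrintInfo(bool isDebug)` and `Beaprint.PrintInit(bool isDebug)`. Either keep the parameter and stop exposing the field publicly, or let `CheckRunner` read the static and leave the interface as it was. The keyword match uses `StringComparison.CurrentCultureIgnoreCase`; for a fixed command-line token `StringComparison.OrdinalIgnoreCase` avoids locale-dependent casing, and the same applies to the `wait` comparison just above it. The enclosing method starts and ends outside these hunks.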


@ -11,26 +11,118 @@ namespace winPEAS.Checks
internal class FilesInfo : ISystemCheck
{
static readonly string _patternsFileCredsColor = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|security|software|SECURITY|SOFTWARE|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo|pagefile.sys|NetSetup.log|iis6.log|AppEvent.Evt|SecEvent.Evt|default.sav|security.sav|software.sav|system.sav|ntuser.dat|index.dat|bash.exe|wsl.exe";
static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak";
// static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak";
private static readonly IList<string> patternsFileCreds = new List<string>()
{
"*.cer$",
"*.csr$",
"*.der$",
"*.ftpconfig",
"*.gpg$",
"*.kdbx",
"*.ovpn",
"*.p12$",
"*.pgp$",
"*.rdg",
"*_history*",
"*config*.php",
"*id_dsa*",
"*id_rsa*",
"*vnc*.c*nf*",
"*vnc*.ini",
"*vnc*.txt",
"*vnc*.xml",
".git-credentials",
".gitconfig",
".htpasswd",
"AppEvent.Evt",
"ConsoleHost_history.txt",
"Dockerfile",
"FreeSSHDservice.ini",
"KeePass.config",
"NetSetup.log",
"Ntds.dit",
"RDCMan.settings",
"SAM",
"SYSTEM",
"SecEvent.Evt",
"access.log",
"accessTokens.json",
"access_tokens.db",
"appcmd.exe",
"azureProfile.json",
"bash.exe",
"datasources.xml",
"default.sav",
"docker-compose.yml",
"drives.xml",
"elasticsearch.y*ml",
"error.log",
"ffftp.ini",
"filezilla.xml",
"groups.xml",
"httpd.conf",
"https-xampp.conf",
"https.conf",
"iis6.log",
"index.dat",
"kibana.y*ml",
"known_hosts",
"my.cnf",
"my.ini",
"ntuser.dat",
"pagefile.sys",
"php.ini",
"printers.xml",
"recentservers.xml",
"scclient.exe",
"scheduledtasks.xml",
"security",
"security.sav",
"server.xml",
"services.xml",
"setupinfo",
"setupinfo.bak",
"sitemanager.xml",
"sites.ini",
"software",
"software.sav",
"sysprep.inf",
"sysprep.xml",
"system.sav",
"tomcat-users.xml",
"unattend.txt",
"unattend.xml",
"unattended.xml",
"wcx_ftp.ini",
"web.*.config",
"winscp.ini",
"ws_ftp.ini",
"wsl.exe",
};
public void PrintInfo()
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Interesting files and registry");
Putty.PrintInfo();
PrintCloudCreds();
PrintUnattendFiles();
PrintSAMBackups();
PrintMcAffeSitelistFiles();
PrintLinuxShells();
PrintCachedGPPPassword();
PrintPossCredsRegs();
PrintUserCredsFiles();
PrintUsersInterestingFiles();
PrintUsersDocsKeys();
PrintRecentFiles();
PrintRecycleBin();
new List<Action>
{
Putty.PrintInfo,
PrintCloudCreds,
PrintUnattendFiles,
PrintSAMBackups,
PrintMcAffeSitelistFiles,
PrintLinuxShells,
PrintCachedGPPPassword,
PrintPossCredsRegs,
PrintUserCredsFiles,
PrintUsersInterestingFiles,
PrintUsersDocsKeys,
PrintRecentFiles,
PrintRecycleBin
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
void PrintCloudCreds()
@ -224,15 +316,19 @@ namespace winPEAS.Checks
{
try
{
string pattern_bin = _patternsFileCreds + ";*password*;*credential*";
//string pattern_bin = _patternsFileCreds + ";*password*;*credential*";
string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*";
Dictionary<string, string> colorF = new Dictionary<string, string>()
{
{ _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad },
};
{
{ _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad },
};
Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
foreach (Dictionary<string, string> rec_file in recy_files)
{
foreach (string pattern in pattern_bin.Split(';'))
@ -244,8 +340,11 @@ namespace winPEAS.Checks
}
}
}
if (recy_files.Count <= 0)
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
@ -265,7 +364,11 @@ namespace winPEAS.Checks
Beaprint.MainPrint("Searching known files that can contain creds in home");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
string searchPath = Environment.GetEnvironmentVariable("USERPROFILE");
SearchHelper.FindFiles(searchPath, _patternsFileCreds, colorF);
//SearchHelper.FindFiles(searchPath, _patternsFileCreds, colorF);
string patterns = string.Join(";", patternsFileCreds);
SearchHelper.FindFiles(searchPath, patterns, colorF);
}
catch (Exception ex)
{
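Review bot: The new `patternsFileCreds` list is not a one-for-one copy of the string it replaces: the old `web.config` entry became `web.*.config`, which as a file glob appears to require a second dot and so would no longer match a plain `web.config`. If the intent was to also cover transform files (for example a constructed name like `web.Release.config`), keep both entries: `"web.config", "web.*.config",`. Both call sites immediately re-join the list with `string.Join(";", patternsFileCreds)`, so the list only pays off once `SearchHelper.FindFiles` accepts it directly. The commented-out `_patternsFileCreds` field and the two commented-out statements should be deleted rather than kept, since version control already holds them; the bodies of both methods continue outside the hunks.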


@ -2,6 +2,6 @@
{
internal interface ISystemCheck
{
void PrintInfo();
void PrintInfo(bool isDebug);
}
}


@ -11,15 +11,19 @@ namespace winPEAS.Checks
static string commonShares = "[a-zA-Z]+[$]";
static string badIps = "127.0.0.1";
public void PrintInfo()
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Network Information");
PrintNetShares();
PrintHostsFile();
PrintNetworkIfaces();
PrintListeningPorts();
PrintFirewallRules();
PrintDNSCache();
new List<Action>
{
PrintNetShares,
PrintHostsFile,
PrintNetworkIfaces,
PrintListeningPorts,
PrintFirewallRules,
PrintDNSCache,
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
void PrintNetShares()


@ -8,10 +8,14 @@ namespace winPEAS.Checks
{
internal class ProcessInfo : ISystemCheck
{
public void PrintInfo()
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Processes Information");
PrintInterestingProcesses();
Beaprint.GreatPrint("Processes Information");
new List<Action>
{
PrintInterestingProcesses,
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
void PrintInterestingProcesses()


@ -10,7 +10,7 @@ namespace winPEAS.Checks
{
Dictionary<string, string> modifiableServices = new Dictionary<string, string>();
public void PrintInfo()
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Services Information");
@ -18,17 +18,23 @@ namespace winPEAS.Checks
try
{
modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs);
CheckRunner.Run(() =>
{
modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs);
}, isDebug);
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
PrintInterestingServices();
PrintModifiableServices();
PrintWritableRegServices();
PrintPathDllHijacking();
new List<Action>
{
PrintInterestingServices,
PrintModifiableServices,
PrintWritableRegServices,
PrintPathDllHijacking,
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
void PrintInterestingServices()


@ -12,30 +12,34 @@ namespace winPEAS.Checks
static string goodUAC = "PromptPermitDenyOnSecureDesktop";
static string badLAPS = "LAPS not installed";
public void PrintInfo()
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("System Information");
PrintBasicSystemInfo();
PrintUserEV();
PrintSystemEV();
PrintAuditInfo();
PrintWEFInfo();
PrintLAPSInfo();
PrintWdigest();
PrintLSAProtection();
PrintCredentialGuard();
PrintCachedCreds();
PrintAVInfo();
PrintUACInfo();
PrintPSInfo();
PrintTranscriptPS();
PrintInetInfo();
PrintDrivesInfo();
PrintWSUS();
PrintAlwaysInstallElevated();
new List<Action>
{
PrintBasicSystemInfo,
PrintUserEV,
PrintSystemEV,
PrintAuditInfo,
PrintWEFInfo,
PrintLAPSInfo,
PrintWdigest,
PrintLSAProtection,
PrintCredentialGuard,
PrintCachedCreds,
PrintAVInfo,
PrintUACInfo,
PrintPSInfo,
PrintTranscriptPS,
PrintInetInfo,
PrintDrivesInfo,
PrintWSUS,
PrintAlwaysInstallElevated,
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
void PrintBasicSystemInfo()
static void PrintBasicSystemInfo()
{
try
{
@ -60,7 +64,7 @@ namespace winPEAS.Checks
}
}
void PrintPSInfo()
static void PrintPSInfo()
{
try
{
@ -79,7 +83,7 @@ namespace winPEAS.Checks
}
}
void PrintTranscriptPS()
static void PrintTranscriptPS()
{
try
{
@ -107,7 +111,7 @@ namespace winPEAS.Checks
}
}
void PrintAuditInfo()
static void PrintAuditInfo()
{
try
{
@ -122,7 +126,7 @@ namespace winPEAS.Checks
}
}
void PrintWEFInfo()
static void PrintWEFInfo()
{
try
{
@ -156,7 +160,7 @@ namespace winPEAS.Checks
}
}
void PrintWdigest()
static void PrintWdigest()
{
Beaprint.MainPrint("Wdigest");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");
@ -167,7 +171,7 @@ namespace winPEAS.Checks
Beaprint.GoodPrint(" Wdigest is not enabled");
}
void PrintLSAProtection()
static void PrintLSAProtection()
{
Beaprint.MainPrint("LSA Protection");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
@ -178,7 +182,7 @@ namespace winPEAS.Checks
Beaprint.BadPrint(" LSA Protection is not enabled");
}
void PrintCredentialGuard()
static void PrintCredentialGuard()
{
Beaprint.MainPrint("Credentials Guard");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
@ -197,7 +201,7 @@ namespace winPEAS.Checks
Beaprint.BadPrint(" CredentialGuard is not enabled");
}
void PrintCachedCreds()
static void PrintCachedCreds()
{
Beaprint.MainPrint("Cached Creds");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
@ -216,7 +220,7 @@ namespace winPEAS.Checks
}
}
void PrintUserEV()
static void PrintUserEV()
{
try
{
@ -235,7 +239,7 @@ namespace winPEAS.Checks
}
}
void PrintSystemEV()
static void PrintSystemEV()
{
try
{
@ -254,7 +258,7 @@ namespace winPEAS.Checks
}
}
void PrintInetInfo()
static void PrintInetInfo()
{
try
{
@ -277,7 +281,7 @@ namespace winPEAS.Checks
}
}
void PrintDrivesInfo()
static void PrintDrivesInfo()
{
try
{
@ -313,7 +317,7 @@ namespace winPEAS.Checks
}
}
void PrintAVInfo()
static void PrintAVInfo()
{
try
{
@ -332,7 +336,7 @@ namespace winPEAS.Checks
}
}
void PrintUACInfo()
static void PrintUACInfo()
{
try
{
@ -341,10 +345,10 @@ namespace winPEAS.Checks
Dictionary<string, string> uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies();
Dictionary<string, string> colorsSI = new Dictionary<string, string>()
{
{ badUAC, Beaprint.ansi_color_bad },
{ goodUAC, Beaprint.ansi_color_good }
};
{
{ badUAC, Beaprint.ansi_color_bad },
{ goodUAC, Beaprint.ansi_color_good }
};
Beaprint.DictPrint(uacDict, colorsSI, false);
if ((uacDict["EnableLUA"] == "") || (uacDict["EnableLUA"] == "0"))
@ -365,7 +369,7 @@ namespace winPEAS.Checks
}
}
void PrintWSUS()
static void PrintWSUS()
{
try
{
@ -400,7 +404,7 @@ namespace winPEAS.Checks
}
}
void PrintAlwaysInstallElevated()
static void PrintAlwaysInstallElevated()
{
try
{
@ -421,6 +425,5 @@ namespace winPEAS.Checks
Beaprint.PrintException(ex.Message);
}
}
}
}


@ -27,19 +27,22 @@ namespace winPEAS.Checks
static readonly string _badPasswd = "NotChange|NotExpi";
static readonly string _badPrivileges = "SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege";
public void PrintInfo()
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Users Information");
PrintCU();
PrintTokenP();
PrintClipboardText();
PrintLoggedUsers();
PrintRdpSessions();
PrintEverLoggedUsers();
PrintHomeFolders();
PrintAutoLogin();
PrintPasswordPolicies();
new List<Action>
{
PrintCU,
PrintTokenP,
PrintClipboardText,
PrintLoggedUsers,
PrintRdpSessions,
PrintEverLoggedUsers,
PrintHomeFolders,
PrintAutoLogin,
PrintPasswordPolicies,
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
Dictionary<string, string> ColorsU()


@ -12,24 +12,28 @@ namespace winPEAS.Checks
{
internal class WindowsCreds : ISystemCheck
{
public void PrintInfo()
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Windows Credentials");
PrintvaultCreds();
PrintCredManag();
PrintSavedRDPInfo();
PrintRecentRunCommands();
PrintDPAPIMasterKeys();
PrintDpapiCredFiles();
PrintRCManFiles();
PrintKerberosTickets();
//PrintKerberosTGTTickets(); #Not working
PrintWifi();
PrintAppCmd();
PrintSCClient();
new List<Action>
{
PrintvaultCreds,
PrintCredManag,
PrintSavedRDPInfo,
PrintRecentRunCommands,
PrintDPAPIMasterKeys,
PrintDpapiCredFiles,
PrintRCManFiles,
PrintKerberosTickets,
//PrintKerberosTGTTickets, #Not working
PrintWifi,
PrintAppCmd,
PrintSCClient,
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
void PrintvaultCreds()
static void PrintvaultCreds()
{
try
{
@ -49,7 +53,7 @@ namespace winPEAS.Checks
}
}
void PrintCredManag()
static void PrintCredManag()
{
try
{
@ -77,7 +81,7 @@ namespace winPEAS.Checks
}
void PrintSavedRDPInfo()
static void PrintSavedRDPInfo()
{
try
{
@ -102,7 +106,7 @@ namespace winPEAS.Checks
}
}
void PrintRecentRunCommands()
static void PrintRecentRunCommands()
{
try
{
@ -116,7 +120,7 @@ namespace winPEAS.Checks
}
}
void PrintDPAPIMasterKeys()
static void PrintDPAPIMasterKeys()
{
try
{
@ -143,7 +147,7 @@ namespace winPEAS.Checks
}
}
void PrintDpapiCredFiles()
static void PrintDpapiCredFiles()
{
try
{
@ -162,7 +166,7 @@ namespace winPEAS.Checks
}
}
void PrintRCManFiles()
static void PrintRCManFiles()
{
try
{
@ -181,7 +185,7 @@ namespace winPEAS.Checks
}
}
void PrintKerberosTickets()
static void PrintKerberosTickets()
{
try
{
@ -196,7 +200,7 @@ namespace winPEAS.Checks
}
}
void PrintKerberosTGTTickets()
static void PrintKerberosTGTTickets()
{
try
{
@ -210,7 +214,7 @@ namespace winPEAS.Checks
}
}
void PrintWifi()
static void PrintWifi()
{
try
{
@ -258,7 +262,7 @@ namespace winPEAS.Checks
}
}
void PrintAppCmd()
static void PrintAppCmd()
{
try
{
@ -279,7 +283,7 @@ namespace winPEAS.Checks
}
}
void PrintSCClient()
static void PrintSCClient()
{
try
{


@ -3,8 +3,8 @@ using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using winPEAS.Helpers;
using System.Text.RegularExpressions;
using System.Threading;
namespace winPEAS.FastSearch.FileSearcher
{
@ -17,6 +17,7 @@ namespace winPEAS.FastSearch.FileSearcher
public static List<FileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null)
{
ConcurrentBag<FileInfo> files = new ConcurrentBag<FileInfo>();
// ConcurrentBag<string> files = new ConcurrentBag<string>();
//Beaprint.InfoPrint($"[*] folder 1: '{folder}'");
@ -43,6 +44,7 @@ namespace winPEAS.FastSearch.FileSearcher
GetStartDirectories(d.FullName, files, pattern).AsParallel().ForAll((dir) =>
{
GetFiles(dir.FullName, pattern).ForEach((f) => files.Add(f));
// FindFiles(dir.FullName, pattern, SearchOption.TopDirectoryOnly).ForEach((f) => files.Add(f));
});
});
@ -147,5 +149,72 @@ namespace winPEAS.FastSearch.FileSearcher
return result;
}
public static List<string> FindFiles(string directory, string filters, SearchOption searchOption)
{
if (!Directory.Exists(directory)) return new List<string>();
var include = (from filter in filters.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries) where !string.IsNullOrEmpty(filter.Trim()) select filter.Trim());
var exclude = (from filter in include where filter.Contains(@"!") select filter);
include = include.Except(exclude);
if (include.Count() == 0) include = new string[] { "*" };
var rxfilters = from filter in exclude select string.Format("^{0}$", filter.Replace("!", "").Replace(".", @"\.").Replace("*", ".*").Replace("?", "."));
Regex regex = new Regex(string.Join("|", rxfilters.ToArray()));
List<Thread> workers = new List<Thread>();
List<string> files = new List<string>();
foreach (string filter in include)
{
Thread worker = new Thread(
new ThreadStart(
delegate
{
try
{
//string[] allfiles = Directory.GetFiles(directory, filter, searchOption);
string[] allfiles = Directory.GetFiles(directory, filter, SearchOption.TopDirectoryOnly);
if (exclude.Count() > 0)
{
lock (files)
{
files.AddRange(allfiles.Where(p => !regex.Match(p).Success));
}
}
else
{
lock (files)
{
files.AddRange(allfiles);
}
}
}
catch (UnauthorizedAccessException)
{
}
catch (PathTooLongException)
{
}
catch (DirectoryNotFoundException)
{
}
}
));
workers.Add(worker);
worker.Start();
}
foreach (Thread worker in workers)
{
worker.Join();
}
return files;
}
}
}
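Review bot: The added `FindFiles` ignores its `searchOption` parameter: the call on the worker thread is hard-coded to `SearchOption.TopDirectoryOnly`, with the parameterised call left commented out above it, so a caller asking for `AllDirectories` silently gets a shallow listing. Pass it through, `Directory.GetFiles(directory, filter, searchOption)`, or drop the parameter. The exclusion regex is anchored with `^…$` but tested against the paths that `Directory.GetFiles` returns, which include the directory, so an exclusion such as `!name.ext` cannot match; compare the file name instead, `!regex.IsMatch(Path.GetFileName(p))`, and build the pattern with `Regex.Escape` so characters other than `.`, `*` and `?` are not read as regex syntax. Nothing visible in this commit calls the method (the only reference is commented out in `GetFilesFast`), and it starts one thread per filter with empty `catch` blocks, so it is worth asking whether it belongs in a commit described as a revert.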


@ -78,7 +78,7 @@ namespace winPEAS.Helpers
Thread.Sleep(700);
}
public static void PrintInit()
public static void PrintInit(bool isDebug)
{
if (Checks.Checks.Banner)
{
@ -87,6 +87,12 @@ namespace winPEAS.Helpers
Console.WriteLine(YELLOW + " WinPEAS " + GREEN + Version + NOCOLOR + YELLOW + " by carlospolop" + NOCOLOR);
Console.WriteLine();
if (isDebug)
{
MemoryHelper.DisplayMemoryStats();
}
PrintLegend();
Console.WriteLine();
LinkPrint("https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:");
@ -172,6 +178,12 @@ namespace winPEAS.Helpers
Console.WriteLine(DGRAY + to_print + NOCOLOR);
}
internal static void PrintDebugLine(string log)
{
Console.WriteLine(YELLOW + " [Debug] " + log + NOCOLOR);
Console.WriteLine();
}
public static void PrintLineSeparator()
{
GrayPrint(" =================================================================================================");


@ -0,0 +1,30 @@
using System;
using System.Diagnostics;
namespace winPEAS.Helpers
{
internal static class CheckRunner
{
public static void Run(Action action, bool isDebug)
{
var timer = new Stopwatch();
if (isDebug)
{
timer.Start();
}
action();
if (isDebug)
{
timer.Stop();
TimeSpan timeTaken = timer.Elapsed;
string log = $"Execution took : {timeTaken.Minutes:00}m:{timeTaken.Seconds:00}s:{timeTaken.Milliseconds:000}";
Beaprint.PrintDebugLine(log);
}
}
}
}
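Review bot: `Run` only reports the elapsed time when the action returns normally, and the line it prints does not say which check was timed. Some of the checks passed in (for example `PrintWdigest` and `PrintLSAProtection` in the SystemInfo section) show no `try`/`catch` in the visible lines, so an exception there would skip the debug line and, because callers drive `Run` through `List.ForEach`, the remaining checks in that list too; the skipping of later checks predates this commit, but the runner is now the natural place to decide on it. Wrapping the call in `try`/`finally` and adding `action.Method.Name` makes the timing attributable, and the constant `c` format avoids the hours that the `Minutes`/`Seconds`/`Milliseconds` components drop. The non-debug path can also skip allocating the `Stopwatch`.

```csharp
public static void Run(Action action, bool isDebug)
{
    if (!isDebug)
    {
        action();
        return;
    }

    var timer = Stopwatch.StartNew();
    try
    {
        action();
    }
    finally
    {
        // Report even when the check throws, and say which check it was.
        timer.Stop();
        Beaprint.PrintDebugLine($"{action.Method.Name} took : {timer.Elapsed:c}");
    }
}
```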


@ -1,20 +0,0 @@
using System;
using System.Diagnostics;
namespace winPEAS.Helpers
{
internal static class MeasureHelper
{
public static void MeasureMethod(Action action, string description = null)
{
var timer = new Stopwatch();
timer.Start();
action();
timer.Stop();
TimeSpan timeTaken = timer.Elapsed;
string log = $"({description ?? string.Empty}) Time taken: " + timeTaken.ToString(@"m\:ss\.fff");
Beaprint.LinkPrint(log);
}
}
}


@ -0,0 +1,45 @@
using System;
using System.Diagnostics;
namespace winPEAS.Helpers
{
internal static class MemoryHelper
{
public static void DisplayMemoryStats()
{
using (Process process = Process.GetCurrentProcess())
{
if (!process.HasExited)
{
process.Refresh();
string memoryStats = $"{process.ProcessName} - Memory Stats\n" +
$"-------------------------------------\n" +
$" Physical memory usage : {ToSize(process.WorkingSet64)}\n" +
$" Paged system memory size : {ToSize(process.PagedSystemMemorySize64)}\n" +
$" Paged memory size : {ToSize(process.PagedMemorySize64)}\n";
Beaprint.PrintDebugLine(memoryStats);
}
}
}
private static string[] suffixes = new[] { " B", " KB", " MB", " GB", " TB", " PB" };
private static string ToSize(double number, int precision = 2)
{
// unit's number of bytes
const double unit = 1024;
// suffix counter
int i = 0;
// as long as we're bigger than a unit, keep going
while (number > unit)
{
number /= unit;
i++;
}
// apply precision and current suffix
return Math.Round(number, precision) + suffixes[i];
}
}
}
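Review bot: `ToSize` indexes `suffixes[i]` without bounding `i`, so a value above 1024^6 bytes walks past the six-entry array and throws `IndexOutOfRangeException`; the loop condition `number > unit` also leaves exactly 1024 printed as `1024 B`. Bounding the loop fixes both: `while (number >= unit && i < suffixes.Length - 1)`. `suffixes` can be `static readonly`, and `Math.Round(number, precision) + suffixes[i]` formats with the current culture, so the decimal separator varies by machine unless `ToString(CultureInfo.InvariantCulture)` is used. The `process.HasExited` check is made on the current process and looks redundant.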


@ -3,14 +3,12 @@ using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading;
using winPEAS.FastSearch.FileSearcher;
using winPEAS.KnownFileCreds;
namespace winPEAS.Helpers
{
internal static class SearchHelper
{
public static List<string> FindFiles_old_implementation(string path, string patterns)
public static List<string> FindFiles(string path, string patterns)
{
// finds files matching one or more patterns under a given path, recursive
// adapted from http://csharphelper.com/blog/2015/06/find-files-that-match-multiple-patterns-in-c/
@ -33,7 +31,7 @@ namespace winPEAS.Helpers
// go recurse in all sub-directories
foreach (var directory in Directory.GetDirectories(path))
files.AddRange(FindFiles_old_implementation(directory, patterns));
files.AddRange(FindFiles(directory, patterns));
}
catch (UnauthorizedAccessException) { }
catch (PathTooLongException) { }
@ -42,46 +40,7 @@ namespace winPEAS.Helpers
return files;
}
public static List<string> FindFiles_fileSearcher(string path, string patterns)
{
var files = new List<string>();
foreach (string pattern in patterns.Split(';'))
{
// var found = Directory.GetFiles(path, pattern, SearchOption.AllDirectories);
List<FileInfo> res = FileSearcher.GetFilesFast(path, pattern);
files.AddRange(res.Select(s => s.FullName));
}
return files;
}
private static void PrintSearchResults(IEnumerable<string> results, string description = null)
{
Beaprint.LinkPrint($"------------------------- results: {description ?? string.Empty} --------------------------------");
if (results != null)
{
Beaprint.LinkPrint(string.Join("\n", results ?? Enumerable.Empty<string>()));
}
Beaprint.LinkPrint($"------------------------- results: {description ?? string.Empty} --------------------------------");
Beaprint.LinkPrint("\n\n\n\n");
}
public static List<string> FindFiles(string path, string patterns)
{
List<string> result = new List<string>();
MeasureHelper.MeasureMethod(() => result = FindFiles_old_implementation(path, patterns), "old implementation");
PrintSearchResults(result, "old implementation");
MeasureHelper.MeasureMethod(() => result = FindFiles_fileSearcher(path, patterns), "new implementation");
PrintSearchResults(result, "new implementation");
return result;
}
public static void FindFiles_old_implementation(string path, string patterns, Dictionary<string, string> color)
public static void FindFiles(string path, string patterns, Dictionary<string, string> color)
{
try
{
@ -106,37 +65,13 @@ namespace winPEAS.Helpers
{
if (!directory.Contains("AppData"))
{
FindFiles_old_implementation(directory, patterns, color);
FindFiles(directory, patterns, color);
}
}
}
catch (UnauthorizedAccessException) { }
catch (PathTooLongException) { }
catch (DirectoryNotFoundException) { }
}
public static void FindFiles_fileSearcher(string path, string patterns, Dictionary<string, string> color, HashSet<string> excludedDirs = null)
{
// search every pattern in this directory's files
foreach (string pattern in patterns.Split(';'))
{
// var found = Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly).Where(filepath => !filepath.Contains(".dll"));
List<FileInfo> res = FileSearcher.GetFilesFast(path, pattern, excludedDirs);
var found = res.Where(filepath => filepath.Extension != null && !filepath.Extension.Equals("dll")).Select(s => s.FullName);
Beaprint.AnsiPrint(" " + string.Join("\n ", found), color);
}
}
public static void FindFiles(string path, string patterns, Dictionary<string, string> color)
{
Beaprint.LinkPrint($"------------------------- results: old implementation --------------------------------");
MeasureHelper.MeasureMethod(() => FindFiles_old_implementation(path, patterns, color), "old implementation");
Beaprint.LinkPrint($"------------------------- results: old implementation --------------------------------");
Beaprint.LinkPrint("\n\n\n\n");
Beaprint.LinkPrint($"------------------------- results: new implementation --------------------------------");
HashSet<string> excludedDirs = new HashSet<string>() { "AppData" };
MeasureHelper.MeasureMethod(() => FindFiles_fileSearcher(path, patterns, color, excludedDirs), "new implementation");
Beaprint.LinkPrint($"------------------------- results: new implementation --------------------------------");
}
}
}
}


@ -116,6 +116,7 @@
<Compile Include="Checks\SystemInfo.cs" />
<Compile Include="Checks\UserInfo.cs" />
<Compile Include="Checks\WindowsCreds.cs" />
<Compile Include="Helpers\MemoryHelper.cs" />
<Compile Include="Helpers\PermissionsHelper.cs" />
<Compile Include="Info\ApplicationInfo\ApplicationInfoHelper.cs" />
<Compile Include="Info\ApplicationInfo\AutoRuns.cs" />
@ -207,7 +208,7 @@
<Compile Include="TaskScheduler\XmlSerializationHelper.cs" />
<Compile Include="Info\UserInfo\UserInfoHelper.cs" />
<Compile Include="Helpers\DomainHelper.cs" />
<Compile Include="Helpers\MeasureHelper.cs" />
<Compile Include="Helpers\CheckRunner.cs" />
<Compile Include="Helpers\ReflectionHelper.cs" />
<Compile Include="Helpers\RegistryHelper.cs" />
<Compile Include="Helpers\SearchHelper.cs" />