1
mirror of https://github.com/carlospolop/PEASS-ng synced 2024-11-27 14:13:38 +01:00

improvements

This commit is contained in:
carlospolop 2023-04-13 22:02:50 +02:00
parent 438e00527d
commit 4a0b8fb065
11 changed files with 5745 additions and 116 deletions

View File

@ -0,0 +1,5 @@
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$filePath = Join-Path $scriptDir "regexes.yaml"
$url = "https://raw.githubusercontent.com/JaimePolop/RExpository/main/regex.yaml"
Invoke-WebRequest $url -OutFile $filePath

24
build_lists/download_regexes.py Executable file
View File

@ -0,0 +1,24 @@
#!/usr/bin/env python3
import os
import requests
from pathlib import Path
def download_regexes():
print("[+] Downloading regexes...")
url = "https://raw.githubusercontent.com/JaimePolop/RExpository/main/regex.yaml"
response = requests.get(url)
if response.status_code == 200:
# Save the content of the response to a file
script_folder = Path(os.path.dirname(os.path.abspath(__file__)))
target_file = script_folder / 'regexes.yaml'
with open(target_file, "w") as file:
file.write(response.text)
print(f"Downloaded and saved in '{target_file}' successfully!")
else:
print("Error: Unable to download the regexes file.")
exit(1)
download_regexes()

File diff suppressed because it is too large Load Diff

File diff suppressed because one or more lines are too long

View File

@ -37,6 +37,7 @@ search_for_regex(){
timeout 120 find /tmp /srv /Applications -type f -not -path "*/node_modules/*" -exec grep -HnRIE$i "$regex" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &
fi
wait
printf "\033[2K\r"
}

View File

@ -218,7 +218,7 @@ checkProcSysBreakouts(){
##############################################
containerCheck
print_2title "Container related tools present"
print_2title "Container related tools present (if any):"
command -v docker
command -v lxc
command -v rkt
@ -226,8 +226,10 @@ command -v kubectl
command -v podman
command -v runc
print_2title "Am I Containered?"
execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then
print_2title "Am I Containered?"
execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
fi
print_2title "Container details"
print_list "Is this a container? ...........$NC $containerType"
@ -260,7 +262,7 @@ if echo "$containerType" | grep -qi "docker"; then
print_2title "Docker Container details"
inDockerGroup
print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Looking and enumerating Docker Sockets\n"$NC
print_list "Looking and enumerating Docker Sockets (if any):\n"$NC
enumerateDockerSockets
print_list "Docker version .................$NC$dockerVersion"
checkDockerVersionExploits
@ -268,7 +270,7 @@ if echo "$containerType" | grep -qi "docker"; then
print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
if [ "$inContainer" ]; then
checkDockerRootless
print_list "Rootless Docker? ................ $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
print_list "Rootless Docker? ............... $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
echo ""
fi
if df -h | grep docker; then
@ -328,7 +330,6 @@ if [ "$inContainer" ]; then
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"

View File

@ -95,9 +95,9 @@ if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
echo "Current user has .sudo_as_admin_successful file, so he can execute with sudo" | sed -${E} "s,.*,${SED_RED},";
fi
if ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -qE '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'; then
echo "Current user has other interactive shells running" | sed -${E} "s,.*,${SED_RED},g";
ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'
if ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -qE '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'; then
echo "Current user has other interactive shells running: " | sed -${E} "s,.*,${SED_RED},g";
ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'
fi
else

View File

@ -527,7 +527,7 @@ STRINGS="$(command -v strings 2>/dev/null)"
LDD="$(command -v ldd 2>/dev/null)"
READELF="$(command -v readelf 2>/dev/null)"
shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/pm-utils-bugreport-info.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/pm-utils-bugreport-info.sh|/power_report.sh|/prl-opengl-switcher.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
notBackup="/tdbbackup$|/db_hotbackup$"
@ -542,7 +542,7 @@ mail_apps="Postfix|Dovecot|Exim|SquirrelMail|Cyrus|Sendmail|Courier"
profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh|appmenu-qt5.sh|apps-bin-path.sh|bash_completion.sh|cedilla-portuguese.sh|colorgrep.csh|colorgrep.sh|colorls.csh|colorls.sh|colorxzgrep.csh|colorxzgrep.sh|colorzgrep.csh|colorzgrep.sh|csh.local|cursor.sh|gawk.csh|gawk.sh|im-config_wayland.sh|kali.sh|lang.csh|lang.sh|less.csh|less.sh|flatpak.sh|sh.local|vim.csh|vim.sh|vte.csh|vte-2.91.sh|which2.csh|which2.sh|xauthority.sh|Z97-byobu.sh|xdg_dirs_desktop_session.sh|Z99-cloudinit-warnings.sh|Z99-cloud-locale-test.sh"
knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com"
knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|mmyangfl@gmail.com|rogershimizu@gmail.com|thmarques@gmail.com"
timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|dpkg-db-backup.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|plocate-updatedb.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-license-check.timer|ua-messaging.timer|ua-timer.timer|ureadahead-stop.timer"
@ -697,8 +697,8 @@ print_3title(){
}
print_3title_no_nl(){
echo -ne "\033[2K\r"
printf ${BLUE}"\r══╣ $GREEN${1}..."$NC #There are 2 "═"
printf "\033[2K\r"
printf ${BLUE}"══╣ $GREEN${1}..."$NC #There are 2 "═"
}
print_list(){

View File

@ -377,7 +377,7 @@ class LinpeasBuilder:
for values in regexes:
section_name = values["name"]
regexes_search_section += f'print_2title "Searching {section_name}"\n'
regexes_search_section += f' print_2title "Searching {section_name}"\n'
for entry in values["regexes"]:
name = entry["name"]

View File

@ -1,26 +1,11 @@
import os
import yaml
import requests
from pathlib import Path
def download_regexes():
print("[+] Downloading regexes...")
url = "https://raw.githubusercontent.com/JaimePolop/RExpository/main/regex.yaml"
response = requests.get(url)
if response.status_code == 200:
# Save the content of the response to a file
script_folder = Path(os.path.dirname(os.path.abspath(__file__)))
target_file = script_folder / '..' / '..' / '..' / 'build_lists' / 'regexes.yaml'
with open(target_file, "w") as file:
file.write(response.text)
print(f"Downloaded and saved in '{target_file}' successfully!")
else:
print("Error: Unable to download the regexes file.")
exit(1)
download_regexes()
script_folder = Path(os.path.dirname(os.path.abspath(__file__)))
target_file = script_folder / '..' / '..' / '..' / 'build_lists' / 'download_regexes.py'
os.system(target_file)
CURRENT_DIR = os.path.dirname(os.path.realpath(__file__))

View File

@ -53,6 +53,7 @@ $wp.EntryPoint #Get the name of the ReflectedType, in obfuscated versions someti
## Parameters Examples
```bash
winpeas.exe -h # Get Help
winpeas.exe #run all checks (except for additional slower checks - LOLBAS and linpeas.sh in WSL) (noisy - CTFs)
winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed
winpeas.exe notcolor #Do not color the output
@ -64,35 +65,6 @@ winpeas.exe -linpeas=http://127.0.0.1/linpeas.sh #Execute also additional linpea
winpeas.exe -lolbas #Execute also additional LOLBAS search check
```
## Help
```
domain Enumerate domain information
systeminfo Search system information
userinfo Search user information
processinfo Search processes information
servicesinfo Search services information
applicationsinfo Search installed applications information
networkinfo Search network information
windowscreds Search windows credentials
browserinfo Search browser information
filesinfo Search generic files that can contains credentials
fileanalysis Search specific files that can contains credentials and for regexes inside files
eventsinfo Display interesting events information
quiet Do not print banner
notcolor Don't use ansi colors (all white)
searchpf Search credentials via regex also in Program Files folders
wait Wait for user input between checks
debug Display debugging information - memory usage, method execution time
log[=logfile] Log all output to file defined as logfile, or to "out.txt" if not specified
MaxRegexFileSize=1000000 Max file size (in Bytes) to search regex in. Default: 1000000B
Additional checks (slower):
-lolbas Run additional LOLBAS check
-linpeas=[url] Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL
(default: https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh)
```
## Basic information
The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.