winPEAS check permissions SIDs
This commit is contained in:
parent
02aeb9f347
commit
4cc980ee58
linPEAS
winPEAS/winPEASexe/winPEAS
ApplicationInfo.csBeaprint.csKnownFileCredsInfo.csMyUtils.csNetworkInfo.csProgram.csServicesInfo.csUserInfo.cswinPEAS.csproj.user
bin
obj
Debug
Release
x64
Debug
winPEAS.csproj.FileListAbsolute.txtwinPEAS.csproj.Fody.CopyLocal.cachewinPEAS.csprojAssemblyReference.cachewinPEAS.exewinPEAS.pdb
Release
x86/Release
@ -1569,13 +1569,13 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head
|
||||
echo ""
|
||||
|
||||
##-- 19IF) Interesting hidden files
|
||||
printf $Y"[+] "$GREEN"Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .git, .svn, .gitconfig, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml\n"$NC
|
||||
##-- 19IF) Interesting files
|
||||
printf $Y"[+] "$GREEN"Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .gitconfig, .git-credentials, .git, .svn, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml\n"$NC
|
||||
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data\n"$NC
|
||||
fils=`find /etc /home /root /tmp /usr /opt /mnt /var/backups /var/www /var/opt /var/cache \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "*httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".gitconfig" -o -name ".git-credentials" -o -name ".git" -o -name ".svn" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null`
|
||||
for f in $fils; do
|
||||
if [ -r $f ]; then
|
||||
ls -ld $f 2>/dev/null | sed "s,bash_history\|\.sudo_as_admin_successful\|\.plan\|\.htpasswd\|\.git-credentials\|.git\|.svn\|\.rhosts\|httpd.conf,${C}[1;31m&${C}[0m," | sed "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m,g";
|
||||
ls -ld $f 2>/dev/null | sed "s,_history\|\.sudo_as_admin_successful\|.profile\|bashrc\|httpd.conf\|\.plan\|\.htpasswd\|.gitconfig\|\.git-credentials\|.git\|.svn\|\.rhosts\|hosts.equiv\|Dockerfile\|docker-compose.yml,${C}[1;31m&${C}[0m," | sed "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m,g";
|
||||
if [ `echo $f | grep "_history"` ]; then
|
||||
printf $GREEN"Looking for possible passwords inside $f\n"$NC
|
||||
cat $f | grep $pwd_inside_history | sed "s,$pwd_inside_history,${C}[1;31m&${C}[0m,"
|
||||
@ -1595,7 +1595,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
|
||||
##-- 20IF) All hidden files
|
||||
printf $Y"[+] "$GREEN"All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)\n"$NC
|
||||
find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/\|\.gitignore\|.npmignore\|_history$\|\.profile\|\.bashrc\|\.listing\|\.ignore\|\.uuid\|\.plan\|\.htpasswd\|\.git-credentials\|.rhosts\|.depend\|.placeholder\|.gitkeep\|.git$\|.svn$" | head -n 70
|
||||
find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/\|_history$\|.sudo_as_admin_successful\|\.profile\|\.bashrc\|\.plan\|\.htpasswd\|.gitconfig\|\.git-credentials\|\.rhosts\|\.gitignore\|.npmignore\|\.listing\|\.ignore\|\.uuid\|.depend\|.placeholder\|.gitkeep" | head -n 70
|
||||
echo ""
|
||||
|
||||
##-- 21IF) Readable files in /tmp, /var/tmp, /var/backups
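Review bot: The new `find` name list in the `@ -1569` hunk adds `-name ".profile"` and `-name "*bashrc"`, which on Debian-derived systems also match the stock copies under `/etc/skel/` and `/etc/bash.bashrc`, so the check will report those on every host and bury the few user-owned hits; consider filtering them out of `fils`, e.g. `fils=\`find … 2>/dev/null | grep -v "/etc/skel/\|/etc/bash\.bashrc"\``. The matching `sed` highlight a few lines below uses unescaped dots in `.profile`, `.gitconfig`, `.git`, `.svn`, `hosts.equiv` and `docker-compose.yml`, so each `.` matches any character (`.git` also colours `agit`); escape them as `\.` like the other entries on that line. Both lines sit inside the `if [ "\`echo $CHECKS | grep IntFiles\`" ]` block that starts before the hunk.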
|
||||
|
@ -57,7 +57,7 @@ namespace winPEAS
|
||||
foreach (string f in Directory.GetFiles(fpath))
|
||||
{
|
||||
results[f] = new Dictionary<string, string>(){
|
||||
{ f, String.Join(", ", MyUtils.GetPermissionsFile(f, Program.interestingUsersGroups)) }
|
||||
{ f, String.Join(", ", MyUtils.GetPermissionsFile(f, Program.currentUserSIDs)) }
|
||||
};
|
||||
}
|
||||
foreach (string d in Directory.GetDirectories(fpath))
|
||||
@ -97,8 +97,8 @@ namespace winPEAS
|
||||
{ "Folder", folder },
|
||||
{ "File", filepath },
|
||||
{ "isWritableReg", ""},
|
||||
{ "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups))},
|
||||
{ "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.interestingUsersGroups))},
|
||||
{ "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs))},
|
||||
{ "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.currentUserSIDs))},
|
||||
{ "isUnquotedSpaced", "" }
|
||||
});
|
||||
}
|
||||
@ -106,7 +106,7 @@ namespace winPEAS
|
||||
return results;
|
||||
}
|
||||
|
||||
public static List<Dictionary<string, string>> GetAutoRuns(List<string> NtAccountNames)
|
||||
public static List<Dictionary<string, string>> GetAutoRuns(Dictionary<string,string> NtAccountNames)
|
||||
{
|
||||
List<Dictionary<string, string>> reg_autorus = ServicesInfo.GetRegistryAutoRuns(NtAccountNames);
|
||||
List<Dictionary<string, string>> file_autorus = GetAutoRunsFolder();
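Review bot: `GetAutoRuns` now takes `Dictionary<string,string> NtAccountNames`, but the parameter keeps the name that described the old `List<string>` of account names, while every call site in this section now passes `Program.currentUserSIDs` (a SID → display-name map, judging by how `GetMyPermissionsF` consumes `mySID.Key`/`mySID.Value` in the `MyUtils.cs` section). Rename it so the signature reads `public static List<Dictionary<string, string>> GetAutoRuns(Dictionary<string, string> currentUserSIDs)` and forward the same name to `ServicesInfo.GetRegistryAutoRuns`; the body of `GetAutoRuns` continues past the hunk. The `@ -57` and `@ -97` hunks only swap the argument and need no further change.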
|
||||
|
@ -9,7 +9,8 @@ namespace winPEAS
|
||||
{
|
||||
class Beaprint
|
||||
{
|
||||
public static string GRAY = "\x1b[1;90m";
|
||||
public static string GRAY = "\x1b[1;37m";
|
||||
public static string DGRAY = "\x1b[1;90m";
|
||||
static string RED = "\x1b[1;31m";
|
||||
public static string LRED = "\x1b[1;31m";
|
||||
static string GREEN = "\x1b[1;32m";
|
||||
@ -33,6 +34,9 @@ namespace winPEAS
|
||||
public static string ansi_current_user = MAGENTA;
|
||||
|
||||
|
||||
/////////////////////////////////
|
||||
///////// PRINT THINGS /////////
|
||||
/////////////////////////////////
|
||||
public static void PrintBanner()
|
||||
{
|
||||
try
|
||||
@ -132,32 +136,6 @@ namespace winPEAS
|
||||
System.Console.WriteLine(YELLOW + " [+] " + LYELLOW + "By default all checks (except CMD checks) are executed" + NOCOLOR);
|
||||
}
|
||||
|
||||
public static void deleteColors()
|
||||
{
|
||||
GRAY = "";
|
||||
RED = "";
|
||||
LRED = "";
|
||||
GREEN = "";
|
||||
LGREEN = "";
|
||||
YELLOW = "";
|
||||
LYELLOW = "";
|
||||
BLUE = "";
|
||||
LBLUE = "";
|
||||
MAGENTA = "";
|
||||
LMAGENTA = "";
|
||||
CYAN = "";
|
||||
LCYAN = "";
|
||||
REDYELLOW = "";
|
||||
NOCOLOR = "";
|
||||
ansi_color_bad = "";
|
||||
ansi_color_good = "";
|
||||
ansi_color_gray = "";
|
||||
ansi_color_yellow = "";
|
||||
ansi_users_active = "";
|
||||
ansi_users_disabled = "";
|
||||
ansi_current_user = "";
|
||||
}
|
||||
|
||||
|
||||
/////////////////////////////////
|
||||
/// DIFFERENT PRINT FUNCTIONS ///
|
||||
@ -182,7 +160,7 @@ namespace winPEAS
|
||||
try
|
||||
{
|
||||
System.Console.WriteLine();
|
||||
System.Console.WriteLine(YELLOW + " [+] " + GREEN + toPrint + YELLOW + "(" + GRAY + attackid + YELLOW + ")" + NOCOLOR);
|
||||
System.Console.WriteLine(YELLOW + " [+] " + GREEN + toPrint + YELLOW + "(" + DGRAY + attackid + YELLOW + ")" + NOCOLOR);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
@ -231,7 +209,7 @@ namespace winPEAS
|
||||
|
||||
public static void GrayPrint(string to_print)
|
||||
{
|
||||
System.Console.WriteLine(GRAY + to_print + NOCOLOR);
|
||||
System.Console.WriteLine(DGRAY + to_print + NOCOLOR);
|
||||
}
|
||||
|
||||
public static void PrintLineSeparator()
|
||||
@ -357,7 +335,6 @@ namespace winPEAS
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public static void DictPrint(List<Dictionary<string, string>> listdicprint, Dictionary<string, string> colors, bool delete_nulls, bool no_gray = false)
|
||||
{
|
||||
try
|
||||
@ -407,5 +384,35 @@ namespace winPEAS
|
||||
else
|
||||
NotFoundPrint();
|
||||
}
|
||||
|
||||
|
||||
//////////////////////////////////
|
||||
/// Delete Colors (nocolor) :( ///
|
||||
/// //////////////////////////////
|
||||
public static void deleteColors()
|
||||
{
|
||||
GRAY = "";
|
||||
RED = "";
|
||||
LRED = "";
|
||||
GREEN = "";
|
||||
LGREEN = "";
|
||||
YELLOW = "";
|
||||
LYELLOW = "";
|
||||
BLUE = "";
|
||||
LBLUE = "";
|
||||
MAGENTA = "";
|
||||
LMAGENTA = "";
|
||||
CYAN = "";
|
||||
LCYAN = "";
|
||||
REDYELLOW = "";
|
||||
NOCOLOR = "";
|
||||
ansi_color_bad = "";
|
||||
ansi_color_good = "";
|
||||
ansi_color_gray = "";
|
||||
ansi_color_yellow = "";
|
||||
ansi_users_active = "";
|
||||
ansi_users_disabled = "";
|
||||
ansi_current_user = "";
|
||||
}
|
||||
}
|
||||
}
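Review bot: `deleteColors()` at its new position in the `@ -407` hunk never clears `DGRAY`, so with colours disabled `GrayPrint` and the `attackid` suffix in the `@ -182` hunk still emit the `\x1b[1;90m` escape; add `DGRAY = "";` next to `GRAY = "";` in that method. `GRAY` itself was changed from `1;90` to `1;37` (bright white) while the old dark-gray code moved to `DGRAY`, so any remaining `GRAY` users now print in white — this looks intended but deserves a one-line comment on the two fields, e.g. `// GRAY is light text, DGRAY the dimmed text used by GrayPrint`. The banner comment above the method also has a stray space in `/// //////////////////////////////`.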
|
||||
|
@ -660,88 +660,91 @@ namespace winPEAS
|
||||
public static List<Dictionary<string, string>> DumpVault()
|
||||
{
|
||||
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
|
||||
// pulled directly from @djhohnstein's SharpWeb project: https://github.com/djhohnstein/SharpWeb/blob/master/Edge/SharpEdge.cs
|
||||
var OSVersion = Environment.OSVersion.Version;
|
||||
var OSMajor = OSVersion.Major;
|
||||
var OSMinor = OSVersion.Minor;
|
||||
|
||||
Type VAULT_ITEM;
|
||||
|
||||
if (OSMajor >= 6 && OSMinor >= 2)
|
||||
try
|
||||
{
|
||||
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN8);
|
||||
}
|
||||
else
|
||||
{
|
||||
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN7);
|
||||
}
|
||||
// pulled directly from @djhohnstein's SharpWeb project: https://github.com/djhohnstein/SharpWeb/blob/master/Edge/SharpEdge.cs
|
||||
var OSVersion = Environment.OSVersion.Version;
|
||||
var OSMajor = OSVersion.Major;
|
||||
var OSMinor = OSVersion.Minor;
|
||||
|
||||
Int32 vaultCount = 0;
|
||||
IntPtr vaultGuidPtr = IntPtr.Zero;
|
||||
var result = VaultCli.VaultEnumerateVaults(0, ref vaultCount, ref vaultGuidPtr);
|
||||
Type VAULT_ITEM;
|
||||
|
||||
//var result = CallVaultEnumerateVaults(VaultEnum, 0, ref vaultCount, ref vaultGuidPtr);
|
||||
|
||||
if ((int)result != 0)
|
||||
{
|
||||
Console.WriteLine(" [ERROR] Unable to enumerate vaults. Error (0x" + result.ToString() + ")");
|
||||
return results;
|
||||
}
|
||||
|
||||
// Create dictionary to translate Guids to human readable elements
|
||||
IntPtr guidAddress = vaultGuidPtr;
|
||||
Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>();
|
||||
vaultSchema.Add(new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note");
|
||||
vaultSchema.Add(new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential");
|
||||
vaultSchema.Add(new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector");
|
||||
vaultSchema.Add(new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials");
|
||||
vaultSchema.Add(new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials");
|
||||
vaultSchema.Add(new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential");
|
||||
vaultSchema.Add(new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential");
|
||||
vaultSchema.Add(new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential");
|
||||
vaultSchema.Add(new Guid("00000000-0000-0000-0000-000000000000"), null);
|
||||
|
||||
for (int i = 0; i < vaultCount; i++)
|
||||
{
|
||||
|
||||
// Open vault block
|
||||
object vaultGuidString = System.Runtime.InteropServices.Marshal.PtrToStructure(guidAddress, typeof(Guid));
|
||||
Guid vaultGuid = new Guid(vaultGuidString.ToString());
|
||||
guidAddress = (IntPtr)(guidAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(typeof(Guid)));
|
||||
IntPtr vaultHandle = IntPtr.Zero;
|
||||
string vaultType;
|
||||
if (vaultSchema.ContainsKey(vaultGuid))
|
||||
if (OSMajor >= 6 && OSMinor >= 2)
|
||||
{
|
||||
vaultType = vaultSchema[vaultGuid];
|
||||
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN8);
|
||||
}
|
||||
else
|
||||
{
|
||||
vaultType = vaultGuid.ToString();
|
||||
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN7);
|
||||
}
|
||||
result = VaultCli.VaultOpenVault(ref vaultGuid, (UInt32)0, ref vaultHandle);
|
||||
if (result != 0)
|
||||
{
|
||||
Console.WriteLine("Unable to open the following vault: " + vaultType + ". Error: 0x" + result.ToString());
|
||||
continue;
|
||||
}
|
||||
// Vault opened successfully! Continue.
|
||||
|
||||
// Fetch all items within Vault
|
||||
int vaultItemCount = 0;
|
||||
IntPtr vaultItemPtr = IntPtr.Zero;
|
||||
result = VaultCli.VaultEnumerateItems(vaultHandle, 512, ref vaultItemCount, ref vaultItemPtr);
|
||||
if (result != 0)
|
||||
Int32 vaultCount = 0;
|
||||
IntPtr vaultGuidPtr = IntPtr.Zero;
|
||||
var result = VaultCli.VaultEnumerateVaults(0, ref vaultCount, ref vaultGuidPtr);
|
||||
|
||||
//var result = CallVaultEnumerateVaults(VaultEnum, 0, ref vaultCount, ref vaultGuidPtr);
|
||||
|
||||
if ((int)result != 0)
|
||||
{
|
||||
Console.WriteLine("Unable to enumerate vault items from the following vault: " + vaultType + ". Error 0x" + result.ToString());
|
||||
continue;
|
||||
Console.WriteLine(" [ERROR] Unable to enumerate vaults. Error (0x" + result.ToString() + ")");
|
||||
return results;
|
||||
}
|
||||
var structAddress = vaultItemPtr;
|
||||
if (vaultItemCount > 0)
|
||||
|
||||
// Create dictionary to translate Guids to human readable elements
|
||||
IntPtr guidAddress = vaultGuidPtr;
|
||||
Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>();
|
||||
vaultSchema.Add(new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note");
|
||||
vaultSchema.Add(new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential");
|
||||
vaultSchema.Add(new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector");
|
||||
vaultSchema.Add(new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials");
|
||||
vaultSchema.Add(new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials");
|
||||
vaultSchema.Add(new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential");
|
||||
vaultSchema.Add(new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential");
|
||||
vaultSchema.Add(new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential");
|
||||
vaultSchema.Add(new Guid("00000000-0000-0000-0000-000000000000"), null);
|
||||
|
||||
for (int i = 0; i < vaultCount; i++)
|
||||
{
|
||||
// For each vault item...
|
||||
for (int j = 1; j <= vaultItemCount; j++)
|
||||
|
||||
// Open vault block
|
||||
object vaultGuidString = System.Runtime.InteropServices.Marshal.PtrToStructure(guidAddress, typeof(Guid));
|
||||
Guid vaultGuid = new Guid(vaultGuidString.ToString());
|
||||
guidAddress = (IntPtr)(guidAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(typeof(Guid)));
|
||||
IntPtr vaultHandle = IntPtr.Zero;
|
||||
string vaultType;
|
||||
if (vaultSchema.ContainsKey(vaultGuid))
|
||||
{
|
||||
Dictionary<string, string> vault_cred = new Dictionary<string, string>() {
|
||||
vaultType = vaultSchema[vaultGuid];
|
||||
}
|
||||
else
|
||||
{
|
||||
vaultType = vaultGuid.ToString();
|
||||
}
|
||||
result = VaultCli.VaultOpenVault(ref vaultGuid, (UInt32)0, ref vaultHandle);
|
||||
if (result != 0)
|
||||
{
|
||||
Console.WriteLine("Unable to open the following vault: " + vaultType + ". Error: 0x" + result.ToString());
|
||||
continue;
|
||||
}
|
||||
// Vault opened successfully! Continue.
|
||||
|
||||
// Fetch all items within Vault
|
||||
int vaultItemCount = 0;
|
||||
IntPtr vaultItemPtr = IntPtr.Zero;
|
||||
result = VaultCli.VaultEnumerateItems(vaultHandle, 512, ref vaultItemCount, ref vaultItemPtr);
|
||||
if (result != 0)
|
||||
{
|
||||
Console.WriteLine("Unable to enumerate vault items from the following vault: " + vaultType + ". Error 0x" + result.ToString());
|
||||
continue;
|
||||
}
|
||||
var structAddress = vaultItemPtr;
|
||||
if (vaultItemCount > 0)
|
||||
{
|
||||
// For each vault item...
|
||||
for (int j = 1; j <= vaultItemCount; j++)
|
||||
{
|
||||
Dictionary<string, string> vault_cred = new Dictionary<string, string>() {
|
||||
{ "GUID", String.Format("{0}", vaultGuid) },
|
||||
{ "Type", vaultType },
|
||||
{ "Resource", "" },
|
||||
@ -752,72 +755,77 @@ namespace winPEAS
|
||||
{ "Error", "" }
|
||||
};
|
||||
|
||||
// Begin fetching vault item...
|
||||
var currentItem = System.Runtime.InteropServices.Marshal.PtrToStructure(structAddress, VAULT_ITEM);
|
||||
structAddress = (IntPtr)(structAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(VAULT_ITEM));
|
||||
// Begin fetching vault item...
|
||||
var currentItem = System.Runtime.InteropServices.Marshal.PtrToStructure(structAddress, VAULT_ITEM);
|
||||
structAddress = (IntPtr)(structAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(VAULT_ITEM));
|
||||
|
||||
IntPtr passwordVaultItem = IntPtr.Zero;
|
||||
// Field Info retrieval
|
||||
FieldInfo schemaIdInfo = currentItem.GetType().GetField("SchemaId");
|
||||
Guid schemaId = new Guid(schemaIdInfo.GetValue(currentItem).ToString());
|
||||
FieldInfo pResourceElementInfo = currentItem.GetType().GetField("pResourceElement");
|
||||
IntPtr pResourceElement = (IntPtr)pResourceElementInfo.GetValue(currentItem);
|
||||
FieldInfo pIdentityElementInfo = currentItem.GetType().GetField("pIdentityElement");
|
||||
IntPtr pIdentityElement = (IntPtr)pIdentityElementInfo.GetValue(currentItem);
|
||||
FieldInfo dateTimeInfo = currentItem.GetType().GetField("LastModified");
|
||||
UInt64 lastModified = (UInt64)dateTimeInfo.GetValue(currentItem);
|
||||
IntPtr passwordVaultItem = IntPtr.Zero;
|
||||
// Field Info retrieval
|
||||
FieldInfo schemaIdInfo = currentItem.GetType().GetField("SchemaId");
|
||||
Guid schemaId = new Guid(schemaIdInfo.GetValue(currentItem).ToString());
|
||||
FieldInfo pResourceElementInfo = currentItem.GetType().GetField("pResourceElement");
|
||||
IntPtr pResourceElement = (IntPtr)pResourceElementInfo.GetValue(currentItem);
|
||||
FieldInfo pIdentityElementInfo = currentItem.GetType().GetField("pIdentityElement");
|
||||
IntPtr pIdentityElement = (IntPtr)pIdentityElementInfo.GetValue(currentItem);
|
||||
FieldInfo dateTimeInfo = currentItem.GetType().GetField("LastModified");
|
||||
UInt64 lastModified = (UInt64)dateTimeInfo.GetValue(currentItem);
|
||||
|
||||
IntPtr pPackageSid = IntPtr.Zero;
|
||||
if (OSMajor >= 6 && OSMinor >= 2)
|
||||
{
|
||||
// Newer versions have package sid
|
||||
FieldInfo pPackageSidInfo = currentItem.GetType().GetField("pPackageSid");
|
||||
pPackageSid = (IntPtr)pPackageSidInfo.GetValue(currentItem);
|
||||
result = VaultCli.VaultGetItem_WIN8(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, pPackageSid, IntPtr.Zero, 0, ref passwordVaultItem);
|
||||
}
|
||||
else
|
||||
{
|
||||
result = VaultCli.VaultGetItem_WIN7(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);
|
||||
}
|
||||
IntPtr pPackageSid = IntPtr.Zero;
|
||||
if (OSMajor >= 6 && OSMinor >= 2)
|
||||
{
|
||||
// Newer versions have package sid
|
||||
FieldInfo pPackageSidInfo = currentItem.GetType().GetField("pPackageSid");
|
||||
pPackageSid = (IntPtr)pPackageSidInfo.GetValue(currentItem);
|
||||
result = VaultCli.VaultGetItem_WIN8(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, pPackageSid, IntPtr.Zero, 0, ref passwordVaultItem);
|
||||
}
|
||||
else
|
||||
{
|
||||
result = VaultCli.VaultGetItem_WIN7(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);
|
||||
}
|
||||
|
||||
if (result != 0)
|
||||
{
|
||||
vault_cred["Error"] = "Occured while retrieving vault item. Error: 0x" + result.ToString();
|
||||
continue;
|
||||
}
|
||||
object passwordItem = System.Runtime.InteropServices.Marshal.PtrToStructure(passwordVaultItem, VAULT_ITEM);
|
||||
FieldInfo pAuthenticatorElementInfo = passwordItem.GetType().GetField("pAuthenticatorElement");
|
||||
IntPtr pAuthenticatorElement = (IntPtr)pAuthenticatorElementInfo.GetValue(passwordItem);
|
||||
// Fetch the credential from the authenticator element
|
||||
object cred = GetVaultElementValue(pAuthenticatorElement);
|
||||
object packageSid = null;
|
||||
if (pPackageSid != IntPtr.Zero && pPackageSid != null)
|
||||
{
|
||||
packageSid = GetVaultElementValue(pPackageSid);
|
||||
}
|
||||
if (cred != null) // Indicates successful fetch
|
||||
{
|
||||
object resource = GetVaultElementValue(pResourceElement);
|
||||
if (resource != null)
|
||||
if (result != 0)
|
||||
{
|
||||
vault_cred["Resource"] = String.Format("{0}", resource);
|
||||
vault_cred["Error"] = "Occured while retrieving vault item. Error: 0x" + result.ToString();
|
||||
continue;
|
||||
}
|
||||
object identity = GetVaultElementValue(pIdentityElement);
|
||||
if (identity != null)
|
||||
object passwordItem = System.Runtime.InteropServices.Marshal.PtrToStructure(passwordVaultItem, VAULT_ITEM);
|
||||
FieldInfo pAuthenticatorElementInfo = passwordItem.GetType().GetField("pAuthenticatorElement");
|
||||
IntPtr pAuthenticatorElement = (IntPtr)pAuthenticatorElementInfo.GetValue(passwordItem);
|
||||
// Fetch the credential from the authenticator element
|
||||
object cred = GetVaultElementValue(pAuthenticatorElement);
|
||||
object packageSid = null;
|
||||
if (pPackageSid != IntPtr.Zero && pPackageSid != null)
|
||||
{
|
||||
vault_cred["Identity"] = String.Format("{0}", identity);
|
||||
packageSid = GetVaultElementValue(pPackageSid);
|
||||
}
|
||||
if (packageSid != null)
|
||||
if (cred != null) // Indicates successful fetch
|
||||
{
|
||||
vault_cred["PacakgeSid"] = String.Format("{0}", packageSid);
|
||||
object resource = GetVaultElementValue(pResourceElement);
|
||||
if (resource != null)
|
||||
{
|
||||
vault_cred["Resource"] = String.Format("{0}", resource);
|
||||
}
|
||||
object identity = GetVaultElementValue(pIdentityElement);
|
||||
if (identity != null)
|
||||
{
|
||||
vault_cred["Identity"] = String.Format("{0}", identity);
|
||||
}
|
||||
if (packageSid != null)
|
||||
{
|
||||
vault_cred["PacakgeSid"] = String.Format("{0}", packageSid);
|
||||
}
|
||||
vault_cred["Credential"] = String.Format("{0}", cred);
|
||||
vault_cred["Last Modified"] = String.Format("{0}", System.DateTime.FromFileTimeUtc((long)lastModified));
|
||||
results.Add(vault_cred);
|
||||
}
|
||||
vault_cred["Credential"] = String.Format("{0}", cred);
|
||||
vault_cred["Last Modified"] = String.Format("{0}", System.DateTime.FromFileTimeUtc((long)lastModified));
|
||||
results.Add(vault_cred);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch(Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
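Review bot: Inside the per-item loop of the `@ -752` hunk, when `VaultGetItem_WIN8`/`VaultGetItem_WIN7` fails the code sets `vault_cred["Error"]` and then `continue`s without adding `vault_cred` to `results`, so the `"Error"` key initialised in the dictionary is never surfaced to the caller; add `results.Add(vault_cred);` before that `continue` (or drop the assignment). The new `try`/`catch` wraps the whole of `DumpVault`, so an exception while reading one vault item silently ends enumeration of every remaining vault — moving the `try` inside the `for (int i …)` loop would preserve the per-vault `continue` behaviour the explicit error branches already aim for. The `OSMajor >= 6 && OSMinor >= 2` test (used twice) selects the Win7 item layout whenever `Environment.OSVersion` reports `10.0`, which happens if the assembly carries a Windows 10 `supportedOS` manifest; worth confirming against the project's manifest before relying on it.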
|
||||
|
||||
|
@ -16,7 +16,63 @@ namespace winPEAS
|
||||
{
|
||||
class MyUtils
|
||||
{
|
||||
//////////////////////
|
||||
/// IsDomainJoined ///
|
||||
//////////////////////
|
||||
/// The clases and functions here are dedicated to discover if the current host is joined in a domain or not, and get the domain name if so
|
||||
/// It can be done using .Net (default) and WMI (used if .Net fails)
|
||||
internal class Win32
|
||||
{
|
||||
public const int ErrorSuccess = 0;
|
||||
|
||||
[DllImport("Netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
|
||||
public static extern int NetGetJoinInformation(string server, out IntPtr domain, out NetJoinStatus status);
|
||||
|
||||
[DllImport("Netapi32.dll")]
|
||||
public static extern int NetApiBufferFree(IntPtr Buffer);
|
||||
|
||||
public enum NetJoinStatus
|
||||
{
|
||||
NetSetupUnknownStatus = 0,
|
||||
NetSetupUnjoined,
|
||||
NetSetupWorkgroupName,
|
||||
NetSetupDomainName
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public static string IsDomainJoined()
|
||||
{
|
||||
// returns Compuer Domain if the system is inside an AD (an nothing if it is not)
|
||||
try
|
||||
{
|
||||
Win32.NetJoinStatus status = Win32.NetJoinStatus.NetSetupUnknownStatus;
|
||||
IntPtr pDomain = IntPtr.Zero;
|
||||
int result = Win32.NetGetJoinInformation(null, out pDomain, out status);
|
||||
if (pDomain != IntPtr.Zero)
|
||||
{
|
||||
Win32.NetApiBufferFree(pDomain);
|
||||
}
|
||||
|
||||
if (result == Win32.ErrorSuccess)
|
||||
{
|
||||
// If in domain, return domain name, if not, return empty
|
||||
if (status == Win32.NetJoinStatus.NetSetupDomainName)
|
||||
return Environment.UserDomainName;
|
||||
return "";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}\n Trying to check if domain is joined using WMI", ex.Message));
|
||||
IsDomainJoinedWmi();
|
||||
}
|
||||
return "";
|
||||
}
|
||||
|
||||
public static string IsDomainJoinedWmi()
|
||||
{
|
||||
// returns Compuer Domain if the system is inside an AD (an nothing if it is not)
|
||||
try
|
||||
@ -36,84 +92,16 @@ namespace winPEAS
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
//By default true, because this way will check domain and local, but never should get here the code
|
||||
//By default local
|
||||
return "";
|
||||
}
|
||||
|
||||
public static Dictionary<string, string> RemoveEmptyKeys(Dictionary<string, string> dic_in)
|
||||
{
|
||||
Dictionary<string, string> results = new Dictionary<string, string>();
|
||||
try
|
||||
{
|
||||
foreach (KeyValuePair<string, string> entry in dic_in)
|
||||
if (!String.IsNullOrEmpty(entry.Value.Trim()))
|
||||
results[entry.Key] = entry.Value;
|
||||
return results;
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
|
||||
public static List<string> ListFolder(String path)
|
||||
{
|
||||
string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
|
||||
var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
|
||||
return dirs.ToList();
|
||||
}
|
||||
|
||||
//From https://stackoverflow.com/questions/929276/how-to-recursively-list-all-the-files-in-a-directory-in-c
|
||||
public static Dictionary<string, string> GecRecursivePrivs(string path)
|
||||
{
|
||||
/*string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
|
||||
var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
|
||||
return dirs.ToList();*/
|
||||
Dictionary<string, string> results = new Dictionary<string, string>();
|
||||
results[path] = ""; //If you cant open, then there are no privileges for you (and the try will explode)
|
||||
try
|
||||
{
|
||||
results[path] = String.Join(", ", GetPermissionsFolder(path, Program.interestingUsersGroups));
|
||||
if (String.IsNullOrEmpty(results[path]))
|
||||
{
|
||||
foreach (string d in Directory.GetDirectories(path))
|
||||
{
|
||||
foreach (string f in Directory.GetFiles(d))
|
||||
{
|
||||
results[f] = String.Join(", ", GetPermissionsFile(f, Program.interestingUsersGroups));
|
||||
}
|
||||
results.Concat(GecRecursivePrivs(d)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
|
||||
}
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
//Access denied to a path
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
//From Seatbelt
|
||||
public static bool IsHighIntegrity()
|
||||
{
|
||||
// returns true if the current process is running with adminstrative privs in a high integrity context
|
||||
WindowsIdentity identity = WindowsIdentity.GetCurrent();
|
||||
WindowsPrincipal principal = new WindowsPrincipal(identity);
|
||||
return principal.IsInRole(WindowsBuiltInRole.Administrator);
|
||||
}
|
||||
|
||||
//From https://stackoverflow.com/questions/3519539/how-to-check-if-a-string-contains-any-of-some-strings
|
||||
public static bool ContainsAnyRegex(string haystack, List<string> regexps)
|
||||
{
|
||||
foreach (string regex in regexps)
|
||||
{
|
||||
if (Regex.Match(haystack, regex, RegexOptions.IgnoreCase).Success)
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
// From Seatbelt
|
||||
///////////////////////////////////////////
|
||||
/// Interf. for Keys and Values in Reg. ///
|
||||
///////////////////////////////////////////
|
||||
/// Functions related to obtain keys and values from the registry
|
||||
/// Some parts adapted from Seatbelt
|
||||
public static string GetRegValue(string hive, string path, string value)
|
||||
{
|
||||
// returns a single registry value under the specified path in the specified hive (HKLM/HKCU)
|
||||
@ -254,6 +242,241 @@ namespace winPEAS
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
///////////////////////////////////
|
||||
//////// Check Permissions ////////
|
||||
///////////////////////////////////
|
||||
/// Get interesting permissions from Files, Folders and Registry
|
||||
public static List<string> GetPermissionsFile(string path, Dictionary<string,string> SIDs)
|
||||
{
|
||||
/*Permisos especiales para carpetas
|
||||
*https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask-format?redirectedfrom=MSDN
|
||||
*https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights?redirectedfrom=MSDN
|
||||
*/
|
||||
|
||||
List<string> results = new List<string>();
|
||||
path = path.Trim();
|
||||
if (path == null || path == "")
|
||||
return results;
|
||||
|
||||
Match reg_path = Regex.Match(path.ToString(), @"\W*([a-z]:\\.+?(\.[a-zA-Z0-9_-]+))\W*", RegexOptions.IgnoreCase);
|
||||
string binaryPath = reg_path.Groups[1].ToString();
|
||||
path = binaryPath;
|
||||
if (path == null || path == "")
|
||||
return results;
|
||||
|
||||
try
|
||||
{
|
||||
FileSecurity fSecurity = File.GetAccessControl(path);
|
||||
results = GetMyPermissionsF(fSecurity, SIDs);
|
||||
}
|
||||
catch
|
||||
{
|
||||
//By some reason some times it cannot find a file or cannot get permissions (normally with some binaries inside system32)
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
public static List<string> GetPermissionsFolder(string path, Dictionary<string, string> SIDs)
|
||||
{
|
||||
List<string> results = new List<string>();
|
||||
|
||||
try
|
||||
{
|
||||
path = path.Trim();
|
||||
if (String.IsNullOrEmpty(path))
|
||||
return results;
|
||||
|
||||
path = GetFolderFromString(path);
|
||||
|
||||
if (String.IsNullOrEmpty(path))
|
||||
return results;
|
||||
|
||||
FileSecurity fSecurity = File.GetAccessControl(path);
|
||||
results = GetMyPermissionsF(fSecurity, SIDs);
|
||||
}
|
||||
catch
|
||||
{
|
||||
//Te exceptions here use to be "Not access to a file", nothing interesting
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
public static List<string> GetMyPermissionsF(FileSecurity fSecurity, Dictionary<string, string> SIDs)
|
||||
{
|
||||
// Get interesting permissions in fSecurity (Only files and folders)
|
||||
List<string> results = new List<string>();
|
||||
Dictionary<string, string> container = new Dictionary<string, string>();
|
||||
|
||||
foreach (FileSystemAccessRule rule in fSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
|
||||
{
|
||||
//First, check if the rule to check is interesting
|
||||
int current_perm = (int)rule.FileSystemRights;
|
||||
string current_perm_str = PermInt2Str(current_perm, false);
|
||||
if (current_perm_str == "")
|
||||
continue;
|
||||
|
||||
foreach (KeyValuePair<string, string> mySID in SIDs)
|
||||
{
|
||||
// If the rule is interesting, check if any of my SIDs is in the rule
|
||||
if (rule.IdentityReference.Value.ToLower() == mySID.Key.ToLower())
|
||||
{
|
||||
string SID_name = String.IsNullOrEmpty(mySID.Value) ? mySID.Key : mySID.Value;
|
||||
|
||||
if (container.ContainsKey(SID_name))
|
||||
{
|
||||
if (!container[SID_name].Contains(current_perm_str))
|
||||
container[SID_name] += " " + current_perm_str;
|
||||
}
|
||||
else
|
||||
container[SID_name] = current_perm_str;
|
||||
|
||||
string to_add = String.Format("{0} [{1}]", SID_name, current_perm_str);
|
||||
}
|
||||
}
|
||||
}
|
||||
foreach (KeyValuePair<string, string> SID_input in container)
|
||||
{
|
||||
string to_add = String.Format("{0} [{1}]", SID_input.Key, SID_input.Value);
|
||||
results.Add(to_add);
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
public static List<string> GetMyPermissionsR(RegistryKey key, Dictionary<string, string> SIDs)
|
||||
{
|
||||
// Get interesting permissions in rSecurity (Only Registry)
|
||||
List<string> results = new List<string>();
|
||||
Dictionary<string, string> container = new Dictionary<string, string>();
|
||||
|
||||
try
|
||||
{
|
||||
var rSecurity = key.GetAccessControl();
|
||||
|
||||
//Go through the rules returned from the DirectorySecurity
|
||||
foreach (RegistryAccessRule rule in rSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
|
||||
{
|
||||
int current_perm = (int)rule.RegistryRights;
|
||||
string current_perm_str = PermInt2Str(current_perm, true);
|
||||
if (current_perm_str == "")
|
||||
continue;
|
||||
|
||||
foreach (KeyValuePair<string, string> mySID in SIDs)
|
||||
{
|
||||
// If the rule is interesting, check if any of my SIDs is in the rule
|
||||
if (rule.IdentityReference.Value.ToLower() == mySID.Key.ToLower())
|
||||
{
|
||||
string SID_name = String.IsNullOrEmpty(mySID.Value) ? mySID.Key : mySID.Value;
|
||||
|
||||
if (container.ContainsKey(SID_name))
|
||||
{
|
||||
if (!container[SID_name].Contains(current_perm_str))
|
||||
container[SID_name] += " " + current_perm_str;
|
||||
}
|
||||
else
|
||||
container[SID_name] = current_perm_str;
|
||||
|
||||
string to_add = String.Format("{0} [{1}]", SID_name, current_perm_str);
|
||||
}
|
||||
}
|
||||
}
|
||||
foreach (KeyValuePair<string, string> SID_input in container)
|
||||
{
|
||||
string to_add = String.Format("{0} [{1}]", SID_input.Key, SID_input.Value);
|
||||
results.Add(to_add);
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
public static string PermInt2Str(int current_perm, bool only_write_or_equivalent = false)
|
||||
{
|
||||
Dictionary<string, int> interesting_perms = new Dictionary<string, int>()
|
||||
{
|
||||
{ "AllAccess", 0xf01ff},
|
||||
{ "GenericAll", 0x10000000},
|
||||
{ "FullControl", (int)FileSystemRights.FullControl },
|
||||
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
|
||||
{ "GenericWrite", 0x40000000 },
|
||||
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
|
||||
{ "Modify", (int)FileSystemRights.Modify },
|
||||
{ "Write", (int)FileSystemRights.Write },
|
||||
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
|
||||
{ "Delete", (int)FileSystemRights.Delete },
|
||||
{ "DeleteSubdirectoriesAndFiles", (int)FileSystemRights.DeleteSubdirectoriesAndFiles },
|
||||
{ "AppendData/CreateDirectories", (int)FileSystemRights.AppendData },
|
||||
{ "WriteAttributes", (int)FileSystemRights.WriteAttributes },
|
||||
{ "WriteExtendedAttributes", (int)FileSystemRights.WriteExtendedAttributes },
|
||||
};
|
||||
|
||||
if (only_write_or_equivalent)
|
||||
{
|
||||
interesting_perms = new Dictionary<string, int>()
|
||||
{
|
||||
{ "AllAccess", 0xf01ff},
|
||||
{ "GenericAll", 0x10000000},
|
||||
{ "FullControl", (int)FileSystemRights.FullControl },
|
||||
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
|
||||
{ "GenericWrite", 0x40000000 },
|
||||
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
|
||||
{ "Modify", (int)FileSystemRights.Modify },
|
||||
{ "Write", (int)FileSystemRights.Write },
|
||||
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
|
||||
};
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
foreach (KeyValuePair<string, int> entry in interesting_perms)
|
||||
{
|
||||
if ((entry.Value & current_perm) == entry.Value)
|
||||
return entry.Key;
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint("Error in PermInt2Str: " + ex);
|
||||
}
|
||||
return "";
|
||||
}
|
||||
|
||||
//From https://stackoverflow.com/questions/929276/how-to-recursively-list-all-the-files-in-a-directory-in-c
|
||||
public static Dictionary<string, string> GecRecursivePrivs(string path)
|
||||
{
|
||||
/*string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
|
||||
var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
|
||||
return dirs.ToList();*/
|
||||
Dictionary<string, string> results = new Dictionary<string, string>();
|
||||
results[path] = ""; //If you cant open, then there are no privileges for you (and the try will explode)
|
||||
try
|
||||
{
|
||||
results[path] = String.Join(", ", GetPermissionsFolder(path, Program.currentUserSIDs));
|
||||
if (String.IsNullOrEmpty(results[path]))
|
||||
{
|
||||
foreach (string d in Directory.GetDirectories(path))
|
||||
{
|
||||
foreach (string f in Directory.GetFiles(d))
|
||||
{
|
||||
results[f] = String.Join(", ", GetPermissionsFile(f, Program.currentUserSIDs));
|
||||
}
|
||||
results.Concat(GecRecursivePrivs(d)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
|
||||
}
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
//Access denied to a path
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
////////////////////////////////////
|
||||
/////// MISC - Files & Paths ///////
|
||||
////////////////////////////////////
|
||||
public static bool CheckIfDotNet(string path)
|
||||
{
|
||||
bool isDotNet = false;
|
||||
@ -306,7 +529,7 @@ namespace winPEAS
|
||||
string binaryPath = GetExecutableFromPath(path);
|
||||
if (binaryPath == "")
|
||||
{
|
||||
binaryPath = GetExecutableFromPath(system32dir +"\\" + path);
|
||||
binaryPath = GetExecutableFromPath(system32dir + "\\" + path);
|
||||
if (!File.Exists(binaryPath))
|
||||
{
|
||||
binaryPath = GetExecutableFromPath(windowsdir + "\\" + path);
|
||||
@ -323,55 +546,6 @@ namespace winPEAS
|
||||
return binaryPath;
|
||||
}
|
||||
|
||||
public static List<string> GetPermissionsFile(string path, List<string> lowgroups)
|
||||
{
|
||||
/*Permisos especiales para carpetas
|
||||
*https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask-format?redirectedfrom=MSDN
|
||||
*https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights?redirectedfrom=MSDN
|
||||
*/
|
||||
|
||||
List<string> results = new List<string>();
|
||||
path = path.Trim();
|
||||
if (path == null || path == "")
|
||||
return results;
|
||||
|
||||
Match reg_path = Regex.Match(path.ToString(), @"\W*([a-z]:\\.+?(\.[a-zA-Z0-9_-]+))\W*", RegexOptions.IgnoreCase);
|
||||
string binaryPath = reg_path.Groups[1].ToString();
|
||||
path = binaryPath;
|
||||
if (path == null || path == "")
|
||||
return results;
|
||||
|
||||
try
|
||||
{
|
||||
FileSecurity fSecurity = File.GetAccessControl(path);
|
||||
foreach (FileSystemAccessRule rule in fSecurity.GetAccessRules(true, true, typeof(NTAccount)))
|
||||
{
|
||||
int current_perm = (int)rule.FileSystemRights;
|
||||
string current_perm_str = permInt2Str(current_perm);
|
||||
if (current_perm_str == "")
|
||||
continue;
|
||||
|
||||
foreach (string group in lowgroups)
|
||||
{
|
||||
if (rule.IdentityReference.Value.ToLower().Contains(group.ToLower()))
|
||||
{
|
||||
string to_add = String.Format("{0} [{1}]", rule.IdentityReference.Value, current_perm_str);
|
||||
if (!results.Contains(to_add))
|
||||
{
|
||||
results.Add(to_add);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
//By some reason some times it cannot find a file or cannot get permissions (normally with some binaries inside system32)
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
public static string GetFolderFromString(string path)
|
||||
{
|
||||
string fpath = path;
|
||||
@ -387,102 +561,6 @@ namespace winPEAS
|
||||
return fpath;
|
||||
}
|
||||
|
||||
public static List<string> GetPermissionsFolder(string path, List<string> NtAccountNames)
|
||||
{
|
||||
List<string> results = new List<string>();
|
||||
|
||||
try
|
||||
{
|
||||
path = path.Trim();
|
||||
if (String.IsNullOrEmpty(path))
|
||||
return results;
|
||||
|
||||
path = GetFolderFromString(path);
|
||||
|
||||
if (String.IsNullOrEmpty(path))
|
||||
return results;
|
||||
|
||||
FileSecurity fSecurity = File.GetAccessControl(path);
|
||||
//Go through the rules returned from the DirectorySecurity
|
||||
foreach (FileSystemAccessRule rule in fSecurity.GetAccessRules(true, true, typeof(NTAccount)))
|
||||
{
|
||||
int current_perm = (int)rule.FileSystemRights;
|
||||
string current_perm_str = permInt2Str(current_perm);
|
||||
if (current_perm_str == "")
|
||||
continue;
|
||||
|
||||
//If we find one that matches the identity we are looking for
|
||||
foreach (string name in NtAccountNames)
|
||||
{
|
||||
if (rule.IdentityReference.Value.ToLower().Contains(name.ToLower()))
|
||||
{
|
||||
string to_add = String.Format("{0} [{1}]", rule.IdentityReference.Value, current_perm_str);
|
||||
if (!results.Contains(to_add))
|
||||
{
|
||||
results.Add(to_add);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
//Te exceptions here use to be "Not access to a file", nothing interesting
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
public static string permInt2Str(int current_perm, bool only_write_or_equivalent=false)
|
||||
{
|
||||
Dictionary<string, int> interesting_perms = new Dictionary<string, int>()
|
||||
{
|
||||
{ "AllAccess", 0xf01ff},
|
||||
{ "GenericAll", 0x10000000},
|
||||
{ "FullControl", (int)FileSystemRights.FullControl },
|
||||
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
|
||||
{ "GenericWrite", 0x40000000 },
|
||||
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
|
||||
{ "Modify", (int)FileSystemRights.Modify },
|
||||
{ "Write", (int)FileSystemRights.Write },
|
||||
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
|
||||
{ "Delete", (int)FileSystemRights.Delete },
|
||||
{ "DeleteSubdirectoriesAndFiles", (int)FileSystemRights.DeleteSubdirectoriesAndFiles },
|
||||
{ "AppendData/CreateDirectories", (int)FileSystemRights.AppendData },
|
||||
{ "WriteAttributes", (int)FileSystemRights.WriteAttributes },
|
||||
{ "WriteExtendedAttributes", (int)FileSystemRights.WriteExtendedAttributes },
|
||||
};
|
||||
|
||||
if (only_write_or_equivalent)
|
||||
{
|
||||
interesting_perms = new Dictionary<string, int>()
|
||||
{
|
||||
{ "AllAccess", 0xf01ff},
|
||||
{ "GenericAll", 0x10000000},
|
||||
{ "FullControl", (int)FileSystemRights.FullControl },
|
||||
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
|
||||
{ "GenericWrite", 0x40000000 },
|
||||
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
|
||||
{ "Modify", (int)FileSystemRights.Modify },
|
||||
{ "Write", (int)FileSystemRights.Write },
|
||||
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
|
||||
};
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
foreach (KeyValuePair<string, int> entry in interesting_perms)
|
||||
{
|
||||
if ((entry.Value & current_perm) == entry.Value)
|
||||
return entry.Key;
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint("Error in permInt2Str: " + ex);
|
||||
}
|
||||
return "";
|
||||
}
|
||||
|
||||
public static bool CheckQuoteAndSpace(string path)
|
||||
{
|
||||
@ -494,94 +572,6 @@ namespace winPEAS
|
||||
return false;
|
||||
}
|
||||
|
||||
//Adapted from https://social.msdn.microsoft.com/Forums/vstudio/en-US/378491d6-23a3-4ae7-a702-c52c5abb0e8d/access-to-both-32-and-64-bit-registry-using-c-and-regmultisz?forum=csharpgeneral
|
||||
[DllImport("Advapi32.dll", EntryPoint = "RegOpenKeyExW", CharSet = CharSet.Unicode)]
|
||||
static extern int RegOpenKeyEx(IntPtr hKey, [In] string lpSubKey, int ulOptions, int samDesired, out IntPtr phkResult);
|
||||
[DllImport("Advapi32.dll", EntryPoint = "RegQueryValueExW", CharSet = CharSet.Unicode)]
|
||||
static extern int RegQueryValueEx(IntPtr hKey, [In] string lpValueName, IntPtr lpReserved, out int lpType, [Out] byte[] lpData, ref int lpcbData);
|
||||
[DllImport("advapi32.dll")]
|
||||
static extern int RegCloseKey(IntPtr hKey);
|
||||
|
||||
static public readonly IntPtr HKEY_CLASSES_ROOT = new IntPtr(-2147483648);
|
||||
static public readonly IntPtr HKEY_CURRENT_USER = new IntPtr(-2147483647);
|
||||
static public readonly IntPtr HKEY_LOCAL_MACHINE = new IntPtr(-2147483646);
|
||||
static public readonly IntPtr HKEY_USERS = new IntPtr(-2147483645);
|
||||
static public readonly IntPtr HKEY_PERFORMANCE_DATA = new IntPtr(-2147483644);
|
||||
static public readonly IntPtr HKEY_CURRENT_CONFIG = new IntPtr(-2147483643);
|
||||
static public readonly IntPtr HKEY_DYN_DATA = new IntPtr(-2147483642);
|
||||
|
||||
public const int KEY_READ = 0x20019;
|
||||
public const int KEY_WRITE = 0x20006;
|
||||
public const int KEY_QUERY_VALUE = 0x0001;
|
||||
public const int KEY_SET_VALUE = 0x0002;
|
||||
public const int KEY_WOW64_64KEY = 0x0100;
|
||||
public const int KEY_WOW64_32KEY = 0x0200;
|
||||
public const int KEY_ALL_ACCESS = 0xF003F;
|
||||
|
||||
public const int REG_NONE = 0;
|
||||
public const int REG_SZ = 1;
|
||||
public const int REG_EXPAND_SZ = 2;
|
||||
public const int REG_BINARY = 3;
|
||||
public const int REG_DWORD = 4;
|
||||
public const int REG_DWORD_BIG_ENDIAN = 5;
|
||||
public const int REG_LINK = 6;
|
||||
public const int REG_MULTI_SZ = 7;
|
||||
public const int REG_RESOURCE_LIST = 8;
|
||||
public const int REG_FULL_RESOURCE_DESCRIPTOR = 9;
|
||||
public const int REG_RESOURCE_REQUIREMENTS_LIST = 10;
|
||||
public const int REG_QWORD = 11;
|
||||
|
||||
[StructLayoutAttribute(LayoutKind.Sequential)]
|
||||
public struct SECURITY_DESCRIPTOR
|
||||
{
|
||||
public byte revision;
|
||||
public byte size;
|
||||
public short control;
|
||||
public IntPtr owner;
|
||||
public IntPtr group;
|
||||
public IntPtr sacl;
|
||||
public IntPtr dacl;
|
||||
}
|
||||
|
||||
public static List<string> CheckAccessReg(RegistryKey key, List<string> NtAccountNames)
|
||||
{
|
||||
List<string> results = new List<string>();
|
||||
|
||||
try
|
||||
{
|
||||
var security = key.GetAccessControl();
|
||||
|
||||
//Go through the rules returned from the DirectorySecurity
|
||||
foreach (RegistryAccessRule rule in security.GetAccessRules(true, true, typeof(NTAccount)))
|
||||
{
|
||||
int current_perm = (int)rule.RegistryRights;
|
||||
string current_perm_str = permInt2Str(current_perm, true);
|
||||
if (current_perm_str == "" || current_perm_str == "WriteExtendedAttributes")
|
||||
continue;
|
||||
|
||||
//If we find one that matches the identity we are looking for
|
||||
foreach (string name in NtAccountNames)
|
||||
{
|
||||
if (rule.IdentityReference.Value.ToLower().Contains(name.ToLower()))
|
||||
{
|
||||
string to_add = String.Format("{0} [{1}]", rule.IdentityReference.Value, current_perm_str);
|
||||
if (!results.Contains(to_add))
|
||||
{
|
||||
results.Add(to_add);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
|
||||
public static List<string> FindFiles(string path, string patterns)
|
||||
{
|
||||
// finds files matching one or more patterns under a given path, recursive
|
||||
@ -629,6 +619,55 @@ namespace winPEAS
|
||||
catch (PathTooLongException) { }
|
||||
}
|
||||
|
||||
|
||||
//////////////////////
|
||||
//////// MISC ////////
|
||||
//////////////////////
|
||||
public static Dictionary<string, string> RemoveEmptyKeys(Dictionary<string, string> dic_in)
|
||||
{
|
||||
Dictionary<string, string> results = new Dictionary<string, string>();
|
||||
try
|
||||
{
|
||||
foreach (KeyValuePair<string, string> entry in dic_in)
|
||||
if (!String.IsNullOrEmpty(entry.Value.Trim()))
|
||||
results[entry.Key] = entry.Value;
|
||||
return results;
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
|
||||
public static List<string> ListFolder(String path)
|
||||
{
|
||||
string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
|
||||
var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
|
||||
return dirs.ToList();
|
||||
}
|
||||
|
||||
|
||||
//From Seatbelt
|
||||
public static bool IsHighIntegrity()
|
||||
{
|
||||
// returns true if the current process is running with adminstrative privs in a high integrity context
|
||||
WindowsIdentity identity = WindowsIdentity.GetCurrent();
|
||||
WindowsPrincipal principal = new WindowsPrincipal(identity);
|
||||
return principal.IsInRole(WindowsBuiltInRole.Administrator);
|
||||
}
|
||||
|
||||
//From https://stackoverflow.com/questions/3519539/how-to-check-if-a-string-contains-any-of-some-strings
|
||||
public static bool ContainsAnyRegex(string haystack, List<string> regexps)
|
||||
{
|
||||
foreach (string regex in regexps)
|
||||
{
|
||||
if (Regex.Match(haystack, regex, RegexOptions.IgnoreCase).Success)
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
// From https://stackoverflow.com/questions/206323/how-to-execute-command-line-in-c-get-std-out-results
|
||||
public static string ExecCMD(string args, string alternative_binary="")
|
||||
{
|
||||
|
@ -367,7 +367,7 @@ namespace winPEAS
|
||||
|
||||
//value meanings: http://msdn.microsoft.com/en-us/library/aa390438(v=vs.85).aspx
|
||||
current_perm = Convert.ToInt32(result.Properties["ReturnValue"].Value);
|
||||
perm_str = MyUtils.permInt2Str(current_perm);
|
||||
perm_str = MyUtils.PermInt2Str(current_perm);
|
||||
}
|
||||
catch (ManagementException me)
|
||||
{
|
||||
|
@ -39,7 +39,6 @@ namespace winPEAS
|
||||
|
||||
// Create Dynamic blacklists
|
||||
static string currentUserName = Environment.UserName;
|
||||
public static List<string> interestingUsersGroups = new List<string> { "Everyone", @"Builtin\Users", "Todos", currentUserName }; //Authenticated Users (Authenticated left behin to avoid repetitions)
|
||||
public static string currentUserDomainName = Environment.UserDomainName;
|
||||
public static string currentADDomainName = "";
|
||||
public static bool partofdomain = false;
|
||||
@ -47,7 +46,7 @@ namespace winPEAS
|
||||
static SelectQuery query = null;
|
||||
static ManagementObjectSearcher searcher = null;
|
||||
public static ManagementObjectCollection win32_users = null;
|
||||
static List<string> currentUserGroups = new List<string>();
|
||||
public static Dictionary<string,string> currentUserSIDs = new Dictionary<string, string>();
|
||||
static string paint_activeUsers = "";
|
||||
static string paint_activeUsers_no_Administrator = "";
|
||||
static string paint_disabledUsers = "";
|
||||
@ -60,7 +59,7 @@ namespace winPEAS
|
||||
try
|
||||
{
|
||||
Beaprint.GrayPrint(" Creating Dynamic lists, this could take a while, please wait...");
|
||||
Beaprint.GrayPrint(" - Getting AD info...");
|
||||
Beaprint.GrayPrint(" - Checking if domain...");
|
||||
currentADDomainName = MyUtils.IsDomainJoined();
|
||||
partofdomain = currentADDomainName == "" ? false : true;
|
||||
currentUserIsLocal = currentADDomainName != currentUserDomainName;
|
||||
@ -84,8 +83,19 @@ namespace winPEAS
|
||||
|
||||
try {
|
||||
Beaprint.GrayPrint(" - Creating current user groups list...");
|
||||
currentUserGroups = UserInfo.GetUserGroups(currentUserName, currentUserDomainName);
|
||||
interestingUsersGroups.AddRange(currentUserGroups);
|
||||
WindowsIdentity identity = WindowsIdentity.GetCurrent();
|
||||
IdentityReferenceCollection currentSIDs= identity.Groups;
|
||||
foreach (IdentityReference group in identity.Groups)
|
||||
{
|
||||
string gName = "";
|
||||
try
|
||||
{
|
||||
gName = UserInfo.SID2GroupName(group.ToString());
|
||||
}
|
||||
catch { }
|
||||
currentUserSIDs[group.ToString()] = gName;
|
||||
}
|
||||
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
@ -301,27 +311,28 @@ namespace winPEAS
|
||||
{
|
||||
Beaprint.MainPrint("Drives Information", "T1120");
|
||||
Beaprint.LinkPrint("", "Remember that you should search more info inside the other drives");
|
||||
foreach (Dictionary<string, string> drive in SystemInfo.GetDrivesInfo())
|
||||
{
|
||||
string drive_permissions = String.Join(", ", MyUtils.GetPermissionsFolder(drive["Name"], interestingUsersGroups));
|
||||
string dToPrint = " {0} (Type: {1})";
|
||||
if (drive["Volume label"] != "")
|
||||
dToPrint += "(Volume label: {2})";
|
||||
|
||||
if (drive["Filesystem"] != "")
|
||||
dToPrint += "(Filesystem: {3})";
|
||||
|
||||
if (drive["Available space"] != "")
|
||||
dToPrint += "(Available space: {4} GB)";
|
||||
|
||||
if (drive_permissions.Length > 0)
|
||||
dToPrint += "(Permissions: {5})";
|
||||
|
||||
Dictionary<string, string> colorsSI = new Dictionary<string, string>()
|
||||
Dictionary<string, string> colorsSI = new Dictionary<string, string>()
|
||||
{
|
||||
{ "Permissions.*", Beaprint.ansi_color_bad}
|
||||
};
|
||||
Beaprint.AnsiPrint(String.Format(dToPrint, drive["Name"], drive["Type"], drive["Volume label"], drive["Filesystem"], (((Int64.Parse(drive["Available space"]) / 1024) / 1024) / 1024).ToString(), drive_permissions), colorsSI);
|
||||
|
||||
foreach (Dictionary<string, string> drive in SystemInfo.GetDrivesInfo())
|
||||
{
|
||||
string drive_permissions = String.Join(", ", MyUtils.GetPermissionsFolder(drive["Name"], currentUserSIDs));
|
||||
string dToPrint = String.Format(" {0} (Type: {1})", drive["Name"], drive["Type"]);
|
||||
if (!String.IsNullOrEmpty(drive["Volume label"]))
|
||||
dToPrint += "(Volume label: "+ drive["Volume label"] + ")";
|
||||
|
||||
if (!String.IsNullOrEmpty(drive["Filesystem"]))
|
||||
dToPrint += "(Filesystem: "+ drive["Filesystem"] + ")";
|
||||
|
||||
if (!String.IsNullOrEmpty(drive["Available space"]))
|
||||
dToPrint += "(Available space: "+ (((Int64.Parse(drive["Available space"]) / 1024) / 1024) / 1024).ToString() + " GB)";
|
||||
|
||||
if (drive_permissions.Length > 0)
|
||||
dToPrint += "(Permissions: "+ drive_permissions + ")";
|
||||
|
||||
Beaprint.AnsiPrint(dToPrint, colorsSI);
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
@ -435,11 +446,19 @@ namespace winPEAS
|
||||
{
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Current users", "T1087&T1069&T1033");
|
||||
Beaprint.MainPrint("Users", "T1087&T1069&T1033");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
|
||||
|
||||
List<string> users_grps = UserInfo.GetMachineUsers(false, false, false, false, true);
|
||||
|
||||
Beaprint.AnsiPrint(" Current user: " + currentUserName, colorsU());
|
||||
|
||||
List<string> currentGroupsNames = new List<string>();
|
||||
foreach (KeyValuePair<string,string> g in currentUserSIDs)
|
||||
currentGroupsNames.Add(String.IsNullOrEmpty(g.Value) ? g.Key : g.Value);
|
||||
|
||||
Beaprint.AnsiPrint(" Current groups: " + String.Join(", ", currentGroupsNames), colorsU());
|
||||
Beaprint.PrintLineSeparator();
|
||||
Beaprint.ListPrint(users_grps, colorsU());
|
||||
}
|
||||
catch (Exception ex)
|
||||
@ -582,7 +601,7 @@ namespace winPEAS
|
||||
List<string> user_folders = UserInfo.GetUsersFolders();
|
||||
foreach (string ufold in user_folders)
|
||||
{
|
||||
string perms = String.Join(", ", MyUtils.GetPermissionsFolder(ufold, interestingUsersGroups));
|
||||
string perms = String.Join(", ", MyUtils.GetPermissionsFolder(ufold, currentUserSIDs));
|
||||
if (perms.Length > 0)
|
||||
Beaprint.BadPrint(" " + ufold + " : " + perms);
|
||||
else
|
||||
@ -661,10 +680,10 @@ namespace winPEAS
|
||||
proc_info["Product"] = ProcessesInfo.browserProcesses[proc_info["Name"]].ToString();
|
||||
}
|
||||
|
||||
List<string> file_rights = MyUtils.GetPermissionsFile(proc_info["ExecutablePath"], interestingUsersGroups);
|
||||
List<string> file_rights = MyUtils.GetPermissionsFile(proc_info["ExecutablePath"], currentUserSIDs);
|
||||
List<string> dir_rights = new List<string>();
|
||||
if (proc_info["ExecutablePath"] != null && proc_info["ExecutablePath"] != "")
|
||||
dir_rights = MyUtils.GetPermissionsFolder(Path.GetDirectoryName(proc_info["ExecutablePath"]), interestingUsersGroups);
|
||||
dir_rights = MyUtils.GetPermissionsFolder(Path.GetDirectoryName(proc_info["ExecutablePath"]), currentUserSIDs);
|
||||
|
||||
string formString = " {0}({1})[{2}]";
|
||||
if (proc_info["Product"] != null && proc_info["Product"].Length > 1)
|
||||
@ -708,26 +727,20 @@ namespace winPEAS
|
||||
/////////////////////////////////////////////////
|
||||
private static void PrintInfoServices()
|
||||
{
|
||||
/// Start finding Modifiable services so any function could use them
|
||||
Dictionary<string, string> mod_services = new Dictionary<string, string>();
|
||||
try
|
||||
{
|
||||
mod_services = ServicesInfo.GetModifiableServices();
|
||||
mod_services = ServicesInfo.GetModifiableServices(currentUserSIDs);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format("{0}", ex));
|
||||
}
|
||||
|
||||
|
||||
void PrintInterestingServices()
|
||||
{
|
||||
/* Colors Code
|
||||
* RED:
|
||||
* ---- Write privilege in path or path without quotes and some space
|
||||
* ---- Startmode = Auto
|
||||
* GREEN:
|
||||
* ---- No write privileges
|
||||
* ---- Startmode = Manual
|
||||
*/
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Interesting Services -non Microsoft-", "T1007");
|
||||
@ -740,11 +753,11 @@ namespace winPEAS
|
||||
|
||||
foreach (Dictionary<string, string> service_info in services_info)
|
||||
{
|
||||
List<string> file_rights = MyUtils.GetPermissionsFile(service_info["FilteredPath"], interestingUsersGroups);
|
||||
List<string> file_rights = MyUtils.GetPermissionsFile(service_info["FilteredPath"], currentUserSIDs);
|
||||
List<string> dir_rights = new List<string>();
|
||||
|
||||
if (service_info["FilteredPath"] != null && service_info["FilteredPath"] != "")
|
||||
dir_rights = MyUtils.GetPermissionsFolder(Path.GetDirectoryName(service_info["FilteredPath"]), interestingUsersGroups);
|
||||
dir_rights = MyUtils.GetPermissionsFolder(Path.GetDirectoryName(service_info["FilteredPath"]), currentUserSIDs);
|
||||
|
||||
bool no_quotes_and_space = MyUtils.CheckQuoteAndSpace(service_info["PathName"]);
|
||||
|
||||
@ -826,7 +839,7 @@ namespace winPEAS
|
||||
{
|
||||
Beaprint.MainPrint("Looking if you can modify any service registry", "");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
|
||||
List<Dictionary<string, string>> regPerms = ServicesInfo.GetWriteServiceRegs(interestingUsersGroups);
|
||||
List<Dictionary<string, string>> regPerms = ServicesInfo.GetWriteServiceRegs(currentUserSIDs);
|
||||
|
||||
Dictionary<string, string> colorsWR = new Dictionary<string, string>()
|
||||
{
|
||||
@ -891,8 +904,8 @@ namespace winPEAS
|
||||
{
|
||||
Beaprint.MainPrint("Current Active Window Application", "T1010&T1518");
|
||||
string title = ApplicationInfo.GetActiveWindowTitle();
|
||||
List<string> permsFile = MyUtils.GetPermissionsFile(title, interestingUsersGroups);
|
||||
List<string> permsFolder = MyUtils.GetPermissionsFolder(title, interestingUsersGroups);
|
||||
List<string> permsFile = MyUtils.GetPermissionsFile(title, currentUserSIDs);
|
||||
List<string> permsFolder = MyUtils.GetPermissionsFolder(title, currentUserSIDs);
|
||||
if (permsFile.Count > 0)
|
||||
{
|
||||
Beaprint.BadPrint(" " + title);
|
||||
@ -968,7 +981,7 @@ namespace winPEAS
|
||||
{
|
||||
Beaprint.MainPrint("Autorun Applications", "T1010");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup", "Check if you can modify other users AutoRuns binaries");
|
||||
List<Dictionary<string, string>> apps = ApplicationInfo.GetAutoRuns(interestingUsersGroups);
|
||||
List<Dictionary<string, string>> apps = ApplicationInfo.GetAutoRuns(currentUserSIDs);
|
||||
|
||||
foreach (Dictionary<string, string> app in apps)
|
||||
{
|
||||
@ -1028,8 +1041,8 @@ namespace winPEAS
|
||||
|
||||
foreach (Dictionary<string, string> sapp in scheduled_apps)
|
||||
{
|
||||
List<string> file_rights = MyUtils.GetPermissionsFile(sapp["Action"], interestingUsersGroups);
|
||||
List<string> dir_rights = MyUtils.GetPermissionsFolder(sapp["Action"], interestingUsersGroups);
|
||||
List<string> file_rights = MyUtils.GetPermissionsFile(sapp["Action"], currentUserSIDs);
|
||||
List<string> dir_rights = MyUtils.GetPermissionsFolder(sapp["Action"], currentUserSIDs);
|
||||
string formString = " ({0}) {1}: {2}";
|
||||
if (file_rights.Count > 0)
|
||||
formString += "\n Permissions file: {3}";
|
||||
@ -1183,8 +1196,8 @@ namespace winPEAS
|
||||
Beaprint.GrayPrint(" DENY rules:");
|
||||
foreach (Dictionary<string, string> rule in NetworkInfo.GetFirewallRules())
|
||||
{
|
||||
string file_perms = String.Join(", ", MyUtils.GetPermissionsFile(rule["AppName"], interestingUsersGroups));
|
||||
string folder_perms = String.Join(", ", MyUtils.GetPermissionsFolder(rule["AppName"], interestingUsersGroups));
|
||||
string file_perms = String.Join(", ", MyUtils.GetPermissionsFile(rule["AppName"], currentUserSIDs));
|
||||
string folder_perms = String.Join(", ", MyUtils.GetPermissionsFolder(rule["AppName"], currentUserSIDs));
|
||||
string formString = " ({0}){1}[{2}]: {3} {4} {5} from {6} --> {7}";
|
||||
if (file_perms.Length > 0)
|
||||
formString += "\n File Permissions: {8}";
|
||||
@ -1995,6 +2008,10 @@ namespace winPEAS
|
||||
[STAThread]
|
||||
static void Main(string[] args)
|
||||
{
|
||||
//WindowsIdentity identity = WindowsIdentity.GetCurrent();
|
||||
//foreach(IdentityReference group in identity.Groups)
|
||||
// System.Console.WriteLine(identity.Groups);
|
||||
|
||||
//Check parameters
|
||||
bool check_all = true;
|
||||
bool check_si = false;
|
||||
@ -2138,7 +2155,7 @@ namespace winPEAS
|
||||
* List Drivers ==> but how do I know if a driver is malicious?
|
||||
*/
|
||||
|
||||
//System.Console.ReadLine(); //For debugging
|
||||
System.Console.ReadLine(); //For debugging
|
||||
}
|
||||
}
|
||||
}
|
||||
|
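Review bot: The SID map filled in the `@ -84,8 +83,19` hunk is populated only from `identity.Groups`, so the current user's own account SID (`identity.User`) never enters `currentUserSIDs`; since the new permission checks match `rule.IdentityReference.Value` against the map keys by equality rather than by name substring, an ACE granted directly to the user account instead of to one of their groups is no longer reported. Adding `currentUserSIDs[identity.User.ToString()] = currentUserName;` before the `foreach` closes that gap. In the same loop, `IdentityReferenceCollection currentSIDs= identity.Groups;` is assigned and never read (the loop iterates `identity.Groups` directly), so it can be dropped. Separately, the `@ -2138,7 +2155,7` hunk turns `//System.Console.ReadLine(); //For debugging` into a live call at the end of `Main`, which makes every interactive run wait for Enter before exiting although the trailing comment still says it is for debugging; it should stay commented out or be gated behind a flag. The enclosing methods of both hunks start outside the hunk.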
@ -15,9 +15,13 @@ namespace winPEAS
|
||||
{
|
||||
class ServicesInfo
|
||||
{
|
||||
///////////////////////////////////////////////
|
||||
//// Non Standard Services (Non Microsoft) ////
|
||||
///////////////////////////////////////////////
|
||||
public static List<Dictionary<string, string>> GetNonstandardServices()
|
||||
{
|
||||
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
|
||||
|
||||
try
|
||||
{
|
||||
ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT * FROM win32_service");
|
||||
@ -74,6 +78,7 @@ namespace winPEAS
|
||||
foreach (string key in MyUtils.GetRegSubkeys("HKLM", @"SYSTEM\CurrentControlSet\Services"))
|
||||
{
|
||||
Dictionary<string, object> key_values = MyUtils.GetRegValues("HKLM", @"SYSTEM\CurrentControlSet\Services\" + key);
|
||||
|
||||
if (key_values.ContainsKey("DisplayName") && key_values.ContainsKey("ImagePath"))
|
||||
{
|
||||
string companyName = "";
|
||||
@ -146,99 +151,11 @@ namespace winPEAS
|
||||
return results;
|
||||
}
|
||||
|
||||
public static List<Dictionary<string, string>> GetWriteServiceRegs(List<string> NtAccountNames)
|
||||
{
|
||||
List<Dictionary<string,string>> results = new List<Dictionary<string, string>>();
|
||||
try
|
||||
{
|
||||
RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services");
|
||||
foreach (string serviceRegName in regKey.GetSubKeyNames())
|
||||
{
|
||||
RegistryKey key = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services\" + serviceRegName);
|
||||
List<string> perms = MyUtils.CheckAccessReg(key, NtAccountNames);
|
||||
if (perms.Count > 0)
|
||||
{
|
||||
results.Add(new Dictionary<string, string> {
|
||||
{ "Path", @"HKLM\system\currentcontrolset\services\" + serviceRegName },
|
||||
{ "Permissions", string.Join(", ", perms) }
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
|
||||
public static List<Dictionary<string, string>> GetRegistryAutoRuns(List<string> NtAccountNames)
|
||||
{
|
||||
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
|
||||
try
|
||||
{
|
||||
string[] autorunLocations = new string[] {
|
||||
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
|
||||
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
|
||||
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
|
||||
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
|
||||
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService",
|
||||
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService",
|
||||
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService",
|
||||
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
|
||||
};
|
||||
|
||||
foreach (string autorunLocation in autorunLocations)
|
||||
{
|
||||
Dictionary<string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation);
|
||||
if ((settings != null) && (settings.Count != 0))
|
||||
{
|
||||
foreach (KeyValuePair<string, object> kvp in settings)
|
||||
{
|
||||
RegistryKey key = Registry.LocalMachine.OpenSubKey(autorunLocation);
|
||||
|
||||
string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
|
||||
string folder = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", ""));
|
||||
results.Add(new Dictionary<string, string>() {
|
||||
{ "Reg", "HKLM\\"+autorunLocation },
|
||||
{ "Folder", folder },
|
||||
{ "File", filepath },
|
||||
{ "RegPermissions", string.Join(", ", MyUtils.CheckAccessReg(key, NtAccountNames)) },
|
||||
{ "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups))},
|
||||
{ "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.interestingUsersGroups))},
|
||||
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
|
||||
public static Dictionary<string, string> GetPathDLLHijacking()
|
||||
{
|
||||
Dictionary<string, string> results = new Dictionary<string, string>();
|
||||
try
|
||||
{
|
||||
var path_env = Environment.GetEnvironmentVariable("PATH");
|
||||
List<string> folders = path_env.Split(';').ToList();
|
||||
foreach (string folder in folders)
|
||||
{
|
||||
results[folder] = String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups));
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
|
||||
//////////////////////////////////////////
|
||||
/////// Find Modifiable Services ////////
|
||||
//////////////////////////////////////////
|
||||
/// Find services that you can modify using PS os sc for example
|
||||
[DllImport("advapi32.dll", SetLastError = true)]
|
||||
static extern bool QueryServiceObjectSecurity(
|
||||
IntPtr serviceHandle,
|
||||
@ -246,7 +163,7 @@ namespace winPEAS
|
||||
byte[] lpSecDesrBuf,
|
||||
uint bufSize,
|
||||
out uint bufSizeNeeded);
|
||||
public static Dictionary<string,string> GetModifiableServices()
|
||||
public static Dictionary<string, string> GetModifiableServices(Dictionary<string, string> SIDs)
|
||||
{
|
||||
Dictionary<string, string> results = new Dictionary<string, string>();
|
||||
|
||||
@ -291,17 +208,15 @@ namespace winPEAS
|
||||
RawAcl racl = rsd.DiscretionaryAcl;
|
||||
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
|
||||
|
||||
WindowsIdentity identity = WindowsIdentity.GetCurrent();
|
||||
|
||||
string permissions = "";
|
||||
|
||||
foreach (System.Security.AccessControl.CommonAce ace in dacl)
|
||||
{
|
||||
if (identity.Groups.Contains(ace.SecurityIdentifier))
|
||||
if (SIDs.ContainsKey(ace.SecurityIdentifier.ToString()))
|
||||
{
|
||||
int serviceRights = ace.AccessMask;
|
||||
|
||||
string current_perm_str = MyUtils.permInt2Str(serviceRights, true);
|
||||
string current_perm_str = MyUtils.PermInt2Str(serviceRights, true);
|
||||
if (!String.IsNullOrEmpty(current_perm_str))
|
||||
permissions += current_perm_str;
|
||||
}
|
||||
@ -309,7 +224,7 @@ namespace winPEAS
|
||||
|
||||
if (!String.IsNullOrEmpty(permissions))
|
||||
results.Add(sc.ServiceName, permissions);
|
||||
|
||||
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
@ -318,5 +233,113 @@ namespace winPEAS
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
//////////////////////////////////////////
|
||||
/////// Find Write reg. Services ////////
|
||||
//////////////////////////////////////////
|
||||
/// Find Services which Reg you have write or equivalent access
|
||||
public static List<Dictionary<string, string>> GetWriteServiceRegs(Dictionary<string,string> NtAccountNames)
|
||||
{
|
||||
List<Dictionary<string,string>> results = new List<Dictionary<string, string>>();
|
||||
try
|
||||
{
|
||||
RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services");
|
||||
foreach (string serviceRegName in regKey.GetSubKeyNames())
|
||||
{
|
||||
RegistryKey key = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services\" + serviceRegName);
|
||||
List<string> perms = MyUtils.GetMyPermissionsR(key, NtAccountNames);
|
||||
if (perms.Count > 0)
|
||||
{
|
||||
results.Add(new Dictionary<string, string> {
|
||||
{ "Path", @"HKLM\system\currentcontrolset\services\" + serviceRegName },
|
||||
{ "Permissions", string.Join(", ", perms) }
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
//////////////////////////////////////
|
||||
/////// Get Autorun Registry ////////
|
||||
//////////////////////////////////////
|
||||
/// Find Autoru registry where you have write or equivalent access
|
||||
public static List<Dictionary<string, string>> GetRegistryAutoRuns(Dictionary<string,string> NtAccountNames)
|
||||
{
|
||||
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
|
||||
try
|
||||
{
|
||||
string[] autorunLocations = new string[] {
|
||||
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
|
||||
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
|
||||
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
|
||||
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
|
||||
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService",
|
||||
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService",
|
||||
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService",
|
||||
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
|
||||
};
|
||||
|
||||
foreach (string autorunLocation in autorunLocations)
|
||||
{
|
||||
Dictionary<string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation);
|
||||
if ((settings != null) && (settings.Count != 0))
|
||||
{
|
||||
foreach (KeyValuePair<string, object> kvp in settings)
|
||||
{
|
||||
RegistryKey key = Registry.LocalMachine.OpenSubKey(autorunLocation);
|
||||
|
||||
string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
|
||||
string folder = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", ""));
|
||||
results.Add(new Dictionary<string, string>() {
|
||||
{ "Reg", "HKLM\\"+autorunLocation },
|
||||
{ "Folder", folder },
|
||||
{ "File", filepath },
|
||||
{ "RegPermissions", string.Join(", ", MyUtils.GetMyPermissionsR(key, NtAccountNames)) },
|
||||
{ "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs))},
|
||||
{ "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.currentUserSIDs))},
|
||||
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
|
||||
|
||||
//////////////////////////////////////
|
||||
//////// PATH DLL Hijacking /////////
|
||||
//////////////////////////////////////
|
||||
/// Look for write or equivalent permissions on ay folder in PATH
|
||||
public static Dictionary<string, string> GetPathDLLHijacking()
|
||||
{
|
||||
Dictionary<string, string> results = new Dictionary<string, string>();
|
||||
try
|
||||
{
|
||||
// grabbed from the registry instead of System.Environment.GetEnvironmentVariable to prevent false positives
|
||||
string path = MyUtils.GetRegValue("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "Path");
|
||||
if (String.IsNullOrEmpty(path))
|
||||
path = Environment.GetEnvironmentVariable("PATH");
|
||||
|
||||
List<string> folders = path.Split(';').ToList();
|
||||
|
||||
foreach (string folder in folders)
|
||||
results[folder] = String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs));
|
||||
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return results;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -349,6 +349,53 @@ namespace winPEAS
|
||||
return myItems;
|
||||
}
|
||||
|
||||
|
||||
public static string SID2GroupName(string SID)
|
||||
{
|
||||
string groupName = "";
|
||||
ContextType ct = ContextType.Domain;
|
||||
if (Program.currentUserIsLocal)
|
||||
ct = ContextType.Machine;
|
||||
|
||||
try
|
||||
{
|
||||
groupName = GetSIDGroupName(SID, ct);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}\n Checking using the other Principal Context", ex.Message));
|
||||
try
|
||||
{
|
||||
if (ct == ContextType.Machine)
|
||||
groupName = GetSIDGroupName(SID, ContextType.Domain);
|
||||
else
|
||||
groupName = GetSIDGroupName(SID, ContextType.Machine);
|
||||
}
|
||||
catch
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}\n Checking using the other Principal Context"));
|
||||
}
|
||||
}
|
||||
return groupName;
|
||||
}
|
||||
|
||||
public static string GetSIDGroupName(string SID, ContextType ct)
|
||||
{
|
||||
string groupName = "";
|
||||
try
|
||||
{
|
||||
var ctx = new PrincipalContext(ct);
|
||||
var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.Sid, SID);
|
||||
return group.SamAccountName.ToString();
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
|
||||
}
|
||||
return groupName;
|
||||
}
|
||||
|
||||
|
||||
public static UserPrincipal GetUser(string sUserName, string domain)
|
||||
{
|
||||
UserPrincipal user = null;
|
||||
|
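Review bot: The fallback to the other PrincipalContext in SID2GroupName can never run, because GetSIDGroupName catches every exception itself and returns "", so the outer `catch (Exception ex)` around the first call is dead and an unresolved SID silently yields an empty name without the second context ever being tried. Lookup failure should be detected from the result instead of an exception: `groupName = GetSIDGroupName(SID, ct);` followed by `if (String.IsNullOrEmpty(groupName)) groupName = GetSIDGroupName(SID, ct == ContextType.Machine ? ContextType.Domain : ContextType.Machine);`, which also removes the inner bare `catch` whose `String.Format(" [X] Exception: {0}\n Checking using the other Principal Context")` passes a `{0}` placeholder with no argument and would itself throw FormatException from inside the handler. In GetSIDGroupName, `GroupPrincipal.FindByIdentity` returns null for an unknown SID, which currently surfaces as a NullReferenceException printed as an " [X] Exception" line, so a `if (group == null) return "";` guard before the `.SamAccountName` access would keep the output clean, and the PrincipalContext is disposable and should be created in a `using` block. GetUser begins at the end of this hunk and continues outside it; the file header for this section is not rendered, so the file is inferred from its members.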
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -7,3 +7,12 @@ D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\o
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.csproj.CopyComplete
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.exe
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.pdb
|
||||
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Debug\winPEAS.exe.config
|
||||
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Debug\winPEAS.exe
|
||||
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Debug\winPEAS.pdb
|
||||
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Debug\Microsoft.Win32.TaskScheduler.xml
|
||||
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.csprojAssemblyReference.cache
|
||||
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.csproj.Fody.CopyLocal.cache
|
||||
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.csproj.CopyComplete
|
||||
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.exe
|
||||
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.pdb
|
||||
|
@ -1 +1 @@
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\packages\TaskScheduler.2.8.16\lib\net40\Microsoft.Win32.TaskScheduler.xml
|
||||
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\packages\TaskScheduler.2.8.16\lib\net40\Microsoft.Win32.TaskScheduler.xml
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -11,7 +11,7 @@
|
||||
<StartArguments>cmd fast</StartArguments>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x64'">
|
||||
<StartArguments>help</StartArguments>
|
||||
<StartArguments>fast</StartArguments>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x86'">
|
||||
<StartArguments>
|
||||
|