mirror of
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
synced 2026-02-04 19:56:33 +00:00
Brief description of your changes
This commit is contained in:
Jimmy
@@ -2,9 +2,9 @@
|
||||
|
||||
|
||||
|
||||
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
|
||||
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
|
||||
|
||||
Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
|
||||
Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
|
||||
|
||||
[](https://youtu.be/66gOwXMnxRI)
|
||||
|
||||
|
||||
@@ -56,7 +56,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software", "Check if you can modify installed software");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications", "Check if you can modify installed software");
|
||||
SortedDictionary<string, Dictionary<string, string>> installedAppsPerms = InstalledApps.GetInstalledAppsPerms();
|
||||
string format = " ==> {0} ({1})";
|
||||
|
||||
@@ -102,7 +102,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Autorun Applications");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
|
||||
List<Dictionary<string, string>> apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs);
|
||||
|
||||
foreach (Dictionary<string, string> app in apps)
|
||||
@@ -189,7 +189,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Scheduled Applications --Non Microsoft--");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users scheduled binaries");
|
||||
List<Dictionary<string, string>> scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft();
|
||||
|
||||
foreach (Dictionary<string, string> sapp in scheduled_apps)
|
||||
@@ -239,7 +239,7 @@ namespace winPEAS.Checks
|
||||
{
|
||||
Beaprint.MainPrint("Device Drivers --Non Microsoft--");
|
||||
// this link is not very specific, but its the best on hacktricks
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
|
||||
|
||||
foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
|
||||
{
|
||||
|
||||
@@ -12,10 +12,10 @@ namespace winPEAS.Checks
|
||||
|
||||
Dictionary<string, string> colorsTraining = new Dictionary<string, string>()
|
||||
{
|
||||
{ "training.hacktricks.xyz", Beaprint.ansi_color_good },
|
||||
{ "training.hacktricks.wiki", Beaprint.ansi_color_good },
|
||||
{ "Learn & practice cloud hacking in", Beaprint.ansi_color_yellow },
|
||||
};
|
||||
Beaprint.AnsiPrint("Learn and practice cloud hacking in training.hacktricks.xyz", colorsTraining);
|
||||
Beaprint.AnsiPrint("Learn and practice cloud hacking in training.hacktricks.wiki", colorsTraining);
|
||||
|
||||
var cloudInfoList = new List<CloudInfoBase>
|
||||
{
|
||||
|
||||
@@ -151,7 +151,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Cloud Credentials");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
|
||||
List<Dictionary<string, string>> could_creds = KnownFileCredsInfo.ListCloudCreds();
|
||||
if (could_creds.Count != 0)
|
||||
{
|
||||
@@ -382,7 +382,7 @@ namespace winPEAS.Checks
|
||||
string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };
|
||||
|
||||
Beaprint.MainPrint("Looking for possible regs with creds");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#inside-the-registry");
|
||||
|
||||
string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
|
||||
if (!string.IsNullOrEmpty(winVnc4.Trim()))
|
||||
@@ -431,7 +431,7 @@ namespace winPEAS.Checks
|
||||
};
|
||||
|
||||
Beaprint.MainPrint("Looking for possible password files in users homes");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
|
||||
var fileInfos = SearchHelper.SearchUserCredsFiles();
|
||||
|
||||
foreach (var fileInfo in fileInfos)
|
||||
@@ -470,7 +470,7 @@ namespace winPEAS.Checks
|
||||
};
|
||||
|
||||
Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
|
||||
List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
|
||||
|
||||
foreach (Dictionary<string, string> rec_file in recy_files)
|
||||
@@ -506,7 +506,7 @@ namespace winPEAS.Checks
|
||||
};
|
||||
|
||||
Beaprint.MainPrint("Searching known files that can contain creds in home");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
|
||||
|
||||
var files = SearchHelper.SearchUsersInterestingFiles();
|
||||
|
||||
|
||||
@@ -24,7 +24,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Interesting Processes -non Microsoft-");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
|
||||
List<Dictionary<string, string>> processesInfo = ProcessesInfo.GetProcInfo();
|
||||
|
||||
foreach (Dictionary<string, string> procInfo in processesInfo)
|
||||
@@ -93,7 +93,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Vulnerable Leaked Handlers");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#leaked-handlers");
|
||||
|
||||
List<Dictionary<string, string>> vulnHandlers = new List<Dictionary<string, string>>();
|
||||
|
||||
|
||||
@@ -42,7 +42,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Interesting Services -non Microsoft-");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
|
||||
|
||||
List<Dictionary<string, string>> services_info = ServicesInfoHelper.GetNonstandardServices();
|
||||
|
||||
@@ -121,7 +121,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Modifiable Services");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can modify any service");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services", "Check if you can modify any service");
|
||||
if (modifiableServices.Count > 0)
|
||||
{
|
||||
Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
|
||||
@@ -158,7 +158,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking if you can modify any service registry");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions", "Check if you can modify the registry of a service");
|
||||
List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(Checks.CurrentUserSiDs);
|
||||
|
||||
Dictionary<string, string> colorsWR = new Dictionary<string, string>()
|
||||
@@ -186,7 +186,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking", "Check for DLL Hijacking in PATH folders");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking", "Check for DLL Hijacking in PATH folders");
|
||||
Dictionary<string, string> path_dllhijacking = ServicesInfoHelper.GetPathDLLHijacking();
|
||||
foreach (KeyValuePair<string, string> entry in path_dllhijacking)
|
||||
{
|
||||
|
||||
@@ -98,7 +98,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Basic System Information");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits", "Check if the Windows versions is vulnerable to some known exploit");
|
||||
Dictionary<string, string> basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo();
|
||||
basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + basicDictSystem["Hotfixes"] + Beaprint.NOCOLOR;
|
||||
Dictionary<string, string> colorsSI = new Dictionary<string, string>
|
||||
@@ -337,7 +337,7 @@ namespace winPEAS.Checks
|
||||
static void PrintWdigest()
|
||||
{
|
||||
Beaprint.MainPrint("Wdigest");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest", "If enabled, plain-text crds could be stored in LSASS");
|
||||
string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential");
|
||||
if (useLogonCredential == "1")
|
||||
Beaprint.BadPrint(" Wdigest is active");
|
||||
@@ -348,7 +348,7 @@ namespace winPEAS.Checks
|
||||
static void PrintLSAProtection()
|
||||
{
|
||||
Beaprint.MainPrint("LSA Protection");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
|
||||
string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL");
|
||||
if (useLogonCredential == "1")
|
||||
Beaprint.GoodPrint(" LSA Protection is active");
|
||||
@@ -359,7 +359,7 @@ namespace winPEAS.Checks
|
||||
static void PrintCredentialGuard()
|
||||
{
|
||||
Beaprint.MainPrint("Credentials Guard");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard", "If enabled, a driver is needed to read LSASS memory");
|
||||
string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags");
|
||||
|
||||
if (lsaCfgFlags == "1")
|
||||
@@ -384,7 +384,7 @@ namespace winPEAS.Checks
|
||||
{
|
||||
try{
|
||||
Beaprint.MainPrint("Cached Creds");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
|
||||
string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
|
||||
if (!string.IsNullOrEmpty(cachedlogonscount))
|
||||
{
|
||||
@@ -526,7 +526,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("UAC Status");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss", "If you are in the Administrators group check how to bypass the UAC");
|
||||
Dictionary<string, string> uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies();
|
||||
|
||||
Dictionary<string, string> colorsSI = new Dictionary<string, string>()
|
||||
@@ -559,7 +559,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Checking WSUS");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus");
|
||||
string path = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
|
||||
string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
|
||||
string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer");
|
||||
@@ -594,7 +594,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Checking KrbRelayUp");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayupp");
|
||||
|
||||
if (Checks.CurrentAdDomainName.Length > 0)
|
||||
{
|
||||
@@ -640,7 +640,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Checking AlwaysInstallElevated");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated");
|
||||
string path = "Software\\Policies\\Microsoft\\Windows\\Installer";
|
||||
string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated");
|
||||
string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated");
|
||||
|
||||
@@ -78,7 +78,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Users");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups", "Check if you have some admin equivalent privileges");
|
||||
|
||||
List<string> usersGrps = User.GetMachineUsers(false, false, false, false, true);
|
||||
|
||||
@@ -109,7 +109,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Current Token privileges");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation", "Check if you can escalate privilege using some enabled token");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation", "Check if you can escalate privilege using some enabled token");
|
||||
Dictionary<string, string> tokenPrivs = Token.GetTokenGroupPrivs();
|
||||
Beaprint.DictPrint(tokenPrivs, ColorsU(), false);
|
||||
}
|
||||
|
||||
@@ -48,7 +48,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Checking Windows Vault");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault");
|
||||
var vaultCreds = VaultCli.DumpVault();
|
||||
|
||||
var colorsC = new Dictionary<string, string>()
|
||||
@@ -68,7 +68,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Checking Credential manager");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault");
|
||||
|
||||
var colorsC = new Dictionary<string, string>()
|
||||
{
|
||||
@@ -153,7 +153,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Checking for DPAPI Master Keys");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi");
|
||||
var masterKeys = KnownFileCredsInfo.ListMasterKeys();
|
||||
|
||||
if (masterKeys.Count != 0)
|
||||
@@ -181,7 +181,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Checking for DPAPI Credential Files");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi");
|
||||
var credFiles = KnownFileCredsInfo.GetCredFiles();
|
||||
Beaprint.DictPrint(credFiles, false);
|
||||
|
||||
@@ -201,7 +201,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Checking for RDCMan Settings Files");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager",
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager",
|
||||
"Dump credentials from Remote Desktop Connection Manager");
|
||||
var rdcFiles = RemoteDesktop.GetRDCManFiles();
|
||||
Beaprint.DictPrint(rdcFiles, false);
|
||||
@@ -222,7 +222,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking for Kerberos tickets");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html");
|
||||
var kerberosTickets = Kerberos.ListKerberosTickets();
|
||||
|
||||
Beaprint.DictPrint(kerberosTickets, false);
|
||||
@@ -307,7 +307,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking AppCmd.exe");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe");
|
||||
|
||||
var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
|
||||
|
||||
@@ -368,7 +368,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking SSClient.exe");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm");
|
||||
|
||||
if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe")))
|
||||
{
|
||||
|
||||
@@ -81,7 +81,7 @@ namespace winPEAS.Helpers
|
||||
/---------------------------------------------------------------------------------\
|
||||
| {1}Do you like PEASS?{0} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
| {3}Learn Cloud Hacking{0} : {2}training.hacktricks.xyz{0} |
|
||||
| {3}Learn Cloud Hacking{0} : {2}training.hacktricks.wiki{0} |
|
||||
| {3}Follow on Twitter{0} : {2}@hacktricks_live{0} |
|
||||
| {3}Respect on HTB{0} : {2}SirBroccoli {0} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
@@ -104,7 +104,7 @@ namespace winPEAS.Helpers
|
||||
|
||||
PrintLegend();
|
||||
Console.WriteLine();
|
||||
Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation");
|
||||
Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html");
|
||||
}
|
||||
|
||||
static void PrintLegend()
|
||||
|
||||
@@ -112,7 +112,7 @@ namespace winPEAS.Info.UserInfo
|
||||
{ "520", "Group Policy Creator Owners" }, //A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
|
||||
{ "521", "Read-only Domain Controllers" }, //A global group. Members of this group are read-only domain controllers in the domain.
|
||||
{ "522", "Cloneable Domain Controllers" }, //A global group. Members of this group that are domain controllers may be cloned.
|
||||
{ "525", "Protected Users" }, //https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#protected-users
|
||||
{ "525", "Protected Users" }, //https://book.hacktricks.wiki/en/windows-hardening/stealing-credentials/credentials-protections.html#protected-users
|
||||
{ "526", "Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
|
||||
{ "527", "Enterprise Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
|
||||
{ "553", "RAS and IAS Servers" }, //A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
|
||||
|
||||
@@ -27,7 +27,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking for Chrome DBs");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||
Dictionary<string, string> chromeDBs = GetChromeDbs();
|
||||
|
||||
if (chromeDBs.ContainsKey("userChromeCookiesPath"))
|
||||
@@ -59,7 +59,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking for GET credentials in Chrome history");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||
Dictionary<string, List<string>> chromeHistBook = GetChromeHistBook();
|
||||
List<string> history = chromeHistBook["history"];
|
||||
List<string> bookmarks = chromeHistBook["bookmarks"];
|
||||
|
||||
@@ -28,7 +28,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking for Firefox DBs");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||
List<string> firefoxDBs = GetFirefoxDbs();
|
||||
if (firefoxDBs.Count > 0)
|
||||
{
|
||||
@@ -55,7 +55,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking for GET credentials in Firefox history");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||
List<string> history = GetFirefoxHistory();
|
||||
if (history.Count > 0)
|
||||
{
|
||||
|
||||
@@ -29,7 +29,7 @@ namespace winPEAS.KnownFileCreds.Browsers
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Current IE tabs");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||
List<string> urls = GetCurrentIETabs();
|
||||
|
||||
Dictionary<string, string> colorsB = new Dictionary<string, string>()
|
||||
@@ -50,7 +50,7 @@ namespace winPEAS.KnownFileCreds.Browsers
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking for GET credentials in IE history");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||
Dictionary<string, List<string>> ieHistoryBook = GetIEHistFav();
|
||||
List<string> history = ieHistoryBook["history"];
|
||||
List<string> favorites = ieHistoryBook["favorites"];
|
||||
|
||||
@@ -57,7 +57,7 @@ namespace winPEAS.KnownFileCreds
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("SSH keys in registry");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys");
|
||||
|
||||
string[] ssh_reg = RegistryHelper.GetRegSubkeys("HKCU", @"OpenSSH\Agent\Keys");
|
||||
if (ssh_reg.Length == 0)
|
||||
|
||||
Reference in New Issue
Block a user