PenTest/privilege-escalation-awesome-scripts-suite
1
0
Fork 0
mirror of https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git synced 2025-12-10 18:59:02 +00:00
Code Issues Projects Releases Wiki Activity

- refactoring & cleanup

Browse Source 
- TODO: first version of AppLocker implementation
- CredentialManager implementation
- added check of LsaCompatiblityLevel
- updated GetAutoRunsFolder
- updated PrintTranscriptPS
This commit is contained in:
makikvues
2021-01-17 23:38:39 +01:00
parent 448a1aaf5b
commit e16234b773
37 changed files with 2229 additions and 385 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
View File

@@ -252,20 +252,27 @@ namespace winPEAS.Checks
{ {
try try
{ {
string[] pass_reg_hkcu = new string[] { @"Software\ORL\WinVNC3\Password", @"Software\TightVNC\Server", @"Software\SimonTatham\PuTTY\Sessions" }; string[] passRegHkcu = new string[] { @"Software\ORL\WinVNC3\Password", @"Software\TightVNC\Server", @"Software\SimonTatham\PuTTY\Sessions" };
string[] pass_reg_hklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" }; string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };
Beaprint.MainPrint("Looking for possible regs with creds"); Beaprint.MainPrint("Looking for possible regs with creds");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry");
string winVNC4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "passwword"); string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "passwword");
if (!string.IsNullOrEmpty(winVNC4.Trim())) if (!string.IsNullOrEmpty(winVnc4.Trim()))
Beaprint.BadPrint(winVNC4); {
Beaprint.BadPrint(winVnc4);
}
foreach (string reg_hkcu in pass_reg_hkcu) foreach (string regHkcu in passRegHkcu)
Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", reg_hkcu), false); {
foreach (string reg_hklm in pass_reg_hklm) Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHkcu), false);
Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", reg_hklm), false); }
foreach (string regHklm in passRegHklm)
{
Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHklm), false);
}
} }
catch (Exception ex) catch (Exception ex)
{ {
@@ -277,11 +284,7 @@ namespace winPEAS.Checks
{ {
try try
{ {
string patterns = "*credential*;*password*";
string pattern_color = "[cC][rR][eE][dD][eE][nN][tT][iI][aA][lL]|[pP][aA][sS][sS][wW][oO][rR][dD]"; string pattern_color = "[cC][rR][eE][dD][eE][nN][tT][iI][aA][lL]|[pP][aA][sS][sS][wW][oO][rR][dD]";
var valid_extensions = new List<string>() { ".txt", ".conf", ".cnf", ".yml", ".yaml", ".doc", ".docx", ".xlsx", ".json", ".xml" };
var validExtensions = new HashSet<string> var validExtensions = new HashSet<string>
{ {
".cnf", ".cnf",
@@ -303,12 +306,10 @@ namespace winPEAS.Checks
Beaprint.MainPrint("Looking for possible password files in users homes"); Beaprint.MainPrint("Looking for possible password files in users homes");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
string searchPath = $"{Environment.GetEnvironmentVariable("SystemDrive") + "\\Users"}\\"; var fileInfos = SearchHelper.SearchUserCredsFiles();
List<CustomFileInfo> fileInfos = SearchHelper.SearchUserCredsFiles();
foreach (var fileInfo in fileInfos) foreach (var fileInfo in fileInfos)
{ {
// if (!Path.GetFileName(file_path).Contains("."))
if (!fileInfo.Filename.Contains(".")) if (!fileInfo.Filename.Contains("."))
{ {
Beaprint.AnsiPrint(" " + fileInfo.FullPath, colorF); Beaprint.AnsiPrint(" " + fileInfo.FullPath, colorF);
@@ -321,14 +322,6 @@ namespace winPEAS.Checks
{ {
Beaprint.AnsiPrint(" " + fileInfo.FullPath, colorF); Beaprint.AnsiPrint(" " + fileInfo.FullPath, colorF);
} }
//foreach (string ext in valid_extensions)
//{
// if (file_path.Contains(ext))
// {
// Beaprint.AnsiPrint(" " + file_path, colorF);
// }
//}
} }
} }
} }
@@ -345,7 +338,6 @@ namespace winPEAS.Checks
//string pattern_bin = _patternsFileCreds + ";*password*;*credential*"; //string pattern_bin = _patternsFileCreds + ";*password*;*credential*";
string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*"; string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*";
Dictionary<string, string> colorF = new Dictionary<string, string>() Dictionary<string, string> colorF = new Dictionary<string, string>()
{ {
{ _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad }, { _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad },
@@ -405,8 +397,8 @@ namespace winPEAS.Checks
try try
{ {
Beaprint.MainPrint("Looking for documents --limit 100--"); Beaprint.MainPrint("Looking for documents --limit 100--");
List<string> doc_files = InterestingFiles.InterestingFiles.ListUsersDocs(); List<string> docFiles = InterestingFiles.InterestingFiles.ListUsersDocs();
Beaprint.ListPrint(doc_files.GetRange(0, doc_files.Count <= 100 ? doc_files.Count : 100)); Beaprint.ListPrint(docFiles.GetRange(0, docFiles.Count <= 100 ? docFiles.Count : 100));
} }
catch (Exception ex) catch (Exception ex)
{ {
@@ -432,7 +424,6 @@ namespace winPEAS.Checks
{ {
Beaprint.AnsiPrint(" " + recF["Target"] + "(" + recF["Accessed"] + ")", colorF); Beaprint.AnsiPrint(" " + recF["Target"] + "(" + recF["Accessed"] + ")", colorF);
} }
} }
else else
{ {

147
winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
View File

@@ -1,7 +1,10 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.IO; using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using winPEAS.Helpers; using winPEAS.Helpers;
using winPEAS.Helpers.AppLocker;
using winPEAS._3rdParty.Watson; using winPEAS._3rdParty.Watson;
namespace winPEAS.Checks namespace winPEAS.Checks
@@ -36,6 +39,8 @@ namespace winPEAS.Checks
PrintDrivesInfo, PrintDrivesInfo,
PrintWSUS, PrintWSUS,
PrintAlwaysInstallElevated, PrintAlwaysInstallElevated,
PrintLsaCompatiblityLevel,
PrintApplockerPolicy
}.ForEach(action => CheckRunner.Run(action, isDebug)); }.ForEach(action => CheckRunner.Run(action, isDebug));
} }
@@ -90,19 +95,60 @@ namespace winPEAS.Checks
Beaprint.MainPrint("PS default transcripts history"); Beaprint.MainPrint("PS default transcripts history");
Beaprint.InfoPrint("Read the PS history inside these files (if any)"); Beaprint.InfoPrint("Read the PS history inside these files (if any)");
string drive = Path.GetPathRoot(Environment.SystemDirectory); string drive = Path.GetPathRoot(Environment.SystemDirectory);
string path = drive + @"transcripts\"; string transcriptsPath = drive + @"transcripts\";
if (Directory.Exists(path)) string usersPath = $"{drive}users";
{
string[] fileEntries = Directory.GetFiles(path); string[] users = Directory.GetDirectories(usersPath, "*", SearchOption.TopDirectoryOnly);
List<string> fileEntriesl = new List<string>(fileEntries); string powershellTranscriptFilter = "powershell_transcript*";
if (fileEntries.Length > 0)
{ var colors = new Dictionary<string, string>()
Dictionary<string, string> colors = new Dictionary<string, string>()
{ {
{ "^.*", Beaprint.ansi_color_bad }, { "^.*", Beaprint.ansi_color_bad },
}; };
Beaprint.ListPrint(fileEntriesl, colors);
var results = new List<string>();
var dict = new Dictionary<string, string>()
{
// check \\transcripts\ folder
{transcriptsPath, "*"},
};
foreach (var user in users)
{
// check the users directories
dict.Add($"{user}\\Documents", powershellTranscriptFilter);
} }
foreach (var kvp in dict)
{
var path = kvp.Key;
var filter = kvp.Value;
if (Directory.Exists(path))
{
try
{
var files = Directory.GetFiles(path, filter, SearchOption.TopDirectoryOnly).ToList();
foreach (var file in files)
{
var fileInfo = new FileInfo(file);
var humanReadableSize = MyUtils.ConvertBytesToHumanReadable(fileInfo.Length);
var item = $"[{humanReadableSize}] - {file}";
results.Add(item);
}
}
catch (UnauthorizedAccessException) { }
catch (PathTooLongException) { }
catch (DirectoryNotFoundException) { }
}
}
if (results.Count > 0)
{
Beaprint.ListPrint(results, colors);
} }
} }
catch (Exception ex) catch (Exception ex)
@@ -425,5 +471,88 @@ namespace winPEAS.Checks
Beaprint.PrintException(ex.Message); Beaprint.PrintException(ex.Message);
} }
} }
private void PrintLsaCompatiblityLevel()
{
try
{
string hive = "HKLM";
string path = "SYSTEM\\CurrentControlSet\\Control\\Lsa\\";
string key = "LmCompatibilityLevel";
Beaprint.MainPrint($"Checking {hive}\\{path}{key}");
string lmCompatibilityLevelValue = RegistryHelper.GetRegValue(hive, path, key);
Dictionary<int, string> dict = new Dictionary<int, string>()
{
{ 0, "Send LM & NTLM responses" },
{ 1, "Send LM & NTLM responses, use NTLMv2 session security if negotiated" },
{ 2, "Send NTLM response only" },
{ 3, "Send NTLMv2 response only" },
{ 4, "Send NTLMv2 response only, refuse LM" },
{ 5, "Send NTLMv2 response only, refuse LM & NTLM" },
};
if (!string.IsNullOrEmpty(lmCompatibilityLevelValue))
{
if (int.TryParse(lmCompatibilityLevelValue, out int lmCompatibilityLevel))
{
string color = lmCompatibilityLevel == 5 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
if (dict.TryGetValue(lmCompatibilityLevel, out string description))
{
Beaprint.ColorPrint($" value: {lmCompatibilityLevel}, description: {description}", color);
}
else
{
throw new Exception($"Unable to get value description for value '{lmCompatibilityLevel}'");
}
}
else
{
throw new Exception($"Unable to parse {key} value '{lmCompatibilityLevelValue}'");
}
}
else
{
Beaprint.ColorPrint(" The registry key does not exist", Beaprint.ansi_color_yellow);
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintApplockerPolicy()
{
Beaprint.MainPrint("Checking AppLocker effective policy");
try
{
string[] ruleTypes = new string[] { "All" };
string ldapPath = "";
bool allowOnly = false;
bool denyOnly = false;
string applockerSettings = SharpAppLocker.GetAppLockerPolicy(SharpAppLocker.PolicyType.Effective, ruleTypes, ldapPath, allowOnly, denyOnly);
var colors = new Dictionary<string, string>()
{
{ "/>", Beaprint.DGRAY },
{ "<", Beaprint.DGRAY },
{ "NotConfigured", Beaprint.ansi_color_bad },
};
Beaprint.AnsiPrint(applockerSettings, colors);
}
catch (COMException ex)
{
Beaprint.ColorPrint(" AppLocker unsupported on this Windows version.", Beaprint.ansi_color_yellow);
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
} }
} }

4
winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs
View File

@@ -225,7 +225,7 @@ namespace winPEAS.Checks
{ {
Beaprint.MainPrint("Looking for AutoLogon credentials"); Beaprint.MainPrint("Looking for AutoLogon credentials");
bool ban = false; bool ban = false;
Dictionary<string, string> autologon = Info.UserInfo.UserInfoHelper.GetAutoLogon(); Dictionary<string, string> autologon = UserInfoHelper.GetAutoLogon();
if (autologon.Count > 0) if (autologon.Count > 0)
{ {
foreach (KeyValuePair<string, string> entry in autologon) foreach (KeyValuePair<string, string> entry in autologon)
@@ -234,7 +234,7 @@ namespace winPEAS.Checks
{ {
if (!ban) if (!ban)
{ {
Beaprint.BadPrint(" Some AutoLogon credentials were found!!"); Beaprint.BadPrint(" Some AutoLogon credentials were found");
ban = true; ban = true;
} }
Beaprint.AnsiPrint(string.Format(" {0,-30}: {1}", entry.Key, entry.Value), ColorsU()); Beaprint.AnsiPrint(string.Format(" {0,-30}: {1}", entry.Key, entry.Value), ColorsU());

32
winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs
View File

@@ -3,6 +3,7 @@ using System.Collections.Generic;
using System.IO; using System.IO;
using System.Xml; using System.Xml;
using winPEAS.Helpers; using winPEAS.Helpers;
using winPEAS.Helpers.CredentialManager;
using winPEAS.KnownFileCreds; using winPEAS.KnownFileCreds;
using winPEAS.KnownFileCreds.Kerberos; using winPEAS.KnownFileCreds.Kerberos;
using winPEAS.KnownFileCreds.Vault; using winPEAS.KnownFileCreds.Vault;
@@ -70,15 +71,40 @@ namespace winPEAS.Checks
} }
else else
{ {
Beaprint.GrayPrint(" This function is not yet implemented."); var colorsC = new Dictionary<string, string>()
Beaprint.InfoPrint("If you want to list credentials inside Credential Manager use 'cmdkey /list'"); {
{ "Warning:", Beaprint.YELLOW },
};
Beaprint.AnsiPrint(" [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string\n\n", colorsC);
var keywords = new HashSet<string>
{
nameof(Credential.Password),
nameof(Credential.Username),
nameof(Credential.Target),
nameof(Credential.PersistenceType),
nameof(Credential.LastWriteTime),
};
colorsC = new Dictionary<string, string>()
{
{ CredentialManager.UnicodeInfoText, Beaprint.LBLUE }
};
foreach (var keyword in keywords)
{
colorsC.Add($"{keyword}:", Beaprint.ansi_color_bad);
}
var credentials = CredentialManager.GetCredentials();
Beaprint.ListPrint(credentials, colorsC);
} }
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.PrintException(ex.Message); Beaprint.PrintException(ex.Message);
} }
} }
static void PrintSavedRDPInfo() static void PrintSavedRDPInfo()

676
winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/AppLockerRules.cs Normal file
View File

@@ -0,0 +1,676 @@
using System.Collections.Generic;
namespace winPEAS.Helpers.AppLocker
{
// NOTE: Generated code may require at least .NET Framework 4.5 or .NET Core/Standard 2.0.
/// <remarks/>
[System.SerializableAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
[System.Xml.Serialization.XmlRootAttribute(Namespace = "", IsNullable = false)]
public partial class AppLockerPolicy
{
private AppLockerPolicyRuleCollection[] ruleCollectionField;
private byte versionField;
/// <remarks/>
[System.Xml.Serialization.XmlElementAttribute("RuleCollection")]
public AppLockerPolicyRuleCollection[] RuleCollection
{
get
{
return this.ruleCollectionField;
}
set
{
this.ruleCollectionField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public byte Version
{
get
{
return this.versionField;
}
set
{
this.versionField = value;
}
}
}
/// <remarks/>
[System.SerializableAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
public partial class AppLockerPolicyRuleCollection
{
private List<AppLockerPolicyRuleCollectionFileHashRule> fileHashRuleField;
private List<AppLockerPolicyRuleCollectionFilePathRule> filePathRuleField;
private List<AppLockerPolicyRuleCollectionFilePublisherRule> filePublisherRuleField;
private string typeField;
private string enforcementModeField;
/// <remarks/>
[System.Xml.Serialization.XmlElementAttribute("FileHashRule")]
public List<AppLockerPolicyRuleCollectionFileHashRule> FileHashRule
{
get
{
return this.fileHashRuleField;
}
set
{
this.fileHashRuleField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlElementAttribute("FilePathRule")]
public List<AppLockerPolicyRuleCollectionFilePathRule> FilePathRule
{
get
{
return this.filePathRuleField;
}
set
{
this.filePathRuleField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlElementAttribute("FilePublisherRule")]
public List<AppLockerPolicyRuleCollectionFilePublisherRule> FilePublisherRule
{
get
{
return this.filePublisherRuleField;
}
set
{
this.filePublisherRuleField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Type
{
get
{
return this.typeField;
}
set
{
this.typeField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string EnforcementMode
{
get
{
return this.enforcementModeField;
}
set
{
this.enforcementModeField = value;
}
}
}
/// <remarks/>
[System.SerializableAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
public partial class AppLockerPolicyRuleCollectionFileHashRule
{
private AppLockerPolicyRuleCollectionFileHashRuleFileHashCondition[] conditionsField;
private string idField;
private string nameField;
private string descriptionField;
private string userOrGroupSidField;
private string actionField;
/// <remarks/>
[System.Xml.Serialization.XmlArrayItemAttribute("FileHashCondition", IsNullable = false)]
public AppLockerPolicyRuleCollectionFileHashRuleFileHashCondition[] Conditions
{
get
{
return this.conditionsField;
}
set
{
this.conditionsField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Id
{
get
{
return this.idField;
}
set
{
this.idField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Name
{
get
{
return this.nameField;
}
set
{
this.nameField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Description
{
get
{
return this.descriptionField;
}
set
{
this.descriptionField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string UserOrGroupSid
{
get
{
return this.userOrGroupSidField;
}
set
{
this.userOrGroupSidField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Action
{
get
{
return this.actionField;
}
set
{
this.actionField = value;
}
}
}
/// <remarks/>
[System.SerializableAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
public partial class AppLockerPolicyRuleCollectionFileHashRuleFileHashCondition
{
private AppLockerPolicyRuleCollectionFileHashRuleFileHashConditionFileHash fileHashField;
/// <remarks/>
public AppLockerPolicyRuleCollectionFileHashRuleFileHashConditionFileHash FileHash
{
get
{
return this.fileHashField;
}
set
{
this.fileHashField = value;
}
}
}
/// <remarks/>
[System.SerializableAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
public partial class AppLockerPolicyRuleCollectionFileHashRuleFileHashConditionFileHash
{
private string typeField;
private string dataField;
private string sourceFileNameField;
private uint sourceFileLengthField;
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Type
{
get
{
return this.typeField;
}
set
{
this.typeField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Data
{
get
{
return this.dataField;
}
set
{
this.dataField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string SourceFileName
{
get
{
return this.sourceFileNameField;
}
set
{
this.sourceFileNameField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public uint SourceFileLength
{
get
{
return this.sourceFileLengthField;
}
set
{
this.sourceFileLengthField = value;
}
}
}
/// <remarks/>
[System.SerializableAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
public partial class AppLockerPolicyRuleCollectionFilePathRule
{
private AppLockerPolicyRuleCollectionFilePathRuleFilePathCondition[] conditionsField;
private string idField;
private string nameField;
private string descriptionField;
private string userOrGroupSidField;
private string actionField;
/// <remarks/>
[System.Xml.Serialization.XmlArrayItemAttribute("FilePathCondition", IsNullable = false)]
public AppLockerPolicyRuleCollectionFilePathRuleFilePathCondition[] Conditions
{
get
{
return this.conditionsField;
}
set
{
this.conditionsField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Id
{
get
{
return this.idField;
}
set
{
this.idField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Name
{
get
{
return this.nameField;
}
set
{
this.nameField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Description
{
get
{
return this.descriptionField;
}
set
{
this.descriptionField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string UserOrGroupSid
{
get
{
return this.userOrGroupSidField;
}
set
{
this.userOrGroupSidField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Action
{
get
{
return this.actionField;
}
set
{
this.actionField = value;
}
}
}
/// <remarks/>
[System.SerializableAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
public partial class AppLockerPolicyRuleCollectionFilePathRuleFilePathCondition
{
private string pathField;
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Path
{
get
{
return this.pathField;
}
set
{
this.pathField = value;
}
}
}
/// <remarks/>
[System.SerializableAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
public partial class AppLockerPolicyRuleCollectionFilePublisherRule
{
private AppLockerPolicyRuleCollectionFilePublisherRuleFilePublisherCondition[] conditionsField;
private string idField;
private string nameField;
private string descriptionField;
private string userOrGroupSidField;
private string actionField;
/// <remarks/>
[System.Xml.Serialization.XmlArrayItemAttribute("FilePublisherCondition", IsNullable = false)]
public AppLockerPolicyRuleCollectionFilePublisherRuleFilePublisherCondition[] Conditions
{
get
{
return this.conditionsField;
}
set
{
this.conditionsField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Id
{
get
{
return this.idField;
}
set
{
this.idField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Name
{
get
{
return this.nameField;
}
set
{
this.nameField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Description
{
get
{
return this.descriptionField;
}
set
{
this.descriptionField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string UserOrGroupSid
{
get
{
return this.userOrGroupSidField;
}
set
{
this.userOrGroupSidField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string Action
{
get
{
return this.actionField;
}
set
{
this.actionField = value;
}
}
}
/// <remarks/>
[System.SerializableAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
public partial class AppLockerPolicyRuleCollectionFilePublisherRuleFilePublisherCondition
{
private AppLockerPolicyRuleCollectionFilePublisherRuleFilePublisherConditionBinaryVersionRange binaryVersionRangeField;
private string publisherNameField;
private string productNameField;
private string binaryNameField;
/// <remarks/>
public AppLockerPolicyRuleCollectionFilePublisherRuleFilePublisherConditionBinaryVersionRange BinaryVersionRange
{
get
{
return this.binaryVersionRangeField;
}
set
{
this.binaryVersionRangeField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string PublisherName
{
get
{
return this.publisherNameField;
}
set
{
this.publisherNameField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string ProductName
{
get
{
return this.productNameField;
}
set
{
this.productNameField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string BinaryName
{
get
{
return this.binaryNameField;
}
set
{
this.binaryNameField = value;
}
}
}
/// <remarks/>
[System.SerializableAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true)]
public partial class AppLockerPolicyRuleCollectionFilePublisherRuleFilePublisherConditionBinaryVersionRange
{
private string lowSectionField;
private string highSectionField;
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string LowSection
{
get
{
return this.lowSectionField;
}
set
{
this.lowSectionField = value;
}
}
/// <remarks/>
[System.Xml.Serialization.XmlAttributeAttribute()]
public string HighSection
{
get
{
return this.highSectionField;
}
set
{
this.highSectionField = value;
}
}
}
}

83
winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/IAppIdPolicyHandler.cs Normal file
View File

@@ -0,0 +1,83 @@
using System;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
namespace winPEAS.Helpers.AppLocker
{
[Guid("B6FEA19E-32DD-4367-B5B7-2F5DA140E87D")]
[TypeLibType(TypeLibTypeFlags.FDual | TypeLibTypeFlags.FNonExtensible | TypeLibTypeFlags.FDispatchable)]
[ComImport]
public interface IAppIdPolicyHandler
{
// Token: 0x06000001 RID: 1
[DispId(1)]
[MethodImpl(MethodImplOptions.InternalCall)]
void SetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath, [MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy);
// Token: 0x06000002 RID: 2
[DispId(2)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
string GetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath);
// Token: 0x06000003 RID: 3
[DispId(3)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
string GetEffectivePolicy();
// Token: 0x06000004 RID: 4
[DispId(4)]
[MethodImpl(MethodImplOptions.InternalCall)]
int IsFileAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrFilePath, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
// Token: 0x06000005 RID: 5
[DispId(5)]
[MethodImpl(MethodImplOptions.InternalCall)]
int IsPackageAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrPublisherName, [MarshalAs(UnmanagedType.BStr)][In] string bstrPackageName, [In] ulong ullPackageVersion, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
}
// Token: 0x02000003 RID: 3
[CoClass(typeof(AppIdPolicyHandlerClass))]
[Guid("B6FEA19E-32DD-4367-B5B7-2F5DA140E87D")]
[ComImport]
public interface AppIdPolicyHandler : IAppIdPolicyHandler
{
}
// Token: 0x02000004 RID: 4
[Guid("F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3")]
[ClassInterface(ClassInterfaceType.None)]
[TypeLibType(TypeLibTypeFlags.FCanCreate)]
[ComImport]
public class AppIdPolicyHandlerClass : IAppIdPolicyHandler, AppIdPolicyHandler
{
// Token: 0x06000007 RID: 7
[DispId(1)]
[MethodImpl(MethodImplOptions.InternalCall)]
public virtual extern void SetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath, [MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy);
// Token: 0x06000008 RID: 8
[DispId(2)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
public virtual extern string GetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath);
// Token: 0x06000009 RID: 9
[DispId(3)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
public virtual extern string GetEffectivePolicy();
// Token: 0x0600000A RID: 10
[DispId(4)]
[MethodImpl(MethodImplOptions.InternalCall)]
public virtual extern int IsFileAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrFilePath, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
// Token: 0x0600000B RID: 11
[DispId(5)]
[MethodImpl(MethodImplOptions.InternalCall)]
public virtual extern int IsPackageAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrPublisherName, [MarshalAs(UnmanagedType.BStr)][In] string bstrPackageName, [In] ulong ullPackageVersion, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
}
}

160
winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/SharpAppLocker.cs Normal file
View File

@@ -0,0 +1,160 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
namespace winPEAS.Helpers.AppLocker
{
// https://github.com/Flangvik/SharpAppLocker
public class SharpAppLocker
{
public enum PolicyType
{
Local,
Domain,
Effective
}
public static T DeserializeToObject<T>(string xmlData) where T : class
{
System.Xml.Serialization.XmlSerializer ser = new System.Xml.Serialization.XmlSerializer(typeof(T));
using (StreamReader sr = new StreamReader(new MemoryStream(Encoding.UTF8.GetBytes(xmlData))))
{
return (T)ser.Deserialize(sr);
}
}
public static string GetAppLockerPolicy(PolicyType policyType, string[] appLockerRuleTypes, string ldapPath = "", bool allowOnly = false, bool denyOnly = false)
{
// Create IAppIdPolicyHandler COM interface
IAppIdPolicyHandler IAppHandler = new AppIdPolicyHandlerClass();
string policies;
switch (policyType)
{
case PolicyType.Local:
case PolicyType.Domain:
policies = IAppHandler.GetPolicy(ldapPath);
break;
case PolicyType.Effective:
policies = IAppHandler.GetEffectivePolicy();
break;
default:
throw new InvalidOperationException();
};
/*
var objectHolder = DeserializeToObject<AppLockerPolicy>(policies);
AppLockerPolicy appLockerPolicyFiltered = DeserializeToObject<AppLockerPolicy>(policies);
if (objectHolder?.RuleCollection?.Count() > 0)
{
//Null them all out to emtpy lists
for (int i = 0; i < appLockerPolicyFiltered.RuleCollection.Length; i++)
{
appLockerPolicyFiltered.RuleCollection[i].FileHashRule = new List<AppLockerPolicyRuleCollectionFileHashRule>() { };
appLockerPolicyFiltered.RuleCollection[i].FilePathRule = new List<AppLockerPolicyRuleCollectionFilePathRule>() { };
appLockerPolicyFiltered.RuleCollection[i].FilePublisherRule = new List<AppLockerPolicyRuleCollectionFilePublisherRule>() { };
}
for (int i = 0; i < objectHolder?.RuleCollection.Count(); i++)
{
if (objectHolder?.RuleCollection[i].FilePathRule != null)
{
if (appLockerRuleTypes.Contains("All", StringComparer.InvariantCultureIgnoreCase) || appLockerRuleTypes.Contains("FilePathRule", StringComparer.InvariantCultureIgnoreCase))
{
foreach (var pathRule in objectHolder?.RuleCollection[i].FilePathRule)
{
if (allowOnly || denyOnly)
{
if (pathRule.Action.Equals(allowOnly ? "Allow" : "Deny"))
{
appLockerPolicyFiltered.RuleCollection[i].FilePathRule.Add(pathRule);
//outputBuilder.Append(JsonConvert.SerializeObject(pathRule, Newtonsoft.Json.Formatting.Indented));
}
}
else
{
appLockerPolicyFiltered.RuleCollection[i].FilePathRule.Add(pathRule);
//outputBuilder.Append(JsonConvert.SerializeObject(pathRule, Newtonsoft.Json.Formatting.Indented));
}
}
}
}
if (objectHolder?.RuleCollection[i].FileHashRule != null)
{
if (appLockerRuleTypes.Contains("All", StringComparer.InvariantCultureIgnoreCase) || appLockerRuleTypes.Contains("FileHashRule", StringComparer.InvariantCultureIgnoreCase))
{
foreach (var hashRule in objectHolder?.RuleCollection[i].FileHashRule)
{
if (allowOnly || denyOnly)
{
if (hashRule.Action.Equals(allowOnly ? "Allow" : "Deny"))
{
appLockerPolicyFiltered.RuleCollection[i].FileHashRule.Add(hashRule);
//outputBuilder.Append(JsonConvert.SerializeObject(pathRule, Newtonsoft.Json.Formatting.Indented));
}
}
else
{
appLockerPolicyFiltered.RuleCollection[i].FileHashRule.Add(hashRule);
//outputBuilder.Append(JsonConvert.SerializeObject(pathRule, Newtonsoft.Json.Formatting.Indented));
}
}
}
}
if (objectHolder?.RuleCollection[i].FilePublisherRule != null)
{
if (appLockerRuleTypes.Contains("All", StringComparer.InvariantCultureIgnoreCase) || appLockerRuleTypes.Contains("FilePublisherRule", StringComparer.InvariantCultureIgnoreCase))
{
foreach (var pubRile in objectHolder?.RuleCollection[i].FilePublisherRule.ToArray())
{
if (allowOnly || denyOnly)
{
if (pubRile.Action.Equals(allowOnly ? "Allow" : "Deny"))
{
appLockerPolicyFiltered.RuleCollection[i].FilePublisherRule.Add(pubRile);
//outputBuilder.Append(JsonConvert.SerializeObject(pathRule, Newtonsoft.Json.Formatting.Indented));
}
}
else
{
appLockerPolicyFiltered.RuleCollection[i].FilePublisherRule.Add(pubRile);
//outputBuilder.Append(JsonConvert.SerializeObject(pathRule, Newtonsoft.Json.Formatting.Indented));
}
}
}
}
}
//Remove all the empty stuff
appLockerPolicyFiltered.RuleCollection = appLockerPolicyFiltered.RuleCollection.Where(x =>
x.FilePublisherRule.Count() > 0 ||
x.FilePathRule.Count() > 0 ||
x.FileHashRule.Count() > 0
).ToArray();
return JsonConvert.SerializeObject(appLockerPolicyFiltered, Newtonsoft.Json.Formatting.Indented);
}
return JsonConvert.SerializeObject(objectHolder, Newtonsoft.Json.Formatting.Indented);
*/
policies = policies.Replace("><", ">\n<");
return policies;
}
}
}

15
winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
View File

@@ -43,7 +43,7 @@ namespace winPEAS.Helpers
///////////////////////////////// /////////////////////////////////
public static void PrintBanner() public static void PrintBanner()
{ {
Console.WriteLine(BLUE + String.Format(@" Console.WriteLine(BLUE + string.Format(@"
{0}*((,.,/((((((((((((((((((((/, */ {0}*((,.,/((((((((((((((((((((/, */
{0},/*,..*((((((((((((((((((((((((((((((((((, {0},/*,..*((((((((((((((((((((((((((((((((((,
{0},*/((((((((((((((((((/, .*//((//**, .*(((((((* {0},*/((((((((((((((((((/, .*//((//**, .*(((((((*
@@ -173,6 +173,11 @@ namespace winPEAS.Helpers
Console.WriteLine(RED + to_print + NOCOLOR); Console.WriteLine(RED + to_print + NOCOLOR);
} }
public static void ColorPrint(string to_print, string color)
{
Console.WriteLine(color + to_print + NOCOLOR);
}
public static void GrayPrint(string to_print) public static void GrayPrint(string to_print)
{ {
Console.WriteLine(DGRAY + to_print + NOCOLOR); Console.WriteLine(DGRAY + to_print + NOCOLOR);
@@ -203,7 +208,9 @@ namespace winPEAS.Helpers
{ {
string new_line = line; string new_line = line;
foreach (KeyValuePair<string, string> color in ansi_colors_regexp) foreach (KeyValuePair<string, string> color in ansi_colors_regexp)
{
new_line = Regexansi(new_line, color.Value, color.Key); new_line = Regexansi(new_line, color.Value, color.Key);
}
Console.WriteLine(new_line); Console.WriteLine(new_line);
} }
@@ -227,7 +234,7 @@ namespace winPEAS.Helpers
{ {
foreach (KeyValuePair<string, string> entry in dicprint) foreach (KeyValuePair<string, string> entry in dicprint)
{ {
if (delete_nulls && String.IsNullOrEmpty(entry.Value.Trim())) if (delete_nulls && string.IsNullOrEmpty(entry.Value.Trim()))
{ {
continue; continue;
} }
@@ -259,7 +266,7 @@ namespace winPEAS.Helpers
{ {
foreach (KeyValuePair<string, string> entry in dicprint) foreach (KeyValuePair<string, string> entry in dicprint)
{ {
if (delete_nulls && String.IsNullOrEmpty(entry.Value)) if (delete_nulls && string.IsNullOrEmpty(entry.Value))
{ {
continue; continue;
} }
@@ -296,7 +303,7 @@ namespace winPEAS.Helpers
Dictionary<string, string> results = new Dictionary<string, string>(); Dictionary<string, string> results = new Dictionary<string, string>();
foreach (KeyValuePair<string, object> entry in dicprint) foreach (KeyValuePair<string, object> entry in dicprint)
{ {
results[entry.Key] = String.Format("{0}", entry.Value); results[entry.Key] = string.Format("{0}", entry.Value);
} }
DictPrint(results, delete_nulls); DictPrint(results, delete_nulls);

397
winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/Credential.cs Normal file
View File

@@ -0,0 +1,397 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Text;
namespace winPEAS.Helpers.CredentialManager
{
/// <summary>
/// Class Credential, wrapper for native CREDENTIAL structure.
/// See CREDENTIAL structure
/// <see href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa374788(v=vs.85).aspx">documentation.</see>
/// See Credential Manager
/// <see href="http://windows.microsoft.com/en-us/windows7/what-is-credential-manager">documentation.</see>
/// </summary>
internal class Credential : IDisposable
{
/// <summary>
/// The lock object
/// </summary>
private static readonly object LockObject = new object();
/// <summary>
/// The unmanaged code permission
/// </summary>
private static readonly SecurityPermission UnmanagedCodePermission;
/// <summary>
/// The credential description
/// </summary>
private string description;
/// <summary>
/// The disposed flag
/// </summary>
private bool disposed;
/// <summary>
/// The last write time
/// </summary>
private DateTime lastWriteTime;
/// <summary>
/// The password
/// </summary>
private SecureString password;
/// <summary>
/// The persistence type
/// </summary>
private PersistenceType persistenceType;
/// <summary>
/// The string that contains the name of the credential
/// </summary>
private string target;
/// <summary>
/// The credential type
/// </summary>
private CredentialType type;
/// <summary>
/// The username
/// </summary>
private string username;
/// <summary>
/// Initializes UnmanagedCodePermission for the <see cref="Credential" /> class.
/// </summary>
static Credential()
{
lock (LockObject)
{
UnmanagedCodePermission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
}
}
/// <summary>
/// Initializes a new instance of the <see cref="Credential" /> class.
/// </summary>
public Credential()
: this(null)
{ }
/// <summary>
/// Initializes a new instance of the <see cref="Credential" /> class.
/// </summary>
/// <param name="username">The username.</param>
public Credential(string username)
: this(username, null)
{ }
/// <summary>
/// Initializes a new instance of the <see cref="Credential" /> class.
/// </summary>
/// <param name="username">The username.</param>
/// <param name="password">The password.</param>
public Credential(string username, string password)
: this(username, password, null)
{ }
/// <summary>
/// Initializes a new instance of the <see cref="Credential" /> class.
/// </summary>
/// <param name="username">The username.</param>
/// <param name="password">The password.</param>
/// <param name="target">The string that contains the name of the credential.</param>
public Credential(string username, string password, string target)
: this(username, password, target, CredentialType.Generic)
{ }
/// <summary>
/// Initializes a new instance of the <see cref="Credential" /> class.
/// </summary>
/// <param name="username">The username.</param>
/// <param name="password">The password.</param>
/// <param name="target">The string that contains the name of the credential.</param>
/// <param name="type">The credential type.</param>
public Credential(string username, string password, string target, CredentialType type)
{
Username = username;
Password = password;
Target = target;
Type = type;
PersistenceType = PersistenceType.Session;
lastWriteTime = DateTime.MinValue;
}
/// <summary>
/// Gets or sets the username.
/// </summary>
/// <value>The user name of the account used to connect to TargetName.</value>
public string Username
{
get
{
CheckNotDisposed();
return username;
}
set
{
CheckNotDisposed();
username = value;
}
}
/// <summary>
/// Gets or sets the password.
/// </summary>
/// <value>The decoded secure string password.</value>
public string Password
{
get { return SecureStringHelper.CreateString(SecurePassword); }
set
{
CheckNotDisposed();
SecurePassword =
SecureStringHelper.CreateSecureString(string.IsNullOrEmpty(value) ? string.Empty : value);
}
}
/// <summary>
/// Gets or sets the secure password.
/// </summary>
/// <value>The secure password of the account used to connect to TargetName.</value>
public SecureString SecurePassword
{
get
{
CheckNotDisposed();
UnmanagedCodePermission.Demand();
return null == password ? new SecureString() : password.Copy();
}
set
{
CheckNotDisposed();
if (null != password)
{
password.Clear();
password.Dispose();
}
password = null == value ? new SecureString() : value.Copy();
}
}
/// <summary>
/// Gets or sets the target.
/// </summary>
/// <value>
/// The name of the credential. The TargetName and Type members uniquely identify the credential. This member cannot
/// be changed after the credential is created. Instead, the credential with the old name should be deleted and the
/// credential with the new name created.
/// </value>
public string Target
{
get
{
CheckNotDisposed();
return target;
}
set
{
CheckNotDisposed();
target = value;
}
}
/// <summary>
/// Gets or sets the description.
/// </summary>
/// <value>
/// The string comment from the user that describes this credential. This member cannot be longer than
/// CRED_MAX_STRING_LENGTH (256) characters.
/// </value>
public string Description
{
get
{
CheckNotDisposed();
return description;
}
set
{
CheckNotDisposed();
description = value;
}
}
/// <summary>
/// Gets the last write time.
/// </summary>
/// <value>The last write time.</value>
public DateTime LastWriteTime
{
get { return LastWriteTimeUtc.ToLocalTime(); }
}
/// <summary>
/// Gets the last write time UTC.
/// </summary>
/// <value>The last write time UTC.</value>
public DateTime LastWriteTimeUtc
{
get
{
CheckNotDisposed();
return lastWriteTime;
}
private set { lastWriteTime = value; }
}
/// <summary>
/// Gets or sets the type.
/// </summary>
/// <value>The type of the credential. This member cannot be changed after the credential is created.</value>
public CredentialType Type
{
get
{
CheckNotDisposed();
return type;
}
set
{
CheckNotDisposed();
type = value;
}
}
/// <summary>
/// Gets or sets the type of the persistence.
/// </summary>
/// <value>Defines the persistence of this credential. This member can be read and written.</value>
public PersistenceType PersistenceType
{
get
{
CheckNotDisposed();
return persistenceType;
}
set
{
CheckNotDisposed();
persistenceType = value;
}
}
/// <summary>
/// Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources.
/// </summary>
public void Dispose()
{
Dispose(true);
// Prevent GC Collection since we have already disposed of this object
GC.SuppressFinalize(this);
}
/// <summary>
/// Finalizes an instance of the <see cref="Credential" /> class.
/// </summary>
~Credential()
{
Dispose(false);
}
/// <summary>
/// Releases unmanaged and - optionally - managed resources.
/// </summary>
/// <param name="disposing">
/// <c>true</c> to release both managed and unmanaged resources; <c>false</c> to release only
/// unmanaged resources.
/// </param>
private void Dispose(bool disposing)
{
if (!disposed)
{
if (disposing)
{
SecurePassword.Clear();
SecurePassword.Dispose();
}
}
disposed = true;
}
/// <summary>
/// Ensures this instance is not disposed.
/// </summary>
/// <exception cref="System.ObjectDisposedException">Credential object is already disposed.</exception>
private void CheckNotDisposed()
{
if (disposed)
{
throw new ObjectDisposedException("Credential object is already disposed.");
}
}
/// <summary>
/// Loads this instance.
/// </summary>
/// <returns><c>true</c> if credential is load properly, <c>false</c> otherwise.</returns>
public bool Load()
{
CheckNotDisposed();
UnmanagedCodePermission.Demand();
IntPtr credPointer;
var result = NativeMethods.CredRead(Target, Type, 0, out credPointer);
if (!result)
return false;
using (var credentialHandle = new NativeMethods.CriticalCredentialHandle(credPointer))
{
LoadInternal(credentialHandle.GetCredential());
}
return true;
}
/// <summary>
/// Loads all credentials
/// </summary>
public static IEnumerable<Credential> LoadAll()
{
UnmanagedCodePermission.Demand();
return NativeMethods.CredEnumerate()
.Select(c => new Credential(c.UserName, null, c.TargetName))
.Where(c => c.Load());
}
/// <summary>
/// Loads the internal.
/// </summary>
/// <param name="credential">The credential.</param>
internal void LoadInternal(NativeMethods.CREDENTIAL credential)
{
Username = credential.UserName;
if (credential.CredentialBlobSize > 0)
{
Password = Marshal.PtrToStringUni(credential.CredentialBlob, credential.CredentialBlobSize / 2);
}
Target = credential.TargetName;
Type = (CredentialType)credential.Type;
PersistenceType = (PersistenceType)credential.Persist;
Description = credential.Comment;
LastWriteTimeUtc = DateTime.FromFileTimeUtc(credential.LastWritten);
}
}
}

43
winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/CredentialManager.cs Normal file
View File

@@ -0,0 +1,43 @@
using System.Collections.Generic;
using System.Text;
namespace winPEAS.Helpers.CredentialManager
{
internal static class CredentialManager
{
// thanks to
// https://github.com/spolnik/Simple.CredentialsManager
public static string UnicodeInfoText = "(Unicode Base64 encoded)";
internal static List<string> GetCredentials()
{
var result = new List<string>();
var credentials = Credential.LoadAll();
foreach (var credential in credentials)
{
var isUnicode = MyUtils.IsUnicode(credential.Password);
string clearTextPassword = credential.Password;
string unicodeInfo = string.Empty;
if (isUnicode)
{
clearTextPassword = System.Convert.ToBase64String(Encoding.Unicode.GetBytes(credential.Password));
unicodeInfo = UnicodeInfoText;
}
string item = $"\nUsername: {credential.Username}\n" +
$"Password:{unicodeInfo} {clearTextPassword}\n" +
$"Target: {credential.Target}\n" +
$"PersistenceType: {credential.PersistenceType}\n" +
$"LastWriteTime: {credential.LastWriteTime}\n" +
"-------------------------------------------------------";
result.Add(item);
}
return result;
}
}
}

39
winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/CredentialType.cs Normal file
View File

@@ -0,0 +1,39 @@
namespace winPEAS.Helpers.CredentialManager
{
/// <summary>
/// Enum CredentialType
///
/// The type of the credential. This member cannot be changed after the credential is created.
/// </summary>
public enum CredentialType : uint
{
/// <summary>
/// The lack of credential type
/// </summary>
None = 0,
/// <summary>
/// Generic credential type
///
/// The credential is a generic credential. The credential will not be used by any particular authentication package.
/// The credential will be stored securely but has no other significant characteristics.
/// </summary>
Generic = 1,
/// <summary>
/// Domain password credential type
///
/// The credential is a password credential and is specific to Microsoft's authentication packages.
/// The NTLM, Kerberos, and Negotiate authentication packages will automatically use this credential when connecting to the named target.
/// </summary>
DomainPassword = 2,
/// <summary>
/// Domain certificate credential type
///
/// The credential is a certificate credential and is specific to Microsoft's authentication packages.
/// The Kerberos, Negotiate, and Schannel authentication packages automatically use this credential when connecting to the named target.
/// </summary>
DomainCertificate = 3
}
}

209
winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/NativeMethods.cs Normal file
View File

@@ -0,0 +1,209 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;
namespace winPEAS.Helpers.CredentialManager
{
/// <summary>
/// Wrapper for advapi32.dll library.
/// Advanced Services
/// Provide access to functionality additional to the kernel.
/// Included are things like the Windows registry, shutdown/restart the system (or abort),
/// start/stop/create a Windows service, manage user accounts.
/// These functions reside in advapi32.dll on 32-bit Windows.
/// </summary>
public class NativeMethods
{
/// <summary>
/// The CredRead function reads a credential from the user's credential set.
/// The credential set used is the one associated with the logon session of the current token.
/// The token must not have the user's SID disabled.
/// </summary>
/// <remarks>
/// If the value of the Type member of the CREDENTIAL structure specified by the Credential parameter is
/// CRED_TYPE_DOMAIN_EXTENDED, a namespace must be specified in the target name. This function can return only one
/// credential of the specified type.
/// </remarks>
/// <param name="target">Pointer to a null-terminated string that contains the name of the credential to read.</param>
/// <param name="type">Type of the credential to read. Type must be one of the CRED_TYPE_* defined types.</param>
/// <param name="reservedFlag">Currently reserved and must be zero.</param>
/// <param name="credentialPtr">
/// Pointer to a single allocated block buffer to return the credential.
/// Any pointers contained within the buffer are pointers to locations within this single allocated block.
/// The single returned buffer must be freed by calling CredFree.
/// </param>
/// <returns>The function returns TRUE on success and FALSE on failure.</returns>
[DllImport("Advapi32.dll", EntryPoint = "CredReadW", CharSet = CharSet.Unicode, SetLastError = true)]
internal static extern bool CredRead(string target, CredentialType type, int reservedFlag,
out IntPtr credentialPtr);
/// <summary>
/// The CredWrite function creates a new credential or modifies an existing credential in the user's credential set.
/// The new credential is associated with the logon session of the current token.
/// The token must not have the user's security identifier (SID) disabled.
/// </summary>
/// <remarks>
/// This function creates a credential if a credential with the specified TargetName and Type does not exist. If a
/// credential with the specified TargetName and Type exists, the new specified credential replaces the existing one.
/// When this function writes a CRED_TYPE_CERTIFICATE credential, the Credential->CredentialBlob member specifies the
/// PIN protecting the private key of the certificate specified by the Credential->UserName member. The credential
/// manager does not maintain the PIN. Rather, the PIN is passed to the cryptographic service provider (CSP) indicated
/// on the certificate for later use by the CSP and the authentication packages. The CSP defines the lifetime of the
/// PIN. Most CSPs flush the PIN when the smart card removal from the smart card reader.
/// If the value of the Type member of the CREDENTIAL structure specified by the Credential parameter is
/// CRED_TYPE_DOMAIN_EXTENDED, a namespace must be specified in the target name. This function does not support writing
/// to target names that contain wildcards.
/// </remarks>
/// <param name="userCredential">A pointer to the CREDENTIAL structure to be written.</param>
/// <param name="flags">Flags that control the function's operation. The following flag is defined.</param>
/// <returns>If the function succeeds, the function returns TRUE, if the function fails, it returns FALSE. </returns>
[DllImport("Advapi32.dll", EntryPoint = "CredWriteW", CharSet = CharSet.Unicode, SetLastError = true)]
internal static extern bool CredWrite([In] ref CREDENTIAL userCredential, [In] UInt32 flags);
/// <summary>
/// The CredFree function frees a buffer returned by any of the credentials management functions.
/// </summary>
/// <param name="cred">Pointer to the buffer to be freed.</param>
[DllImport("Advapi32.dll", EntryPoint = "CredFree", SetLastError = true)]
internal static extern void CredFree([In] IntPtr cred);
/// <summary>
/// The CredDelete function deletes a credential from the user's credential set.
/// The credential set used is the one associated with the logon session of the current token.
/// The token must not have the user's SID disabled.
/// </summary>
/// <param name="target">Pointer to a null-terminated string that contains the name of the credential to delete.</param>
/// <param name="type">
/// Type of the credential to delete. Must be one of the CRED_TYPE_* defined types.
/// For a list of the defined types, see the Type member of the CREDENTIAL structure.
/// If the value of this parameter is CRED_TYPE_DOMAIN_EXTENDED,
/// this function can delete a credential that specifies a user name when there are multiple credentials for the same
/// target. The value of the TargetName parameter must specify the user name as Target|UserName.
/// </param>
/// <param name="flags">Reserved and must be zero.</param>
/// <returns>The function returns TRUE on success and FALSE on failure.</returns>
[DllImport("Advapi32.dll", EntryPoint = "CredDeleteW", CharSet = CharSet.Unicode)]
internal static extern bool CredDelete(StringBuilder target, CredentialType type, int flags);
/// <summary>
/// Enumerate credentials in the credential store
/// signature: BOOL CredEnumerate (
/// _In_ LPCTSTR Filter,
/// _In_ DWORD Flags,
/// _Out_ DWORD *Count,
/// _Out_ PCREDENTIAL **Credentials
///);
/// <param name="filter">[in]
/// Pointer to a null-terminated string that contains the filter for the returned credentials.Only credentials with a TargetName matching the filter will be returned.The filter specifies a name prefix followed by an asterisk.For instance, the filter "FRED*" will return all credentials with a TargetName beginning with the string "FRED".
/// If NULL is specified, all credentials will be returned.</param>
/// <param name="flag">[in]
/// The value of this parameter can be zero or more of the following values combined with a bitwise-OR operation.
/// Value Meaning
/// CRED_ENUMERATE_ALL_CREDENTIALS 0x1
/// This function enumerates all of the credentials in the user's credential set. The target name of each credential is returned in the "namespace:attribute=target" format. If this flag is set and the Filter parameter is not NULL, the function fails and returns ERROR_INVALID_FLAGS.
/// Windows Server 2003 and Windows XP: This flag is not supported.
///</param>
/// <param name="count">[out] Count of the credentials returned in the Credentials array.</param>
/// <param name="pCredentials"> [out]
/// Pointer to an array of pointers to credentials.The returned credential is a single allocated block. Any pointers contained within the buffer are pointers to locations within this single allocated block.The single returned buffer must be freed by calling CredFree.
/// Return value
/// </param>
/// <returns>
/// The function returns TRUE on success and FALSE on failure. The GetLastError function can be called to get a more specific status code.The following status codes can be returned.
/// Return code/value Description
/// ERROR_NOT_FOUND
/// 1168 (0x490)
/// No credential exists matching the specified Filter.
/// ERROR_NO_SUCH_LOGON_SESSION
/// 1312 (0x520)
/// The logon session does not exist or there is no credential set associated with this logon session. Network logon sessions do not have an associated credential set.
/// ERROR_INVALID_FLAGS
/// 1004 (0x3EC)
/// A flag that is not valid was specified for the Flags parameter, or CRED_ENUMERATE_ALL_CREDENTIALS is specified for the Flags parameter and the Filter parameter is not NULL.
/// </returns>
/// </summary>
[DllImport("Advapi32.dll", EntryPoint = "CredEnumerate", SetLastError = true, CharSet = CharSet.Unicode)]
internal static extern bool CredEnumerate(string filter, int flag, out int count, out IntPtr pCredentials);
/// <summary>
/// The CREDENTIAL structure contains an individual credential.
///
/// See CREDENTIAL structure <see href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa374788(v=vs.85).aspx">documentation.</see>
/// </summary>
[StructLayout(LayoutKind.Sequential)]
internal struct CREDENTIAL
{
public int Flags;
public int Type;
[MarshalAs(UnmanagedType.LPWStr)] public string TargetName;
[MarshalAs(UnmanagedType.LPWStr)] public string Comment;
public long LastWritten;
public int CredentialBlobSize;
public IntPtr CredentialBlob;
public int Persist;
public int AttributeCount;
public IntPtr Attributes;
[MarshalAs(UnmanagedType.LPWStr)] public string TargetAlias;
[MarshalAs(UnmanagedType.LPWStr)] public string UserName;
}
internal static IEnumerable<CREDENTIAL> CredEnumerate()
{
int count;
IntPtr pCredentials;
var ret = CredEnumerate(null, 0, out count, out pCredentials);
if (ret == false)
throw new Exception("Failed to enumerate credentials");
var credentials = new IntPtr[count];
for (var n = 0; n < count; n++)
credentials[n] = Marshal.ReadIntPtr(pCredentials,
n * Marshal.SizeOf(typeof(IntPtr)));
return credentials.Select(ptr => (CREDENTIAL)Marshal.PtrToStructure(ptr, typeof(CREDENTIAL)));
}
internal sealed class CriticalCredentialHandle : CriticalHandleZeroOrMinusOneIsInvalid
{
// Set the handle.
internal CriticalCredentialHandle(IntPtr preexistingHandle)
{
SetHandle(preexistingHandle);
}
internal CREDENTIAL GetCredential()
{
if (!IsInvalid)
{
// Get the Credential from the mem location
return (CREDENTIAL)Marshal.PtrToStructure(handle, typeof(CREDENTIAL));
}
throw new InvalidOperationException("Invalid CriticalHandle!");
}
// Perform any specific actions to release the handle in the ReleaseHandle method.
// Often, you need to use P/Invoke to make a call into the Win32 API to release the
// handle. In this case, however, we can use the Marshal class to release the unmanaged memory.
protected override bool ReleaseHandle()
{
// If the handle was set, free it. Return success.
if (!IsInvalid)
{
// NOTE: We should also ZERO out the memory allocated to the handle, before free'ing it
// so there are no traces of the sensitive data left in memory.
CredFree(handle);
// Mark the handle as invalid for future users.
SetHandleAsInvalid();
return true;
}
// Return false.
return false;
}
}
}
}

35
winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/PersistenceType.cs Normal file
View File

@@ -0,0 +1,35 @@
namespace winPEAS.Helpers.CredentialManager
{
/// <summary>
/// Enum PersistenceType
/// Defines the persistence of this credential. This member can be read and written.
/// </summary>
public enum PersistenceType : uint
{
/// <summary>
/// The session persistence type
/// The credential persists for the life of the logon session.
/// It will not be visible to other logon sessions of this same user.
/// It will not exist after this user logs off and back on.
/// </summary>
Session = 1,
/// <summary>
/// The local computer persistence type
/// The credential persists for all subsequent logon sessions on this same computer.
/// It is visible to other logon sessions of this same user on this same computer
/// and not visible to logon sessions for this user on other computers.
/// </summary>
LocalComputer = 2,
/// <summary>
/// The enterprise persistence type
/// The credential persists for all subsequent logon sessions on this same computer. It is visible to other logon
/// sessions of this same user on this same computer and to logon sessions for this user on other computers.
/// this option can be implemented as locally persisted credential if the administrator or user configures the user
/// account to not have roam-able state. For instance, if the user has no roaming profile, the credential will only
/// persist locally.
/// </summary>
Enterprise = 3
}
}

48
winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/SecureStringHelper.cs Normal file
View File

@@ -0,0 +1,48 @@
using System;
using System.Runtime.InteropServices;
using System.Security;
namespace winPEAS.Helpers.CredentialManager
{
[SuppressUnmanagedCodeSecurity]
internal static class SecureStringHelper
{
internal static unsafe SecureString CreateSecureString(string plainString)
{
if (string.IsNullOrEmpty(plainString))
return new SecureString();
SecureString str;
fixed (char* str2 = plainString)
{
var chPtr = str2;
str = new SecureString(chPtr, plainString.Length);
str.MakeReadOnly();
}
return str;
}
internal static string CreateString(SecureString secureString)
{
if ((secureString == null) || (secureString.Length == 0))
return string.Empty;
string str;
var zero = IntPtr.Zero;
try
{
zero = Marshal.SecureStringToBSTR(secureString);
str = Marshal.PtrToStringBSTR(zero);
}
finally
{
if (zero != IntPtr.Zero)
Marshal.ZeroFreeBSTR(zero);
}
return str;
}
}
}

2
winPEAS/winPEASexe/winPEAS/Helpers/DomainHelper.cs
View File

@@ -54,7 +54,7 @@ namespace winPEAS.Helpers
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}\n Trying to check if domain is joined using WMI", ex.Message)); Beaprint.GrayPrint(string.Format(" [X] Exception: {0}\n Trying to check if domain is joined using WMI", ex.Message));
return IsDomainJoinedWmi(); return IsDomainJoinedWmi();
} }
return ""; return "";

22
winPEAS/winPEASexe/winPEAS/Helpers/MemoryHelper.cs
View File

@@ -15,31 +15,15 @@ namespace winPEAS.Helpers
string memoryStats = $"{process.ProcessName} - Memory Stats\n" + string memoryStats = $"{process.ProcessName} - Memory Stats\n" +
$"-------------------------------------\n" + $"-------------------------------------\n" +
$" Physical memory usage : {ToSize(process.WorkingSet64)}\n" + $" Physical memory usage : {MyUtils.ConvertBytesToHumanReadable(process.WorkingSet64)}\n" +
$" Paged system memory size : {ToSize(process.PagedSystemMemorySize64)}\n" + $" Paged system memory size : {MyUtils.ConvertBytesToHumanReadable(process.PagedSystemMemorySize64)}\n" +
$" Paged memory size : {ToSize(process.PagedMemorySize64)}\n"; $" Paged memory size : {MyUtils.ConvertBytesToHumanReadable(process.PagedMemorySize64)}\n";
Beaprint.PrintDebugLine(memoryStats); Beaprint.PrintDebugLine(memoryStats);
} }
} }
} }
private static string[] suffixes = new[] { " B", " KB", " MB", " GB", " TB", " PB" };
private static string ToSize(double number, int precision = 2)
{
// unit's number of bytes
const double unit = 1024;
// suffix counter
int i = 0;
// as long as we're bigger than a unit, keep going
while (number > unit)
{
number /= unit;
i++;
}
// apply precision and current suffix
return Math.Round(number, precision) + suffixes[i];
}
} }
} }

51
winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
View File

@@ -5,6 +5,7 @@ using System.IO;
using System.Linq; using System.Linq;
using System.Reflection; using System.Reflection;
using System.Security.Principal; using System.Security.Principal;
using System.Text;
using System.Text.RegularExpressions; using System.Text.RegularExpressions;
namespace winPEAS.Helpers namespace winPEAS.Helpers
@@ -13,7 +14,8 @@ namespace winPEAS.Helpers
{ {
public static string GetCLSIDBinPath(string CLSID) public static string GetCLSIDBinPath(string CLSID)
{ {
return RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Classes\CLSID\" + CLSID + @"\InprocServer32", ""); //To get the default object you need to use an empty string return RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Classes\CLSID\" + CLSID + @"\InprocServer32",
""); //To get the default object you need to use an empty string
} }
//////////////////////////////////// ////////////////////////////////////
@@ -24,7 +26,8 @@ namespace winPEAS.Helpers
bool isDotNet = false; bool isDotNet = false;
FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(path); FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(path);
string companyName = myFileVersionInfo.CompanyName; string companyName = myFileVersionInfo.CompanyName;
if ((String.IsNullOrEmpty(companyName)) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))) if ((string.IsNullOrEmpty(companyName)) ||
(!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
{ {
try try
{ {
@@ -37,7 +40,9 @@ namespace winPEAS.Helpers
} }
catch (System.BadImageFormatException exception) catch (System.BadImageFormatException exception)
{ {
if (Regex.IsMatch(exception.Message, ".*This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.*", RegexOptions.IgnoreCase)) if (Regex.IsMatch(exception.Message,
".*This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.*",
RegexOptions.IgnoreCase))
{ {
isDotNet = true; isDotNet = true;
} }
@@ -47,13 +52,15 @@ namespace winPEAS.Helpers
// System.Console.WriteLine("The assembly has already been loaded."); // System.Console.WriteLine("The assembly has already been loaded.");
} }
} }
return isDotNet; return isDotNet;
} }
public static string GetExecutableFromPath(string path) public static string GetExecutableFromPath(string path)
{ {
string binaryPath = ""; string binaryPath = "";
Match match_path = Regex.Match(path, @"^\W*([a-z]:\\.+?(\.exe|\.dll|\.sys))\W*", RegexOptions.RightToLeft | RegexOptions.IgnoreCase); Match match_path = Regex.Match(path, @"^\W*([a-z]:\\.+?(\.exe|\.dll|\.sys))\W*",
RegexOptions.RightToLeft | RegexOptions.IgnoreCase);
if (match_path.Groups.Count > 1) if (match_path.Groups.Count > 1)
{ {
binaryPath = match_path.Groups[1].ToString(); binaryPath = match_path.Groups[1].ToString();
@@ -72,6 +79,7 @@ namespace winPEAS.Helpers
{ {
binaryPath = binaryPathdll32[1].Trim(); binaryPath = binaryPathdll32[1].Trim();
} }
return binaryPath; return binaryPath;
} }
@@ -101,6 +109,7 @@ namespace winPEAS.Helpers
} }
} }
} }
return binaryPath; return binaryPath;
} }
@@ -111,6 +120,7 @@ namespace winPEAS.Helpers
if (path.Contains(" ")) if (path.Contains(" "))
return true; return true;
} }
return false; return false;
} }
@@ -143,12 +153,13 @@ namespace winPEAS.Helpers
if (Regex.Match(haystack, regex, RegexOptions.IgnoreCase).Success) if (Regex.Match(haystack, regex, RegexOptions.IgnoreCase).Success)
return true; return true;
} }
return false; return false;
} }
// From https://stackoverflow.com/questions/206323/how-to-execute-command-line-in-c-get-std-out-results // From https://stackoverflow.com/questions/206323/how-to-execute-command-line-in-c-get-std-out-results
public static string ExecCMD(string args, string alternative_binary="") public static string ExecCMD(string args, string alternative_binary = "")
{ {
//Create process //Create process
Process pProcess = new Process(); Process pProcess = new Process();
@@ -157,10 +168,10 @@ namespace winPEAS.Helpers
pProcess.StartInfo.CreateNoWindow = true; pProcess.StartInfo.CreateNoWindow = true;
//strCommand is path and file name of command to run //strCommand is path and file name of command to run
pProcess.StartInfo.FileName = (String.IsNullOrEmpty(alternative_binary)) ? "cmd.exe" : alternative_binary; pProcess.StartInfo.FileName = (string.IsNullOrEmpty(alternative_binary)) ? "cmd.exe" : alternative_binary;
//strCommandParameters are parameters to pass to program //strCommandParameters are parameters to pass to program
pProcess.StartInfo.Arguments = (String.IsNullOrEmpty(alternative_binary)) ? "/C " + args : args; pProcess.StartInfo.Arguments = (string.IsNullOrEmpty(alternative_binary)) ? "/C " + args : args;
pProcess.StartInfo.UseShellExecute = false; pProcess.StartInfo.UseShellExecute = false;
@@ -178,5 +189,31 @@ namespace winPEAS.Helpers
return strOutput; return strOutput;
} }
private static string[] suffixes = new[] {" B", " KB", " MB", " GB", " TB", " PB"};
public static string ConvertBytesToHumanReadable(double number, int precision = 2)
{
// unit's number of bytes
const double unit = 1024;
// suffix counter
int i = 0;
// as long as we're bigger than a unit, keep going
while (number > unit)
{
number /= unit;
i++;
}
// apply precision and current suffix
return Math.Round(number, precision) + suffixes[i];
}
public static bool IsUnicode(string input)
{
var asciiBytesCount = Encoding.ASCII.GetByteCount(input);
var unicodBytesCount = Encoding.UTF8.GetByteCount(input);
return asciiBytesCount != unicodBytesCount;
}
} }
} }

18
winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs
View File

@@ -53,14 +53,14 @@ namespace winPEAS.Helpers
try try
{ {
path = path.Trim(); path = path.Trim();
if (String.IsNullOrEmpty(path)) if (string.IsNullOrEmpty(path))
{ {
return results; return results;
} }
path = GetFolderFromString(path); path = GetFolderFromString(path);
if (String.IsNullOrEmpty(path)) if (string.IsNullOrEmpty(path))
{ {
return results; return results;
} }
@@ -96,7 +96,7 @@ namespace winPEAS.Helpers
// If the rule is interesting, check if any of my SIDs is in the rule // If the rule is interesting, check if any of my SIDs is in the rule
if (rule.IdentityReference.Value.ToLower() == mySID.Key.ToLower()) if (rule.IdentityReference.Value.ToLower() == mySID.Key.ToLower())
{ {
string SID_name = String.IsNullOrEmpty(mySID.Value) ? mySID.Key : mySID.Value; string SID_name = string.IsNullOrEmpty(mySID.Value) ? mySID.Key : mySID.Value;
if (container.ContainsKey(SID_name)) if (container.ContainsKey(SID_name))
{ {
@@ -108,13 +108,13 @@ namespace winPEAS.Helpers
else else
container[SID_name] = current_perm_str; container[SID_name] = current_perm_str;
string to_add = String.Format("{0} [{1}]", SID_name, current_perm_str); string to_add = string.Format("{0} [{1}]", SID_name, current_perm_str);
} }
} }
} }
foreach (KeyValuePair<string, string> SID_input in container) foreach (KeyValuePair<string, string> SID_input in container)
{ {
string to_add = String.Format("{0} [{1}]", SID_input.Key, SID_input.Value); string to_add = string.Format("{0} [{1}]", SID_input.Key, SID_input.Value);
results.Add(to_add); results.Add(to_add);
} }
return results; return results;
@@ -143,7 +143,7 @@ namespace winPEAS.Helpers
// If the rule is interesting, check if any of my SIDs is in the rule // If the rule is interesting, check if any of my SIDs is in the rule
if (rule.IdentityReference.Value.ToLower() == mySID.Key.ToLower()) if (rule.IdentityReference.Value.ToLower() == mySID.Key.ToLower())
{ {
string SID_name = String.IsNullOrEmpty(mySID.Value) ? mySID.Key : mySID.Value; string SID_name = string.IsNullOrEmpty(mySID.Value) ? mySID.Key : mySID.Value;
if (container.ContainsKey(SID_name)) if (container.ContainsKey(SID_name))
{ {
@@ -153,13 +153,13 @@ namespace winPEAS.Helpers
else else
container[SID_name] = current_perm_str; container[SID_name] = current_perm_str;
string to_add = String.Format("{0} [{1}]", SID_name, current_perm_str); string to_add = string.Format("{0} [{1}]", SID_name, current_perm_str);
} }
} }
} }
foreach (KeyValuePair<string, string> SID_input in container) foreach (KeyValuePair<string, string> SID_input in container)
{ {
string to_add = String.Format("{0} [{1}]", SID_input.Key, SID_input.Value); string to_add = string.Format("{0} [{1}]", SID_input.Key, SID_input.Value);
results.Add(to_add); results.Add(to_add);
} }
} }
@@ -263,7 +263,7 @@ namespace winPEAS.Helpers
try try
{ {
results[path] = String.Join(", ", GetPermissionsFolder(path, Checks.Checks.CurrentUserSiDs)); results[path] = String.Join(", ", GetPermissionsFolder(path, Checks.Checks.CurrentUserSiDs));
if (String.IsNullOrEmpty(results[path])) if (string.IsNullOrEmpty(results[path]))
{ {
foreach (string d in Directory.GetDirectories(path)) foreach (string d in Directory.GetDirectories(path))
{ {

6
winPEAS/winPEASexe/winPEAS/Helpers/RegistryHelper.cs
View File

@@ -21,7 +21,7 @@ namespace winPEAS.Helpers
var regKey = Registry.CurrentUser.OpenSubKey(path); var regKey = Registry.CurrentUser.OpenSubKey(path);
if (regKey != null) if (regKey != null)
{ {
regKeyValue = String.Format("{0}", regKey.GetValue(value)); regKeyValue = string.Format("{0}", regKey.GetValue(value));
} }
return regKeyValue; return regKeyValue;
} }
@@ -30,7 +30,7 @@ namespace winPEAS.Helpers
var regKey = Registry.Users.OpenSubKey(path); var regKey = Registry.Users.OpenSubKey(path);
if (regKey != null) if (regKey != null)
{ {
regKeyValue = String.Format("{0}", regKey.GetValue(value)); regKeyValue = string.Format("{0}", regKey.GetValue(value));
} }
return regKeyValue; return regKeyValue;
} }
@@ -39,7 +39,7 @@ namespace winPEAS.Helpers
var regKey = Registry.LocalMachine.OpenSubKey(path); var regKey = Registry.LocalMachine.OpenSubKey(path);
if (regKey != null) if (regKey != null)
{ {
regKeyValue = String.Format("{0}", regKey.GetValue(value)); regKeyValue = string.Format("{0}", regKey.GetValue(value));
} }
return regKeyValue; return regKeyValue;
} }

31
winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs
View File

@@ -22,12 +22,7 @@ namespace winPEAS.Helpers.Search
public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null) public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null)
{ {
ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>(); ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>();
// ConcurrentBag<string> files = new ConcurrentBag<string>();
//Beaprint.InfoPrint($"[*] folder 1: '{folder}'");
IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern); IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern);
IList<DirectoryInfo> startDirsExcluded = new List<DirectoryInfo>(); IList<DirectoryInfo> startDirsExcluded = new List<DirectoryInfo>();
if (excludedDirs != null) if (excludedDirs != null)
@@ -41,16 +36,9 @@ namespace winPEAS.Helpers.Search
{ {
if (Regex.IsMatch(startDirLower, excludedDirPattern, RegexOptions.IgnoreCase)) if (Regex.IsMatch(startDirLower, excludedDirPattern, RegexOptions.IgnoreCase))
{ {
//files2.Add(file + $" [pattern: '{pattern}']");
shouldAdd = false; shouldAdd = false;
break; break;
} }
//if (startDirLower.StartsWith(excludedDir))
//{
// shouldAdd = false;
// break;
//}
} }
if (shouldAdd) if (shouldAdd)
@@ -58,30 +46,18 @@ namespace winPEAS.Helpers.Search
startDirsExcluded.Add(startDir); startDirsExcluded.Add(startDir);
} }
} }
//startDirsExcluded =
// (from startDir in startDirs
// from excludedDir in excludedDirs
// where !startDir.FullName.Contains(excludedDir)
// select startDir).ToList();
} }
else else
{ {
startDirsExcluded = startDirs.ToList(); startDirsExcluded = startDirs.ToList();
} }
// !!!! TODO
// probably we need to exclude the excluded dirs here - not in parallel processing
Parallel.ForEach(startDirsExcluded, (d) => Parallel.ForEach(startDirsExcluded, (d) =>
{ {
Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern), (dir) => Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern), (dir) =>
{ {
GetFiles(dir.FullName, pattern).ForEach( GetFiles(dir.FullName, pattern).ForEach(
(f) => (f) =>
//files.Add(f.FullName)
files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName)) files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName))
); );
}); });
@@ -154,7 +130,6 @@ namespace winPEAS.Helpers.Search
foreach (var f in dirInfo.GetFiles(pattern)) foreach (var f in dirInfo.GetFiles(pattern))
{ {
//files.Add(f.FullName);
files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName)); files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName));
} }
@@ -165,15 +140,15 @@ namespace winPEAS.Helpers.Search
return new List<DirectoryInfo>(); return new List<DirectoryInfo>();
} }
catch (UnauthorizedAccessException ex) catch (UnauthorizedAccessException)
{ {
return new List<DirectoryInfo>(); return new List<DirectoryInfo>();
} }
catch (PathTooLongException ex) catch (PathTooLongException)
{ {
return new List<DirectoryInfo>(); return new List<DirectoryInfo>();
} }
catch (DirectoryNotFoundException ex) catch (DirectoryNotFoundException)
{ {
return new List<DirectoryInfo>(); return new List<DirectoryInfo>();
} }

42
winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs
View File

@@ -6,7 +6,6 @@ using System.Management;
using System.Text.RegularExpressions; using System.Text.RegularExpressions;
using Microsoft.Win32; using Microsoft.Win32;
using winPEAS.Helpers; using winPEAS.Helpers;
using winPEAS.KnownFileCreds;
namespace winPEAS.Info.ApplicationInfo namespace winPEAS.Info.ApplicationInfo
{ {
@@ -16,11 +15,13 @@ namespace winPEAS.Info.ApplicationInfo
{ {
var result = new List<Dictionary<string, string>>(); var result = new List<Dictionary<string, string>>();
var regAutoRuns = GetRegistryAutoRuns(NtAccountNames); var regAutoRuns = GetRegistryAutoRuns(NtAccountNames);
var fileAutoRuns = GetAutoRunsFolder(); var folderAutoRuns = GetAutoRunsFolder();
//var fileAutoRuns = GetAutoRunsFiles();
var wmicAutoRuns = GetAutoRunsWMIC(); var wmicAutoRuns = GetAutoRunsWMIC();
result.AddRange(regAutoRuns); result.AddRange(regAutoRuns);
result.AddRange(fileAutoRuns); result.AddRange(folderAutoRuns);
//result.AddRange(fileAutoRuns);
result.AddRange(wmicAutoRuns); result.AddRange(wmicAutoRuns);
return result; return result;
@@ -66,6 +67,10 @@ namespace winPEAS.Info.ApplicationInfo
new List<string> {"HKCU","Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"}, new List<string> {"HKCU","Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"},
new List<string> {"HKCU","Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"}, new List<string> {"HKCU","Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx"},
//RunServicesOnce
new List<string> {"HKCU","Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce"},
new List<string> {"HKLM","SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce"},
//Startup Path //Startup Path
new List<string> {"HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup"}, new List<string> {"HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup"},
new List<string> {"HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup"}, new List<string> {"HKCU", @"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup"},
@@ -76,6 +81,8 @@ namespace winPEAS.Info.ApplicationInfo
new List<string> {"HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"}, new List<string> {"HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"},
new List<string> {"HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"}, new List<string> {"HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"},
new List<string> { "HKCU", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "load"},
//Policy Settings //Policy Settings
new List<string> {"HKLM", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run"}, new List<string> {"HKLM", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run"},
new List<string> {"HKCU", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run"}, new List<string> {"HKCU", @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run"},
@@ -251,9 +258,31 @@ namespace winPEAS.Info.ApplicationInfo
{ {
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>(); List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
List<string> autorunLocations = new List<string>(); List<string> autorunLocations = new List<string>();
autorunLocations.Add(Environment.ExpandEnvironmentVariables(@"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup")); // displays startup for current user
//autorunLocations.Add(Environment.ExpandEnvironmentVariables(@"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"));
autorunLocations.Add(Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup")); autorunLocations.Add(Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup"));
//string usersPath = Environment.GetEnvironmentVariable("USERPROFILE") + "\\..\\";
string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"));
usersPath = Directory.GetParent(usersPath).FullName;
try
{
var userDirs = Directory.GetDirectories(usersPath);
foreach (var userDir in userDirs)
{
string startupPath = $@"{userDir}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup";
if (Directory.Exists(startupPath))
{
autorunLocations.Add(startupPath);
}
}
}
catch (Exception e)
{
}
foreach (string path in autorunLocations) foreach (string path in autorunLocations)
{ {
foreach (string filepath in Directory.GetFiles(path, "*", SearchOption.TopDirectoryOnly)) foreach (string filepath in Directory.GetFiles(path, "*", SearchOption.TopDirectoryOnly))
@@ -317,5 +346,10 @@ namespace winPEAS.Info.ApplicationInfo
} }
return results; return results;
} }
private static IEnumerable<Dictionary<string, string>> GetAutoRunsFiles()
{
throw new NotImplementedException();
}
} }
} }

2
winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/ProcessesInfo.cs
View File

@@ -77,7 +77,7 @@ namespace winPEAS.Info.ProcessInfo
{ {
// Not enough privileges // Not enough privileges
} }
if ((String.IsNullOrEmpty(companyName)) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))) if ((string.IsNullOrEmpty(companyName)) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
{ {
Dictionary<string, string> to_add = new Dictionary<string, string>(); Dictionary<string, string> to_add = new Dictionary<string, string>();
to_add["Name"] = itm.Proc.ProcessName; to_add["Name"] = itm.Proc.ProcessName;

63
winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs
View File

@@ -46,18 +46,20 @@ namespace winPEAS.Info.ServicesInfo
// Not enough privileges // Not enough privileges
} }
if (String.IsNullOrEmpty(companyName) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))) if (string.IsNullOrEmpty(companyName) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
{ {
Dictionary<string, string> toadd = new Dictionary<string, string>(); Dictionary<string, string> toadd = new Dictionary<string, string>
toadd["Name"] = String.Format("{0}", result["Name"]); {
toadd["DisplayName"] = String.Format("{0}", result["DisplayName"]); ["Name"] = string.Format("{0}", result["Name"]),
toadd["CompanyName"] = companyName; ["DisplayName"] = string.Format("{0}", result["DisplayName"]),
toadd["State"] = String.Format("{0}", result["State"]); ["CompanyName"] = companyName,
toadd["StartMode"] = String.Format("{0}", result["StartMode"]); ["State"] = string.Format("{0}", result["State"]),
toadd["PathName"] = String.Format("{0}", result["PathName"]); ["StartMode"] = string.Format("{0}", result["StartMode"]),
toadd["FilteredPath"] = binaryPath; ["PathName"] = string.Format("{0}", result["PathName"]),
toadd["isDotNet"] = isDotNet; ["FilteredPath"] = binaryPath,
toadd["Description"] = String.Format("{0}", result["Description"]); ["isDotNet"] = isDotNet,
["Description"] = result["Description"].ToString()
};
results.Add(toadd); results.Add(toadd);
} }
} }
@@ -84,7 +86,7 @@ namespace winPEAS.Info.ServicesInfo
{ {
string companyName = ""; string companyName = "";
string isDotNet = ""; string isDotNet = "";
string pathName = Environment.ExpandEnvironmentVariables(String.Format("{0}", key_values["ImagePath"]).Replace("\\SystemRoot\\", "%SystemRoot%\\")); string pathName = Environment.ExpandEnvironmentVariables(string.Format("{0}", key_values["ImagePath"]).Replace("\\SystemRoot\\", "%SystemRoot%\\"));
string binaryPath = MyUtils.ReconstructExecPath(pathName); string binaryPath = MyUtils.ReconstructExecPath(pathName);
if (binaryPath != "") if (binaryPath != "")
{ {
@@ -100,9 +102,9 @@ namespace winPEAS.Info.ServicesInfo
} }
} }
string displayName = String.Format("{0}", key_values["DisplayName"]); string displayName = string.Format("{0}", key_values["DisplayName"]);
string imagePath = String.Format("{0}", key_values["ImagePath"]); string imagePath = string.Format("{0}", key_values["ImagePath"]);
string description = key_values.ContainsKey("Description") ? String.Format("{0}", key_values["Description"]) : ""; string description = key_values.ContainsKey("Description") ? string.Format("{0}", key_values["Description"]) : "";
string startMode = ""; string startMode = "";
if (key_values.ContainsKey("Start")) if (key_values.ContainsKey("Start"))
{ {
@@ -128,18 +130,20 @@ namespace winPEAS.Info.ServicesInfo
break; break;
} }
} }
if (String.IsNullOrEmpty(companyName) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase))) if (string.IsNullOrEmpty(companyName) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
{ {
Dictionary<string, string> toadd = new Dictionary<string, string>(); Dictionary<string, string> toadd = new Dictionary<string, string>
toadd["Name"] = String.Format("{0}", displayName); {
toadd["DisplayName"] = String.Format("{0}", displayName); ["Name"] = displayName,
toadd["CompanyName"] = companyName; ["DisplayName"] = displayName,
toadd["State"] = ""; ["CompanyName"] = companyName,
toadd["StartMode"] = startMode; ["State"] = "",
toadd["PathName"] = pathName; ["StartMode"] = startMode,
toadd["FilteredPath"] = binaryPath; ["PathName"] = pathName,
toadd["isDotNet"] = isDotNet; ["FilteredPath"] = binaryPath,
toadd["Description"] = description; ["isDotNet"] = isDotNet,
["Description"] = description
};
results.Add(toadd); results.Add(toadd);
} }
} }
@@ -181,8 +185,7 @@ namespace winPEAS.Info.ServicesInfo
IntPtr handle = (IntPtr)GetServiceHandle.Invoke(sc, readRights); IntPtr handle = (IntPtr)GetServiceHandle.Invoke(sc, readRights);
ServiceControllerStatus status = sc.Status; ServiceControllerStatus status = sc.Status;
byte[] psd = new byte[0]; byte[] psd = new byte[0];
uint bufSizeNeeded; bool ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0, out uint bufSizeNeeded);
bool ok = QueryServiceObjectSecurity(handle, SecurityInfos.DiscretionaryAcl, psd, 0, out bufSizeNeeded);
if (!ok) if (!ok)
{ {
int err = Marshal.GetLastWin32Error(); int err = Marshal.GetLastWin32Error();
@@ -218,7 +221,7 @@ namespace winPEAS.Info.ServicesInfo
int serviceRights = ace.AccessMask; int serviceRights = ace.AccessMask;
string current_perm_str = PermissionsHelper.PermInt2Str(serviceRights, true, true); string current_perm_str = PermissionsHelper.PermInt2Str(serviceRights, true, true);
if (!String.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str)) if (!string.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str))
permissions.Add(current_perm_str); permissions.Add(current_perm_str);
} }
} }
@@ -281,7 +284,7 @@ namespace winPEAS.Info.ServicesInfo
{ {
// grabbed from the registry instead of System.Environment.GetEnvironmentVariable to prevent false positives // grabbed from the registry instead of System.Environment.GetEnvironmentVariable to prevent false positives
string path = RegistryHelper.GetRegValue("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "Path"); string path = RegistryHelper.GetRegValue("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "Path");
if (String.IsNullOrEmpty(path)) if (string.IsNullOrEmpty(path))
path = Environment.GetEnvironmentVariable("PATH"); path = Environment.GetEnvironmentVariable("PATH");
List<string> folders = path.Split(';').ToList(); List<string> folders = path.Split(';').ToList();

51
winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs
View File

@@ -151,22 +151,24 @@ namespace winPEAS.Info.SystemInfo
try try
{ {
whitelistpaths = String.Join("\n ", RegistryHelper.GetRegValues("HKLM", @"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths").Keys); whitelistpaths = String.Join("\n ", RegistryHelper.GetRegValues("HKLM", @"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths").Keys);
ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct"); using (ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct"))
ManagementObjectCollection data = wmiData.Get(); {
foreach (ManagementObject virusChecker in wmiData.Get())
foreach (ManagementObject virusChecker in data)
{ {
results["Name"] = (string)virusChecker["displayName"]; results["Name"] = (string)virusChecker["displayName"];
results["ProductEXE"] = (string)virusChecker["pathToSignedProductExe"]; results["ProductEXE"] = (string)virusChecker["pathToSignedProductExe"];
results["pathToSignedReportingExe"] = (string)virusChecker["pathToSignedReportingExe"]; results["pathToSignedReportingExe"] = (string)virusChecker["pathToSignedReportingExe"];
} }
} }
}
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.PrintException(ex.Message); Beaprint.PrintException(ex.Message);
} }
if (!String.IsNullOrEmpty(whitelistpaths)) if (!string.IsNullOrEmpty(whitelistpaths))
{
results["whitelistpaths"] = " " + whitelistpaths; //Add this info the last results["whitelistpaths"] = " " + whitelistpaths; //Add this info the last
}
return results; return results;
} }
@@ -179,35 +181,16 @@ namespace winPEAS.Info.SystemInfo
try try
{ {
string ConsentPromptBehaviorAdmin = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "ConsentPromptBehaviorAdmin"); string ConsentPromptBehaviorAdmin = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "ConsentPromptBehaviorAdmin");
switch (ConsentPromptBehaviorAdmin) results["ConsentPromptBehaviorAdmin"] = ConsentPromptBehaviorAdmin switch
{ {
case "0": "0" => $"{ConsentPromptBehaviorAdmin} - No prompting",
results["ConsentPromptBehaviorAdmin"] = $"{ConsentPromptBehaviorAdmin} - No prompting"; "1" => $"{ConsentPromptBehaviorAdmin} - PromptOnSecureDesktop",
break; "2" => $"{ConsentPromptBehaviorAdmin} - PromptPermitDenyOnSecureDesktop",
case "1": "3" => $"{ConsentPromptBehaviorAdmin} - PromptForCredsNotOnSecureDesktop",
results["ConsentPromptBehaviorAdmin"] = $"{ConsentPromptBehaviorAdmin} - PromptOnSecureDesktop"; "4" => $"{ConsentPromptBehaviorAdmin} - PromptForPermitDenyNotOnSecureDesktop",
break; "5" => $"{ConsentPromptBehaviorAdmin} - PromptForNonWindowsBinaries",
case "2": _ => $"{ConsentPromptBehaviorAdmin} - PromptForNonWindowsBinaries",
results["ConsentPromptBehaviorAdmin"] = $"{ConsentPromptBehaviorAdmin} - PromptPermitDenyOnSecureDesktop"; };
break;
case "3":
results["ConsentPromptBehaviorAdmin"] =
$"{ConsentPromptBehaviorAdmin} - PromptForCredsNotOnSecureDesktop";
break;
case "4":
results["ConsentPromptBehaviorAdmin"] =
$"{ConsentPromptBehaviorAdmin} - PromptForPermitDenyNotOnSecureDesktop";
break;
case "5":
results["ConsentPromptBehaviorAdmin"] =
$"{ConsentPromptBehaviorAdmin} - PromptForNonWindowsBinaries";
break;
default:
results["ConsentPromptBehaviorAdmin"] =
$"{ConsentPromptBehaviorAdmin} - PromptForNonWindowsBinaries";
break;
}
string EnableLUA = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "EnableLUA"); string EnableLUA = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "EnableLUA");
results["EnableLUA"] = EnableLUA; results["EnableLUA"] = EnableLUA;
@@ -248,7 +231,7 @@ namespace winPEAS.Info.SystemInfo
{ {
foreach (KeyValuePair<string, object> kvp in transcriptionSettingsCU) foreach (KeyValuePair<string, object> kvp in transcriptionSettingsCU)
{ {
results["Transcription Settings CU"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value); results["Transcription Settings CU"] += string.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
} }
} }

2
winPEAS/winPEASexe/winPEAS/Info/UserInfo/SAM/SamServer.cs
View File

@@ -133,7 +133,7 @@ namespace winPEAS.Info.UserInfo.SAM
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex)); Beaprint.GrayPrint(string.Format(" [X] Exception: {0}", ex));
} }
Buffer = IntPtr.Zero; Buffer = IntPtr.Zero;
} }

38
winPEAS/winPEASexe/winPEAS/Info/UserInfo/UserInfoHelper.cs
View File

@@ -40,7 +40,7 @@ namespace winPEAS.Info.UserInfo
catch (Exception ex) catch (Exception ex)
{ {
//If error, check inside the other one //If error, check inside the other one
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}\n Checking using the other Principal Context", ex.Message)); Beaprint.GrayPrint(string.Format(" [X] Exception: {0}\n Checking using the other Principal Context", ex.Message));
try try
{ {
groupName = GetSIDGroupName(SID, ct == ContextType.Machine ? ContextType.Domain : ContextType.Machine); groupName = GetSIDGroupName(SID, ct == ContextType.Machine ? ContextType.Domain : ContextType.Machine);
@@ -53,7 +53,7 @@ namespace winPEAS.Info.UserInfo
} }
//If nothing, check inside the other one //If nothing, check inside the other one
if (String.IsNullOrEmpty(groupName)) if (string.IsNullOrEmpty(groupName))
{ {
try try
{ {
@@ -233,11 +233,11 @@ namespace winPEAS.Info.UserInfo
if (si.pUserName == null || si.pUserName == "") if (si.pUserName == null || si.pUserName == "")
continue; continue;
rdp_session["SessionID"] = String.Format("{0}", si.SessionID); rdp_session["SessionID"] = string.Format("{0}", si.SessionID);
rdp_session["pSessionName"] = String.Format("{0}", si.pSessionName); rdp_session["pSessionName"] = string.Format("{0}", si.pSessionName);
rdp_session["pUserName"] = String.Format("{0}", si.pUserName); rdp_session["pUserName"] = string.Format("{0}", si.pUserName);
rdp_session["pDomainName"] = String.Format("{0}", si.pDomainName); rdp_session["pDomainName"] = string.Format("{0}", si.pDomainName);
rdp_session["State"] = String.Format("{0}", si.State); rdp_session["State"] = string.Format("{0}", si.State);
rdp_session["SourceIP"] = ""; rdp_session["SourceIP"] = "";
// Now use WTSQuerySessionInformation to get the remote IP (if any) for the connection // Now use WTSQuerySessionInformation to get the remote IP (if any) for the connection
@@ -249,8 +249,8 @@ namespace winPEAS.Info.UserInfo
if (address.Address[2] != 0) if (address.Address[2] != 0)
{ {
string sourceIP = String.Format("{0}.{1}.{2}.{3}", address.Address[2], address.Address[3], address.Address[4], address.Address[5]); string sourceIP = string.Format("{0}.{1}.{2}.{3}", address.Address[2], address.Address[3], address.Address[4], address.Address[5]);
rdp_session["SourceIP"] = String.Format("{0}", sourceIP); rdp_session["SourceIP"] = string.Format("{0}", sourceIP);
} }
results.Add(rdp_session); results.Add(rdp_session);
} }
@@ -259,7 +259,7 @@ namespace winPEAS.Info.UserInfo
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex)); Beaprint.GrayPrint(string.Format(" [X] Exception: {0}", ex));
} }
finally finally
{ {
@@ -284,19 +284,19 @@ namespace winPEAS.Info.UserInfo
results.Add(new Dictionary<string, string>() results.Add(new Dictionary<string, string>()
{ {
{ "Domain", domain }, { "Domain", domain },
{ "SID", String.Format("{0}", sid) }, { "SID", string.Format("{0}", sid) },
{ "MaxPasswordAge", String.Format("{0}", pi.MaxPasswordAge) }, { "MaxPasswordAge", string.Format("{0}", pi.MaxPasswordAge) },
{ "MinPasswordAge", String.Format("{0}", pi.MinPasswordAge) }, { "MinPasswordAge", string.Format("{0}", pi.MinPasswordAge) },
{ "MinPasswordLength", String.Format("{0}", pi.MinPasswordLength) }, { "MinPasswordLength", string.Format("{0}", pi.MinPasswordLength) },
{ "PasswordHistoryLength", String.Format("{0}", pi.PasswordHistoryLength) }, { "PasswordHistoryLength", string.Format("{0}", pi.PasswordHistoryLength) },
{ "PasswordProperties", String.Format("{0}", pi.PasswordProperties) }, { "PasswordProperties", string.Format("{0}", pi.PasswordProperties) },
}); });
} }
} }
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex)); Beaprint.GrayPrint(string.Format(" [X] Exception: {0}", ex));
} }
return results; return results;
} }
@@ -333,11 +333,11 @@ namespace winPEAS.Info.UserInfo
c = $"{Clipboard.GetFileDropList()}"; c = $"{Clipboard.GetFileDropList()}";
//else if (Clipboard.ContainsImage()) //No system.Drwing import //else if (Clipboard.ContainsImage()) //No system.Drwing import
//c = String.Format("{0}", Clipboard.GetImage()); //c = string.Format("{0}", Clipboard.GetImage());
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex)); Beaprint.GrayPrint(string.Format(" [X] Exception: {0}", ex));
} }
return c; return c;
} }

25
winPEAS/winPEASexe/winPEAS/InterestingFiles/InterestingFiles.cs
View File

@@ -98,37 +98,12 @@ namespace winPEAS.InterestingFiles
List<string> results = new List<string>(); List<string> results = new List<string>();
try try
{ {
// returns files (w/ modification dates) that match the given pattern below
string patterns = "*diagram*;*.pdf;*.vsd;*.doc;*docx;*.xls;*.xlsx";
if (MyUtils.IsHighIntegrity()) if (MyUtils.IsHighIntegrity())
{ {
string searchPath = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\Users\\";
//List<string> files = SearchHelper.FindFiles(searchPath, patterns);
//foreach (string file in files)
//{
// //DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
// //DateTime lastModified = System.IO.File.GetLastWriteTime(file);
// results.Add(file);
//}
results = SearchHelper.SearchUsersDocs(); results = SearchHelper.SearchUsersDocs();
} }
else else
{ {
string searchPath = Environment.GetEnvironmentVariable("USERPROFILE");
//List<string> files = SearchHelper.FindFiles(searchPath, patterns);
//foreach (string file in files)
//{
// //DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
// //DateTime lastModified = System.IO.File.GetLastWriteTime(file);
// results.Add(file);
//}
results = SearchHelper.SearchCurrentUserDocs(); results = SearchHelper.SearchCurrentUserDocs();
} }
} }

10
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome.cs
View File

@@ -195,27 +195,27 @@ namespace winPEAS.KnownFileCreds.Browsers
{ {
Console.WriteLine("\r\n\r\n=== Chrome (All Users) ==="); Console.WriteLine("\r\n\r\n=== Chrome (All Users) ===");
string userFolder = String.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive")); string userFolder = string.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive"));
string[] dirs = Directory.GetDirectories(userFolder); string[] dirs = Directory.GetDirectories(userFolder);
foreach (string dir in dirs) foreach (string dir in dirs)
{ {
string[] parts = dir.Split('\\'); string[] parts = dir.Split('\\');
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users"))) if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{ {
string userChromeHistoryPath = String.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", dir); string userChromeHistoryPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", dir);
results["history"] = ParseChromeHistory(userChromeHistoryPath); results["history"] = ParseChromeHistory(userChromeHistoryPath);
string userChromeBookmarkPath = String.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks", dir); string userChromeBookmarkPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks", dir);
results["bookmarks"] = ParseChromeBookmarks(userChromeBookmarkPath); results["bookmarks"] = ParseChromeBookmarks(userChromeBookmarkPath);
} }
} }
} }
else else
{ {
string userChromeHistoryPath = String.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", System.Environment.GetEnvironmentVariable("USERPROFILE")); string userChromeHistoryPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", System.Environment.GetEnvironmentVariable("USERPROFILE"));
results["history"] = ParseChromeHistory(userChromeHistoryPath); results["history"] = ParseChromeHistory(userChromeHistoryPath);
string userChromeBookmarkPath = String.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks", System.Environment.GetEnvironmentVariable("USERPROFILE")); string userChromeBookmarkPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks", System.Environment.GetEnvironmentVariable("USERPROFILE"));
results["bookmarks"] = ParseChromeBookmarks(userChromeBookmarkPath); results["bookmarks"] = ParseChromeBookmarks(userChromeBookmarkPath);
} }

2
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox.cs
View File

@@ -190,7 +190,7 @@ namespace winPEAS.KnownFileCreds.Browsers
string[] directories = Directory.GetDirectories(path); string[] directories = Directory.GetDirectories(path);
foreach (string directory in directories) foreach (string directory in directories)
{ {
string firefoxHistoryFile = String.Format("{0}\\{1}", directory, "places.sqlite"); string firefoxHistoryFile = string.Format("{0}\\{1}", directory, "places.sqlite");
Regex historyRegex = new Regex(@"(http|ftp|https|file)://([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-])?"); Regex historyRegex = new Regex(@"(http|ftp|https|file)://([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-])?");
try try

16
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs
View File

@@ -96,12 +96,12 @@ namespace winPEAS.KnownFileCreds.Browsers
{ {
if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes")) if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
{ {
Dictionary<string, object> settings = RegistryHelper.GetRegValues("HKU", String.Format("{0}\\SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs", SID)); Dictionary<string, object> settings = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs", SID));
if ((settings != null) && (settings.Count > 1)) if ((settings != null) && (settings.Count > 1))
{ {
foreach (KeyValuePair<string, object> kvp in settings) foreach (KeyValuePair<string, object> kvp in settings)
{ {
byte[] timeBytes = RegistryHelper.GetRegValueBytes("HKU", String.Format("{0}\\SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime", SID), kvp.Key.ToString().Trim()); byte[] timeBytes = RegistryHelper.GetRegValueBytes("HKU", string.Format("{0}\\SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime", SID), kvp.Key.ToString().Trim());
if (timeBytes != null) if (timeBytes != null)
{ {
long timeLong = (long)(BitConverter.ToInt64(timeBytes, 0)); long timeLong = (long)(BitConverter.ToInt64(timeBytes, 0));
@@ -116,7 +116,7 @@ namespace winPEAS.KnownFileCreds.Browsers
} }
} }
string userFolder = String.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive")); string userFolder = string.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive"));
string[] dirs = Directory.GetDirectories(userFolder); string[] dirs = Directory.GetDirectories(userFolder);
foreach (string dir in dirs) foreach (string dir in dirs)
{ {
@@ -124,7 +124,7 @@ namespace winPEAS.KnownFileCreds.Browsers
string userName = parts[parts.Length - 1]; string userName = parts[parts.Length - 1];
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users"))) if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{ {
string userIEBookmarkPath = String.Format("{0}\\Favorites\\", dir); string userIEBookmarkPath = string.Format("{0}\\Favorites\\", dir);
if (Directory.Exists(userIEBookmarkPath)) if (Directory.Exists(userIEBookmarkPath))
{ {
@@ -174,7 +174,7 @@ namespace winPEAS.KnownFileCreds.Browsers
} }
} }
string userIEBookmarkPath = String.Format("{0}\\Favorites\\", System.Environment.GetEnvironmentVariable("USERPROFILE")); string userIEBookmarkPath = string.Format("{0}\\Favorites\\", System.Environment.GetEnvironmentVariable("USERPROFILE"));
string[] bookmarkPaths = Directory.GetFiles(userIEBookmarkPath, "*.url", SearchOption.AllDirectories); string[] bookmarkPaths = Directory.GetFiles(userIEBookmarkPath, "*.url", SearchOption.AllDirectories);
@@ -200,7 +200,7 @@ namespace winPEAS.KnownFileCreds.Browsers
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex)); Beaprint.GrayPrint(string.Format(" [X] Exception: {0}", ex));
} }
return results; return results;
} }
@@ -240,7 +240,7 @@ namespace winPEAS.KnownFileCreds.Browsers
// ensure we have a site address // ensure we have a site address
if (Regex.IsMatch(locationURL.ToString(), @"(^https?://.+)|(^ftp://)")) if (Regex.IsMatch(locationURL.ToString(), @"(^https?://.+)|(^ftp://)"))
{ {
results.Add(String.Format("{0}", locationURL)); results.Add(string.Format("{0}", locationURL));
} }
Marshal.ReleaseComObject(item); Marshal.ReleaseComObject(item);
item = null; item = null;
@@ -257,7 +257,7 @@ namespace winPEAS.KnownFileCreds.Browsers
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex)); Beaprint.GrayPrint(string.Format(" [X] Exception: {0}", ex));
} }
return results; return results;
} }

40
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Kerberos/Kerberos.cs
View File

@@ -150,9 +150,9 @@ namespace winPEAS.KnownFileCreds.Kerberos
{ "UserPrincipalName", upn }, { "UserPrincipalName", upn },
{ "serverName", serverName }, { "serverName", serverName },
{ "RealmName", realmName }, { "RealmName", realmName },
{ "StartTime", String.Format("{0}", startTime) }, { "StartTime", string.Format("{0}", startTime) },
{ "EndTime", String.Format("{0}", endTime) }, { "EndTime", string.Format("{0}", endTime) },
{ "RenewTime", String.Format("{0}", renewTime) }, { "RenewTime", string.Format("{0}", renewTime) },
{ "EncryptionType", encryptionType }, { "EncryptionType", encryptionType },
{ "TicketFlags", ticketFlags }, { "TicketFlags", ticketFlags },
}); });
@@ -247,9 +247,9 @@ namespace winPEAS.KnownFileCreds.Kerberos
{ {
{ "serverName", serverName }, { "serverName", serverName },
{ "RealmName", realmName }, { "RealmName", realmName },
{ "StartTime", String.Format("{0}", startTime) }, { "StartTime", string.Format("{0}", startTime) },
{ "EndTime", String.Format("{0}", endTime) }, { "EndTime", string.Format("{0}", endTime) },
{ "RenewTime", String.Format("{0}", renewTime) }, { "RenewTime", string.Format("{0}", renewTime) },
{ "EncryptionType", encryptionType }, { "EncryptionType", encryptionType },
{ "TicketFlags", ticketFlags }, { "TicketFlags", ticketFlags },
}); });
@@ -423,15 +423,15 @@ namespace winPEAS.KnownFileCreds.Kerberos
{ "ClientName", clientName }, { "ClientName", clientName },
{ "DomainName", domainName }, { "DomainName", domainName },
{ "TargetDomainName", targetDomainName }, { "TargetDomainName", targetDomainName },
{ "SessionKeyType", String.Format("{0}", sessionKeyType) }, { "SessionKeyType", string.Format("{0}", sessionKeyType) },
{ "Base64SessionKey", base64SessionKey }, { "Base64SessionKey", base64SessionKey },
{ "KeyExpirationTime", String.Format("{0}", keyExpirationTime) }, { "KeyExpirationTime", string.Format("{0}", keyExpirationTime) },
{ "TicketFlags", ticketFlags }, { "TicketFlags", ticketFlags },
{ "StartTime", String.Format("{0}", startTime) }, { "StartTime", string.Format("{0}", startTime) },
{ "EndTime", String.Format("{0}", endTime) }, { "EndTime", string.Format("{0}", endTime) },
{ "RenewUntil", String.Format("{0}", renewUntil) }, { "RenewUntil", string.Format("{0}", renewUntil) },
{ "TimeSkew", String.Format("{0}", timeSkew) }, { "TimeSkew", string.Format("{0}", timeSkew) },
{ "EncodedTicketSize", String.Format("{0}", encodedTicketSize) }, { "EncodedTicketSize", string.Format("{0}", encodedTicketSize) },
{ "Base64EncodedTicket", base64TGT }, { "Base64EncodedTicket", base64TGT },
}); });
totalTicketCount++; totalTicketCount++;
@@ -543,15 +543,15 @@ namespace winPEAS.KnownFileCreds.Kerberos
{ "ClientName", clientName }, { "ClientName", clientName },
{ "DomainName", domainName }, { "DomainName", domainName },
{ "TargetDomainName", targetDomainName }, { "TargetDomainName", targetDomainName },
{ "SessionKeyType", String.Format("{0}", sessionKeyType) }, { "SessionKeyType", string.Format("{0}", sessionKeyType) },
{ "Base64SessionKey", base64SessionKey }, { "Base64SessionKey", base64SessionKey },
{ "KeyExpirationTime", String.Format("{0}", keyExpirationTime) }, { "KeyExpirationTime", string.Format("{0}", keyExpirationTime) },
{ "TicketFlags", ticketFlags }, { "TicketFlags", ticketFlags },
{ "StartTime", String.Format("{0}", startTime) }, { "StartTime", string.Format("{0}", startTime) },
{ "EndTime", String.Format("{0}", endTime) }, { "EndTime", string.Format("{0}", endTime) },
{ "RenewUntil", String.Format("{0}", renewUntil) }, { "RenewUntil", string.Format("{0}", renewUntil) },
{ "TimeSkew", String.Format("{0}", timeSkew) }, { "TimeSkew", string.Format("{0}", timeSkew) },
{ "EncodedTicketSize", String.Format("{0}", encodedTicketSize) }, { "EncodedTicketSize", string.Format("{0}", encodedTicketSize) },
{ "Base64EncodedTicket", base64TGT }, { "Base64EncodedTicket", base64TGT },
}); });

168
winPEAS/winPEASexe/winPEAS/KnownFileCreds/KnownFileCredsInfo.cs
View File

@@ -23,7 +23,7 @@ namespace winPEAS.KnownFileCreds
{ {
if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes")) if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
{ {
results = RegistryHelper.GetRegValues("HKU", String.Format("{0}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU", SID)); results = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU", SID));
} }
} }
} }
@@ -43,7 +43,7 @@ namespace winPEAS.KnownFileCreds
{ {
if (MyUtils.IsHighIntegrity()) if (MyUtils.IsHighIntegrity())
{ {
string userFolder = String.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive")); string userFolder = string.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive"));
string[] dirs = Directory.GetDirectories(userFolder); string[] dirs = Directory.GetDirectories(userFolder);
foreach (string dir in dirs) foreach (string dir in dirs)
{ {
@@ -51,7 +51,7 @@ namespace winPEAS.KnownFileCreds
string userName = parts[parts.Length - 1]; string userName = parts[parts.Length - 1];
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users"))) if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{ {
string awsKeyFile = String.Format("{0}\\.aws\\credentials", dir); string awsKeyFile = string.Format("{0}\\.aws\\credentials", dir);
if (System.IO.File.Exists(awsKeyFile)) if (System.IO.File.Exists(awsKeyFile))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(awsKeyFile); DateTime lastAccessed = System.IO.File.GetLastAccessTime(awsKeyFile);
@@ -60,12 +60,12 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", awsKeyFile }, { "file", awsKeyFile },
{ "Description", "AWS credentials file" }, { "Description", "AWS credentials file" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
string computeCredsDb = String.Format("{0}\\AppData\\Roaming\\gcloud\\credentials.db", dir); string computeCredsDb = string.Format("{0}\\AppData\\Roaming\\gcloud\\credentials.db", dir);
if (System.IO.File.Exists(computeCredsDb)) if (System.IO.File.Exists(computeCredsDb))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeCredsDb); DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeCredsDb);
@@ -74,12 +74,12 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", computeCredsDb }, { "file", computeCredsDb },
{ "Description", "GC Compute creds" }, { "Description", "GC Compute creds" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
string computeLegacyCreds = String.Format("{0}\\AppData\\Roaming\\gcloud\\legacy_credentials", dir); string computeLegacyCreds = string.Format("{0}\\AppData\\Roaming\\gcloud\\legacy_credentials", dir);
if (System.IO.File.Exists(computeLegacyCreds)) if (System.IO.File.Exists(computeLegacyCreds))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeLegacyCreds); DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeLegacyCreds);
@@ -88,12 +88,12 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", computeLegacyCreds }, { "file", computeLegacyCreds },
{ "Description", "GC Compute creds legacy" }, { "Description", "GC Compute creds legacy" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
string computeAccessTokensDb = String.Format("{0}\\AppData\\Roaming\\gcloud\\access_tokens.db", dir); string computeAccessTokensDb = string.Format("{0}\\AppData\\Roaming\\gcloud\\access_tokens.db", dir);
if (System.IO.File.Exists(computeAccessTokensDb)) if (System.IO.File.Exists(computeAccessTokensDb))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeAccessTokensDb); DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeAccessTokensDb);
@@ -102,12 +102,12 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", computeAccessTokensDb }, { "file", computeAccessTokensDb },
{ "Description", "GC Compute tokens" }, { "Description", "GC Compute tokens" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
string azureTokens = String.Format("{0}\\.azure\\accessTokens.json", dir); string azureTokens = string.Format("{0}\\.azure\\accessTokens.json", dir);
if (System.IO.File.Exists(azureTokens)) if (System.IO.File.Exists(azureTokens))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(azureTokens); DateTime lastAccessed = System.IO.File.GetLastAccessTime(azureTokens);
@@ -116,12 +116,12 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", azureTokens }, { "file", azureTokens },
{ "Description", "Azure tokens" }, { "Description", "Azure tokens" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
string azureProfile = String.Format("{0}\\.azure\\azureProfile.json", dir); string azureProfile = string.Format("{0}\\.azure\\azureProfile.json", dir);
if (System.IO.File.Exists(azureProfile)) if (System.IO.File.Exists(azureProfile))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(azureProfile); DateTime lastAccessed = System.IO.File.GetLastAccessTime(azureProfile);
@@ -130,9 +130,9 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", azureProfile }, { "file", azureProfile },
{ "Description", "Azure profile" }, { "Description", "Azure profile" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
} }
@@ -140,7 +140,7 @@ namespace winPEAS.KnownFileCreds
} }
else else
{ {
string awsKeyFile = String.Format("{0}\\.aws\\credentials", System.Environment.GetEnvironmentVariable("USERPROFILE")); string awsKeyFile = string.Format("{0}\\.aws\\credentials", System.Environment.GetEnvironmentVariable("USERPROFILE"));
if (System.IO.File.Exists(awsKeyFile)) if (System.IO.File.Exists(awsKeyFile))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(awsKeyFile); DateTime lastAccessed = System.IO.File.GetLastAccessTime(awsKeyFile);
@@ -149,12 +149,12 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", awsKeyFile }, { "file", awsKeyFile },
{ "Description", "AWS keys file" }, { "Description", "AWS keys file" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
string computeCredsDb = String.Format("{0}\\AppData\\Roaming\\gcloud\\credentials.db", System.Environment.GetEnvironmentVariable("USERPROFILE")); string computeCredsDb = string.Format("{0}\\AppData\\Roaming\\gcloud\\credentials.db", System.Environment.GetEnvironmentVariable("USERPROFILE"));
if (System.IO.File.Exists(computeCredsDb)) if (System.IO.File.Exists(computeCredsDb))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeCredsDb); DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeCredsDb);
@@ -163,12 +163,12 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", computeCredsDb }, { "file", computeCredsDb },
{ "Description", "GC Compute creds" }, { "Description", "GC Compute creds" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
string computeLegacyCreds = String.Format("{0}\\AppData\\Roaming\\gcloud\\legacy_credentials", System.Environment.GetEnvironmentVariable("USERPROFILE")); string computeLegacyCreds = string.Format("{0}\\AppData\\Roaming\\gcloud\\legacy_credentials", System.Environment.GetEnvironmentVariable("USERPROFILE"));
if (System.IO.File.Exists(computeLegacyCreds)) if (System.IO.File.Exists(computeLegacyCreds))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeLegacyCreds); DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeLegacyCreds);
@@ -177,12 +177,12 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", computeLegacyCreds }, { "file", computeLegacyCreds },
{ "Description", "GC Compute creds legacy" }, { "Description", "GC Compute creds legacy" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
string computeAccessTokensDb = String.Format("{0}\\AppData\\Roaming\\gcloud\\access_tokens.db", System.Environment.GetEnvironmentVariable("USERPROFILE")); string computeAccessTokensDb = string.Format("{0}\\AppData\\Roaming\\gcloud\\access_tokens.db", System.Environment.GetEnvironmentVariable("USERPROFILE"));
if (System.IO.File.Exists(computeAccessTokensDb)) if (System.IO.File.Exists(computeAccessTokensDb))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeAccessTokensDb); DateTime lastAccessed = System.IO.File.GetLastAccessTime(computeAccessTokensDb);
@@ -191,12 +191,12 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", computeAccessTokensDb }, { "file", computeAccessTokensDb },
{ "Description", "GC Compute tokens" }, { "Description", "GC Compute tokens" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
string azureTokens = String.Format("{0}\\.azure\\accessTokens.json", System.Environment.GetEnvironmentVariable("USERPROFILE")); string azureTokens = string.Format("{0}\\.azure\\accessTokens.json", System.Environment.GetEnvironmentVariable("USERPROFILE"));
if (System.IO.File.Exists(azureTokens)) if (System.IO.File.Exists(azureTokens))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(azureTokens); DateTime lastAccessed = System.IO.File.GetLastAccessTime(azureTokens);
@@ -205,12 +205,12 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", azureTokens }, { "file", azureTokens },
{ "Description", "Azure tokens" }, { "Description", "Azure tokens" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
string azureProfile = String.Format("{0}\\.azure\\azureProfile.json", System.Environment.GetEnvironmentVariable("USERPROFILE")); string azureProfile = string.Format("{0}\\.azure\\azureProfile.json", System.Environment.GetEnvironmentVariable("USERPROFILE"));
if (System.IO.File.Exists(azureProfile)) if (System.IO.File.Exists(azureProfile))
{ {
DateTime lastAccessed = System.IO.File.GetLastAccessTime(azureProfile); DateTime lastAccessed = System.IO.File.GetLastAccessTime(azureProfile);
@@ -219,16 +219,16 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() { results.Add(new Dictionary<string, string>() {
{ "file", azureProfile }, { "file", azureProfile },
{ "Description", "Azure profile" }, { "Description", "Azure profile" },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) } { "Size", string.Format("{0}", size) }
}); });
} }
} }
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex)); Beaprint.GrayPrint(string.Format(" [X] Exception: {0}", ex));
} }
return results; return results;
} }
@@ -249,7 +249,7 @@ namespace winPEAS.KnownFileCreds
if (MyUtils.IsHighIntegrity()) if (MyUtils.IsHighIntegrity())
{ {
string userFolder = String.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive")); string userFolder = string.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive"));
string[] dirs = Directory.GetDirectories(userFolder); string[] dirs = Directory.GetDirectories(userFolder);
foreach (string dir in dirs) foreach (string dir in dirs)
{ {
@@ -258,7 +258,7 @@ namespace winPEAS.KnownFileCreds
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users"))) if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{ {
string recentPath = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\", dir); string recentPath = string.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\", dir);
try try
{ {
string[] recentFiles = Directory.GetFiles(recentPath, "*.lnk", SearchOption.AllDirectories); string[] recentFiles = Directory.GetFiles(recentPath, "*.lnk", SearchOption.AllDirectories);
@@ -281,7 +281,7 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() results.Add(new Dictionary<string, string>()
{ {
{ "Target", TargetPath.ToString() }, { "Target", TargetPath.ToString() },
{ "Accessed", String.Format("{0}", lastAccessed) } { "Accessed", string.Format("{0}", lastAccessed) }
}); });
} }
Marshal.ReleaseComObject(shortcut); Marshal.ReleaseComObject(shortcut);
@@ -296,7 +296,7 @@ namespace winPEAS.KnownFileCreds
} }
else else
{ {
string recentPath = String.Format("{0}\\Microsoft\\Windows\\Recent\\", System.Environment.GetEnvironmentVariable("APPDATA")); string recentPath = string.Format("{0}\\Microsoft\\Windows\\Recent\\", System.Environment.GetEnvironmentVariable("APPDATA"));
string[] recentFiles = Directory.GetFiles(recentPath, "*.lnk", SearchOption.AllDirectories); string[] recentFiles = Directory.GetFiles(recentPath, "*.lnk", SearchOption.AllDirectories);
@@ -318,7 +318,7 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() results.Add(new Dictionary<string, string>()
{ {
{ "Target", TargetPath.ToString() }, { "Target", TargetPath.ToString() },
{ "Accessed", String.Format("{0}", lastAccessed) } { "Accessed", string.Format("{0}", lastAccessed) }
}); });
} }
Marshal.ReleaseComObject(shortcut); Marshal.ReleaseComObject(shortcut);
@@ -332,7 +332,7 @@ namespace winPEAS.KnownFileCreds
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex)); Beaprint.GrayPrint(string.Format(" [X] Exception: {0}", ex));
} }
return results; return results;
} }
@@ -345,7 +345,7 @@ namespace winPEAS.KnownFileCreds
{ {
if (MyUtils.IsHighIntegrity()) if (MyUtils.IsHighIntegrity())
{ {
string userFolder = String.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive")); string userFolder = string.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive"));
string[] dirs = Directory.GetDirectories(userFolder); string[] dirs = Directory.GetDirectories(userFolder);
foreach (string dir in dirs) foreach (string dir in dirs)
{ {
@@ -354,8 +354,8 @@ namespace winPEAS.KnownFileCreds
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users"))) if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{ {
List<string> userDPAPIBasePaths = new List<string>(); List<string> userDPAPIBasePaths = new List<string>();
userDPAPIBasePaths.Add(String.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE"))); userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
userDPAPIBasePaths.Add(String.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE"))); userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
foreach (string userDPAPIBasePath in userDPAPIBasePaths) foreach (string userDPAPIBasePath in userDPAPIBasePaths)
{ {
@@ -376,8 +376,8 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() results.Add(new Dictionary<string, string>()
{ {
{ "MasterKey", file }, { "MasterKey", file },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
}); });
} }
} }
@@ -391,8 +391,8 @@ namespace winPEAS.KnownFileCreds
{ {
string userName = Environment.GetEnvironmentVariable("USERNAME"); string userName = Environment.GetEnvironmentVariable("USERNAME");
List<string> userDPAPIBasePaths = new List<string>(); List<string> userDPAPIBasePaths = new List<string>();
userDPAPIBasePaths.Add(String.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE"))); userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
userDPAPIBasePaths.Add(String.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE"))); userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
foreach (string userDPAPIBasePath in userDPAPIBasePaths) foreach (string userDPAPIBasePath in userDPAPIBasePaths)
{ {
@@ -413,8 +413,8 @@ namespace winPEAS.KnownFileCreds
results.Add(new Dictionary<string, string>() results.Add(new Dictionary<string, string>()
{ {
{ "MasterKey", file }, { "MasterKey", file },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
}); });
} }
} }
@@ -438,7 +438,7 @@ namespace winPEAS.KnownFileCreds
{ {
if (MyUtils.IsHighIntegrity()) if (MyUtils.IsHighIntegrity())
{ {
string userFolder = String.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive")); string userFolder = string.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive"));
string[] dirs = Directory.GetDirectories(userFolder); string[] dirs = Directory.GetDirectories(userFolder);
foreach (string dir in dirs) foreach (string dir in dirs)
@@ -448,8 +448,8 @@ namespace winPEAS.KnownFileCreds
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users"))) if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{ {
List<string> userCredFilePaths = new List<string>(); List<string> userCredFilePaths = new List<string>();
userCredFilePaths.Add(String.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", dir)); userCredFilePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", dir));
userCredFilePaths.Add(String.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", dir)); userCredFilePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", dir));
foreach (string userCredFilePath in userCredFilePaths) foreach (string userCredFilePath in userCredFilePaths)
{ {
@@ -484,10 +484,10 @@ namespace winPEAS.KnownFileCreds
{ {
{ "CredFile", file }, { "CredFile", file },
{ "Description", desc }, { "Description", desc },
{ "MasterKey", String.Format("{0}", guidMasterKey) }, { "MasterKey", string.Format("{0}", guidMasterKey) },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) }, { "Size", string.Format("{0}", size) },
}); });
} }
} }
@@ -496,7 +496,7 @@ namespace winPEAS.KnownFileCreds
} }
} }
string systemFolder = String.Format("{0}\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials", Environment.GetEnvironmentVariable("SystemRoot")); string systemFolder = string.Format("{0}\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials", Environment.GetEnvironmentVariable("SystemRoot"));
string[] files = Directory.GetFiles(systemFolder); string[] files = Directory.GetFiles(systemFolder);
if ((files != null) && (files.Length != 0)) if ((files != null) && (files.Length != 0))
{ {
@@ -526,10 +526,10 @@ namespace winPEAS.KnownFileCreds
{ {
{ "CredFile", file }, { "CredFile", file },
{ "Description", desc }, { "Description", desc },
{ "MasterKey", String.Format("{0}", guidMasterKey) }, { "MasterKey", string.Format("{0}", guidMasterKey) },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) }, { "Size", string.Format("{0}", size) },
}); });
} }
} }
@@ -538,8 +538,8 @@ namespace winPEAS.KnownFileCreds
{ {
string userName = Environment.GetEnvironmentVariable("USERNAME"); string userName = Environment.GetEnvironmentVariable("USERNAME");
List<string> userCredFilePaths = new List<string>(); List<string> userCredFilePaths = new List<string>();
userCredFilePaths.Add(String.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE"))); userCredFilePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
userCredFilePaths.Add(String.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE"))); userCredFilePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
foreach (string userCredFilePath in userCredFilePaths) foreach (string userCredFilePath in userCredFilePaths)
{ {
@@ -573,10 +573,10 @@ namespace winPEAS.KnownFileCreds
{ {
{ "CredFile", file }, { "CredFile", file },
{ "Description", desc }, { "Description", desc },
{ "MasterKey", String.Format("{0}", guidMasterKey) }, { "MasterKey", string.Format("{0}", guidMasterKey) },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ "Size", String.Format("{0}", size) }, { "Size", string.Format("{0}", size) },
}); });
} }
} }

8
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs
View File

@@ -86,7 +86,7 @@ namespace winPEAS.KnownFileCreds
{ {
if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes")) if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
{ {
string[] subKeys = RegistryHelper.GetRegSubkeys("HKU", String.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions\\", SID)); string[] subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions\\", SID));
foreach (string sessionName in subKeys) foreach (string sessionName in subKeys)
{ {
@@ -117,7 +117,7 @@ namespace winPEAS.KnownFileCreds
}; };
foreach (string key in keys) foreach (string key in keys)
putty_sess[key] = RegistryHelper.GetRegValue("HKU", String.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions\\{1}", SID, sessionName), key); putty_sess[key] = RegistryHelper.GetRegValue("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions\\{1}", SID, sessionName), key);
results.Add(putty_sess); results.Add(putty_sess);
} }
@@ -155,7 +155,7 @@ namespace winPEAS.KnownFileCreds
}; };
foreach (string key in keys) foreach (string key in keys)
putty_sess[key] = RegistryHelper.GetRegValue("HKCU", String.Format("Software\\SimonTatham\\PuTTY\\Sessions\\{0}", sessionName), key); putty_sess[key] = RegistryHelper.GetRegValue("HKCU", string.Format("Software\\SimonTatham\\PuTTY\\Sessions\\{0}", sessionName), key);
results.Add(putty_sess); results.Add(putty_sess);
} }
@@ -176,7 +176,7 @@ namespace winPEAS.KnownFileCreds
{ {
if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes")) if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
{ {
Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKU", String.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\", SID)); Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\", SID));
if ((hostKeys != null) && (hostKeys.Count != 0)) if ((hostKeys != null) && (hostKeys.Count != 0))
{ {
Dictionary<string, string> putty_ssh = new Dictionary<string, string>(); Dictionary<string, string> putty_ssh = new Dictionary<string, string>();

20
winPEAS/winPEASexe/winPEAS/KnownFileCreds/RemoteDesktop.cs
View File

@@ -23,13 +23,13 @@ namespace winPEAS.KnownFileCreds
{ {
if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes")) if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
{ {
string[] subkeys = RegistryHelper.GetRegSubkeys("HKU", String.Format("{0}\\Software\\Microsoft\\Terminal Server Client\\Servers", SID)); string[] subkeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\Microsoft\\Terminal Server Client\\Servers", SID));
if (subkeys != null) if (subkeys != null)
{ {
//Console.WriteLine("\r\n\r\n=== Saved RDP Connection Information ({0}) ===", SID); //Console.WriteLine("\r\n\r\n=== Saved RDP Connection Information ({0}) ===", SID);
foreach (string host in subkeys) foreach (string host in subkeys)
{ {
string usernameHint = RegistryHelper.GetRegValue("HKCU", String.Format("Software\\Microsoft\\Terminal Server Client\\Servers\\{0}", host), "UsernameHint"); string usernameHint = RegistryHelper.GetRegValue("HKCU", string.Format("Software\\Microsoft\\Terminal Server Client\\Servers\\{0}", host), "UsernameHint");
Dictionary<string, string> rdp_info = new Dictionary<string, string>() { Dictionary<string, string> rdp_info = new Dictionary<string, string>() {
{ "SID", SID }, { "SID", SID },
{ "Host", host }, { "Host", host },
@@ -48,7 +48,7 @@ namespace winPEAS.KnownFileCreds
{ {
foreach (string host in subkeys) foreach (string host in subkeys)
{ {
string usernameHint = RegistryHelper.GetRegValue("HKCU", String.Format("Software\\Microsoft\\Terminal Server Client\\Servers\\{0}", host), "UsernameHint"); string usernameHint = RegistryHelper.GetRegValue("HKCU", string.Format("Software\\Microsoft\\Terminal Server Client\\Servers\\{0}", host), "UsernameHint");
Dictionary<string, string> rdp_info = new Dictionary<string, string>() { Dictionary<string, string> rdp_info = new Dictionary<string, string>() {
{ "SID", "" }, { "SID", "" },
{ "Host", host }, { "Host", host },
@@ -69,7 +69,7 @@ namespace winPEAS.KnownFileCreds
{ {
if (MyUtils.IsHighIntegrity()) if (MyUtils.IsHighIntegrity())
{ {
string userFolder = String.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive")); string userFolder = string.Format("{0}\\Users\\", Environment.GetEnvironmentVariable("SystemDrive"));
string[] dirs = Directory.GetDirectories(userFolder); string[] dirs = Directory.GetDirectories(userFolder);
foreach (string dir in dirs) foreach (string dir in dirs)
@@ -78,7 +78,7 @@ namespace winPEAS.KnownFileCreds
string userName = parts[parts.Length - 1]; string userName = parts[parts.Length - 1];
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users"))) if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{ {
string userRDManFile = String.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", dir); string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", dir);
if (System.IO.File.Exists(userRDManFile)) if (System.IO.File.Exists(userRDManFile))
{ {
XmlDocument xmlDoc = new XmlDocument(); XmlDocument xmlDoc = new XmlDocument();
@@ -93,8 +93,8 @@ namespace winPEAS.KnownFileCreds
DateTime lastModified = System.IO.File.GetLastWriteTime(userRDManFile); DateTime lastModified = System.IO.File.GetLastWriteTime(userRDManFile);
Dictionary<string, string> rdg = new Dictionary<string, string>(){ Dictionary<string, string> rdg = new Dictionary<string, string>(){
{ "RDCManFile", userRDManFile }, { "RDCManFile", userRDManFile },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ ".RDG Files", "" }, { ".RDG Files", "" },
}; };
@@ -109,7 +109,7 @@ namespace winPEAS.KnownFileCreds
else else
{ {
string userName = Environment.GetEnvironmentVariable("USERNAME"); string userName = Environment.GetEnvironmentVariable("USERNAME");
string userRDManFile = String.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", System.Environment.GetEnvironmentVariable("USERPROFILE")); string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", System.Environment.GetEnvironmentVariable("USERPROFILE"));
if (System.IO.File.Exists(userRDManFile)) if (System.IO.File.Exists(userRDManFile))
{ {
@@ -125,8 +125,8 @@ namespace winPEAS.KnownFileCreds
DateTime lastModified = System.IO.File.GetLastWriteTime(userRDManFile); DateTime lastModified = System.IO.File.GetLastWriteTime(userRDManFile);
Dictionary<string, string> rdg = new Dictionary<string, string>(){ Dictionary<string, string> rdg = new Dictionary<string, string>(){
{ "RDCManFile", userRDManFile }, { "RDCManFile", userRDManFile },
{ "Accessed", String.Format("{0}", lastAccessed) }, { "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", String.Format("{0}", lastModified) }, { "Modified", string.Format("{0}", lastModified) },
{ ".RDG Files", "" }, { ".RDG Files", "" },
}; };

12
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Vault/VaultCli.cs
View File

@@ -114,7 +114,7 @@ namespace winPEAS.KnownFileCreds.Vault
for (int j = 1; j <= vaultItemCount; j++) for (int j = 1; j <= vaultItemCount; j++)
{ {
Dictionary<string, string> vault_cred = new Dictionary<string, string>() { Dictionary<string, string> vault_cred = new Dictionary<string, string>() {
{ "GUID", String.Format("{0}", vaultGuid) }, { "GUID", string.Format("{0}", vaultGuid) },
{ "Type", vaultType }, { "Type", vaultType },
{ "Resource", "" }, { "Resource", "" },
{ "Identity", "" }, { "Identity", "" },
@@ -172,19 +172,19 @@ namespace winPEAS.KnownFileCreds.Vault
object resource = GetVaultElementValue(pResourceElement); object resource = GetVaultElementValue(pResourceElement);
if (resource != null) if (resource != null)
{ {
vault_cred["Resource"] = String.Format("{0}", resource); vault_cred["Resource"] = string.Format("{0}", resource);
} }
object identity = GetVaultElementValue(pIdentityElement); object identity = GetVaultElementValue(pIdentityElement);
if (identity != null) if (identity != null)
{ {
vault_cred["Identity"] = String.Format("{0}", identity); vault_cred["Identity"] = string.Format("{0}", identity);
} }
if (packageSid != null) if (packageSid != null)
{ {
vault_cred["PacakgeSid"] = String.Format("{0}", packageSid); vault_cred["PacakgeSid"] = string.Format("{0}", packageSid);
} }
vault_cred["Credential"] = String.Format("{0}", cred); vault_cred["Credential"] = string.Format("{0}", cred);
vault_cred["Last Modified"] = String.Format("{0}", System.DateTime.FromFileTimeUtc((long)lastModified)); vault_cred["Last Modified"] = string.Format("{0}", System.DateTime.FromFileTimeUtc((long)lastModified));
results.Add(vault_cred); results.Add(vault_cred);
} }
} }

2
winPEAS/winPEASexe/winPEAS/TaskScheduler/TaskFolder.cs
View File

@@ -331,7 +331,7 @@ namespace winPEAS.TaskScheduler
break; break;
case TaskLogonType.ServiceAccount: case TaskLogonType.ServiceAccount:
flags &= ~(TaskFlags.Interactive | TaskFlags.RunOnlyIfLoggedOn); flags &= ~(TaskFlags.Interactive | TaskFlags.RunOnlyIfLoggedOn);
definition.v1Task.SetAccountInformation((String.IsNullOrEmpty(userId) || user.IsSystem) ? String.Empty : user.Name, IntPtr.Zero); definition.v1Task.SetAccountInformation((string.IsNullOrEmpty(userId) || user.IsSystem) ? String.Empty : user.Name, IntPtr.Zero);
break; break;
case TaskLogonType.InteractiveTokenOrPassword: case TaskLogonType.InteractiveTokenOrPassword:
flags |= TaskFlags.Interactive; flags |= TaskFlags.Interactive;

10
winPEAS/winPEASexe/winPEAS/winPEAS.csproj
View File

@@ -26,6 +26,7 @@
<WarningLevel>4</WarningLevel> <WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit> <Prefer32Bit>false</Prefer32Bit>
<LangVersion>8.0</LangVersion> <LangVersion>8.0</LangVersion>
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' "> <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget> <PlatformTarget>AnyCPU</PlatformTarget>
@@ -116,6 +117,15 @@
<Compile Include="Checks\SystemInfo.cs" /> <Compile Include="Checks\SystemInfo.cs" />
<Compile Include="Checks\UserInfo.cs" /> <Compile Include="Checks\UserInfo.cs" />
<Compile Include="Checks\WindowsCreds.cs" /> <Compile Include="Checks\WindowsCreds.cs" />
<Compile Include="Helpers\AppLocker\AppLockerRules.cs" />
<Compile Include="Helpers\AppLocker\IAppIdPolicyHandler.cs" />
<Compile Include="Helpers\AppLocker\SharpAppLocker.cs" />
<Compile Include="Helpers\CredentialManager\Credential.cs" />
<Compile Include="Helpers\CredentialManager\CredentialManager.cs" />
<Compile Include="Helpers\CredentialManager\CredentialType.cs" />
<Compile Include="Helpers\CredentialManager\NativeMethods.cs" />
<Compile Include="Helpers\CredentialManager\PersistenceType.cs" />
<Compile Include="Helpers\CredentialManager\SecureStringHelper.cs" />
<Compile Include="Helpers\CustomFileInfo.cs" /> <Compile Include="Helpers\CustomFileInfo.cs" />
<Compile Include="Helpers\MemoryHelper.cs" /> <Compile Include="Helpers\MemoryHelper.cs" />
<Compile Include="Helpers\PermissionsHelper.cs" /> <Compile Include="Helpers\PermissionsHelper.cs" />