Update FileAnalysis.cs

Fix small typo in /parser/README.md

linPEAS/README.md

@@ -47,6 +47,12 @@ chmod +x linpeas_linux_amd64
 ./linpeas_linux_amd64
 ```
 
+```bash
+# Execute from memory in Penelope session
+# From: https://github.com/brightio/penelope
+> run peass-ng
+```
+
 ## Firmware Analysis
 If you have a **firmware** and you want to **analyze it with linpeas** to **search for passwords or bad configured permissions** you have 2 main options.
 

linPEAS/builder/linpeas_parts/2_container.sh

@@ -77,7 +77,7 @@ enumerateDockerSockets() {
   dockerVersion="$(echo_not_found)"
   if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
     SEARCHED_DOCKER_SOCKETS="1"
-    for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -n -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
+    for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -o -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
       if ! [ "$IAMROOT" ] && [ -w "$int_sock" ]; then
         if echo "$int_sock" | grep -Eq "docker"; then
           dock_sock="$int_sock"

parsers/README.md

@@ -3,7 +3,7 @@
 These scripts allows you to transform the output of linpeas/macpeas/winpeas to JSON and then to PDF and HTML.
 
 ```python3
-python3 peass2json.py </path/to/executed_peass.out> </path/to/peass.json>
+python3 peas2json.py </path/to/executed_peass.out> </path/to/peass.json>
 python3 json2pdf.py </path/to/peass.json> </path/to/peass.pdf>
 python3 json2html.py </path/to/peass.json> </path/to/peass.html>
 ```

winPEAS/README.md

@@ -22,4 +22,4 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
 
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
 
-By Polop<sup>(TM)</sup>
+By Polop

winPEAS/winPEASexe/README.md

@@ -85,6 +85,7 @@ searchpf             Search credentials via regex also in Program Files folders
 wait                 Wait for user input between checks
 debug                Display debugging information - memory usage, method execution time
 log[=logfile]        Log all output to file defined as logfile, or to "out.txt" if not specified
+MaxRegexFileSize=1000000        Max file size (in Bytes) to search regex in. Default: 1000000B
 
 Additional checks (slower):
 -lolbas              Run additional LOLBAS check
@@ -285,4 +286,4 @@ If you find any issue, please report it using **[github issues](https://github.c
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
 
 
-By Polop<sup>(TM)</sup>, makikvues (makikvues2[at]gmail[dot].com)
+By Polop

winPEAS/winPEASexe/winPEAS/App.config

@@ -3,4 +3,7 @@
     <startup useLegacyV2RuntimeActivationPolicy="true"> 
         
     <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/></startup>
+    <runtime>
+		<AppContextSwitchOverrides value="Switch.System.IO.UseLegacyPathHandling=false" />
+	</runtime>
 </configuration>

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

@@ -35,6 +35,9 @@ namespace winPEAS.Checks
         public static string PaintActiveUsersNoAdministrator = "";
         public static string PaintDisabledUsers = "";
         public static string PaintDisabledUsersNoAdministrator = "";
+        public static bool IsLongPath = false;
+        public static bool WarningIsLongPath = false;
+        public static int MaxRegexFileSize = 1000000;
         //static string paint_lockoutUsers = "";
         public static string PaintAdminUsers = "";
         public static YamlConfig YamlConfig;
@@ -159,6 +162,16 @@ namespace winPEAS.Checks
                     SearchProgramFiles = true;
                 }
 
+                if (string.Equals(arg, "max-regex-file-size", StringComparison.CurrentCultureIgnoreCase))
+                {
+                    var parts = arg.Split('=');
+                    if (parts.Length >= 2 && !string.IsNullOrEmpty(parts[1]))
+                    {
+                        MaxRegexFileSize = Int32.Parse(parts[1]);
+                    }
+                        
+                }
+
                 if (string.Equals(arg, "-lolbas", StringComparison.CurrentCultureIgnoreCase))
                 {
                     IsLolbas = true;
@@ -206,6 +219,8 @@ namespace winPEAS.Checks
                         CheckRegANSI();
                     }
 
+                    CheckLongPath();
+
                     Beaprint.PrintInit();
 
                     CheckRunner.Run(CreateDynamicLists, IsDebug);
@@ -404,6 +419,24 @@ namespace winPEAS.Checks
             }
         }
 
+        private static void CheckLongPath()
+        {
+            try
+            {
+                if (RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\FileSystem", "LongPathsEnabled") != "1")
+                {
+                    System.Console.WriteLine(@"Long paths are disabled, so the maximum length of a path supported is 260chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
+                    IsLongPath = false;
+                }
+                else
+                    IsLongPath = true;
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("Error while checking LongPathsEnabled registry: " + ex);
+            }
+        }
+
         private static void WaitInput()
         {
             Console.Write("\n -- Press a key to continue... ");

winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.IO;
 using System.Linq;
 using System.Text.RegularExpressions;
@@ -70,6 +71,9 @@ namespace winPEAS.Checks
 
         private static bool[] Search(List<CustomFileInfo> files, string fileName, FileSettings fileSettings, ref int resultsCount, string searchName, bool somethingFound)
         {
+            if (Checks.IsDebug)
+                Beaprint.PrintDebugLine($"Searching for {fileName}");
+
             bool isRegexSearch = fileName.Contains("*");
             bool isFolder = fileSettings.files != null;
             string pattern = string.Empty;
@@ -139,6 +143,7 @@ namespace winPEAS.Checks
                 }
             }
 
+           
             return new bool[] { false, somethingFound };
         }
 
@@ -149,15 +154,39 @@ namespace winPEAS.Checks
             try
             {
                 Regex rgx;
+                bool is_re_match = false;
+                try
+                {
+                    // Use "IsMatch" because it supports timeout, if exception is thrown exit the func to avoid ReDoS in "rgx.Matches"
                     if (caseinsensitive)
+                    {
+                        is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
                         rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase);
+                    }
                     else
+                    {
+                        is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.None, TimeSpan.FromSeconds(120));
                         rgx = new Regex(regex_str.Trim());
+                    }
+                }
+                catch (RegexMatchTimeoutException e)
+                {
+                    if (Checks.IsDebug)
+                    {
+                        Beaprint.GrayPrint($"The regex {regex_str} had a timeout (ReDoS avoided but regex unchecked in a file)");
+                    }
+                    return foundMatches;
+                }
+                
+                if (!is_re_match)
+                {
+                    return foundMatches;
+                }
 
                 int cont = 0;
                 foreach (Match match in rgx.Matches(text))
                 {
-                    if (cont > 4) break;
+                    if (cont > 10) break;
                     
                     if (match.Value.Length < 400 && match.Value.Trim().Length > 2)
                         foundMatches.Add(match.Value);
@@ -232,7 +261,7 @@ namespace winPEAS.Checks
                     ".txt", ".text", ".md", ".markdown", ".toml", ".rtf",
 
                     // config
-                    ".conf", ".config", ".json", ".yml", ".yaml", ".xml", ".xaml", 
+                    ".cnf", ".conf", ".config", ".json", ".yml", ".yaml", ".xml", ".xaml", 
 
                     // dev
                     ".py", ".js", ".html", ".c", ".cpp", ".pl", ".rb", ".smali", ".java", ".php", ".bat", ".ps1",
@@ -246,11 +275,30 @@ namespace winPEAS.Checks
                     "eula.rtf", "changelog.md"
                 };
 
-                // No dirs, less thatn 1MB, only interesting extensions and not false positives files.
+                if (Checks.IsDebug)
-                var files = InitializeFileSearch(Checks.SearchProgramFiles).Where(f => !f.IsDirectory && valid_extensions.Contains(f.Extension.ToLower()) && !invalid_names.Contains(f.Filename.ToLower()) && f.Size > 0 && f.Size < 1000000).ToList();
+                    Beaprint.PrintDebugLine("Looking for secrets inside files via regexes");
+
+                // No dirs, less than 1MB, only interesting extensions and not false positives files.
+                var files = InitializeFileSearch(Checks.SearchProgramFiles).Where(f => !f.IsDirectory && valid_extensions.Contains(f.Extension.ToLower()) && !invalid_names.Contains(f.Filename.ToLower()) && f.Size > 0 && f.Size < Checks.MaxRegexFileSize).ToList();
                 var config = Checks.RegexesYamlConfig; // Get yaml info
                 Dictionary<string, Dictionary<string, Dictionary<string, List<string>>>> foundRegexes = new Dictionary<string, Dictionary<string, Dictionary<string, List<string>>>> { };
 
+                if (Checks.IsDebug)
+                {
+                    Beaprint.PrintDebugLine($"Searching regexes in {files.Count} files");
+                    valid_extensions.ForEach(ext =>
+                    {
+                        int cont = 0;
+                        files.ForEach(f =>
+                        {
+                            if (f.Extension.ToLower() == ext.ToLower())
+                                cont++;
+                        });
+                        Beaprint.PrintDebugLine($"Found {cont} files with ext {ext}");
+                    });
+
+                }
+
                 /*
                  * Useful for debbugging purposes to see the common file extensions found
                 Dictionary <string, int> dict_str = new Dictionary<string, int>();
@@ -283,8 +331,7 @@ namespace winPEAS.Checks
 
                         Parallel.ForEach(files, new ParallelOptions { MaxDegreeOfParallelism = num_threads }, f =>
                         {
-                        //foreach (var f in files)
+
-                        //{
                             foreach (var regex_obj in config.regular_expresions)
                             {
                                 foreach (var regex in regex_obj.regexes)
@@ -296,6 +343,13 @@ namespace winPEAS.Checks
 
                                     List<string> results = new List<string> { };
 
+                                    var timer = new Stopwatch();
+                                    if (Checks.IsDebug)
+                                    {
+                                        timer.Start();
+                                    }
+                                    
+
                                     try
                                     {
                                         string text = System.IO.File.ReadAllText(f.FullPath);
@@ -313,12 +367,20 @@ namespace winPEAS.Checks
                                     {
                                         // Cannot read the file
                                     }
+
+                                    if (Checks.IsDebug)
+                                    {
+                                        timer.Stop();
+
+                                        TimeSpan timeTaken = timer.Elapsed;
+                                        if (timeTaken.TotalMilliseconds > 20000)
+                                            Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}");
+                                    }
                                 }
                             }
                             pb += (double)100 / files.Count;
                             progress.Report(pb / 100); //Value must be in [0..1] range
                         });
-                        //}
                     }, Checks.IsDebug);
                 }
 

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -105,7 +105,7 @@ namespace winPEAS.Helpers
 
             PrintLegend();
             Console.WriteLine();
-            LinkPrint("https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:");
+            Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: "+YELLOW+"https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation");
         }
 
         static void PrintLegend()
@@ -122,29 +122,31 @@ namespace winPEAS.Helpers
         public static void PrintUsage()
         {
             Console.WriteLine(YELLOW + "  [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        domain" + GRAY + "               Enumerate domain information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        domain" + GRAY + "               Enumerate domain information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        systeminfo" + GRAY + "           Search system information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        systeminfo" + GRAY + "           Search system information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        userinfo" + GRAY + "             Search user information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        userinfo" + GRAY + "             Search user information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        processinfo" + GRAY + "          Search processes information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        processinfo" + GRAY + "          Search processes information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        servicesinfo" + GRAY + "         Search services information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        servicesinfo" + GRAY + "         Search services information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        applicationsinfo" + GRAY + "     Search installed applications information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        applicationsinfo" + GRAY + "     Search installed applications information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        networkinfo" + GRAY + "          Search network information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        networkinfo" + GRAY + "          Search network information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        windowscreds" + GRAY + "         Search windows credentials" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        windowscreds" + GRAY + "         Search windows credentials" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        browserinfo" + GRAY + "          Search browser information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        browserinfo" + GRAY + "          Search browser information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        filesinfo" + GRAY + "            Search generic files that can contains credentials" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        filesinfo" + GRAY + "            Search generic files that can contains credentials" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        fileanalysis" + GRAY + "         Search specific files that can contains credentials and for regexes inside files" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        fileanalysis" + GRAY + "         Search specific files that can contains credentials and for regexes inside files" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        eventsinfo" + GRAY + "           Display interesting events information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        eventsinfo" + GRAY + "           Display interesting events information" + NOCOLOR);
             Console.WriteLine();
-            Console.WriteLine(LBLUE + "        quiet" + GRAY + "                Do not print banner" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        quiet" + GRAY + "                Do not print banner" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        notcolor" + GRAY + "             Don't use ansi colors (all white)" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        notcolor" + GRAY + "             Don't use ansi colors (all white)" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        searchpf" + GRAY + "             Search credentials via regex also in Program Files folders" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        searchpf" + GRAY + "             Search credentials via regex also in Program Files folders" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        wait" + GRAY + "                 Wait for user input between checks" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        wait" + GRAY + "                 Wait for user input between checks" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        debug" + GRAY + "                Display debugging information - memory usage, method execution time" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        debug" + GRAY + "                Display debugging information - memory usage, method execution time" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        log[=logfile]" + GRAY + $"        Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        log[=logfile]" + GRAY + $"        Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        max-regex-file-size=1000000" + GRAY + $"        Max file size (in Bytes) to search regex in. Default: {Checks.Checks.MaxRegexFileSize}B" + NOCOLOR);
+            
             Console.WriteLine();
-            Console.WriteLine(LCYAN + "        Additional checks (slower):");
+            Console.WriteLine(GREEN + "        Additional checks (slower):");
-            Console.WriteLine(LBLUE + "        -lolbas" + GRAY + $"              Run additional LOLBAS check" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        -lolbas" + GRAY + $"              Run additional LOLBAS check" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        -linpeas=[url]" + GRAY + $"       Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" +
+            Console.WriteLine(LCYAN + "        -linpeas=[url]" + GRAY + $"       Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" +
                                      $"                             (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR);
 
         }
@@ -213,9 +215,18 @@ namespace winPEAS.Helpers
             Console.WriteLine(DGRAY + to_print + NOCOLOR);
         }
 
+        public static void LongPathWarning(string path)
+        {
+            if (!Checks.Checks.WarningIsLongPath)
+            {
+                GrayPrint($"The path {path} is too large, try to enable LongPaths in the registry (no more warning about this will be shown)");
+                Checks.Checks.WarningIsLongPath = true;
+            }
+        }
+
         internal static void PrintDebugLine(string log)
         {
-            Console.WriteLine(YELLOW + "  [Debug]  " + log + NOCOLOR);
+            Console.WriteLine(DGRAY + "  [Debug]  " + log + NOCOLOR);
             Console.WriteLine();
         }
 

winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs

@@ -76,7 +76,7 @@ namespace winPEAS.Helpers.Search
                             if (!StaticExtensions.Contains(f.Extension.ToLower()))
                             {
                                 // It should always be lesss than 260, but some times it isn't so this will bypass that file
-                                if (f.FullName.Length <= 260)
+                                if (Checks.Checks.IsLongPath || f.FullName.Length <= 260)
                                 {
                                     CustomFileInfo file_info = new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false);
                                     files.Add(file_info);
@@ -88,6 +88,8 @@ namespace winPEAS.Helpers.Search
                                         files.Add(file_dir);
                                     }
                                 }
+                                else if (f.FullName.Length > 260)
+                                    Beaprint.LongPathWarning(f.FullName);
                             }
                         }
                         ) ;
@@ -169,14 +171,24 @@ namespace winPEAS.Helpers.Search
                     {
                         foreach (var directory in directories)
                         {
+                            if (Checks.Checks.IsLongPath || directory.FullName.Length <= 260)
                                 files.Add(new CustomFileInfo(directory.Name, null, directory.FullName, 0, true));
+
+                            else if (directory.FullName.Length > 260)
+                                Beaprint.LongPathWarning(directory.FullName);
                         }
                     }
 
                     foreach (var f in dirInfo.GetFiles(pattern))
                     {
                         if (!StaticExtensions.Contains(f.Extension.ToLower()))
+                        {
+                            if (Checks.Checks.IsLongPath || f.FullName.Length <= 260)
                                 files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false));
+
+                            else if (f.FullName.Length > 260)
+                                Beaprint.LongPathWarning(f.FullName);
+                        }
                     }
 
                     if (directories.Length > 1) return new List<DirectoryInfo>(directories);

winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user

@@ -5,7 +5,7 @@
     </StartArguments>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
-    <StartArguments>fileanalysis</StartArguments>
+    <StartArguments>fileanalysis debug</StartArguments>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
     <StartArguments>debug</StartArguments>