Fixed binding error (#577)

Co-authored-by: Martin <git@frandel.eu>

.github/codex/pr-merge-schema.json

@@ -0,0 +1,18 @@
+{
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {
+    "decision": {
+      "type": "string",
+      "enum": ["merge", "comment"]
+    },
+    "message": {
+      "type": "string"
+    },
+    "confidence": {
+      "type": "string",
+      "enum": ["low", "medium", "high"]
+    }
+  },
+  "required": ["decision", "message", "confidence"]
+}

.github/workflows/CI-PR_from_dev.yml

@@ -1,26 +0,0 @@
-name: CI-PR_from_dev
-
-on:
-  push:
-    branches:
-      - winpeas_dev
-      - linpeas_dev
-
-  workflow_dispatch:
-
-jobs:     
-  create_pull_request:
-    runs-on: ubuntu-latest
-    
-    steps:
-      # checkout
-      - name: Checkout
-        uses: actions/checkout@v2
-    
-      # PR     
-      - name: Pull Request
-        uses: repo-sync/pull-request@v2
-        with:
-          destination_branch: "master"
-          github_token: ${{ secrets.PULL_REQUEST_TOKEN }}
-      

.github/workflows/CI-master_tests.yml

@@ -26,7 +26,7 @@ jobs:
     steps:
       # checkout
       - name: Checkout
-        uses: actions/checkout@master
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       
@@ -36,11 +36,11 @@ jobs:
             
       # Add  MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
       - name: Setup MSBuild.exe
-        uses: microsoft/setup-msbuild@v1.0.2
+        uses: microsoft/setup-msbuild@v2
        
       # Setup NuGet
       - name: Setup NuGet.exe
-        uses: nuget/setup-nuget@v1  
+        uses: nuget/setup-nuget@v2
         
       # Restore the packages for testing
       - name: Restore the application       
@@ -48,23 +48,23 @@ jobs:
         
       # build
       - name: run MSBuild
-        run: msbuild $env:Solution_Path
+        run: msbuild $env:Solution_Path /p:Configuration=$env:Configuration /p:UseSharedCompilation=false
         
       # Execute all unit tests in the solution
-      #- name: Execute unit tests
-      #  run: dotnet test $env:Solution_Path
+      - name: Execute unit tests
+        run: dotnet test $env:Solution_Path --configuration $env:Configuration
         
       # Build & update all versions
       - name: Build all versions
         run: |
             echo "build x64"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64" /p:UseSharedCompilation=false
             
             echo "build x86"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86" /p:UseSharedCompilation=false
             
             echo "build Any CPU"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU" /p:UseSharedCompilation=false
       
       - name: Execute winPEAS -h
         shell: pwsh
@@ -220,6 +220,7 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: '1.23'
+          cache: false
       - run: go version
       
       # Build linpeas
@@ -230,6 +231,9 @@ jobs:
           python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
           python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
           python3 -m builder.linpeas_builder --small --output linpeas_small.sh
+
+      - name: Run linPEAS builder tests
+        run: python3 -m unittest discover -s linPEAS/tests -p "test_*.py"
       
       # Build linpeas binaries
       - name: Build linpeas binaries 
@@ -362,7 +366,7 @@ jobs:
 
     steps:
       # Download repo
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
       
       # Build linpeas
       - name: Build macpeas
@@ -469,11 +473,11 @@ jobs:
     
     - name: Get current date
       id: date
-      run: echo "::set-output name=date::$(date +'%Y%m%d')"
+      run: echo "date=$(date +'%Y%m%d')" >> "$GITHUB_OUTPUT"
     
     - name: Generate random
       id: random_n
-      run: echo "::set-output name=some_rand::$(openssl rand -hex 4)"
+      run: echo "some_rand=$(openssl rand -hex 4)" >> "$GITHUB_OUTPUT"
     
     # Create the release
     - name: Create Release

.github/workflows/PR-tests.yml

@@ -8,6 +8,8 @@ on:
     paths-ignore:
       - '.github/**'
 
+  workflow_dispatch:
+
 jobs:
   Build_and_test_winpeas_pr:
     runs-on: windows-latest
@@ -20,7 +22,7 @@ jobs:
     steps:
       # checkout
       - name: Checkout
-        uses: actions/checkout@master
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       
@@ -30,11 +32,11 @@ jobs:
             
       # Add MSBuild to the PATH
       - name: Setup MSBuild.exe
-        uses: microsoft/setup-msbuild@v1.0.2
+        uses: microsoft/setup-msbuild@v2
        
       # Setup NuGet
       - name: Setup NuGet.exe
-        uses: nuget/setup-nuget@v1  
+        uses: nuget/setup-nuget@v2
         
       # Restore the packages for testing
       - name: Restore the application       
@@ -42,19 +44,23 @@ jobs:
         
       # build
       - name: run MSBuild
-        run: msbuild $env:Solution_Path
+        run: msbuild $env:Solution_Path /p:Configuration=$env:Configuration /p:UseSharedCompilation=false
+
+      # Execute unit tests in the solution
+      - name: Execute unit tests
+        run: dotnet test $env:Solution_Path --configuration $env:Configuration
         
       # Build all versions
       - name: Build all versions
         run: |
             echo "build x64"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64" /p:UseSharedCompilation=false
             
             echo "build x86"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86" /p:UseSharedCompilation=false
             
             echo "build Any CPU"
-            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU" /p:UseSharedCompilation=false
       
       - name: Execute winPEAS -h
         shell: pwsh
@@ -105,7 +111,7 @@ jobs:
 
     steps:
       # Download repo
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       
@@ -113,6 +119,7 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: '1.23'
+          cache: false
       - run: go version
       
       # Build linpeas
@@ -123,6 +130,9 @@ jobs:
           python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
           python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
           python3 -m builder.linpeas_builder --small --output linpeas_small.sh
+
+      - name: Run linPEAS builder tests
+        run: python3 -m unittest discover -s linPEAS/tests -p "test_*.py"
       
       # Run linpeas help as quick test
       - name: Run linpeas help
@@ -161,7 +171,7 @@ jobs:
 
     steps:
       # Download repo
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       

.github/workflows/codex-pr-triage.yml

@@ -0,0 +1,167 @@
+name: Codex PR Triage
+
+on:
+  workflow_run:
+    workflows: ["PR-tests"]
+    types: [completed]
+
+jobs:
+  codex_triage:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    outputs:
+      should_run: ${{ steps.gate.outputs.should_run }}
+      pr_number: ${{ steps.gate.outputs.pr_number }}
+      pr_title: ${{ steps.gate.outputs.pr_title }}
+      pr_body: ${{ steps.gate.outputs.pr_body }}
+      base_ref: ${{ steps.gate.outputs.base_ref }}
+      head_ref: ${{ steps.gate.outputs.head_ref }}
+      base_sha: ${{ steps.gate.outputs.base_sha }}
+      head_sha: ${{ steps.gate.outputs.head_sha }}
+      decision: ${{ steps.parse.outputs.decision }}
+      message: ${{ steps.parse.outputs.message }}
+
+    steps:
+      - name: Resolve PR context
+        id: gate
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          pr_number="${{ github.event.workflow_run.pull_requests[0].number }}"
+          if [ -z "$pr_number" ]; then
+            echo "No pull request found for this workflow_run; skipping."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            echo "pr_number=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          author="$(gh pr view "$pr_number" --json author --jq .author.login)"
+          if [ "$author" != "carlospolop" ]; then
+            echo "PR author is $author; skipping."
+            echo "should_run=false" >> "$GITHUB_OUTPUT"
+            echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          pr_title="$(gh pr view "$pr_number" --json title --jq .title)"
+          pr_body="$(gh pr view "$pr_number" --json body --jq .body)"
+          base_ref="$(gh pr view "$pr_number" --json baseRefName --jq .baseRefName)"
+          head_ref="$(gh pr view "$pr_number" --json headRefName --jq .headRefName)"
+          base_sha="$(gh pr view "$pr_number" --json baseRefOid --jq .baseRefOid)"
+          head_sha="$(gh pr view "$pr_number" --json headRefOid --jq .headRefOid)"
+
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+          echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+          echo "pr_title<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$pr_title" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+          echo "pr_body<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$pr_body" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+          echo "base_ref=$base_ref" >> "$GITHUB_OUTPUT"
+          echo "head_ref=$head_ref" >> "$GITHUB_OUTPUT"
+          echo "base_sha=$base_sha" >> "$GITHUB_OUTPUT"
+          echo "head_sha=$head_sha" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout PR merge ref
+        uses: actions/checkout@v5
+        with:
+          ref: refs/pull/${{ steps.gate.outputs.pr_number }}/merge
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+
+      - name: Pre-fetch base and head refs
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        run: |
+          git fetch --no-tags origin \
+            ${{ steps.gate.outputs.base_ref }} \
+            +refs/pull/${{ steps.gate.outputs.pr_number }}/head
+
+      - name: Run Codex
+        id: run_codex
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        uses: openai/codex-action@v1
+        with:
+          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
+          output-schema-file: .github/codex/pr-merge-schema.json
+          model: gpt-5.2-codex
+          prompt: |
+            You are reviewing PR #${{ steps.gate.outputs.pr_number }} for ${{ github.repository }}.
+
+            Decide whether to merge or comment. Merge only if all of the following are true:
+            - Changes are simple and safe (no DoS, no long operations, no backdoors).
+            - Changes follow common PEASS syntax and style without breaking anything and add useful checks or value.
+            - Changes simplify code or add new useful checks without breaking anything.
+
+            If you don't have any doubts, and all the previous conditions are met, decide to merge.
+            If you have serious doubts, choose "comment" and include your doubts or questions.
+            If you decide to merge, include a short rationale.
+
+            Pull request title and body:
+            ----
+            ${{ steps.gate.outputs.pr_title }}
+            ${{ steps.gate.outputs.pr_body }}
+
+            Review ONLY the changes introduced by the PR:
+              git log --oneline ${{ steps.gate.outputs.base_sha }}...${{ steps.gate.outputs.head_sha }}
+
+            Output JSON only, following the provided schema.
+
+      - name: Parse Codex decision
+        id: parse
+        if: ${{ steps.gate.outputs.should_run == 'true' }}
+        env:
+          CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
+        run: |
+          python3 - <<'PY'
+          import json
+          import os
+
+          data = json.loads(os.environ.get('CODEX_MESSAGE', '') or '{}')
+          decision = data.get('decision', 'comment')
+          message = data.get('message', '').strip() or 'Codex did not provide details.'
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as handle:
+            handle.write(f"decision={decision}\n")
+            handle.write("message<<EOF\n")
+            handle.write(message + "\n")
+            handle.write("EOF\n")
+          PY
+
+  merge_or_comment:
+    runs-on: ubuntu-latest
+    needs: codex_triage
+    if: ${{ github.event.workflow_run.conclusion == 'success' && needs.codex_triage.outputs.should_run == 'true' && needs.codex_triage.outputs.decision != '' }}
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Merge PR when approved
+        if: ${{ needs.codex_triage.outputs.decision == 'merge' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ needs.codex_triage.outputs.pr_number }}
+        run: |
+          gh api \
+            -X PUT \
+            -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER}/merge \
+            -f merge_method=squash \
+            -f commit_title="Auto-merge PR #${PR_NUMBER} (Codex)"
+
+      - name: Comment with doubts
+        if: ${{ needs.codex_triage.outputs.decision == 'comment' }}
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ needs.codex_triage.outputs.pr_number }}
+          CODEX_MESSAGE: ${{ needs.codex_triage.outputs.message }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number(process.env.PR_NUMBER),
+              body: process.env.CODEX_MESSAGE,
+            });

.github/workflows/pr-failure-codex-dispatch.yml

@@ -0,0 +1,193 @@
+name: PR Failure Codex Dispatch
+
+on:
+  workflow_run:
+    workflows: ["PR-tests"]
+    types: [completed]
+
+jobs:
+  resolve_pr_context:
+    if: >
+      ${{ github.event.workflow_run.conclusion == 'failure' &&
+          github.event.workflow_run.pull_requests &&
+          github.event.workflow_run.pull_requests[0] &&
+          !startsWith(github.event.workflow_run.head_commit.message, 'Fix CI failures for PR #') }}
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+      issues: read
+    outputs:
+      number: ${{ steps.pr_context.outputs.number }}
+      author: ${{ steps.pr_context.outputs.author }}
+      head_repo: ${{ steps.pr_context.outputs.head_repo }}
+      head_branch: ${{ steps.pr_context.outputs.head_branch }}
+      should_run: ${{ steps.pr_context.outputs.should_run }}
+    steps:
+      - name: Resolve PR context
+        id: pr_context
+        env:
+          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          pr_author=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
+            --jq '.user.login')
+          pr_head_repo=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
+            --jq '.head.repo.full_name')
+          pr_head_branch=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
+            --jq '.head.ref')
+          pr_labels=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/issues/${PR_NUMBER} \
+            --jq '.labels[].name')
+          if echo "$pr_labels" | grep -q "^codex-fix-attempted$"; then
+            echo "codex fix already attempted for PR #${PR_NUMBER}; skipping."
+            should_run=false
+          else
+            should_run=true
+          fi
+          {
+            echo "number=${PR_NUMBER}"
+            echo "author=${pr_author}"
+            echo "head_repo=${pr_head_repo}"
+            echo "head_branch=${pr_head_branch}"
+            echo "should_run=${should_run}"
+          } >> "$GITHUB_OUTPUT"
+
+  codex_on_failure:
+    needs: resolve_pr_context
+    if: ${{ needs.resolve_pr_context.outputs.author == 'carlospolop' && needs.resolve_pr_context.outputs.should_run == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      actions: read
+    steps:
+      - name: Comment on PR with failure info
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+          WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            const prNumber = Number(process.env.PR_NUMBER);
+            const body = `PR #${prNumber} had a failing workflow "${process.env.WORKFLOW_NAME}".\n\nRun: ${process.env.RUN_URL}\n\nLaunching Codex to attempt a fix.`;
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              body,
+            });
+
+      - name: Mark fix attempt
+        env:
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api -X POST -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/issues/${PR_NUMBER}/labels \
+            -f labels='["codex-fix-attempted"]'
+
+      - name: Checkout PR head
+        uses: actions/checkout@v5
+        with:
+          repository: ${{ needs.resolve_pr_context.outputs.head_repo }}
+          ref: ${{ github.event.workflow_run.head_sha }}
+          fetch-depth: 0
+          persist-credentials: true
+          token: ${{ secrets.CODEX_FIXER_TOKEN }}
+
+      - name: Configure git author
+        run: |
+          git config user.name "codex-action"
+          git config user.email "codex-action@users.noreply.github.com"
+
+      - name: Fetch failure summary
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+        run: |
+          gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/actions/runs/$RUN_ID/jobs \
+            --paginate > /tmp/jobs.json
+          python3 - <<'PY'
+          import json
+
+          data = json.load(open('/tmp/jobs.json'))
+          lines = []
+          for job in data.get('jobs', []):
+            if job.get('conclusion') == 'failure':
+              lines.append(f"Job: {job.get('name')} (id {job.get('id')})")
+              lines.append(f"URL: {job.get('html_url')}")
+              for step in job.get('steps', []):
+                if step.get('conclusion') == 'failure':
+                  lines.append(f"  Step: {step.get('name')}")
+              lines.append("")
+
+          summary = "\n".join(lines).strip() or "No failing job details found."
+          with open('codex_failure_summary.txt', 'w') as handle:
+            handle.write(summary)
+          PY
+
+      - name: Create Codex prompt
+        env:
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          RUN_URL: ${{ github.event.workflow_run.html_url }}
+          HEAD_BRANCH: ${{ needs.resolve_pr_context.outputs.head_branch }}
+        run: |
+          {
+            echo "You are fixing CI failures for PR #${PR_NUMBER} in ${{ github.repository }}."
+            echo "The failing workflow run is: ${RUN_URL}"
+            echo "The PR branch is: ${HEAD_BRANCH}"
+            echo ""
+            echo "Failure summary:"
+            cat codex_failure_summary.txt
+            echo ""
+            echo "Please identify the cause, apply a easy, simple and minimal fix, and update files accordingly."
+            echo "Run any fast checks you can locally (no network)."
+            echo "Leave the repo in a state ready to commit as when you finish, it'll be automatically committed and pushed."
+          } > codex_prompt.txt
+
+      - name: Run Codex
+        id: run_codex
+        uses: openai/codex-action@v1
+        with:
+          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
+          prompt-file: codex_prompt.txt
+          sandbox: workspace-write
+          model: gpt-5.2-codex
+
+      - name: Commit and push if changed
+        env:
+          TARGET_BRANCH: ${{ needs.resolve_pr_context.outputs.head_branch }}
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+        run: |
+          if git diff --quiet; then
+            echo "No changes to commit."
+            exit 0
+          fi
+          rm -f codex_failure_summary.txt codex_prompt.txt
+          git add -A
+          git reset -- codex_failure_summary.txt codex_prompt.txt
+          git commit -m "Fix CI failures for PR #${PR_NUMBER}"
+          git push origin HEAD:${TARGET_BRANCH}
+
+      - name: Comment with Codex result
+        if: ${{ steps.run_codex.outputs.final-message != '' }}
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number(process.env.PR_NUMBER),
+              body: process.env.CODEX_MESSAGE,
+            });

README.md

@@ -28,7 +28,7 @@ Check the **[parsers](./parsers/)** directory to **transform PEASS outputs to JS
 
 If you are a **PEASS & Hacktricks enthusiast**, you can get your hands now on **our [custom swag](https://peass.creator-spring.com/) and show how much you like our projects!**
 
-You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).
+You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about the latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).
 
 ## Let's improve PEASS together
 
@@ -37,4 +37,3 @@ If you want to **add something** and have **any cool idea** related to this proj
 ## Advisory
 
 All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
-

build_lists/sensitive_files.yaml

@@ -1705,7 +1705,7 @@ search:
           auto_check: True
           exec:
             - '( redis-server --version || echo_not_found "redis-server") 2>/dev/null'
-            - if [ "`redis-cli INFO 2>/dev/null`" ] && ! [ "`redis-cli INFO 2>/dev/null | grep -i NOAUTH`" ]; then echo "Redis isn't password protected" | sed -${E} "s,.*,${SED_RED},"; fi
+            - redis_info="$(if [ "$TIMEOUT" ]; then $TIMEOUT 2 redis-cli INFO 2>/dev/null; else redis-cli INFO 2>/dev/null; fi)"; if [ "$redis_info" ] && ! echo "$redis_info" | grep -i NOAUTH; then echo "Redis isn't password protected" | sed -${E} "s,.*,${SED_RED},"; fi
 
         files:
           - name: "redis.conf"
@@ -3352,7 +3352,7 @@ search:
 
           - name: "credentials.xml"
             value: 
-                bad_regex: "secret.*|password.*"
+                bad_regex: "secret.*|password.*|token.*|SecretKey.*|credentialId.*"
                 remove_empty_lines: True
                 type: f
                 search_in: 
@@ -3360,7 +3360,7 @@ search:
           
           - name: "config.xml"
             value: 
-                bad_regex: "secret.*|password.*"
+                bad_regex: "secret.*|password.*|token.*|SecretKey.*|credentialId.*"
                 only_bad_lines: True
                 type: f
                 search_in: 

linPEAS/README.md

@@ -6,6 +6,8 @@
 
 Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**.
 
+> **Dec 2025 update:** linpeas now inspects Linux kernels for CVE-2025-38352 (POSIX CPU timers race) by combining CONFIG_POSIX_CPU_TIMERS_TASK_WORK state with kernel build information, so you immediately know if publicly available PoCs might succeed.
+
 [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566)
 
 ## MacPEAS

linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh

@@ -30,10 +30,9 @@
 # Fat linpeas: 0
 # Small linpeas: 0
 
-if apt list --installed 2>/dev/null | grep -q 'polkit.*0\.105-26' || \
-   yum list installed 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)' || \
-   rpm -qa 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)'; then
+if apt list --installed 2>/dev/null | grep -E 'polkit.*0\.105-26' | grep -qEv 'ubuntu1\.[1-9]' || \
+   yum list installed 2>/dev/null | grep -qE 'polkit.*\(0\.117-2\|0\.115-6\|0\.11[3-9]\)' || \
+   rpm -qa 2>/dev/null | grep -qE 'polkit.*\(0\.117-2\|0\.115-6\|0\.11[3-9]\)'; then
     echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
     echo ""
 fi
-

linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh

@@ -30,7 +30,7 @@
 # Functions Used: echo_not_found, print_2title, print_list, warn_exec
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled
+# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled, $protected_symlinks, $protected_hardlinks
 # Fat linpeas: 0
 # Small linpeas: 0
 
@@ -127,6 +127,22 @@ else
     if [ "$ptrace_scope" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$ptrace_scope" | sed -${E} "s,.*,${SED_GREEN},g"; fi
 fi
 
+print_list "protected_symlinks? ............ "$NC
+protected_symlinks=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null)
+if [ -z "$protected_symlinks" ]; then
+    echo_not_found "/proc/sys/fs/protected_symlinks"
+else
+    if [ "$protected_symlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_symlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
+print_list "protected_hardlinks? ........... "$NC
+protected_hardlinks=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)
+if [ -z "$protected_hardlinks" ]; then
+    echo_not_found "/proc/sys/fs/protected_hardlinks"
+else
+    if [ "$protected_hardlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_hardlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
+fi
+
 print_list "perf_event_paranoid? ........... "$NC
 perf_event_paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null)
 if [ -z "$perf_event_paranoid" ]; then

linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38236.sh

@@ -0,0 +1,126 @@
+# Title: System Information - CVE_2025_38236
+# ID: SY_CVE_2025_38236
+# Author: HT Bot
+# Last Update: 17-12-2025
+# Description: Detect Linux kernels exposed to CVE-2025-38236 (AF_UNIX MSG_OOB UAF) that allow local privilege escalation:
+#   - Vulnerable scope:
+#     * Linux kernels 6.9+ before commit 32ca245464e1479bfea8592b9db227fdc1641705
+#     * AF_UNIX stream sockets with MSG_OOB enabled (CONFIG_AF_UNIX_OOB or implicit support)
+#   - Exploitation summary:
+#     * send/recv MSG_OOB pattern leaves zero-length SKBs in the receive queue
+#     * manage_oob() skips cleanup, freeing the OOB SKB while u->oob_skb still points to it
+#     * Subsequent recv(MSG_OOB) dereferences the dangling pointer → kernel UAF → LPE
+#   - Mitigations:
+#     * Update to a kernel that includes commit 32ca245464e1479bfea8592b9db227fdc1641705 (or newer)
+#     * Disable CONFIG_AF_UNIX_OOB or block MSG_OOB in sandboxed processes
+#     * Backport vendor fixes or follow Chrome's MSG_OOB filtering approach
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $MACPEAS, $SED_RED_YELLOW, $SED_GREEN, $E
+# Initial Functions:
+# Generated Global Variables: $cve38236_kernel_release, $cve38236_kernel_version, $cve38236_oob_line, $cve38236_unix_line, $cve38236_oob_status, $CVE38236_CONFIG_SOURCE, $cve38236_conf_file, $cve38236_config_key, $cve38236_release, $cve38236_cfg, $cve38236_config_line
+# Fat linpeas: 0
+# Small linpeas: 1
+
+_cve38236_version_to_number() {
+    if [ -z "$1" ]; then
+        printf '0\n'
+        return
+    fi
+    echo "$1" | awk -F. '{
+        major=$1+0
+        if (NF>=2) minor=$2+0; else minor=0
+        if (NF>=3) patch=$3+0; else patch=0
+        printf "%d\n", (major*1000000)+(minor*1000)+patch
+    }'
+}
+
+_cve38236_version_ge() {
+    local v1 v2
+    v1=$(_cve38236_version_to_number "$1")
+    v2=$(_cve38236_version_to_number "$2")
+    [ "$v1" -ge "$v2" ]
+}
+
+_cve38236_cat_config_file() {
+    local cve38236_conf_file="$1"
+    if [ -z "$cve38236_conf_file" ] || ! [ -r "$cve38236_conf_file" ]; then
+        return 1
+    fi
+    if printf '%s' "$cve38236_conf_file" | grep -q '\\.gz$'; then
+        if command -v zcat >/dev/null 2>&1; then
+            zcat "$cve38236_conf_file" 2>/dev/null
+        elif command -v gzip >/dev/null 2>&1; then
+            gzip -dc "$cve38236_conf_file" 2>/dev/null
+        else
+            cat "$cve38236_conf_file" 2>/dev/null
+        fi
+    else
+        cat "$cve38236_conf_file" 2>/dev/null
+    fi
+}
+
+_cve38236_read_config_line() {
+    local cve38236_config_key="$1"
+    local cve38236_release cve38236_config_line cve38236_cfg
+    cve38236_release="$(uname -r 2>/dev/null)"
+    for cve38236_cfg in /proc/config.gz \
+        "/boot/config-${cve38236_release}" \
+        "/usr/lib/modules/${cve38236_release}/build/.config" \
+        "/lib/modules/${cve38236_release}/build/.config"; do
+        if [ -r "$cve38236_cfg" ]; then
+            cve38236_config_line=$(_cve38236_cat_config_file "$cve38236_cfg" | grep -E "^(${cve38236_config_key}=|# ${cve38236_config_key} is not set)" | head -n1)
+            if [ -n "$cve38236_config_line" ]; then
+                CVE38236_CONFIG_SOURCE="$cve38236_cfg"
+                printf '%s\n' "$cve38236_config_line"
+                return 0
+            fi
+        fi
+    done
+    return 1
+}
+
+
+if [ ! "$MACPEAS" ]; then
+    cve38236_kernel_release="$(uname -r 2>/dev/null)"
+    cve38236_kernel_version="$(printf '%s' "$cve38236_kernel_release" | sed 's/[^0-9.].*//')"
+
+    if [ -n "$cve38236_kernel_version" ] && _cve38236_version_ge "$cve38236_kernel_version" "6.9.0"; then
+        print_2title "CVE-2025-38236 - AF_UNIX MSG_OOB UAF"
+    
+        cve38236_oob_line=$(_cve38236_read_config_line "CONFIG_AF_UNIX_OOB")
+        cve38236_oob_status="unknown"
+    
+        if printf '%s' "$cve38236_oob_line" | grep -q '=y\|=m'; then
+            cve38236_oob_status="enabled"
+        elif printf '%s' "$cve38236_oob_line" | grep -q 'not set'; then
+            cve38236_oob_status="disabled"
+        fi
+    
+        if [ "$cve38236_oob_status" = "unknown" ]; then
+            cve38236_unix_line=$(_cve38236_read_config_line "CONFIG_UNIX")
+            if printf '%s' "$cve38236_unix_line" | grep -q 'not set'; then
+                cve38236_oob_status="disabled"
+            elif printf '%s' "$cve38236_unix_line" | grep -q '=y\|=m'; then
+                cve38236_oob_status="enabled"
+            fi
+        fi
+    
+        if [ "$cve38236_oob_status" = "disabled" ]; then
+            printf 'Kernel %s >= 6.9 but MSG_OOB support is disabled (%s).\n' "$cve38236_kernel_release" "${cve38236_oob_line:-CONFIG_AF_UNIX disabled}" | sed -${E} "s,.*,${SED_GREEN},"
+            print_info "CVE-2025-38236 requires AF_UNIX MSG_OOB; disabling CONFIG_AF_UNIX_OOB/CONFIG_UNIX mitigates it."
+        else
+            printf 'Kernel %s (parsed %s) may be vulnerable to CVE-2025-38236 - AF_UNIX MSG_OOB UAF.\n' "$cve38236_kernel_release" "$cve38236_kernel_version" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+            [ -n "$cve38236_oob_line" ] && print_info "Config hint: $cve38236_oob_line"
+            if [ "$cve38236_oob_status" = "unknown" ]; then
+                print_info "Could not read CONFIG_AF_UNIX_OOB directly; AF_UNIX appears enabled, so assume MSG_OOB reachable."
+            fi
+            print_info "Exploit chain: crafted MSG_OOB send/recv frees the OOB SKB while u->oob_skb still points to it, enabling kernel UAF → arbitrary read/write primitives (Project Zero 2025/08)."
+            print_info "Mitigations: update to a kernel containing commit 32ca245464e1479bfea8592b9db227fdc1641705, disable CONFIG_AF_UNIX_OOB, or filter MSG_OOB in sandbox policies."
+            print_info "Heuristic detection: based solely on uname -r and kernel config; vendor kernels with backported fixes should be verified manually."
+        fi
+        echo ""
+    fi
+
+fi

linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38352.sh

@@ -0,0 +1,183 @@
+# Title: System Information - CVE_2025_38352
+# ID: SY_CVE_2025_38352
+# Author: HT Bot
+# Last Update: 22-12-2025
+# Description: Detect Linux kernels that may still be vulnerable to CVE-2025-38352 (race-condition UAF in POSIX CPU timers)
+#   - Highlights kernels built without CONFIG_POSIX_CPU_TIMERS_TASK_WORK
+#   - Flags 6.12.x builds older than the fix commit f90fff1e152dedf52b932240ebbd670d83330eca (first shipped in 6.12.34)
+#   - Provides quick risk scoring so operators can decide whether to attempt the publicly available PoC
+#   - Core requirements for exploitation:
+#       * CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled (common on 32-bit Android / custom kernels)
+#       * Lack of the upstream exit_state guard in run_posix_cpu_timers()
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_list
+# Global Variables: $E, $SED_GREEN, $SED_RED, $SED_RED_YELLOW, $SED_YELLOW
+# Initial Functions:
+# Generated Global Variables: $cve38352_kernel_release, $cve38352_kernel_version_cmp, $cve38352_symbol, $cve38352_task_work_state, $cve38352_config_status, $cve38352_config_source, $cve38352_config_candidates, $cve38352_cfg, $cve38352_line, $cve38352_patch_state, $cve38352_patch_label, $cve38352_fix_tag, $cve38352_last_vuln_tag, $cve38352_risk_msg, $cve38352_risk_color, $cve38352_task_line, $cve38352_patch_line, $cve38352_risk_line
+# Fat linpeas: 0
+# Small linpeas: 1
+
+cve38352_version_lt(){
+    awk -v v1="$1" -v v2="$2" '
+    function cleannum(val) {
+        gsub(/[^0-9].*/, "", val)
+        if (val == "") {
+            val = 0
+        }
+        return val + 0
+    }
+    BEGIN {
+        n = split(v1, a, ".")
+        m = split(v2, b, ".")
+        max = (n > m ? n : m)
+        for (i = 1; i <= max; i++) {
+            av = (i <= n ? cleannum(a[i]) : 0)
+            bv = (i <= m ? cleannum(b[i]) : 0)
+            if (av < bv) {
+                exit 0
+            }
+            if (av > bv) {
+                exit 1
+            }
+        }
+        exit 1
+    }'
+}
+
+cve38352_sanitize_version(){
+    printf "%s" "$1" | tr '-' '.' | sed 's/[^0-9.].*$//' | sed 's/\.\./\./g' | sed 's/^\.//' | sed 's/\.$//'
+}
+
+print_2title "CVE-2025-38352 - POSIX CPU timers race"
+
+cve38352_kernel_release=$(uname -r 2>/dev/null)
+if [ -z "$cve38352_kernel_release" ]; then
+    echo_not_found "uname -r"
+    echo ""
+else
+
+    cve38352_kernel_version_cmp=$(cve38352_sanitize_version "$cve38352_kernel_release")
+    if [ -z "$cve38352_kernel_version_cmp" ]; then
+        cve38352_kernel_version_cmp="unknown"
+    fi
+
+    cve38352_symbol="CONFIG_POSIX_CPU_TIMERS_TASK_WORK"
+    cve38352_task_work_state="unknown"
+    cve38352_config_status="Unknown ($cve38352_symbol not found)"
+    cve38352_config_source=""
+
+    cve38352_config_candidates="/boot/config-$cve38352_kernel_release /proc/config.gz /lib/modules/$cve38352_kernel_release/build/.config /usr/lib/modules/$cve38352_kernel_release/build/.config /usr/src/linux/.config"
+    for cve38352_cfg in $cve38352_config_candidates; do
+        [ -r "$cve38352_cfg" ] || continue
+        if printf "%s" "$cve38352_cfg" | grep -q '\\.gz$'; then
+            cve38352_line=$(gzip -dc "$cve38352_cfg" 2>/dev/null | grep -E "^(# )?$cve38352_symbol" | head -n1)
+        else
+            cve38352_line=$(grep -E "^(# )?$cve38352_symbol" "$cve38352_cfg" 2>/dev/null | head -n1)
+        fi
+        [ -z "$cve38352_line" ] && continue
+        cve38352_config_source="$cve38352_cfg"
+        case "$cve38352_line" in
+            "$cve38352_symbol=y")
+                cve38352_task_work_state="enabled"
+                cve38352_config_status="Enabled (y)"
+                ;;
+            "$cve38352_symbol=m")
+                cve38352_task_work_state="enabled"
+                cve38352_config_status="Built as module (m)"
+                ;;
+            "$cve38352_symbol=n")
+                cve38352_task_work_state="disabled"
+                cve38352_config_status="Disabled (n)"
+                ;;
+            "# $cve38352_symbol is not set")
+                cve38352_task_work_state="disabled"
+                cve38352_config_status="Not set"
+                ;;
+            *)
+                cve38352_config_status="Found: $cve38352_line"
+                ;;
+        esac
+        break
+    done
+
+    cve38352_patch_state="unknown_branch"
+    cve38352_patch_label="Unable to determine kernel train"
+    cve38352_fix_tag="6.12.34"
+    cve38352_last_vuln_tag="6.12.33"
+    case "$cve38352_kernel_version_cmp" in
+        6.12|6.12.*)
+            if cve38352_version_lt "$cve38352_kernel_version_cmp" "$cve38352_fix_tag"; then
+                cve38352_patch_state="pre_fix"
+                cve38352_patch_label="6.12.x build < $cve38352_fix_tag (last known vulnerable LTS: $cve38352_last_vuln_tag)"
+            else
+                cve38352_patch_state="post_fix"
+                cve38352_patch_label="6.12.x build >= $cve38352_fix_tag (should include fix f90fff1e152d)"
+            fi
+            ;;
+        unknown)
+            cve38352_patch_label="Kernel version string could not be parsed"
+            ;;
+        *)
+            cve38352_patch_label="Kernel train $cve38352_kernel_version_cmp (verify commit f90fff1e152dedf52b932240ebbd670d83330eca manually)"
+            ;;
+    esac
+
+    cve38352_risk_msg="Unknown - missing configuration data"
+    cve38352_risk_color=""
+    if [ "$cve38352_task_work_state" = "enabled" ]; then
+        cve38352_risk_msg="Low - CONFIG_POSIX_CPU_TIMERS_TASK_WORK is enabled"
+        cve38352_risk_color="green"
+    elif [ "$cve38352_task_work_state" = "disabled" ]; then
+        if [ "$cve38352_patch_state" = "pre_fix" ]; then
+            cve38352_risk_msg="High - task_work disabled & kernel predates fix f90fff1e152d"
+            cve38352_risk_color="red"
+        else
+            cve38352_risk_msg="Review - task_work disabled, ensure fix f90fff1e152d is backported"
+            cve38352_risk_color="yellow"
+        fi
+    fi
+
+    print_list "Kernel release ............... $cve38352_kernel_release\n"
+    print_list "Comparable version ........... $cve38352_kernel_version_cmp\n"
+
+    cve38352_task_line="Task_work config ............. $cve38352_config_status"
+    if [ -n "$cve38352_config_source" ]; then
+        cve38352_task_line="$cve38352_task_line (from $cve38352_config_source)"
+    fi
+    cve38352_task_line="$cve38352_task_line\n"
+    if [ "$cve38352_task_work_state" = "disabled" ]; then
+        print_list "$cve38352_task_line" | sed -${E} "s,.*,${SED_RED},"
+    elif [ "$cve38352_task_work_state" = "enabled" ]; then
+        print_list "$cve38352_task_line" | sed -${E} "s,.*,${SED_GREEN},"
+    else
+        print_list "$cve38352_task_line"
+    fi
+
+    cve38352_patch_line="Patch status ................. $cve38352_patch_label\n"
+    if [ "$cve38352_patch_state" = "pre_fix" ]; then
+        print_list "$cve38352_patch_line" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    elif [ "$cve38352_patch_state" = "post_fix" ]; then
+        print_list "$cve38352_patch_line" | sed -${E} "s,.*,${SED_GREEN},"
+    else
+        print_list "$cve38352_patch_line" | sed -${E} "s,.*,${SED_YELLOW},"
+    fi
+
+    cve38352_risk_line="CVE-2025-38352 risk .......... $cve38352_risk_msg\n"
+    case "$cve38352_risk_color" in
+        red)
+            print_list "$cve38352_risk_line" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+            ;;
+        green)
+            print_list "$cve38352_risk_line" | sed -${E} "s,.*,${SED_GREEN},"
+            ;;
+        yellow)
+            print_list "$cve38352_risk_line" | sed -${E} "s,.*,${SED_YELLOW},"
+            ;;
+        *)
+            print_list "$cve38352_risk_line"
+            ;;
+    esac
+
+    echo ""
+fi

linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh

@@ -4,6 +4,7 @@
 # Last Update: 07-03-2024
 # Description: Check for additional disk information and system resources relevant to privilege escalation:
 #   - Disk utilization
+#   - Inode usage
 #   - System resources
 #   - Storage statistics
 #   - Common vulnerable scenarios:
@@ -44,4 +45,8 @@ if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
     (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
     warn_exec free 2>/dev/null
     echo ""
-fi
+
+    print_2title "Inode usage"
+    warn_exec df -i 2>/dev/null
+    echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/3_AWS_ECS.sh

@@ -1,14 +1,14 @@
 # Title: Cloud - AWS ECS
 # ID: CL_AWS_ECS
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 17-01-2026
 # Description: AWS ECS Enumeration
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: check_aws_ecs, exec_with_jq, print_2title, print_3title
 # Global Variables: $aws_ecs_metadata_uri, $aws_ecs_service_account_uri, $is_aws_ecs
 # Initial Functions: check_aws_ecs
-# Generated Global Variables: $aws_ecs_req
+# Generated Global Variables: $aws_ecs_req, $aws_exec_env, $ecs_task_metadata, $launch_type, $network_modes, $imds_tool, $imds_token, $imds_roles, $imds_http_code, $ecs_block_line, $ecs_host_line, $iptables_cmd, $docker_rules, $first_role
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -44,5 +44,146 @@ if [ "$is_aws_ecs" = "Yes" ]; then
     else
         echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
     fi
+
+    print_3title "ECS task metadata hints"
+    aws_exec_env=$(printenv AWS_EXECUTION_ENV 2>/dev/null)
+    if [ "$aws_exec_env" ]; then
+        printf "AWS_EXECUTION_ENV=%s\n" "$aws_exec_env"
+    fi
+
+    ecs_task_metadata=""
+    if [ "$aws_ecs_metadata_uri" ]; then
+        ecs_task_metadata=$(eval $aws_ecs_req "$aws_ecs_metadata_uri/task" 2>/dev/null)
+    fi
+
+    if [ "$ecs_task_metadata" ]; then
+        launch_type=$(printf "%s" "$ecs_task_metadata" | grep -oE '"LaunchType":"[^"]+"' | head -n 1 | cut -d '"' -f4)
+        if [ "$launch_type" ]; then
+            printf "ECS LaunchType reported: %s\n" "$launch_type"
+        fi
+        network_modes=$(printf "%s" "$ecs_task_metadata" | grep -oE '"NetworkMode":"[^"]+"' | cut -d '"' -f4 | sort -u | tr '\n' ' ')
+        if [ "$network_modes" ]; then
+            printf "Reported NetworkMode(s): %s\n" "$network_modes"
+        fi
+    else
+        echo "Unable to fetch task metadata (check ECS_CONTAINER_METADATA_URI)."
+    fi
     echo ""
-fi
+
+    print_3title "IMDS reachability from this task"
+    imds_token=""
+    imds_roles=""
+    imds_http_code=""
+    imds_tool=""
+
+    if command -v curl >/dev/null 2>&1; then
+        imds_tool="curl"
+    elif command -v wget >/dev/null 2>&1; then
+        imds_tool="wget"
+    fi
+
+    if [ "$imds_tool" = "curl" ]; then
+        imds_token=$(curl -s --connect-timeout 2 --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
+        if [ "$imds_token" ]; then
+            printf "[!] IMDSv2 token request succeeded (metadata reachable from this task).\n"
+            imds_roles=$(curl -s --connect-timeout 2 --max-time 2 -H "X-aws-ec2-metadata-token: $imds_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null | tr '\n' ' ')
+            if [ "$imds_roles" ]; then
+                printf "    Instance profile role(s) exposed via IMDS: %s\n" "$imds_roles"
+                first_role=$(printf "%s" "$imds_roles" | awk '{print $1}')
+                if [ "$first_role" ]; then
+                    printf "    Example: curl -H 'X-aws-ec2-metadata-token: <TOKEN>' http://169.254.169.254/latest/meta-data/iam/security-credentials/%s\n" "$first_role"
+                fi
+            else
+                printf "    No IAM role names returned (instance profile might be missing).\n"
+            fi
+        else
+            imds_http_code=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 2 --max-time 2 "http://169.254.169.254/latest/meta-data/" 2>/dev/null)
+            case "$imds_http_code" in
+                000|"")
+                    printf "[i] IMDS endpoint did not respond (likely blocked via hop-limit or host firewalling).\n"
+                    ;;
+                401)
+                    printf "[i] IMDS requires v2 tokens but token requests are being blocked (bridge-mode tasks rely on this when hop limit = 1).\n"
+                    ;;
+                *)
+                    printf "[i] IMDS GET returned HTTP %s (investigate host configuration).\n" "$imds_http_code"
+                    ;;
+            esac
+        fi
+    elif [ "$imds_tool" = "wget" ]; then
+        imds_token=$(wget -q -O - --timeout=2 --tries=1 --method=PUT --header="X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token" 2>/dev/null)
+        if [ "$imds_token" ]; then
+            printf "[!] IMDSv2 token request succeeded (metadata reachable from this task).\n"
+            imds_roles=$(wget -q -O - --timeout=2 --tries=1 --header="X-aws-ec2-metadata-token: $imds_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null | tr '\n' ' ')
+            if [ "$imds_roles" ]; then
+                printf "    Instance profile role(s) exposed via IMDS: %s\n" "$imds_roles"
+            else
+                printf "    No IAM role names returned (instance profile might be missing).\n"
+            fi
+        else
+            wget --server-response -O /dev/null --timeout=2 --tries=1 "http://169.254.169.254/latest/meta-data/" 2>&1 | awk 'BEGIN{code=""} /^  HTTP/{code=$2} END{ if(code!="") { printf("[i] IMDS GET returned HTTP %s (token could not be retrieved).\n", code); } else { print "[i] IMDS endpoint did not respond (likely blocked)."; } }'
+        fi
+    else
+        echo "Neither curl nor wget were found, I can't test IMDS reachability."
+    fi
+    echo ""
+
+    print_3title "ECS agent IMDS settings"
+    if [ -r "/etc/ecs/ecs.config" ]; then
+        ecs_block_line=$(grep -E "^ECS_AWSVPC_BLOCK_IMDS=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
+        ecs_host_line=$(grep -E "^ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
+        if [ "$ecs_block_line" ]; then
+            printf "%s\n" "$ecs_block_line"
+            if echo "$ecs_block_line" | grep -qi "=true"; then
+                echo "    -> awsvpc-mode tasks should be blocked from IMDS by the ECS agent."
+            else
+                echo "    -> awsvpc-mode tasks can still reach IMDS (set this to true to block)."
+            fi
+        else
+            echo "ECS_AWSVPC_BLOCK_IMDS not set (awsvpc tasks inherit host IMDS reachability)."
+        fi
+
+        if [ "$ecs_host_line" ]; then
+            printf "%s\n" "$ecs_host_line"
+            if echo "$ecs_host_line" | grep -qi "=false"; then
+                echo "    -> Host-network tasks lose IAM task roles but IMDS is blocked."
+            else
+                echo "    -> Host-network tasks keep IAM task roles and retain IMDS access."
+            fi
+        else
+            echo "ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST not set (defaults keep IMDS reachable for host-mode tasks)."
+        fi
+    else
+        echo "Cannot read /etc/ecs/ecs.config (file missing or permissions denied)."
+    fi
+    echo ""
+
+    print_3title "DOCKER-USER IMDS filtering"
+    iptables_cmd=""
+    if command -v iptables >/dev/null 2>&1; then
+        iptables_cmd=$(command -v iptables)
+    elif command -v iptables-nft >/dev/null 2>&1; then
+        iptables_cmd=$(command -v iptables-nft)
+    fi
+
+    if [ "$iptables_cmd" ]; then
+        docker_rules=$($iptables_cmd -S DOCKER-USER 2>/dev/null)
+        if [ $? -eq 0 ]; then
+            if [ "$docker_rules" ]; then
+                echo "$docker_rules"
+            else
+                echo "(DOCKER-USER chain exists but no rules were found)"
+            fi
+            if echo "$docker_rules" | grep -q "169\\.254\\.169\\.254"; then
+                echo "    -> IMDS traffic is explicitly filtered before Docker NAT."
+            else
+                echo "    -> No DOCKER-USER rule drops 169.254.169.254 traffic (bridge tasks rely on hop limit or host firewalling)."
+            fi
+        else
+            echo "Unable to read DOCKER-USER chain (missing chain or insufficient permissions)."
+        fi
+    else
+        echo "iptables binary not found; cannot inspect DOCKER-USER chain."
+    fi
+    echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.2
 # Functions Used: echo_not_found, print_2title, print_info, print_3title
-# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER, $IAMROOT, $WRITABLESYSTEMDPATH
+# Global Variables: $EXTRA_CHECKS, $IAMROOT, $SEARCH_IN_FOLDER, $TIMEOUT, $WRITABLESYSTEMDPATH
 # Initial Functions:
 # Generated Global Variables: $service_unit, $service_path, $service_content, $finding, $findings, $service_file, $exec_path, $exec_paths, $service, $line, $target_file, $target_exec, $relpath1, $relpath2
 # Fat linpeas: 0
@@ -178,7 +178,11 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$EXTRA_CHECKS" ]; then
     echo ""
     print_3title "Service versions and status:"
-    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+    if [ "$TIMEOUT" ]; then
+      $TIMEOUT 30 sh -c "(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null" || echo_not_found "service|chkconfig|rc-status|launchctl"
+    else
+      (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+    fi
   fi
 
   # Check systemd path writability
@@ -190,4 +194,4 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   fi
 
   echo ""
-fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_Deleted_open_files.sh

@@ -0,0 +1,25 @@
+# Title: Processes & Cron & Services & Timers - Deleted open files
+# ID: PR_Deleted_open_files
+# Author: Carlos Polop
+# Last Update: 2025-01-07
+# Description: Identify deleted files still held open by running processes
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $DEBUG, $EXTRA_CHECKS, $E, $SED_RED
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if [ "$(command -v lsof 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+    print_2title "Deleted files still open"
+    print_info "Open deleted files can hide tools and still consume disk space"
+    lsof +L1 2>/dev/null | sed -${E} "s,\\(deleted\\),${SED_RED},g"
+    echo ""
+elif [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+    print_2title "Deleted files still open"
+    print_info "lsof not found, scanning /proc for deleted file descriptors"
+    ls -l /proc/[0-9]*/fd 2>/dev/null | grep "(deleted)" | sed -${E} "s,\\(deleted\\),${SED_RED},g" | head -n 200
+    echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh

@@ -23,6 +23,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   incrontab -l 2>/dev/null
   ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
   cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
+  grep -Hn '^PATH=' /etc/crontab /etc/cron.d/* 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
   crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
   ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
   atq 2>/dev/null
@@ -247,4 +248,4 @@ else
   print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
   find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
 fi
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh

@@ -8,7 +8,7 @@
 # Functions Used: print_2title, print_info
 # Global Variables: $Groups, $groupsB, $groupsVB, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
-# Generated Global Variables: $pkexec_bin, $policy_dir, $policy_file
+# Generated Global Variables: $pkexec_bin, $pkexec_version, $policy_dir, $policy_file
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -30,6 +30,10 @@ if [ -n "$pkexec_bin" ]; then
   # Check polkit version for known vulnerabilities
   if command -v pkexec >/dev/null 2>&1; then
     pkexec --version 2>/dev/null
+    pkexec_version="$(pkexec --version 2>/dev/null | grep -oE '[0-9]+(\\.[0-9]+)+')"
+    if [ "$pkexec_version" ] && [ "$(printf '%s\n' "$pkexec_version" "0.120" | sort -V | head -n1)" = "$pkexec_version" ] && [ "$pkexec_version" != "0.120" ]; then
+      echo "Potentially vulnerable to CVE-2021-4034 (PwnKit) - check distro patches" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    fi
   fi
 fi
 

linPEAS/builder/linpeas_parts/6_users_information/12_Users_with_console.sh

@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title
-# Global Variables: $MACPEAS, $sh_usrs, $USER 
+# Global Variables: $MACPEAS, $sh_usrs, $TIMEOUT, $USER 
 # Initial Functions:
 # Generated Global Variables: $ushell, $no_shells, $unexpected_shells
 # Fat linpeas: 0
@@ -26,8 +26,16 @@ else
   no_shells=$(grep -Ev "sh$" /etc/passwd 2>/dev/null | cut -d ':' -f 7 | sort | uniq)
   unexpected_shells=""
   printf "%s\n" "$no_shells" | while read f; do
-    if $f -c 'whoami' 2>/dev/null | grep -q "$USER"; then
-      unexpected_shells="$f\n$unexpected_shells"
+    if [ -x "$f" ]; then
+      if [ "$TIMEOUT" ]; then
+        if $TIMEOUT 1 "$f" -c 'whoami' 2>/dev/null | grep -q "$USER"; then
+          unexpected_shells="$f\n$unexpected_shells"
+        fi
+      else
+        if "$f" -c 'whoami' 2>/dev/null | grep -q "$USER"; then
+          unexpected_shells="$f\n$unexpected_shells"
+        fi
+      fi
     fi
   done
   grep "sh$" /etc/passwd 2>/dev/null | sort | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
@@ -41,4 +49,4 @@ else
     done
   fi
 fi
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh

@@ -8,7 +8,7 @@
 # Functions Used: echo_not_found, print_2title, print_info
 # Global Variables:$IAMROOT, $PASSWORD, $sudoB, $sudoG, $sudoVB1, $sudoVB2 
 # Initial Functions:
-# Generated Global Variables:
+# Generated Global Variables: $secure_path_line
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -19,6 +19,16 @@ print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation
 if [ "$PASSWORD" ]; then
   (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null  || echo_not_found "sudo"
 fi
+(sudo -n -l 2>/dev/null | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo "No cached sudo token (sudo -n -l)"
+
+secure_path_line=$(sudo -l 2>/dev/null | grep -o "secure_path=[^,]*" | head -n 1 | cut -d= -f2)
+if [ "$secure_path_line" ]; then
+  for p in $(echo "$secure_path_line" | tr ':' ' '); do
+    if [ -w "$p" ]; then
+      echo "Writable secure_path entry: $p" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+  done
+fi
 ( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null  || echo_not_found "/etc/sudoers"
 if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
   echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
@@ -29,4 +39,4 @@ for f in /etc/sudoers.d/*; do
     grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
   fi
 done
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh

@@ -40,4 +40,18 @@ else
   echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
 
 fi
+
+if [ -d "/var/run/sudo/ts" ]; then
+  echo "Sudo token directory perms:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
+  ls -ld /var/run/sudo/ts 2>/dev/null
+  if [ -w "/var/run/sudo/ts" ]; then
+    echo "/var/run/sudo/ts is writable" | sed -${E} "s,.*,${SED_RED},g"
+  fi
+  if [ -f "/var/run/sudo/ts/$USER" ]; then
+    ls -l "/var/run/sudo/ts/$USER" 2>/dev/null
+    if [ -w "/var/run/sudo/ts/$USER" ]; then
+      echo "User sudo token file is writable" | sed -${E} "s,.*,${SED_RED},g"
+    fi
+  fi
+fi
 echo ""

linPEAS/builder/linpeas_parts/7_software_information/Browser_profiles.sh

@@ -0,0 +1,64 @@
+# Title: Software Information - Browser Profiles
+# ID: SW_Browser_profiles
+# Author: Carlos Polop
+# Last Update: 10-03-2025
+# Description: List browser profiles that may store credentials/cookies
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, print_info
+# Global Variables: $HOMESEARCH, $SED_RED
+# Initial Functions:
+# Generated Global Variables: $h, $firefox_ini, $chrome_base, $profiles
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "Browser Profiles"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#browser-data"
+
+echo ""
+
+for h in $HOMESEARCH; do
+  [ -d "$h" ] || continue
+
+  firefox_ini="$h/.mozilla/firefox/profiles.ini"
+  if [ -f "$firefox_ini" ]; then
+    print_3title "Firefox profiles ($h)"
+    awk -F= '
+      /^\[Profile/ { in_profile=1 }
+      /^Path=/ { path=$2 }
+      /^IsRelative=/ { isrel=$2 }
+      /^$/ {
+        if (path != "") {
+          if (isrel == "1") {
+            print base "/.mozilla/firefox/" path
+          } else {
+            print path
+          }
+        }
+        path=""; isrel=""
+      }
+      END {
+        if (path != "") {
+          if (isrel == "1") {
+            print base "/.mozilla/firefox/" path
+          } else {
+            print path
+          }
+        }
+      }
+    ' base="$h" "$firefox_ini" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
+    echo ""
+  fi
+
+  for chrome_base in "$h/.config/google-chrome" "$h/.config/chromium" "$h/.config/BraveSoftware/Brave-Browser" "$h/.config/microsoft-edge" "$h/.config/microsoft-edge-beta" "$h/.config/microsoft-edge-dev"; do
+    if [ -d "$chrome_base" ]; then
+      profiles=$(find "$chrome_base" -maxdepth 1 -type d \( -name "Default" -o -name "Profile *" \) 2>/dev/null)
+      if [ "$profiles" ]; then
+        print_3title "Chromium profiles ($chrome_base)"
+        printf "%s\n" "$profiles" | sed -${E} "s,.*,${SED_RED},"
+        echo ""
+      fi
+    fi
+  done
+
+done

linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh

@@ -37,14 +37,14 @@ printf "%s\n" "$suids_files" | while read s; do
   else
     c="a"
     for b in $sidB; do
-      if echo $s | grep -q $(echo $b | cut -d % -f 1); then
+      if echo "$sname" | grep -q $(echo $b | cut -d % -f 1); then
         echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m&  --->  $(echo $b | cut -d % -f 2)${C}[0m,"
         c=""
         break;
       fi
     done;
     if [ "$c" ]; then
-      if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
+      if echo "$sname" | grep -qE "$sidG1" || echo "$sname" | grep -qE "$sidG2" || echo "$sname" | grep -qE "$sidG3" || echo "$sname" | grep -qE "$sidG4" || echo "$sname" | grep -qE "$sidVB" || echo "$sname" | grep -qE "$sidVB2"; then
         echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
       else
         echo "$s (Unknown SUID binary!)" | sed -${E} "s,/.*,${SED_RED},"
@@ -96,4 +96,4 @@ printf "%s\n" "$suids_files" | while read s; do
     fi
   fi
 done;
-echo ""
+echo ""

linPEAS/builder/linpeas_parts/functions/check_external_hostname.sh

@@ -17,10 +17,10 @@ check_external_hostname(){
   INTERNET_SEARCH_TIMEOUT=15
   # wget or curl?
   if command -v curl >/dev/null 2>&1; then
-    curl "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
+    curl "https://tools.hacktricks.wiki/api/host-checker" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
   elif command -v wget >/dev/null 2>&1; then
-    wget -q -O - "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
+    wget -q -O - "https://tools.hacktricks.wiki/api/host-checker" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
   else
     echo "wget or curl not found"
   fi
-}
+}

linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh

@@ -15,11 +15,12 @@
 
 check_tcp_443_bin () {
   local TIMEOUT_INTERNET_SECONDS_443_BIN=$1
-  local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/"
+  local url_lambda="https://tools.hacktricks.wiki/api/host-checker"
 
   if command -v curl >/dev/null 2>&1; then
     if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \
-         -H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
+         -H "User-Agent: linpeas" -H "Content-Type: application/json" \
+         -d "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
     then
       echo "Port 443 is accessible with curl"
       return 0                      # ✅ success
@@ -30,7 +31,8 @@ check_tcp_443_bin () {
 
   elif command -v wget >/dev/null 2>&1; then
     if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \
-         --header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
+         --header "User-Agent: linpeas" -H "Content-Type: application/json" \
+         --post-data "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
     then
       echo "Port 443 is accessible with wget"
       return 0

linPEAS/builder/linpeas_parts/variables/sidG.sh

@@ -15,6 +15,5 @@
 
 sidG1="/abuild-sudo$|/accton$|/allocate$|/ARDAgent$|/arping$|/atq$|/atrm$|/authpf$|/authpf-noip$|/authopen$|/batch$|/bbsuid$|/bsd-write$|/btsockstat$|/bwrap$|/cacaocsc$|/camel-lock-helper-1.2$|/ccreds_validate$|/cdrw$|/chage$|/check-foreground-console$|/chrome-sandbox$|/chsh$|/cons.saver$|/crontab$|/ct$|/cu$|/dbus-daemon-launch-helper$|/deallocate$|/desktop-create-kmenu$|/dma$|/dma-mbox-create$|/dmcrypt-get-device$|/doas$|/dotlockfile$|/dotlock.mailutils$|/dtaction$|/dtfile$|/eject$|/execabrt-action-install-debuginfo-to-abrt-cache$|/execdbus-daemon-launch-helper$|/execdma-mbox-create$|/execlockspool$|/execlogin_chpass$|/execlogin_lchpass$|/execlogin_passwd$|/execssh-keysign$|/execulog-helper$|/exim4|/expiry$|/fdformat$|/fstat$|/fusermount$|/fusermount3$"
 sidG2="/gnome-pty-helper$|/glines$|/gnibbles$|/gnobots2$|/gnome-suspend$|/gnometris$|/gnomine$|/gnotski$|/gnotravex$|/gpasswd$|/gpg$|/gpio$|/gtali|/.hal-mtab-lock$|/helper$|/imapd$|/inndstart$|/kismet_cap_nrf_51822$|/kismet_cap_nxp_kw41z$|/kismet_cap_ti_cc_2531$|/kismet_cap_ti_cc_2540$|/kismet_cap_ubertooth_one$|/kismet_capture$|/kismet_cap_linux_bluetooth$|/kismet_cap_linux_wifi$|/kismet_cap_nrf_mousejack$|/ksu$|/list_devices$|/load_osxfuse$|/locate$|/lock$|/lockdev$|/lockfile$|/login_activ$|/login_crypto$|/login_radius$|/login_skey$|/login_snk$|/login_token$|/login_yubikey$|/lpc$|/lpd$|/lpd-port$|/lppasswd$|/lpq$|/lpr$|/lprm$|/lpset$|/lxc-user-nic$|/mahjongg$|/mail-lock$|/mailq$|/mail-touchlock$|/mail-unlock$|/mksnap_ffs$|/mlocate$|/mlock$|/mount$|/mount.cifs$|/mount.ecryptfs_private$|/mount.nfs$|/mount.nfs4$|/mount_osxfuse$|/mtr$|/mutt_dotlock$"
-sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$"
+sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/hping3$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$"
 sidG4="/telnetlogin$|/timedc$|/tip$|/top$|/traceroute6$|/traceroute6.iputils$|/trpt$|/tsoldtlabel$|/tsoljdslabel$|/tsolxagent$|/ufsdump$|/ufsrestore$|/ulog-helper$|/umount.cifs$|/umount.nfs$|/umount.nfs4$|/unix_chkpwd$|/uptime$|/userhelper$|/userisdnctl$|/usernetctl$|/utempter$|/utmp_update$|/uucico$|/uuglist$|/uuidd$|/uuname$|/uusched$|/uustat$|/uux$|/uuxqt$|/VBoxHeadless$|/VBoxNetAdpCtl$|/VBoxNetDHCP$|/VBoxNetNAT$|/VBoxSDL$|/VBoxVolInfo$|/VirtualBoxVM$|/vmstat$|/vmware-authd$|/vmware-user-suid-wrapper$|/vmware-vmx$|/vmware-vmx-debug$|/vmware-vmx-stats$|/vncserver-x11$|/volrmmount$|/w$|/wall$|/whodo$|/write$|/X$|/Xorg.wrap$|/Xsun$|/Xvnc$|/yppasswd$"
-

linPEAS/builder/linpeas_parts/variables/sudoVB1.sh

@@ -13,5 +13,5 @@
 # Small linpeas: 1
 
 
-sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|peass{SUDOVB1_HERE}"
+sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|env_keep\W*\+=.*PATH|!env_reset|!requiretty|peass{SUDOVB1_HERE}"
 sudoVB2="peass{SUDOVB2_HERE}"

linPEAS/builder/src/linpeasBuilder.py

@@ -405,7 +405,7 @@ class LinpeasBuilder:
                 name = entry["name"]
                 caseinsensitive = entry.get("caseinsensitive", False)
                 regex = entry["regex"]
-                regex = regex.replace('"', '\\"').strip()
+                regex = regex.replace("\\", "\\\\").replace('"', '\\"').strip()
                 falsePositives = entry.get("falsePositives", False)
 
                 if falsePositives:

linPEAS/builder/src/linpeasModule.py

@@ -8,6 +8,7 @@ from .yamlGlobals import (
 class LinpeasModule:
     def __init__(self, path):
         self.path = path
+        real_path = os.path.realpath(path)
         with open(path, 'r') as file:
             self.module_text = file.read()
         
@@ -29,7 +30,7 @@ class LinpeasModule:
         self.section_info = {}
         if not (self.is_base or self.is_function or self.is_variable):
             for module in LINPEAS_PARTS["modules"]:
-                if module["folder_path"] in path:
+                if os.path.realpath(module["folder_path"]) in real_path:
                     self.section_info = module
                     self.is_check = True
                     break

linPEAS/tests/test_builder.py

@@ -0,0 +1,40 @@
+import os
+import stat
+import subprocess
+import tempfile
+import unittest
+from pathlib import Path
+
+
+class LinpeasBuilderTests(unittest.TestCase):
+    def setUp(self):
+        self.repo_root = Path(__file__).resolve().parents[2]
+        self.linpeas_dir = self.repo_root / "linPEAS"
+
+    def _run_builder(self, args, output_path):
+        cmd = ["python3", "-m", "builder.linpeas_builder"] + args + ["--output", str(output_path)]
+        result = subprocess.run(cmd, cwd=str(self.linpeas_dir), capture_output=True, text=True)
+        if result.returncode != 0:
+            raise AssertionError(
+                f"linpeas_builder failed:\nstdout:\n{result.stdout}\nstderr:\n{result.stderr}"
+            )
+
+    def test_small_build_creates_executable(self):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            output_path = Path(tmpdir) / "linpeas_small.sh"
+            self._run_builder(["--small"], output_path)
+            self.assertTrue(output_path.exists(), "linpeas_small.sh was not created.")
+            mode = output_path.stat().st_mode
+            self.assertTrue(mode & stat.S_IXUSR, "linpeas_small.sh is not executable.")
+
+    def test_include_exclude_modules(self):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            output_path = Path(tmpdir) / "linpeas_include.sh"
+            self._run_builder(["--include", "system_information,container", "--exclude", "container"], output_path)
+            content = output_path.read_text(encoding="utf-8", errors="ignore")
+            self.assertIn("Operative system", content)
+            self.assertNotIn("Am I Containered?", content)
+
+
+if __name__ == "__main__":
+    unittest.main()

linPEAS/tests/test_modules_metadata.py

@@ -0,0 +1,60 @@
+import re
+import sys
+import unittest
+from pathlib import Path
+
+
+class LinpeasModulesMetadataTests(unittest.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls.repo_root = Path(__file__).resolve().parents[2]
+        cls.linpeas_dir = cls.repo_root / "linPEAS"
+        cls.parts_dir = cls.linpeas_dir / "builder" / "linpeas_parts"
+
+        # Ensure `import builder.*` works when tests are run from repo root.
+        sys.path.insert(0, str(cls.linpeas_dir))
+
+        from builder.src.linpeasModule import LinpeasModule  # pylint: disable=import-error
+
+        cls.LinpeasModule = LinpeasModule
+
+    def _iter_module_files(self):
+        return sorted(self.parts_dir.rglob("*.sh"))
+
+    def test_all_modules_parse(self):
+        module_files = self._iter_module_files()
+        self.assertGreater(len(module_files), 0, "No linPEAS module files were found.")
+
+        # Parsing a module validates its metadata and dependencies.
+        for path in module_files:
+            _ = self.LinpeasModule(str(path))
+
+    def test_check_module_id_matches_filename(self):
+        for path in self._iter_module_files():
+            module = self.LinpeasModule(str(path))
+            if not getattr(module, "is_check", False):
+                continue
+
+            # For checks, the filename (without numeric prefix) must match the module ID
+            # (either full ID or stripping section prefix like `SI_`).
+            file_base = re.sub(r"^[0-9]+_", "", path.stem)
+            module_id = getattr(module, "id", "")
+            module_id_tail = module_id[3:] if len(module_id) >= 3 else ""
+            self.assertIn(
+                file_base,
+                {module_id, module_id_tail},
+                f"Module ID mismatch in {path}: id={module_id} expected suffix={file_base}",
+            )
+
+    def test_module_ids_are_unique(self):
+        ids = []
+        for path in self._iter_module_files():
+            module = self.LinpeasModule(str(path))
+            ids.append(getattr(module, "id", ""))
+
+        duplicates = {x for x in ids if x and ids.count(x) > 1}
+        self.assertEqual(set(), duplicates, f"Duplicate module IDs found: {sorted(duplicates)}")
+
+
+if __name__ == "__main__":
+    unittest.main()

parsers/peas2json.py

@@ -127,7 +127,9 @@ def parse_line(line: str):
 
     elif is_section(line, INFO_PATTERN):
         title = parse_title(line)
-        C_SECTION["infos"].append(title)
+        if C_SECTION == {}:
+            return
+        C_SECTION.setdefault("infos", []).append(title)
     
     #If here, then it's text
     else:

winPEAS/winPEASbat/winPEAS.bat

@@ -71,7 +71,7 @@ CALL :T_Progress 2
 :ListHotFixes
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    wmic qfe get Caption,Description,HotFixID,InstalledOn | more
+    wmic qfe get Caption,Description,HotFixID,InstalledOn
 ) else (
     powershell -command "Get-HotFix | Format-Table -AutoSize"
 )
@@ -204,7 +204,7 @@ CALL :T_Progress 1
 CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)"
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
+    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
 ) else (
     powershell -command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
 ) 
@@ -238,7 +238,7 @@ CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS"
 ECHO.   [i] Maybe you find something interesting
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    wmic logicaldisk get caption | more
+    wmic logicaldisk get caption
 ) else (
     fsutil fsinfo drives
 )
@@ -670,7 +670,7 @@ if "%long%" == "true" (
 	ECHO.
 	where wmic >nul 2>&1
 	if !errorlevel! equ 0 (
-		for /f %%x in ('wmic logicaldisk get name ^| more') do (
+		for /f %%x in ('wmic logicaldisk get name') do (
 			set tdrive=%%x
 			if "!tdrive:~1,2!" == ":" (
 				%%x

winPEAS/winPEASexe/CMakeLists.txt

@@ -0,0 +1,26 @@
+cmake_minimum_required(VERSION 3.16)
+project(winPEAS_dotnet NONE)
+
+set(PROJECT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/winPEAS.csproj")
+
+find_program(DOTNET_EXECUTABLE dotnet)
+find_program(MSBUILD_EXECUTABLE msbuild)
+find_program(XBUILD_EXECUTABLE xbuild)
+
+if(DOTNET_EXECUTABLE)
+  set(BUILD_TOOL "${DOTNET_EXECUTABLE}")
+  set(BUILD_ARGS build "${PROJECT_FILE}" -c Release)
+elseif(MSBUILD_EXECUTABLE)
+  set(BUILD_TOOL "${MSBUILD_EXECUTABLE}")
+  set(BUILD_ARGS "${PROJECT_FILE}" /p:Configuration=Release)
+elseif(XBUILD_EXECUTABLE)
+  set(BUILD_TOOL "${XBUILD_EXECUTABLE}")
+  set(BUILD_ARGS "${PROJECT_FILE}" /p:Configuration=Release)
+else()
+  message(FATAL_ERROR "dotnet, msbuild, or xbuild is required to build winPEAS")
+endif()
+
+add_custom_target(winpeas ALL
+  COMMAND ${BUILD_TOOL} ${BUILD_ARGS}
+  WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+)

winPEAS/winPEASexe/README.md

@@ -74,19 +74,15 @@ winpeas.exe -lolbas  #Execute also additional LOLBAS search check
 
 The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
 
+New in this version:
+- Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.
+
+- Flag installed OEM utilities such as ASUS DriverHub, MSI Center, Acer Control Centre and Razer Synapse 4, highlighting writable updater folders and world-accessible pipes tied to recent CVEs.
+
 It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
 
 The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
 
-### New (AD-aware) checks
-
-- Active Directory quick checks now include:
-  - gMSA readable managed passwords: enumerate msDS-GroupManagedServiceAccount objects and report those where the current user/group is allowed to retrieve the managed password (PrincipalsAllowedToRetrieveManagedPassword).
-  - AD object control surfaces: parse ACLs for high-value objects plus a sampled set of users/groups/computers and flag when the current security principal already has GenericAll/GenericWrite/WriteDacl/WriteOwner or attribute-specific rights (SPN, UAC, msDS-AllowedToActOnBehalfOfOtherIdentity, sidHistory, member, unicodePwd, replication) that can be abused for password resets, Kerberoasting, delegation/RBCD, DCSync, or stealth persistence.
-  - AD CS (ESC4) hygiene: enumerate published certificate templates and highlight templates where the current user/group has dangerous control rights (GenericAll/WriteDacl/WriteOwner/WriteProperty/ExtendedRight) that could allow template abuse (e.g., ESC4 -> ESC1).
-
-These checks are lightweight, read-only, and only run when the host is domain-joined.
-
 
 ## Where are my COLORS?!?!?!
 
@@ -132,7 +128,7 @@ Once you have installed and activated it you need to:
 
 - **System Information**
   - [x] Basic System info information
-  - [x] Use Watson to search for vulnerabilities
+  - [x] Use WES-NG to search for vulnerabilities
   - [x] Enumerate Microsoft updates
   - [x] PS, Audit, WEF and LAPS Settings
   - [x] LSA protection
@@ -266,7 +262,7 @@ Once you have installed and activated it you need to:
 
 ## TODO
 - Add more checks
-- Mantain updated Watson (last JAN 2021)
+- Maintain updated WES-NG
 
 If you want to help with any of this, you can do it using **[github issues](https://github.com/peass-ng/PEASS-ng/issues)** or you can submit a pull request.
 

winPEAS/winPEASexe/Tests/ArgumentParsingTests.cs

@@ -0,0 +1,36 @@
+using System;
+using System.Reflection;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace winPEAS.Tests
+{
+    [TestClass]
+    public class ArgumentParsingTests
+    {
+        private static bool InvokeIsNetworkTypeValid(string arg)
+        {
+            var method = typeof(winPEAS.Checks.Checks).GetMethod("IsNetworkTypeValid", BindingFlags.NonPublic | BindingFlags.Static);
+            Assert.IsNotNull(method, "IsNetworkTypeValid method not found.");
+            return (bool)method.Invoke(null, new object[] { arg });
+        }
+
+        [TestMethod]
+        public void ShouldAcceptValidNetworkTypes()
+        {
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=auto"));
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10"));
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10/24"));
+            Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10,10.10.10.20"));
+        }
+
+        [TestMethod]
+        public void ShouldRejectInvalidNetworkTypes()
+        {
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network="));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=10.10.10.999"));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=10.10.10.10/64"));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=999.999.999.999/24"));
+            Assert.IsFalse(InvokeIsNetworkTypeValid("-network=not-an-ip"));
+        }
+    }
+}

winPEAS/winPEASexe/Tests/ChecksArgumentEdgeCasesTests.cs

@@ -0,0 +1,37 @@
+using System;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace winPEAS.Tests
+{
+    [TestClass]
+    public class ChecksArgumentEdgeCasesTests
+    {
+        [TestMethod]
+        public void ShouldNotThrowOnEmptyLogFileArg()
+        {
+            // Should return early with a user-friendly error, not crash.
+            Program.Main(new[] { "log=" });
+        }
+
+        [TestMethod]
+        public void ShouldNotThrowOnPortsWithoutNetwork()
+        {
+            // Should warn and return early because -network was not provided.
+            Program.Main(new[] { "-ports=80,443" });
+        }
+
+        [TestMethod]
+        public void ShouldNotThrowOnInvalidNetworkArgument()
+        {
+            // Should warn and return early because the IP is invalid.
+            Program.Main(new[] { "-network=10.10.10.999" });
+        }
+
+        [TestMethod]
+        public void ShouldNotThrowOnEmptyNetworkArgument()
+        {
+            // Should warn and return early because the value is empty.
+            Program.Main(new[] { "-network=" });
+        }
+    }
+}

winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj

@@ -61,9 +61,11 @@
     </Reference>
     <Reference Include="Microsoft.VisualStudio.TestPlatform.TestFramework, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\MSTest.TestFramework.2.2.5\lib\net45\Microsoft.VisualStudio.TestPlatform.TestFramework.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\MSTest.TestFramework.2.2.5\lib\net45\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="System" />
     <Reference Include="System.ComponentModel.Composition" />
@@ -95,6 +97,7 @@
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="ArgumentParsingTests.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="SmokeTests.cs" />
   </ItemGroup>
@@ -108,6 +111,40 @@
       <Name>winPEAS</Name>
     </ProjectReference>
   </ItemGroup>
+
+  <Target Name="CopyVSTestFrameworkToMSTestAdapter" AfterTargets="Build">
+    <PropertyGroup>
+      <_PackagesDir>$(MSBuildThisFileDirectory)..\packages\</_PackagesDir>
+      <_MSTestFrameworkDir>$(_PackagesDir)MSTest.TestFramework.2.2.5\lib\net45\</_MSTestFrameworkDir>
+    </PropertyGroup>
+
+    <ItemGroup Condition="Exists('$(_MSTestFrameworkDir)')">
+      <_VSTestFrameworkDlls Include="$(_MSTestFrameworkDir)Microsoft.VisualStudio.TestPlatform.TestFramework*.dll" />
+    </ItemGroup>
+
+    <ItemGroup>
+      <_VSTestCopyDirs Include="$(TargetDir)" Condition="'$(TargetDir)' != '' AND Exists('$(TargetDir)')" />
+      <_MSTestAdapterDirs Include="$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\net45\" Condition="Exists('$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\net45\')" />
+      <_MSTestAdapterDirs Include="$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\_common\" Condition="Exists('$(_PackagesDir)MSTest.TestAdapter.2.2.5\build\_common\')" />
+    </ItemGroup>
+
+    <Message
+      Condition="@(_VSTestFrameworkDlls) != ''"
+      Importance="high"
+      Text="CopyVSTestFrameworkToMSTestAdapter: copying @( _VSTestFrameworkDlls )" />
+
+    <Copy
+      Condition="@(_VSTestFrameworkDlls) != '' AND @(_VSTestCopyDirs) != ''"
+      SourceFiles="@(_VSTestFrameworkDlls)"
+      DestinationFolder="%(_VSTestCopyDirs.Identity)"
+      SkipUnchangedFiles="true" />
+
+    <Copy
+      Condition="@(_VSTestFrameworkDlls) != '' AND @(_MSTestAdapterDirs) != ''"
+      SourceFiles="@(_VSTestFrameworkDlls)"
+      DestinationFolder="%(_MSTestAdapterDirs.Identity)"
+      SkipUnchangedFiles="true" />
+  </Target>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
     <PropertyGroup>
@@ -133,4 +170,4 @@
   <Import Project="..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets" Condition="Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" />
   <Import Project="..\packages\Fody.6.5.5\build\Fody.targets" Condition="Exists('..\packages\Fody.6.5.5\build\Fody.targets')" />
   <Import Project="..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets" Condition="Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets')" />
-</Project>
+</Project>

winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.DirectoryServices;
+using System.Reflection;
 using System.Linq;
 using System.Security.AccessControl;
 using System.Security.Principal;
@@ -20,6 +21,7 @@ namespace winPEAS.Checks
             new List<Action>
             {
                 PrintGmsaReadableByCurrentPrincipal,
+                PrintKerberoastableServiceAccounts,
                 PrintAdObjectControlPaths,
                 PrintAdcsMisconfigurations
             }.ForEach(action => CheckRunner.Run(action, isDebug));
@@ -751,6 +753,37 @@ namespace winPEAS.Checks
             }
         }
 
+        private void PrintKerberoastableServiceAccounts()
+        {
+            try
+            {
+                Beaprint.MainPrint("Kerberoasting / service ticket risks");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/kerberoast.html",
+                    "Enumerate weak SPN accounts and legacy Kerberos crypto");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.GrayPrint("  [-] Host is not domain-joined. Skipping.");
+                    return;
+                }
+
+                var defaultNC = GetRootDseProp("defaultNamingContext");
+                if (string.IsNullOrEmpty(defaultNC))
+                {
+                    Beaprint.GrayPrint("  [-] Could not resolve defaultNamingContext.");
+                    return;
+                }
+
+                PrintDomainKerberosDefaults(defaultNC);
+                EnumerateKerberoastCandidates(defaultNC);
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("  [-] Kerberoasting check failed: " + ex.Message);
+            }
+        }
+
+
         // Detect AD CS misconfigurations
         private void PrintAdcsMisconfigurations()
         {
@@ -939,5 +972,420 @@ namespace winPEAS.Checks
                 Beaprint.PrintException(ex.Message);
             }
         }
+        private void PrintDomainKerberosDefaults(string defaultNc)
+        {
+            try
+            {
+                using (var domainEntry = new DirectoryEntry("LDAP://" + defaultNc))
+                {
+                    var encValue = GetDirectoryEntryInt(domainEntry, "msDS-DefaultSupportedEncryptionTypes");
+                    if (encValue.HasValue)
+                    {
+                        var desc = DescribeEncTypes(encValue);
+                        if (IsRc4Allowed(encValue))
+                            Beaprint.BadPrint($"  Domain default supported encryption types: {desc} — RC4/NT hash tickets allowed.");
+                        else
+                            Beaprint.GoodPrint($"  Domain default supported encryption types: {desc} — RC4 disabled.");
+                    }
+                    else
+                    {
+                        Beaprint.GrayPrint("  [-] Domain default supported encryption types not set (legacy compatibility defaults to RC4).");
+                    }
+                }
+
+                using (var baseDe = new DirectoryEntry("LDAP://" + defaultNc))
+                using (var ds = new DirectorySearcher(baseDe))
+                {
+                    ds.Filter = "(&(objectClass=user)(sAMAccountName=krbtgt))";
+                    ds.PropertiesToLoad.Add("msDS-SupportedEncryptionTypes");
+                    var result = ds.FindOne();
+                    if (result != null)
+                    {
+                        var encValue = GetIntProp(result, "msDS-SupportedEncryptionTypes");
+                        if (encValue.HasValue)
+                        {
+                            var desc = DescribeEncTypes(encValue);
+                            if (IsRc4Allowed(encValue))
+                                Beaprint.BadPrint($"  krbtgt supports: {desc} — RC4 TGTs can still be issued.");
+                            else
+                                Beaprint.GoodPrint($"  krbtgt supports: {desc}.");
+                        }
+                        else
+                        {
+                            Beaprint.GrayPrint("  [-] krbtgt enc types inherit domain defaults (unspecified).");
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("  [-] Unable to query Kerberos defaults: " + ex.Message);
+            }
+        }
+
+        private void EnumerateKerberoastCandidates(string defaultNc)
+        {
+            int checkedAccounts = 0;
+            int highTotal = 0;
+            int mediumTotal = 0;
+            var high = new List<KerberoastCandidate>();
+            var medium = new List<KerberoastCandidate>();
+
+            try
+            {
+                using (var baseDe = new DirectoryEntry("LDAP://" + defaultNc))
+                using (var ds = new DirectorySearcher(baseDe))
+                {
+                    ds.PageSize = 500;
+                    ds.Filter = "(servicePrincipalName=*)";
+                    ds.PropertiesToLoad.Add("sAMAccountName");
+                    ds.PropertiesToLoad.Add("displayName");
+                    ds.PropertiesToLoad.Add("distinguishedName");
+                    ds.PropertiesToLoad.Add("servicePrincipalName");
+                    ds.PropertiesToLoad.Add("msDS-SupportedEncryptionTypes");
+                    ds.PropertiesToLoad.Add("userAccountControl");
+                    ds.PropertiesToLoad.Add("pwdLastSet");
+                    ds.PropertiesToLoad.Add("memberOf");
+                    ds.PropertiesToLoad.Add("objectClass");
+
+                    foreach (SearchResult r in ds.FindAll())
+                    {
+                        checkedAccounts++;
+                        var candidate = BuildKerberoastCandidate(r);
+                        if (candidate == null)
+                        {
+                            continue;
+                        }
+
+                        if (candidate.IsHighRisk)
+                        {
+                            highTotal++;
+                            if (high.Count < 15) high.Add(candidate);
+                        }
+                        else
+                        {
+                            mediumTotal++;
+                            if (medium.Count < 12) medium.Add(candidate);
+                        }
+                    }
+                }
+
+                Beaprint.InfoPrint($"Checked {checkedAccounts} SPN-bearing accounts. High-risk RC4/privileged targets: {highTotal}, long-lived AES-only targets: {mediumTotal}.");
+
+                if (highTotal == 0 && mediumTotal == 0)
+                {
+                    Beaprint.GoodPrint("  No obvious Kerberoastable service accounts detected with current visibility.");
+                    return;
+                }
+
+                if (high.Count > 0)
+                {
+                    Beaprint.BadPrint("  [!] RC4-enabled or privileged SPN accounts:");
+                    foreach (var c in high)
+                    {
+                        Beaprint.ColorPrint($"      - {c.Label} | SPNs: {c.SpnSummary} | Enc: {c.Encryption} | {c.Reason}", Beaprint.LRED);
+                    }
+                    if (highTotal > high.Count)
+                    {
+                        Beaprint.GrayPrint($"      ... {highTotal - high.Count} additional high-risk accounts omitted.");
+                    }
+                }
+
+                if (medium.Count > 0)
+                {
+                    Beaprint.ColorPrint("  [~] Long-lived SPN accounts (still Kerberoastable via AES tickets):", Beaprint.YELLOW);
+                    foreach (var c in medium)
+                    {
+                        Beaprint.ColorPrint($"      - {c.Label} | SPNs: {c.SpnSummary} | Enc: {c.Encryption} | {c.Reason}", Beaprint.YELLOW);
+                    }
+                    if (mediumTotal > medium.Count)
+                    {
+                        Beaprint.GrayPrint($"      ... {mediumTotal - medium.Count} additional medium-risk accounts omitted.");
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("  [-] LDAP error while enumerating SPNs: " + ex.Message);
+            }
+        }
+
+        private KerberoastCandidate BuildKerberoastCandidate(SearchResult r)
+        {
+            var sam = GetProp(r, "sAMAccountName");
+            var displayName = GetProp(r, "displayName");
+            var dn = GetProp(r, "distinguishedName");
+
+            if (IsComputerObject(r) || IsManagedServiceAccount(r))
+                return null;
+
+            var uac = GetIntProp(r, "userAccountControl");
+            if (uac.HasValue && (uac.Value & 0x2) != 0)
+                return null;
+
+            var encValue = GetIntProp(r, "msDS-SupportedEncryptionTypes");
+            bool rc4Allowed = IsRc4Allowed(encValue);
+            bool aesPresent = HasAes(encValue);
+            bool passwordNeverExpires = uac.HasValue && (uac.Value & 0x10000) != 0;
+            DateTime? pwdLastSet = GetFileTimeProp(r, "pwdLastSet");
+            bool stalePassword = pwdLastSet.HasValue && pwdLastSet.Value < DateTime.UtcNow.AddDays(-365);
+            var privilegeHits = GetPrivilegedGroups(r);
+            var reasons = new List<string>();
+
+            if (rc4Allowed)
+                reasons.Add("RC4 allowed");
+            else if (!aesPresent)
+                reasons.Add("No AES flag");
+            if (passwordNeverExpires)
+                reasons.Add("PasswordNeverExpires");
+            if (stalePassword)
+                reasons.Add("PwdLastSet " + pwdLastSet.Value.ToString("yyyy-MM-dd"));
+            if (privilegeHits.Count > 0)
+                reasons.Add("Privileged: " + string.Join("/", privilegeHits));
+
+            if (reasons.Count == 0)
+                return null;
+
+            bool isHigh = rc4Allowed || privilegeHits.Count > 0;
+            if (!isHigh && !(passwordNeverExpires || stalePassword))
+                return null;
+
+            var label = !string.IsNullOrEmpty(sam) ? sam : dn;
+            if (!string.IsNullOrEmpty(displayName) && !string.Equals(displayName, sam, StringComparison.OrdinalIgnoreCase))
+            {
+                label = string.IsNullOrEmpty(sam) ? displayName : $"{sam} ({displayName})";
+            }
+
+            return new KerberoastCandidate
+            {
+                Label = label ?? "<unknown>",
+                SpnSummary = BuildSpnSummary(r),
+                Encryption = DescribeEncTypes(encValue),
+                Reason = string.Join("; ", reasons),
+                IsHighRisk = isHigh
+            };
+        }
+
+        private static string BuildSpnSummary(SearchResult r)
+        {
+            if (!r.Properties.Contains("servicePrincipalName") || r.Properties["servicePrincipalName"].Count == 0)
+                return "<none>";
+
+            var values = r.Properties["servicePrincipalName"];
+            var list = new List<string>();
+            int limit = values.Count < 3 ? values.Count : 3;
+            for (int i = 0; i < limit; i++)
+            {
+                var spn = values[i]?.ToString();
+                if (!string.IsNullOrEmpty(spn))
+                    list.Add(spn);
+            }
+
+            string summary = list.Count > 0 ? string.Join(", ", list) : "<none>";
+            if (values.Count > limit)
+                summary += $" (+{values.Count - limit} more)";
+            return summary;
+        }
+
+        private static List<string> GetPrivilegedGroups(SearchResult r)
+        {
+            var hits = new List<string>();
+            if (!r.Properties.Contains("memberOf"))
+                return hits;
+
+            var memberships = r.Properties["memberOf"];
+            foreach (var membership in memberships)
+            {
+                var cn = ExtractCn(membership?.ToString());
+                if (string.IsNullOrEmpty(cn))
+                    continue;
+
+                foreach (var keyword in PrivilegedGroupKeywords)
+                {
+                    if (cn.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
+                    {
+                        if (!hits.Contains(cn))
+                            hits.Add(cn);
+                        break;
+                    }
+                }
+            }
+            return hits;
+        }
+
+        private static string ExtractCn(string dn)
+        {
+            if (string.IsNullOrEmpty(dn))
+                return null;
+
+            var parts = dn.Split(',');
+            foreach (var part in parts)
+            {
+                var trimmed = part.Trim();
+                if (trimmed.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
+                    return trimmed.Substring(3);
+            }
+            return dn;
+        }
+
+        private static bool IsComputerObject(SearchResult r)
+        {
+            return HasObjectClass(r, "computer");
+        }
+
+        private static bool IsManagedServiceAccount(SearchResult r)
+        {
+            return HasObjectClass(r, "msDS-ManagedServiceAccount") || HasObjectClass(r, "msDS-GroupManagedServiceAccount");
+        }
+
+        private static bool HasObjectClass(SearchResult r, string className)
+        {
+            if (!r.Properties.Contains("objectClass"))
+                return false;
+
+            foreach (var val in r.Properties["objectClass"])
+            {
+                if (string.Equals(val?.ToString(), className, StringComparison.OrdinalIgnoreCase))
+                    return true;
+            }
+            return false;
+        }
+
+        private static DateTime? GetFileTimeProp(SearchResult r, string propName)
+        {
+            if (!r.Properties.Contains(propName) || r.Properties[propName].Count == 0)
+                return null;
+            return ConvertFileTime(r.Properties[propName][0]);
+        }
+
+        private static DateTime? ConvertFileTime(object value)
+        {
+            if (value == null)
+                return null;
+            try
+            {
+                if (value is long longVal)
+                {
+                    if (longVal <= 0) return null;
+                    return DateTime.FromFileTimeUtc(longVal);
+                }
+
+                if (value is IConvertible convertible)
+                {
+                    long converted = convertible.ToInt64(null);
+                    if (converted > 0)
+                        return DateTime.FromFileTimeUtc(converted);
+                }
+
+                var type = value.GetType();
+                var highProp = type.GetProperty("HighPart", BindingFlags.Public | BindingFlags.Instance);
+                var lowProp = type.GetProperty("LowPart", BindingFlags.Public | BindingFlags.Instance);
+                if (highProp != null && lowProp != null)
+                {
+                    int high = Convert.ToInt32(highProp.GetValue(value, null));
+                    int low = Convert.ToInt32(lowProp.GetValue(value, null));
+                    long fileTime = ((long)high << 32) | (uint)low;
+                    if (fileTime > 0)
+                        return DateTime.FromFileTimeUtc(fileTime);
+                }
+            }
+            catch
+            {
+                return null;
+            }
+            return null;
+        }
+
+        private static int? GetIntProp(SearchResult r, string name)
+        {
+            if (!r.Properties.Contains(name) || r.Properties[name].Count == 0)
+                return null;
+            return ConvertToNullableInt(r.Properties[name][0]);
+        }
+
+        private static int? GetDirectoryEntryInt(DirectoryEntry entry, string name)
+        {
+            try
+            {
+                return ConvertToNullableInt(entry.Properties[name]?.Value);
+            }
+            catch
+            {
+                return null;
+            }
+        }
+
+        private static int? ConvertToNullableInt(object value)
+        {
+            if (value == null)
+                return null;
+            if (value is int intValue)
+                return intValue;
+            if (value is long longValue)
+                return unchecked((int)longValue);
+            if (int.TryParse(value.ToString(), out var parsed))
+                return parsed;
+            return null;
+        }
+
+        private static bool IsRc4Allowed(int? encValue)
+        {
+            if (!encValue.HasValue || encValue.Value == 0)
+                return true;
+            return (encValue.Value & EncFlagRc4) != 0;
+        }
+
+        private static bool HasAes(int? encValue)
+        {
+            if (!encValue.HasValue)
+                return false;
+            return (encValue.Value & (EncFlagAes128 | EncFlagAes256)) != 0;
+        }
+
+        private static string DescribeEncTypes(int? encValue)
+        {
+            if (!encValue.HasValue || encValue.Value == 0)
+                return "Unspecified (inherits defaults / RC4 compatible)";
+
+            var parts = new List<string>();
+            if ((encValue.Value & EncFlagDesCrc) != 0) parts.Add("DES-CBC-CRC");
+            if ((encValue.Value & EncFlagDesMd5) != 0) parts.Add("DES-CBC-MD5");
+            if ((encValue.Value & EncFlagRc4) != 0) parts.Add("RC4-HMAC");
+            if ((encValue.Value & EncFlagAes128) != 0) parts.Add("AES128");
+            if ((encValue.Value & EncFlagAes256) != 0) parts.Add("AES256");
+            if ((encValue.Value & 0x20) != 0) parts.Add("FAST");
+            if (parts.Count == 0) parts.Add($"0x{encValue.Value:X}");
+            return string.Join(", ", parts);
+        }
+
+        private class KerberoastCandidate
+        {
+            public string Label { get; set; }
+            public string SpnSummary { get; set; }
+            public string Encryption { get; set; }
+            public string Reason { get; set; }
+            public bool IsHighRisk { get; set; }
+        }
+
+        private static readonly string[] PrivilegedGroupKeywords = new[]
+        {
+            "Domain Admin",
+            "Enterprise Admin",
+            "Administrators",
+            "Exchange",
+            "Schema Admin",
+            "Account Operator",
+            "Server Operator",
+            "Backup Operator",
+            "DnsAdmin"
+        };
+
+        private const int EncFlagDesCrc = 0x1;
+        private const int EncFlagDesMd5 = 0x2;
+        private const int EncFlagRc4 = 0x4;
+        private const int EncFlagAes128 = 0x8;
+        private const int EncFlagAes256 = 0x10;
+
+
     }
 }

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

@@ -88,11 +88,13 @@ namespace winPEAS.Checks
                 new SystemCheck("userinfo", new UserInfo()),
                 new SystemCheck("processinfo", new ProcessInfo()),
                 new SystemCheck("servicesinfo", new ServicesInfo()),
+                new SystemCheck("soapclientinfo", new SoapClientInfo()),
                 new SystemCheck("applicationsinfo", new ApplicationsInfo()),
                 new SystemCheck("networkinfo", new NetworkInfo()),
                 new SystemCheck("activedirectoryinfo", new ActiveDirectoryInfo()),
                 new SystemCheck("cloudinfo", new CloudInfo()),
                 new SystemCheck("windowscreds", new WindowsCreds()),
+                new SystemCheck("registryinfo", new RegistryInfo()),
                 new SystemCheck("browserinfo", new BrowserInfo()),
                 new SystemCheck("filesinfo", new FilesInfo()),
                 new SystemCheck("fileanalysis", new FileAnalysis()),
@@ -354,7 +356,7 @@ namespace winPEAS.Checks
                 {
                     var rangeParts = networkType.Split('/');
 
-                    if (rangeParts.Length == 2 && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0)
+                    if (rangeParts.Length == 2 && IPAddress.TryParse(rangeParts[0], out _) && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0)
                     {
                         return true;
                     }

winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs

@@ -392,7 +392,7 @@ namespace winPEAS.Checks
 
                 foreach (string regHkcu in passRegHkcu)
                 {
-                    Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHkcu), false);
+                    Beaprint.DictPrint(RegistryHelper.GetRegValues("HKCU", regHkcu), false);
                 }
 
                 foreach (string regHklm in passRegHklm)

winPEAS/winPEASexe/winPEAS/Checks/RegistryInfo.cs

@@ -0,0 +1,141 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using winPEAS.Helpers;
+using winPEAS.Helpers.Registry;
+
+namespace winPEAS.Checks
+{
+    internal class RegistryInfo : ISystemCheck
+    {
+        private const string TypingInsightsRelativePath = @"Software\Microsoft\Input\TypingInsights";
+
+        private static readonly string[] KnownWritableSystemKeyCandidates = new[]
+        {
+            @"SOFTWARE\Microsoft\CoreShell",
+            @"SOFTWARE\Microsoft\DRM",
+            @"SOFTWARE\Microsoft\Input\Locales",
+            @"SOFTWARE\Microsoft\Input\Settings",
+            @"SOFTWARE\Microsoft\Shell\Oobe",
+            @"SOFTWARE\Microsoft\Shell\Session",
+            @"SOFTWARE\Microsoft\Tracing",
+            @"SOFTWARE\Microsoft\Windows\UpdateApi",
+            @"SOFTWARE\Microsoft\WindowsUpdate\UX",
+            @"SOFTWARE\WOW6432Node\Microsoft\DRM",
+            @"SOFTWARE\WOW6432Node\Microsoft\Tracing",
+            @"SYSTEM\Software\Microsoft\TIP",
+            @"SYSTEM\ControlSet001\Control\Cryptography\WebSignIn\Navigation",
+            @"SYSTEM\ControlSet001\Control\MUI\StringCacheSettings",
+            @"SYSTEM\ControlSet001\Control\USB\AutomaticSurpriseRemoval",
+            @"SYSTEM\ControlSet001\Services\BTAGService\Parameters\Settings",
+        };
+
+        private static readonly string[] ScanBasePaths = new[]
+        {
+            @"SOFTWARE\Microsoft",
+            @"SOFTWARE\WOW6432Node\Microsoft",
+            @"SYSTEM\CurrentControlSet\Services",
+            @"SYSTEM\CurrentControlSet\Control",
+            @"SYSTEM\ControlSet001\Control",
+        };
+
+        public void PrintInfo(bool isDebug)
+        {
+            Beaprint.GreatPrint("Registry permissions for hive exploitation");
+
+            new List<Action>
+            {
+                PrintTypingInsightsPermissions,
+                PrintKnownSystemWritableKeys,
+                PrintHeuristicWritableKeys,
+            }.ForEach(action => CheckRunner.Run(action, isDebug));
+        }
+
+        private void PrintTypingInsightsPermissions()
+        {
+            Beaprint.MainPrint("Cross-user TypingInsights key (HKCU/HKU)");
+
+            var matches = new List<RegistryWritableKeyInfo>();
+            var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+            if (RegistryAclScanner.TryGetWritableKey("HKCU", TypingInsightsRelativePath, out var currentUserKey))
+            {
+                if (seen.Add(currentUserKey.FullPath))
+                {
+                    matches.Add(currentUserKey);
+                }
+            }
+
+            foreach (var sid in RegistryHelper.GetUserSIDs())
+            {
+                if (string.IsNullOrEmpty(sid) || sid.Equals(".DEFAULT", StringComparison.OrdinalIgnoreCase) || sid.EndsWith("_Classes", StringComparison.OrdinalIgnoreCase))
+                {
+                    continue;
+                }
+
+                string relativePath = $"{sid}\\{TypingInsightsRelativePath}";
+                if (RegistryAclScanner.TryGetWritableKey("HKU", relativePath, out var info) && seen.Add(info.FullPath))
+                {
+                    matches.Add(info);
+                }
+            }
+
+            if (matches.Count == 0)
+            {
+                Beaprint.GrayPrint("  [-] TypingInsights key does not grant write access to low-privileged groups.");
+                return;
+            }
+
+            PrintEntries(matches);
+            Beaprint.LinkPrint("https://projectzero.google/2025/05/the-windows-registry-adventure-8-exploitation.html", "Writable TypingInsights enables cross-user hive tampering and DoS.");
+        }
+
+        private void PrintKnownSystemWritableKeys()
+        {
+            Beaprint.MainPrint("Known HKLM descendants writable by standard users");
+
+            var matches = new List<RegistryWritableKeyInfo>();
+            foreach (var path in KnownWritableSystemKeyCandidates)
+            {
+                if (RegistryAclScanner.TryGetWritableKey("HKLM", path, out var info))
+                {
+                    matches.Add(info);
+                }
+            }
+
+            if (matches.Count == 0)
+            {
+                Beaprint.GrayPrint("  [-] None of the tracked HKLM keys are writable by low-privileged groups.");
+                return;
+            }
+
+            PrintEntries(matches);
+        }
+
+        private void PrintHeuristicWritableKeys()
+        {
+            Beaprint.MainPrint("Sample of additional writable HKLM keys (depth-limited scan)");
+
+            var matches = RegistryAclScanner.ScanWritableKeys("HKLM", ScanBasePaths, maxDepth: 3, maxResults: 25);
+            if (matches.Count == 0)
+            {
+                Beaprint.GrayPrint("  [-] No additional writable HKLM keys were found within the sampled paths.");
+                return;
+            }
+
+            PrintEntries(matches);
+            Beaprint.GrayPrint("  [*] Showing up to 25 entries from the sampled paths to avoid noisy output.");
+        }
+
+        private static void PrintEntries(IEnumerable<RegistryWritableKeyInfo> entries)
+        {
+            foreach (var entry in entries)
+            {
+                var principals = string.Join(", ", entry.Principals);
+                var rights = entry.Rights.Count > 0 ? string.Join(", ", entry.Rights.Distinct(StringComparer.OrdinalIgnoreCase)) : "Write access";
+                var displayPath = string.IsNullOrEmpty(entry.FullPath) ? $"{entry.Hive}\\{entry.RelativePath}" : entry.FullPath;
+                Beaprint.BadPrint($"  [!] {displayPath} -> {principals} ({rights})");
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs

@@ -36,6 +36,7 @@ namespace winPEAS.Checks
                 PrintModifiableServices,
                 PrintWritableRegServices,
                 PrintPathDllHijacking,
+                PrintOemPrivilegedUtilities,
                 PrintLegacySignedKernelDrivers,
                 PrintKernelQuickIndicators,
             }.ForEach(action => CheckRunner.Run(action, isDebug));
@@ -210,6 +211,51 @@ namespace winPEAS.Checks
             }
         }
 
+        void PrintOemPrivilegedUtilities()
+        {
+            try
+            {
+                Beaprint.MainPrint("OEM privileged utilities & risky components");
+                var findings = OemSoftwareHelper.GetPotentiallyVulnerableComponents(Checks.CurrentUserSiDs);
+
+                if (findings.Count == 0)
+                {
+                    Beaprint.GoodPrint("    None of the supported OEM utilities were detected.");
+                    return;
+                }
+
+                foreach (var finding in findings)
+                {
+                    bool hasCves = finding.Cves != null && finding.Cves.Length > 0;
+                    string cveSuffix = hasCves ? $" ({string.Join(", ", finding.Cves)})" : string.Empty;
+                    Beaprint.BadPrint($"  {finding.Name}{cveSuffix}");
+
+                    if (!string.IsNullOrWhiteSpace(finding.Description))
+                    {
+                        Beaprint.GrayPrint($"      {finding.Description}");
+                    }
+
+                    foreach (var evidence in finding.Evidence)
+                    {
+                        string message = $"      - {evidence.Message}";
+                        if (evidence.Highlight)
+                        {
+                            Beaprint.BadPrint(message);
+                        }
+                        else
+                        {
+                            Beaprint.GrayPrint(message);
+                        }
+                    }
+
+                    Beaprint.PrintLineSeparator();
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
 
         void PrintLegacySignedKernelDrivers()
         {
@@ -352,4 +398,3 @@ namespace winPEAS.Checks
         }
     }
 }
-

winPEAS/winPEASexe/winPEAS/Checks/SoapClientInfo.cs

@@ -0,0 +1,88 @@
+using System;
+using System.Collections.Generic;
+using winPEAS.Helpers;
+using winPEAS.Info.ApplicationInfo;
+
+namespace winPEAS.Checks
+{
+    internal class SoapClientInfo : ISystemCheck
+    {
+        public void PrintInfo(bool isDebug)
+        {
+            Beaprint.GreatPrint(".NET SOAP Client Proxies (SOAPwn)");
+
+            CheckRunner.Run(PrintSoapClientFindings, isDebug);
+        }
+
+        private static void PrintSoapClientFindings()
+        {
+            try
+            {
+                Beaprint.MainPrint("Potential SOAPwn / HttpWebClientProtocol abuse surfaces");
+                Beaprint.LinkPrint(
+                    "https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/",
+                    "Look for .NET services that let attackers control SoapHttpClientProtocol URLs or WSDL imports to coerce NTLM or drop files.");
+
+                List<SoapClientProxyFinding> findings = SoapClientProxyAnalyzer.CollectFindings();
+                if (findings.Count == 0)
+                {
+                    Beaprint.NotFoundPrint();
+                    return;
+                }
+
+                foreach (SoapClientProxyFinding finding in findings)
+                {
+                    string severity = finding.BinaryIndicators.Contains("ServiceDescriptionImporter")
+                        ? "Dynamic WSDL import"
+                        : "SOAP proxy usage";
+
+                    Beaprint.BadPrint($"    [{severity}] {finding.BinaryPath}");
+
+                    foreach (SoapClientProxyInstance instance in finding.Instances)
+                    {
+                        string instanceInfo = $"        -> {instance.SourceType}: {instance.Name}";
+                        if (!string.IsNullOrEmpty(instance.Account))
+                        {
+                            instanceInfo += $" ({instance.Account})";
+                        }
+                        if (!string.IsNullOrEmpty(instance.Extra))
+                        {
+                            instanceInfo += $" | {instance.Extra}";
+                        }
+
+                        Beaprint.GrayPrint(instanceInfo);
+                    }
+
+                    if (finding.BinaryIndicators.Count > 0)
+                    {
+                        Beaprint.BadPrint("        Binary indicators: " + string.Join(", ", finding.BinaryIndicators));
+                    }
+
+                    if (finding.ConfigIndicators.Count > 0)
+                    {
+                        string configLabel = string.IsNullOrEmpty(finding.ConfigPath)
+                            ? "Config indicators"
+                            : $"Config indicators ({finding.ConfigPath})";
+                        Beaprint.BadPrint("        " + configLabel + ": " + string.Join(", ", finding.ConfigIndicators));
+                    }
+
+                    if (finding.BinaryScanFailed)
+                    {
+                        Beaprint.GrayPrint("        (Binary scan skipped due to access/size limits)");
+                    }
+
+                    if (finding.ConfigScanFailed)
+                    {
+                        Beaprint.GrayPrint("        (Unable to read config file)");
+                    }
+
+                    Beaprint.PrintLineSeparator();
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -88,6 +88,7 @@ namespace winPEAS.Checks
                 PrintLocalGroupPolicy,
                 PrintPotentialGPOAbuse,
                 AppLockerHelper.PrintAppLockerPolicy,
+                PrintPrintNightmarePointAndPrint,
                 PrintPrintersWMIInfo,
                 PrintNamedPipes,
                 PrintNamedPipeAbuseCandidates,
@@ -836,6 +837,39 @@ namespace winPEAS.Checks
             }
         }
 
+        private static void PrintPrintNightmarePointAndPrint()
+        {
+            Beaprint.MainPrint("PrintNightmare PointAndPrint Policies");
+            Beaprint.LinkPrint("https://itm4n.github.io/printnightmare-exploitation/", "Check PointAndPrint policy hardening");
+
+            try
+            {
+                string key = @"Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint";
+                var restrict = RegistryHelper.GetDwordValue("HKLM", key, "RestrictDriverInstallationToAdministrators");
+                var noWarn = RegistryHelper.GetDwordValue("HKLM", key, "NoWarningNoElevationOnInstall");
+                var updatePrompt = RegistryHelper.GetDwordValue("HKLM", key, "UpdatePromptSettings");
+
+                if (restrict == null && noWarn == null && updatePrompt == null)
+                {
+                    Beaprint.NotFoundPrint();
+                    return;
+                }
+
+                Beaprint.NoColorPrint($"      RestrictDriverInstallationToAdministrators: {restrict}\n" +
+                                      $"      NoWarningNoElevationOnInstall: {noWarn}\n" +
+                                      $"      UpdatePromptSettings: {updatePrompt}");
+
+                if (restrict == 0 && noWarn == 1 && updatePrompt == 2)
+                {
+                    Beaprint.BadPrint("      [!] Potentially vulnerable to PrintNightmare misconfiguration");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
         private static void PrintPrintersWMIInfo()
         {
             Beaprint.MainPrint("Enumerating Printers (WMI)");

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -132,6 +132,7 @@ namespace winPEAS.Helpers
             Console.WriteLine(LCYAN + "        activedirectoryinfo" + GRAY + "   Quick AD checks (gMSA readable passwords, AD CS template rights)" + NOCOLOR);
             Console.WriteLine(LCYAN + "        cloudinfo" + GRAY + "            Enumerate cloud information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        windowscreds" + GRAY + "         Search windows credentials" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        registryinfo" + GRAY + "         Flag writable HKLM/HKU keys that enable hive tampering" + NOCOLOR);
             Console.WriteLine(LCYAN + "        browserinfo" + GRAY + "          Search browser information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        filesinfo" + GRAY + "            Search generic files that can contains credentials" + NOCOLOR);
             Console.WriteLine(LCYAN + "        fileanalysis" + GRAY + "         [NOT RUN BY DEFAULT] Search specific files that can contains credentials and for regexes inside files. Might take several minutes." + NOCOLOR);

winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs

@@ -24,36 +24,51 @@ namespace winPEAS.Helpers
         ////////////////////////////////////
         /////// MISC - Files & Paths ///////
         ////////////////////////////////////
-        public static bool CheckIfDotNet(string path)
+        public static bool CheckIfDotNet(string path, bool ignoreCompanyName = false)
         {
             bool isDotNet = false;
-            FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(path);
-            string companyName = myFileVersionInfo.CompanyName;
-            if ((string.IsNullOrEmpty(companyName)) ||
-                (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
+            string companyName = string.Empty;
+
+            try
             {
-                try
+                FileVersionInfo myFileVersionInfo = FileVersionInfo.GetVersionInfo(path);
+                companyName = myFileVersionInfo.CompanyName;
+            }
+            catch
+            {
+                // Unable to read version information, continue with assembly inspection
+            }
+
+            bool shouldInspectAssembly = ignoreCompanyName ||
+                (string.IsNullOrEmpty(companyName)) ||
+                (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase));
+
+            if (!shouldInspectAssembly)
+            {
+                return false;
+            }
+
+            try
+            {
+                AssemblyName.GetAssemblyName(path);
+                isDotNet = true;
+            }
+            catch (System.IO.FileNotFoundException)
+            {
+                // System.Console.WriteLine("The file cannot be found.");
+            }
+            catch (System.BadImageFormatException exception)
+            {
+                if (Regex.IsMatch(exception.Message,
+                    ".*This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.*",
+                    RegexOptions.IgnoreCase))
                 {
-                    AssemblyName myAssemblyName = AssemblyName.GetAssemblyName(path);
                     isDotNet = true;
                 }
-                catch (System.IO.FileNotFoundException)
-                {
-                    // System.Console.WriteLine("The file cannot be found.");
-                }
-                catch (System.BadImageFormatException exception)
-                {
-                    if (Regex.IsMatch(exception.Message,
-                        ".*This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.*",
-                        RegexOptions.IgnoreCase))
-                    {
-                        isDotNet = true;
-                    }
-                }
-                catch
-                {
-                    // System.Console.WriteLine("The assembly has already been loaded.");
-                }
+            }
+            catch
+            {
+                // System.Console.WriteLine("The assembly has already been loaded.");
             }
 
             return isDotNet;

winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryAclScanner.cs

@@ -0,0 +1,221 @@
+using Microsoft.Win32;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using winPEAS.Helpers;
+
+namespace winPEAS.Helpers.Registry
+{
+    internal class RegistryWritableKeyInfo
+    {
+        public string Hive { get; set; }
+        public string RelativePath { get; set; }
+        public string FullPath { get; set; }
+        public List<string> Principals { get; set; } = new List<string>();
+        public List<string> Rights { get; set; } = new List<string>();
+    }
+
+    internal static class RegistryAclScanner
+    {
+        private static readonly Dictionary<string, string> LowPrivSidMap = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+        {
+            { new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null).Value, "BUILTIN\\Users" },
+            { new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null).Value, "Authenticated Users" },
+            { new SecurityIdentifier(WellKnownSidType.WorldSid, null).Value, "Everyone" },
+            { new SecurityIdentifier(WellKnownSidType.InteractiveSid, null).Value, "Interactive" },
+            { new SecurityIdentifier(WellKnownSidType.BuiltinGuestsSid, null).Value, "BUILTIN\\Guests" },
+        };
+
+        public static bool TryGetWritableKey(string hive, string relativePath, out RegistryWritableKeyInfo info)
+        {
+            info = null;
+            using (var key = OpenKey(hive, relativePath))
+            {
+                if (key == null)
+                {
+                    return false;
+                }
+
+                return TryCollectWritableInfo(hive, relativePath, key, out info);
+            }
+        }
+
+        public static List<RegistryWritableKeyInfo> ScanWritableKeys(string hive, IEnumerable<string> basePaths, int maxDepth, int maxResults)
+        {
+            var results = new List<RegistryWritableKeyInfo>();
+            var seenPaths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var basePath in basePaths ?? Enumerable.Empty<string>())
+            {
+                if (results.Count >= maxResults)
+                {
+                    break;
+                }
+
+                using (var key = OpenKey(hive, basePath))
+                {
+                    if (key == null)
+                    {
+                        continue;
+                    }
+
+                    Traverse(hive, key, basePath, 0, maxDepth, maxResults, seenPaths, results);
+                }
+            }
+
+            return results;
+        }
+
+        private static void Traverse(string hive, RegistryKey currentKey, string currentPath, int depth, int maxDepth, int maxResults, HashSet<string> seenPaths, List<RegistryWritableKeyInfo> results)
+        {
+            if (currentKey == null || results.Count >= maxResults)
+            {
+                return;
+            }
+
+            if (TryCollectWritableInfo(hive, currentPath, currentKey, out var info))
+            {
+                if (seenPaths.Add(info.FullPath))
+                {
+                    results.Add(info);
+                }
+
+                if (results.Count >= maxResults)
+                {
+                    return;
+                }
+            }
+
+            if (depth >= maxDepth)
+            {
+                return;
+            }
+
+            string[] subKeys;
+            try
+            {
+                subKeys = currentKey.GetSubKeyNames();
+            }
+            catch
+            {
+                return;
+            }
+
+            foreach (var subKeyName in subKeys)
+            {
+                if (results.Count >= maxResults)
+                {
+                    break;
+                }
+
+                try
+                {
+                    using (var childKey = currentKey.OpenSubKey(subKeyName))
+                    {
+                        if (childKey == null)
+                        {
+                            continue;
+                        }
+
+                        string childPath = string.IsNullOrEmpty(currentPath) ? subKeyName : $"{currentPath}\\{subKeyName}";
+                        Traverse(hive, childKey, childPath, depth + 1, maxDepth, maxResults, seenPaths, results);
+                    }
+                }
+                catch
+                {
+                    // Ignore keys we cannot open
+                }
+            }
+        }
+
+        private static bool TryCollectWritableInfo(string hive, string relativePath, RegistryKey key, out RegistryWritableKeyInfo info)
+        {
+            info = null;
+
+            try
+            {
+                var acl = key.GetAccessControl(AccessControlSections.Access);
+
+                var principals = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+                var rights = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+                foreach (RegistryAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
+                {
+                    if (rule.AccessControlType != AccessControlType.Allow)
+                    {
+                        continue;
+                    }
+
+                    var sid = rule.IdentityReference as SecurityIdentifier ?? rule.IdentityReference.Translate(typeof(SecurityIdentifier)) as SecurityIdentifier;
+                    if (sid == null)
+                    {
+                        continue;
+                    }
+
+                    if (!LowPrivSidMap.TryGetValue(sid.Value, out var label))
+                    {
+                        continue;
+                    }
+
+                    string interestingRight = PermissionsHelper.PermInt2Str((int)rule.RegistryRights, PermissionType.WRITEABLE_OR_EQUIVALENT_REG);
+                    if (string.IsNullOrEmpty(interestingRight))
+                    {
+                        continue;
+                    }
+
+                    principals.Add($"{label} ({sid.Value})");
+                    rights.Add(interestingRight);
+                }
+
+                if (principals.Count == 0)
+                {
+                    return false;
+                }
+
+                string normalizedRelativePath = relativePath ?? string.Empty;
+                string fullPath = string.IsNullOrEmpty(normalizedRelativePath) ? key.Name : $"{hive}\\{normalizedRelativePath}";
+
+                info = new RegistryWritableKeyInfo
+                {
+                    Hive = hive,
+                    RelativePath = normalizedRelativePath,
+                    FullPath = fullPath,
+                    Principals = principals.ToList(),
+                    Rights = rights.ToList(),
+                };
+                return true;
+            }
+            catch
+            {
+                return false;
+            }
+        }
+
+        private static RegistryKey OpenKey(string hive, string path)
+        {
+            if (string.IsNullOrEmpty(path))
+            {
+                return null;
+            }
+
+            try
+            {
+                RegistryKey baseKey = hive switch
+                {
+                    "HKLM" => Microsoft.Win32.Registry.LocalMachine,
+                    "HKCU" => Microsoft.Win32.Registry.CurrentUser,
+                    "HKU" => Microsoft.Win32.Registry.Users,
+                    _ => null,
+                };
+
+                return baseKey?.OpenSubKey(path);
+            }
+            catch
+            {
+                return null;
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/SoapClientProxyAnalyzer.cs

@@ -0,0 +1,369 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Management;
+using System.Text;
+using winPEAS.Helpers;
+using winPEAS.Info.ProcessInfo;
+
+namespace winPEAS.Info.ApplicationInfo
+{
+    internal class SoapClientProxyInstance
+    {
+        public string SourceType { get; set; }
+        public string Name { get; set; }
+        public string Account { get; set; }
+        public string Extra { get; set; }
+    }
+
+    internal class SoapClientProxyFinding
+    {
+        public string BinaryPath { get; set; }
+        public List<SoapClientProxyInstance> Instances { get; } = new List<SoapClientProxyInstance>();
+        public HashSet<string> BinaryIndicators { get; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        public HashSet<string> ConfigIndicators { get; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        public string ConfigPath { get; set; }
+        public bool BinaryScanFailed { get; set; }
+        public bool ConfigScanFailed { get; set; }
+    }
+
+    internal static class SoapClientProxyAnalyzer
+    {
+        private class SoapClientProxyCandidate
+        {
+            public string BinaryPath { get; set; }
+            public string SourceType { get; set; }
+            public string Name { get; set; }
+            public string Account { get; set; }
+            public string Extra { get; set; }
+        }
+
+        private static readonly string[] BinaryIndicatorStrings = new[]
+        {
+            "SoapHttpClientProtocol",
+            "HttpWebClientProtocol",
+            "DiscoveryClientProtocol",
+            "HttpSimpleClientProtocol",
+            "HttpGetClientProtocol",
+            "HttpPostClientProtocol",
+            "ServiceDescriptionImporter",
+            "System.Web.Services.Description.ServiceDescriptionImporter",
+        };
+
+        private static readonly Dictionary<string, string> ConfigIndicatorMap = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+        {
+            { "soap:address", "soap:address element present" },
+            { "soap12:address", "soap12:address element present" },
+            { "?wsdl", "?wsdl reference" },
+            { "<wsdl:", "WSDL schema embedded in config" },
+            { "servicedescriptionimporter", "ServiceDescriptionImporter referenced in config" },
+            { "system.web.services.description", "System.Web.Services.Description namespace referenced" },
+            { "new-webserviceproxy", "PowerShell New-WebServiceProxy referenced" },
+            { "file://", "file:// scheme referenced" },
+        };
+
+        private const long MaxBinaryScanSize = 200 * 1024 * 1024; // 200MB
+        private static readonly object DotNetCacheLock = new object();
+        private static readonly Dictionary<string, bool> DotNetCache = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
+
+        public static List<SoapClientProxyFinding> CollectFindings()
+        {
+            var findings = new Dictionary<string, SoapClientProxyFinding>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var candidate in EnumerateServiceCandidates().Concat(EnumerateProcessCandidates()))
+            {
+                if (string.IsNullOrEmpty(candidate.BinaryPath) || !File.Exists(candidate.BinaryPath))
+                {
+                    continue;
+                }
+
+                if (!findings.TryGetValue(candidate.BinaryPath, out var finding))
+                {
+                    finding = new SoapClientProxyFinding
+                    {
+                        BinaryPath = candidate.BinaryPath,
+                    };
+
+                    findings.Add(candidate.BinaryPath, finding);
+                }
+
+                finding.Instances.Add(new SoapClientProxyInstance
+                {
+                    SourceType = candidate.SourceType,
+                    Name = candidate.Name,
+                    Account = string.IsNullOrEmpty(candidate.Account) ? "Unknown" : candidate.Account,
+                    Extra = candidate.Extra ?? string.Empty,
+                });
+            }
+
+            foreach (var finding in findings.Values)
+            {
+                ScanBinaryIndicators(finding);
+                ScanConfigIndicators(finding);
+            }
+
+            return findings.Values
+                .Where(f => f.BinaryIndicators.Count > 0 || f.ConfigIndicators.Count > 0)
+                .OrderByDescending(f => f.BinaryIndicators.Contains("ServiceDescriptionImporter"))
+                .ThenBy(f => f.BinaryPath, StringComparer.OrdinalIgnoreCase)
+                .ToList();
+        }
+
+        private static IEnumerable<SoapClientProxyCandidate> EnumerateServiceCandidates()
+        {
+            var results = new List<SoapClientProxyCandidate>();
+            try
+            {
+                using (var searcher = new ManagementObjectSearcher(@"root\\cimv2", "SELECT Name, DisplayName, PathName, StartName FROM Win32_Service"))
+                using (var services = searcher.Get())
+                {
+                    foreach (ManagementObject service in services)
+                    {
+                        string pathName = service["PathName"]?.ToString();
+                        string binaryPath = MyUtils.GetExecutableFromPath(pathName ?? string.Empty);
+                        if (string.IsNullOrEmpty(binaryPath) || !File.Exists(binaryPath))
+                            continue;
+
+                        if (!IsDotNetBinary(binaryPath))
+                            continue;
+
+                        results.Add(new SoapClientProxyCandidate
+                        {
+                            BinaryPath = binaryPath,
+                            SourceType = "Service",
+                            Name = service["Name"]?.ToString() ?? string.Empty,
+                            Account = service["StartName"]?.ToString() ?? string.Empty,
+                            Extra = service["DisplayName"]?.ToString() ?? string.Empty,
+                        });
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("Error while enumerating services for SOAP client analysis: " + ex.Message);
+            }
+
+            return results;
+        }
+
+        private static IEnumerable<SoapClientProxyCandidate> EnumerateProcessCandidates()
+        {
+            var results = new List<SoapClientProxyCandidate>();
+            try
+            {
+                List<Dictionary<string, string>> processes = ProcessesInfo.GetProcInfo();
+                foreach (var proc in processes)
+                {
+                    string path = proc.ContainsKey("ExecutablePath") ? proc["ExecutablePath"] : string.Empty;
+                    if (string.IsNullOrEmpty(path) || !File.Exists(path))
+                        continue;
+
+                    if (!IsDotNetBinary(path))
+                        continue;
+
+                    string owner = proc.ContainsKey("Owner") ? proc["Owner"] : string.Empty;
+                    if (!IsInterestingProcessOwner(owner))
+                        continue;
+
+                    results.Add(new SoapClientProxyCandidate
+                    {
+                        BinaryPath = path,
+                        SourceType = "Process",
+                        Name = proc.ContainsKey("Name") ? proc["Name"] : string.Empty,
+                        Account = owner,
+                        Extra = proc.ContainsKey("ProcessID") ? $"PID {proc["ProcessID"]}" : string.Empty,
+                    });
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("Error while enumerating processes for SOAP client analysis: " + ex.Message);
+            }
+
+            return results;
+        }
+
+        private static bool IsInterestingProcessOwner(string owner)
+        {
+            if (string.IsNullOrEmpty(owner))
+                return true;
+
+            string normalizedOwner = owner;
+            if (owner.Contains("\\"))
+            {
+                normalizedOwner = owner.Split('\\').Last();
+            }
+
+            return !normalizedOwner.Equals(Environment.UserName, StringComparison.OrdinalIgnoreCase);
+        }
+
+        private static bool IsDotNetBinary(string path)
+        {
+            lock (DotNetCacheLock)
+            {
+                if (DotNetCache.TryGetValue(path, out bool cached))
+                {
+                    return cached;
+                }
+
+                bool result = false;
+                try
+                {
+                    result = MyUtils.CheckIfDotNet(path, true);
+                }
+                catch
+                {
+                }
+
+                DotNetCache[path] = result;
+                return result;
+            }
+        }
+
+        private static void ScanBinaryIndicators(SoapClientProxyFinding finding)
+        {
+            try
+            {
+                FileInfo fi = new FileInfo(finding.BinaryPath);
+                if (!fi.Exists || fi.Length == 0)
+                    return;
+
+                if (fi.Length > MaxBinaryScanSize)
+                {
+                    finding.BinaryScanFailed = true;
+                    return;
+                }
+
+                foreach (var indicator in BinaryIndicatorStrings)
+                {
+                    if (FileContainsString(finding.BinaryPath, indicator))
+                    {
+                        finding.BinaryIndicators.Add(indicator);
+                    }
+                }
+            }
+            catch
+            {
+                finding.BinaryScanFailed = true;
+            }
+        }
+
+        private static void ScanConfigIndicators(SoapClientProxyFinding finding)
+        {
+            string configPath = GetConfigPath(finding.BinaryPath);
+            if (!string.IsNullOrEmpty(configPath) && File.Exists(configPath))
+            {
+                finding.ConfigPath = configPath;
+                try
+                {
+                    string content = File.ReadAllText(configPath);
+                    foreach (var kvp in ConfigIndicatorMap)
+                    {
+                        if (content.IndexOf(kvp.Key, StringComparison.OrdinalIgnoreCase) >= 0)
+                        {
+                            finding.ConfigIndicators.Add(kvp.Value);
+                        }
+                    }
+                }
+                catch
+                {
+                    finding.ConfigScanFailed = true;
+                }
+            }
+
+            string directory = Path.GetDirectoryName(finding.BinaryPath);
+            if (!string.IsNullOrEmpty(directory))
+            {
+                try
+                {
+                    var wsdlFiles = Directory.GetFiles(directory, "*.wsdl", SearchOption.TopDirectoryOnly);
+                    if (wsdlFiles.Length > 0)
+                    {
+                        finding.ConfigIndicators.Add($"Found {wsdlFiles.Length} WSDL file(s) next to binary");
+                    }
+                }
+                catch
+                {
+                    // ignore
+                }
+            }
+        }
+
+        private static string GetConfigPath(string binaryPath)
+        {
+            if (string.IsNullOrEmpty(binaryPath))
+                return string.Empty;
+
+            string candidate = binaryPath + ".config";
+            return File.Exists(candidate) ? candidate : string.Empty;
+        }
+
+        private static bool FileContainsString(string path, string value)
+        {
+            const int bufferSize = 64 * 1024;
+            byte[] pattern = Encoding.UTF8.GetBytes(value);
+            if (pattern.Length == 0)
+                return false;
+
+            try
+            {
+                using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete))
+                {
+                    byte[] buffer = new byte[bufferSize + pattern.Length];
+                    int bufferLen = 0;
+                    int bytesRead;
+                    while ((bytesRead = fs.Read(buffer, bufferLen, bufferSize)) > 0)
+                    {
+                        int total = bufferLen + bytesRead;
+                        if (IndexOf(buffer, total, pattern) >= 0)
+                        {
+                            return true;
+                        }
+
+                        if (pattern.Length > 1)
+                        {
+                            bufferLen = Math.Min(pattern.Length - 1, total);
+                            Buffer.BlockCopy(buffer, total - bufferLen, buffer, 0, bufferLen);
+                        }
+                        else
+                        {
+                            bufferLen = 0;
+                        }
+                    }
+                }
+            }
+            catch
+            {
+                return false;
+            }
+
+            return false;
+        }
+
+        private static int IndexOf(byte[] buffer, int bufferLength, byte[] pattern)
+        {
+            int limit = bufferLength - pattern.Length;
+            if (limit < 0)
+                return -1;
+
+            for (int i = 0; i <= limit; i++)
+            {
+                bool match = true;
+                for (int j = 0; j < pattern.Length; j++)
+                {
+                    if (buffer[i + j] != pattern[j])
+                    {
+                        match = false;
+                        break;
+                    }
+                }
+
+                if (match)
+                    return i;
+            }
+
+            return -1;
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/HostnameResolution.cs

@@ -46,7 +46,7 @@ namespace winPEAS.Info.NetworkInfo
 
                 // 4. Call external checker
                 var resp = httpClient
-                    .PostAsync("https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/", payload)
+                    .PostAsync("https://tools.hacktricks.wiki/api/host-checker", payload)
                     .GetAwaiter().GetResult();
 
                 if (resp.IsSuccessStatusCode)

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetConnectivity.cs

@@ -4,6 +4,8 @@ using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Net.NetworkInformation;
 using System.Net.Sockets;
+using System.Text;
+using System.Text.Json;
 using System.Threading;
 
 namespace winPEAS.Info.NetworkInfo
@@ -48,7 +50,7 @@ namespace winPEAS.Info.NetworkInfo
             { "1.1.1.1", "8.8.8.8" };
 
         private const string LAMBDA_URL =
-            "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/";
+            "https://tools.hacktricks.wiki/api/host-checker";
 
         // Shared HttpClient (kept for HTTP & Lambda checks)
         private static readonly HttpClient http = new HttpClient
@@ -118,7 +120,12 @@ namespace winPEAS.Info.NetworkInfo
                 using var cts =
                     new CancellationTokenSource(TimeSpan.FromMilliseconds(HTTP_TIMEOUT_MS));
 
-                var req = new HttpRequestMessage(HttpMethod.Get, LAMBDA_URL);
+                var payload = new StringContent(
+                    JsonSerializer.Serialize(new { hostname = Environment.MachineName }),
+                    Encoding.UTF8,
+                    "application/json");
+                var req = new HttpRequestMessage(HttpMethod.Post, LAMBDA_URL);
+                req.Content = payload;
                 req.Headers.UserAgent.ParseAdd("winpeas");
                 req.Headers.Accept.Add(
                     new MediaTypeWithQualityHeaderValue("application/json"));

winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/OemSoftwareHelper.cs

@@ -0,0 +1,458 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using System.ServiceProcess;
+using winPEAS.Helpers;
+
+namespace winPEAS.Info.ServicesInfo
+{
+    internal static class OemSoftwareHelper
+    {
+        internal static List<OemSoftwareFinding> GetPotentiallyVulnerableComponents(Dictionary<string, string> currentUserSids)
+        {
+            var findings = new List<OemSoftwareFinding>();
+            var services = GetServiceSnapshot();
+            var processes = GetProcessSnapshot();
+
+            foreach (var definition in GetDefinitions())
+            {
+                var finding = new OemSoftwareFinding
+                {
+                    Name = definition.Name,
+                    Description = definition.Description,
+                    Cves = definition.Cves,
+                };
+
+                AppendServiceEvidence(definition, services, finding);
+                AppendProcessEvidence(definition, processes, finding);
+                AppendPathEvidence(definition, currentUserSids, finding);
+                AppendPipeEvidence(definition, finding);
+
+                if (finding.Evidence.Count > 0)
+                {
+                    findings.Add(finding);
+                }
+            }
+
+            return findings;
+        }
+
+        private static void AppendServiceEvidence(OemComponentDefinition definition, List<ServiceSnapshot> services, OemSoftwareFinding finding)
+        {
+            if (definition.ServiceHints == null || definition.ServiceHints.Length == 0)
+            {
+                return;
+            }
+
+            foreach (var serviceHint in definition.ServiceHints)
+            {
+                foreach (var service in services)
+                {
+                    if (ContainsIgnoreCase(service.Name, serviceHint) ||
+                        ContainsIgnoreCase(service.DisplayName, serviceHint))
+                    {
+                        finding.Evidence.Add(new OemEvidence
+                        {
+                            EvidenceType = "service",
+                            Highlight = true,
+                            Message = $"Service '{service.Name}' (Display: {service.DisplayName}) matches indicator '{serviceHint}'"
+                        });
+                    }
+                }
+            }
+        }
+
+        private static void AppendProcessEvidence(OemComponentDefinition definition, List<ProcessSnapshot> processes, OemSoftwareFinding finding)
+        {
+            if (definition.ProcessHints == null || definition.ProcessHints.Length == 0)
+            {
+                return;
+            }
+
+            foreach (var processHint in definition.ProcessHints)
+            {
+                foreach (var process in processes)
+                {
+                    bool matchesName = ContainsIgnoreCase(process.Name, processHint);
+                    bool matchesPath = ContainsIgnoreCase(process.FullPath, processHint);
+
+                    if (matchesName || matchesPath)
+                    {
+                        var location = string.IsNullOrWhiteSpace(process.FullPath) ? "Unknown" : process.FullPath;
+                        finding.Evidence.Add(new OemEvidence
+                        {
+                            EvidenceType = "process",
+                            Highlight = true,
+                            Message = $"Process '{process.Name}' (Path: {location}) matches indicator '{processHint}'"
+                        });
+                    }
+                }
+            }
+        }
+
+        private static void AppendPathEvidence(OemComponentDefinition definition, Dictionary<string, string> currentUserSids, OemSoftwareFinding finding)
+        {
+            if ((definition.DirectoryHints == null || definition.DirectoryHints.Length == 0) &&
+                (definition.FileHints == null || definition.FileHints.Length == 0))
+            {
+                return;
+            }
+
+            if (definition.DirectoryHints != null)
+            {
+                foreach (var dirHint in definition.DirectoryHints)
+                {
+                    var expandedPath = ExpandPath(dirHint.Path);
+                    if (!Directory.Exists(expandedPath))
+                    {
+                        continue;
+                    }
+
+                    var permissions = PermissionsHelper.GetPermissionsFolder(expandedPath, currentUserSids, PermissionType.WRITEABLE_OR_EQUIVALENT);
+                    bool isWritable = permissions.Count > 0;
+
+                    finding.Evidence.Add(new OemEvidence
+                    {
+                        EvidenceType = "path",
+                        Highlight = isWritable,
+                        Message = BuildPathMessage(expandedPath, dirHint.Description, isWritable, permissions)
+                    });
+                }
+            }
+
+            if (definition.FileHints != null)
+            {
+                foreach (var fileHint in definition.FileHints)
+                {
+                    var expandedPath = ExpandPath(fileHint);
+                    if (!File.Exists(expandedPath))
+                    {
+                        continue;
+                    }
+
+                    var permissions = PermissionsHelper.GetPermissionsFile(expandedPath, currentUserSids, PermissionType.WRITEABLE_OR_EQUIVALENT);
+                    bool isWritable = permissions.Count > 0;
+
+                    finding.Evidence.Add(new OemEvidence
+                    {
+                        EvidenceType = "file",
+                        Highlight = isWritable,
+                        Message = BuildPathMessage(expandedPath, "file", isWritable, permissions)
+                    });
+                }
+            }
+        }
+
+        private static void AppendPipeEvidence(OemComponentDefinition definition, OemSoftwareFinding finding)
+        {
+            if (definition.PipeHints == null)
+            {
+                return;
+            }
+
+            foreach (var pipeHint in definition.PipeHints)
+            {
+                try
+                {
+                    var path = $"\\\\.\\pipe\\{pipeHint.Name}";
+                    var security = File.GetAccessControl(path);
+                    string sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
+                    string identity = string.Empty;
+                    string rights = string.Empty;
+                    bool worldWritable = false;
+
+                    if (pipeHint.CheckWorldWritable)
+                    {
+                        worldWritable = HasWorldWritableAce(security, out identity, out rights);
+                    }
+
+                    string details = worldWritable
+                        ? $"Named pipe '{pipeHint.Name}' ({pipeHint.Description}) is writable by {identity} ({rights})."
+                        : $"Named pipe '{pipeHint.Name}' ({pipeHint.Description}) present. SDDL: {sddl}";
+
+                    finding.Evidence.Add(new OemEvidence
+                    {
+                        EvidenceType = "pipe",
+                        Highlight = worldWritable,
+                        Message = details
+                    });
+                }
+                catch (FileNotFoundException)
+                {
+                    // Pipe not present.
+                }
+                catch (DirectoryNotFoundException)
+                {
+                    // Pipe namespace not accessible.
+                }
+                catch (Exception)
+                {
+                    // Best effort: pipes might disappear during enumeration or deny access.
+                }
+            }
+        }
+
+        private static List<ServiceSnapshot> GetServiceSnapshot()
+        {
+            var services = new List<ServiceSnapshot>();
+
+            try
+            {
+                foreach (var service in ServiceController.GetServices())
+                {
+                    services.Add(new ServiceSnapshot
+                    {
+                        Name = service.ServiceName ?? string.Empty,
+                        DisplayName = service.DisplayName ?? string.Empty
+                    });
+                }
+            }
+            catch (Exception)
+            {
+                // Ignore - this is best effort.
+            }
+
+            return services;
+        }
+
+        private static List<ProcessSnapshot> GetProcessSnapshot()
+        {
+            var processes = new List<ProcessSnapshot>();
+
+            try
+            {
+                foreach (var process in Process.GetProcesses())
+                {
+                    string fullPath = string.Empty;
+                    try
+                    {
+                        fullPath = process.MainModule?.FileName ?? string.Empty;
+                    }
+                    catch
+                    {
+                        // Access denied or 64-bit vs 32-bit mismatch.
+                    }
+
+                    processes.Add(new ProcessSnapshot
+                    {
+                        Name = process.ProcessName ?? string.Empty,
+                        FullPath = fullPath ?? string.Empty
+                    });
+                }
+            }
+            catch (Exception)
+            {
+                // Ignore - enumeration is best effort.
+            }
+
+            return processes;
+        }
+
+        private static string ExpandPath(string rawPath)
+        {
+            if (string.IsNullOrWhiteSpace(rawPath))
+            {
+                return string.Empty;
+            }
+
+            var expanded = Environment.ExpandEnvironmentVariables(rawPath);
+            return expanded.Trim().Trim('"');
+        }
+
+        private static string BuildPathMessage(string path, string description, bool isWritable, List<string> permissions)
+        {
+            string descriptor = string.IsNullOrWhiteSpace(description) ? "" : $" ({description})";
+            if (isWritable)
+            {
+                return $"Path '{path}'{descriptor} is writable by current user: {string.Join(", ", permissions)}";
+            }
+
+            return $"Path '{path}'{descriptor} detected.";
+        }
+
+        private static bool ContainsIgnoreCase(string value, string toFind)
+        {
+            if (string.IsNullOrWhiteSpace(value) || string.IsNullOrWhiteSpace(toFind))
+            {
+                return false;
+            }
+
+            return value.IndexOf(toFind, StringComparison.OrdinalIgnoreCase) >= 0;
+        }
+
+        private static bool HasWorldWritableAce(FileSecurity security, out string identity, out string rights)
+        {
+            identity = string.Empty;
+            rights = string.Empty;
+
+            try
+            {
+                var rules = security.GetAccessRules(true, true, typeof(SecurityIdentifier));
+                foreach (FileSystemAccessRule rule in rules)
+                {
+                    if (rule.AccessControlType != AccessControlType.Allow)
+                    {
+                        continue;
+                    }
+
+                    if (rule.IdentityReference is SecurityIdentifier sid)
+                    {
+                        bool isWorld = sid.IsWellKnown(WellKnownSidType.WorldSid);
+                        bool isAuthenticated = sid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid);
+
+                        if (!isWorld && !isAuthenticated)
+                        {
+                            continue;
+                        }
+
+                        const FileSystemRights interestingRights =
+                            FileSystemRights.FullControl |
+                            FileSystemRights.Modify |
+                            FileSystemRights.Write |
+                            FileSystemRights.WriteData |
+                            FileSystemRights.CreateFiles |
+                            FileSystemRights.ChangePermissions;
+
+                        if ((rule.FileSystemRights & interestingRights) != 0)
+                        {
+                            identity = isWorld ? "Everyone" : "Authenticated Users";
+                            rights = rule.FileSystemRights.ToString();
+                            return true;
+                        }
+                    }
+                }
+            }
+            catch
+            {
+                // Ignore parsing issues.
+            }
+
+            return false;
+        }
+
+        private static IEnumerable<OemComponentDefinition> GetDefinitions()
+        {
+            return new List<OemComponentDefinition>
+            {
+                new OemComponentDefinition
+                {
+                    Name = "ASUS DriverHub",
+                    Description = "Local web API exposed by ADU.exe allowed bypassing origin/url validation and signature checks.",
+                    Cves = new[] { "CVE-2025-3462", "CVE-2025-3463" },
+                    ServiceHints = new[] { "asusdriverhub", "asus driverhub" },
+                    ProcessHints = new[] { "adu", "asusdriverhub" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\ASUS\\AsusDriverHub", Description = "Program Files" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\ASUS\\AsusDriverHub", Description = "Program Files (x86)" },
+                        new PathHint { Path = "%ProgramData%\\ASUS\\AsusDriverHub\\SupportTemp", Description = "SupportTemp updater staging" }
+                    },
+                    FileHints = new[]
+                    {
+                        "%ProgramData%\\ASUS\\AsusDriverHub\\SupportTemp\\Installer.json"
+                    }
+                },
+                new OemComponentDefinition
+                {
+                    Name = "MSI Center",
+                    Description = "MSI.CentralServer.exe exposed TCP commands with TOCTOU and signature bypass issues.",
+                    Cves = new[] { "CVE-2025-27812", "CVE-2025-27813" },
+                    ServiceHints = new[] { "msi.center", "msi centralserver" },
+                    ProcessHints = new[] { "msi.centralserver", "msi center" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\MSI\\MSI Center", Description = "Main installation" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\MSI\\MSI Center", Description = "Main installation (x86)" },
+                        new PathHint { Path = "%ProgramData%\\MSI\\MSI Center", Description = "Shared data" },
+                        new PathHint { Path = "%ProgramData%\\MSI Center SDK", Description = "SDK temp copy location" }
+                    }
+                },
+                new OemComponentDefinition
+                {
+                    Name = "Acer Control Centre",
+                    Description = "ACCSvc.exe exposes treadstone_service_LightMode named pipe with weak impersonation controls.",
+                    Cves = new[] { "CVE-2025-5491" },
+                    ServiceHints = new[] { "accsvc", "acer control" },
+                    ProcessHints = new[] { "accsvc", "accstd" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\Acer\\Care Center", Description = "Install directory" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\Acer\\Care Center", Description = "Install directory (x86)" }
+                    },
+                    PipeHints = new[]
+                    {
+                        new PipeHint { Name = "treadstone_service_LightMode", Description = "Command dispatcher", CheckWorldWritable = true }
+                    }
+                },
+                new OemComponentDefinition
+                {
+                    Name = "Razer Synapse 4 Elevation Service",
+                    Description = "razer_elevation_service.exe exposes COM elevation helpers that allowed arbitrary process launch.",
+                    Cves = new[] { "CVE-2025-27811" },
+                    ServiceHints = new[] { "razer_elevation_service" },
+                    ProcessHints = new[] { "razer_elevation_service" },
+                    DirectoryHints = new[]
+                    {
+                        new PathHint { Path = "%ProgramFiles%\\Razer\\RazerAppEngine", Description = "Razer App Engine" },
+                        new PathHint { Path = "%ProgramFiles(x86)%\\Razer\\RazerAppEngine", Description = "Razer App Engine (x86)" }
+                    }
+                }
+            };
+        }
+
+        private class ServiceSnapshot
+        {
+            public string Name { get; set; }
+            public string DisplayName { get; set; }
+        }
+
+        private class ProcessSnapshot
+        {
+            public string Name { get; set; }
+            public string FullPath { get; set; }
+        }
+
+        private class OemComponentDefinition
+        {
+            public string Name { get; set; }
+            public string Description { get; set; }
+            public string[] Cves { get; set; } = Array.Empty<string>();
+            public string[] ServiceHints { get; set; } = Array.Empty<string>();
+            public string[] ProcessHints { get; set; } = Array.Empty<string>();
+            public PathHint[] DirectoryHints { get; set; } = Array.Empty<PathHint>();
+            public string[] FileHints { get; set; } = Array.Empty<string>();
+            public PipeHint[] PipeHints { get; set; } = Array.Empty<PipeHint>();
+        }
+
+        private class PathHint
+        {
+            public string Path { get; set; }
+            public string Description { get; set; }
+        }
+
+        private class PipeHint
+        {
+            public string Name { get; set; }
+            public string Description { get; set; }
+            public bool CheckWorldWritable { get; set; }
+        }
+    }
+
+    internal class OemSoftwareFinding
+    {
+        public string Name { get; set; }
+        public string Description { get; set; }
+        public string[] Cves { get; set; } = Array.Empty<string>();
+        public List<OemEvidence> Evidence { get; } = new List<OemEvidence>();
+    }
+
+    internal class OemEvidence
+    {
+        public string EvidenceType { get; set; }
+        public string Message { get; set; }
+        public bool Highlight { get; set; }
+    }
+}

winPEAS/winPEASexe/winPEAS/Info/UserInfo/SAM/Structs.cs

@@ -16,6 +16,10 @@ namespace winPEAS.Info.UserInfo.SAM
         {
             get
             {
+                if (_maxPasswordAge == long.MinValue)
+                {
+                    return TimeSpan.MinValue;
+                }
                 return -new TimeSpan(_maxPasswordAge);
             }
             set
@@ -28,6 +32,10 @@ namespace winPEAS.Info.UserInfo.SAM
         {
             get
             {
+                if (_minPasswordAge == long.MinValue)
+                {
+                    return TimeSpan.MinValue;
+                }
                 return -new TimeSpan(_minPasswordAge);
             }
             set

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs

@@ -88,6 +88,10 @@ namespace winPEAS.KnownFileCreds
                     if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
                     {
                         string[] subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions\\", SID));
+                        if (subKeys.Length == 0)
+                        {
+                            subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions", SID));
+                        }
 
                         foreach (string sessionName in subKeys)
                         {
@@ -129,6 +133,10 @@ namespace winPEAS.KnownFileCreds
             else
             {
                 string[] subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions\\");
+                if (subKeys.Length == 0)
+                {
+                    subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions");
+                }
                 RegistryKey selfKey = Registry.CurrentUser.OpenSubKey(@"Software\\SimonTatham\\PuTTY\\Sessions"); // extract own Sessions registry keys           
 
                 if (selfKey != null)
@@ -198,6 +206,10 @@ namespace winPEAS.KnownFileCreds
                     if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
                     {
                         Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\", SID));
+                        if ((hostKeys == null) || (hostKeys.Count == 0))
+                        {
+                            hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys", SID));
+                        }
                         if ((hostKeys != null) && (hostKeys.Count != 0))
                         {
                             Dictionary<string, string> putty_ssh = new Dictionary<string, string>
@@ -216,6 +228,10 @@ namespace winPEAS.KnownFileCreds
             else
             {
                 Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKCU", "Software\\SimonTatham\\PuTTY\\SshHostKeys\\");
+                if ((hostKeys == null) || (hostKeys.Count == 0))
+                {
+                    hostKeys = RegistryHelper.GetRegValues("HKCU", "Software\\SimonTatham\\PuTTY\\SshHostKeys");
+                }
                 if ((hostKeys != null) && (hostKeys.Count != 0))
                 {
                     Dictionary<string, string> putty_ssh = new Dictionary<string, string>();

winPEAS/winPEASexe/winPEAS/Program.cs

@@ -11,6 +11,7 @@ namespace winPEAS
         [STAThread]
         public static void Main(string[] args)
         {
+            // TODO: keep Main minimal; this line was an intentional break in test PR.
             Checks.Checks.Run(args);
         }
     }

winPEAS/winPEASexe/winPEAS/winPEAS.csproj

@@ -57,7 +57,7 @@
     <Prefer32Bit>false</Prefer32Bit>
     <LangVersion>8.0</LangVersion>
     <RunCodeAnalysis>false</RunCodeAnalysis>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet Condition="Exists('MinimumRecommendedRules.ruleset')">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
   <PropertyGroup>
@@ -71,7 +71,7 @@
     <PlatformTarget>AnyCPU</PlatformTarget>
     <LangVersion>8.0</LangVersion>
     <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet Condition="Exists('MinimumRecommendedRules.ruleset')">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <Prefer32Bit>false</Prefer32Bit>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <NoWarn>0168 ; 0169; 0414; 0618; 0649</NoWarn>
@@ -84,7 +84,7 @@
     <PlatformTarget>x64</PlatformTarget>
     <LangVersion>8.0</LangVersion>
     <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet Condition="Exists('MinimumRecommendedRules.ruleset')">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <Prefer32Bit>false</Prefer32Bit>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
@@ -96,7 +96,7 @@
     <PlatformTarget>x86</PlatformTarget>
     <LangVersion>8.0</LangVersion>
     <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet Condition="Exists('MinimumRecommendedRules.ruleset')">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <Prefer32Bit>false</Prefer32Bit>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
@@ -108,7 +108,7 @@
     <PlatformTarget>x86</PlatformTarget>
     <LangVersion>8.0</LangVersion>
     <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet Condition="Exists('MinimumRecommendedRules.ruleset')">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <Prefer32Bit>false</Prefer32Bit>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
@@ -1197,9 +1197,11 @@
     <Compile Include="Checks\NetworkInfo.cs" />
     <Compile Include="Checks\ProcessInfo.cs" />
     <Compile Include="Checks\ServicesInfo.cs" />
+    <Compile Include="Checks\SoapClientInfo.cs" />
     <Compile Include="Checks\SystemInfo.cs" />
     <Compile Include="Checks\UserInfo.cs" />
     <Compile Include="Checks\WindowsCreds.cs" />
+    <Compile Include="Checks\RegistryInfo.cs" />
     <Compile Include="Helpers\AppLocker\AppLockerHelper.cs" />
     <Compile Include="Helpers\AppLocker\AppLockerRules.cs" />
     <Compile Include="Helpers\AppLocker\IAppIdPolicyHandler.cs" />
@@ -1223,6 +1225,7 @@
     <Compile Include="Info\ApplicationInfo\ApplicationInfoHelper.cs" />
     <Compile Include="Info\ApplicationInfo\AutoRuns.cs" />
     <Compile Include="Info\ApplicationInfo\DeviceDrivers.cs" />
+    <Compile Include="Info\ApplicationInfo\SoapClientProxyAnalyzer.cs" />
     <Compile Include="Info\ApplicationInfo\InstalledApps.cs" />
     <Compile Include="Helpers\Beaprint.cs" />
     <Compile Include="Info\CloudInfo\AWSInfo.cs" />
@@ -1460,12 +1463,14 @@
       <DependentUpon>Resources.resx</DependentUpon>
     </Compile>
     <Compile Include="Info\ServicesInfo\ServicesInfoHelper.cs" />
+    <Compile Include="Info\ServicesInfo\OemSoftwareHelper.cs" />
     <Compile Include="Info\SystemInfo\SystemInfo.cs" />
     <Compile Include="Info\UserInfo\UserInfoHelper.cs" />
     <Compile Include="Helpers\DomainHelper.cs" />
     <Compile Include="Helpers\CheckRunner.cs" />
     <Compile Include="Helpers\ReflectionHelper.cs" />
     <Compile Include="Helpers\Registry\RegistryHelper.cs" />
+    <Compile Include="Helpers\Registry\RegistryAclScanner.cs" />
     <Compile Include="Helpers\Search\SearchHelper.cs" />
     <Compile Include="Wifi\Wifi.cs" />
     <Compile Include="Wifi\NativeWifiApi\Interop.cs" />

winPEAS/winPEASps1/winPEAS.ps1

@@ -815,12 +815,40 @@ systeminfo.exe
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| WINDOWS HOTFIXES"
-Write-Host "=| Check if windows is vulnerable with Watson https://github.com/rasta-mouse/Watson" -ForegroundColor Yellow
+Write-Host "=| Check missing patches with WES-NG https://github.com/bitsadmin/wesng" -ForegroundColor Yellow
 Write-Host "Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)" -ForegroundColor Yellow
 $Hotfix = Get-HotFix | Sort-Object -Descending -Property InstalledOn -ErrorAction SilentlyContinue | Select-Object HotfixID, Description, InstalledBy, InstalledOn
 $Hotfix | Format-Table -AutoSize
 
 
+# PrintNightmare PointAndPrint policy checks
+Write-Host ""
+if ($TimeStamp) { TimeElapsed }
+Write-Host -ForegroundColor Blue "=========|| PRINTNIGHTMARE POINTANDPRINT POLICY"
+$pnKey = "HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
+if (Test-Path $pnKey) {
+  $pn = Get-ItemProperty -Path $pnKey -ErrorAction SilentlyContinue
+  $restrict = $pn.RestrictDriverInstallationToAdministrators
+  $noWarn = $pn.NoWarningNoElevationOnInstall
+  $updatePrompt = $pn.UpdatePromptSettings
+
+  Write-Host "RestrictDriverInstallationToAdministrators: $restrict"
+  Write-Host "NoWarningNoElevationOnInstall: $noWarn"
+  Write-Host "UpdatePromptSettings: $updatePrompt"
+
+  $hasAllValues = ($null -ne $restrict) -and ($null -ne $noWarn) -and ($null -ne $updatePrompt)
+  if (-not $hasAllValues) {
+    Write-Host "PointAndPrint policy values are missing or not configured" -ForegroundColor Gray
+  } elseif (($restrict -eq 0) -and ($noWarn -eq 1) -and ($updatePrompt -eq 2)) {
+    Write-Host "Potentially vulnerable to PrintNightmare misconfiguration" -ForegroundColor Red
+  } else {
+    Write-Host "PointAndPrint policy is not in the known risky configuration" -ForegroundColor Green
+  }
+} else {
+  Write-Host "PointAndPrint policy key not found" -ForegroundColor Gray
+}
+
+
 #Show all unique updates installed
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
@@ -1649,7 +1677,7 @@ if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| WHOAMI INFO"
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
-Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#abusing-tokens" -ForegroundColor yellow
+Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#abusing-tokens"
 Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege"
 Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups" -ForegroundColor Yellow
 Start-Process whoami.exe -ArgumentList "/all" -Wait -NoNewWindow