private static void PrintHistFirefox() { try { Beaprint.MainPrint("Looking for GET credentials in Firefox history"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); List <string> firefoxHist = Firefox.GetFirefoxHistory(); if (firefoxHist.Count > 0) { Dictionary <string, string> colorsB = new Dictionary <string, string>() { { Globals.PrintCredStrings, Beaprint.ansi_color_bad }, }; foreach (string url in firefoxHist) { if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex)) { Beaprint.AnsiPrint(" " + url, colorsB); } } } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintDBsChrome() { try { Beaprint.MainPrint("Looking for Chrome DBs"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); Dictionary <string, string> chromeDBs = Chrome.GetChromeDbs(); if (chromeDBs.ContainsKey("userChromeCookiesPath")) { Beaprint.BadPrint(" Chrome cookies database exists at " + chromeDBs["userChromeCookiesPath"]); Beaprint.InfoPrint("Follow the provided link for further instructions."); } if (chromeDBs.ContainsKey("userChromeLoginDataPath")) { Beaprint.BadPrint(" Chrome saved login database exists at " + chromeDBs["userChromeCookiesPath"]); Beaprint.InfoPrint("Follow the provided link for further instructions."); } if ((!chromeDBs.ContainsKey("userChromeLoginDataPath")) && (!chromeDBs.ContainsKey("userChromeCookiesPath"))) { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintDPAPIMasterKeys() { try { Beaprint.MainPrint("Checking for DPAPI Master Keys"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi"); var masterKeys = KnownFileCredsInfo.ListMasterKeys(); if (masterKeys.Count != 0) { Beaprint.DictPrint(masterKeys, true); if (MyUtils.IsHighIntegrity()) { Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the masterkey."); } } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintRdpSessions() { try { Beaprint.MainPrint("RDP Sessions"); List <Dictionary <string, string> > rdp_sessions = Info.UserInfo.UserInfoHelper.GetRDPSessions(); if (rdp_sessions.Count > 0) { string format = " {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}"; string header = string.Format(format, "SessID", "pSessionName", "pUserName", "pDomainName", "State", "SourceIP"); Beaprint.GrayPrint(header); foreach (Dictionary <string, string> rdpSes in rdp_sessions) { Beaprint.AnsiPrint(string.Format(format, rdpSes["SessionID"], rdpSes["pSessionName"], rdpSes["pUserName"], rdpSes["pDomainName"], rdpSes["State"], rdpSes["SourceIP"]), ColorsU()); } } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintCU() { try { Beaprint.MainPrint("Users"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges"); List <string> usersGrps = User.GetMachineUsers(false, false, false, false, true); Beaprint.AnsiPrint(" Current user: "******" Current groups: " + string.Join(", ", currentGroupsNames), ColorsU()); Beaprint.PrintLineSeparator(); Beaprint.ListPrint(usersGrps, ColorsU()); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintRecentFiles() { try { Beaprint.MainPrint("Recent files --limit 70--"); List <Dictionary <string, string> > recFiles = KnownFileCredsInfo.GetRecentFiles(); Dictionary <string, string> colorF = new Dictionary <string, string>() { { _patternsFileCredsColor, Beaprint.ansi_color_bad }, }; if (recFiles.Count != 0) { foreach (Dictionary <string, string> recF in recFiles.GetRange(0, recFiles.Count <= 70 ? recFiles.Count : 70)) { Beaprint.AnsiPrint(" " + recF["Target"] + "(" + recF["Accessed"] + ")", colorF); } } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintActiveWindow() { try { Beaprint.MainPrint("Current Active Window Application"); string title = ApplicationInfoHelper.GetActiveWindowTitle(); List <string> permsFile = PermissionsHelper.GetPermissionsFile(title, winPEAS.Checks.Checks.CurrentUserSiDs); List <string> permsFolder = PermissionsHelper.GetPermissionsFolder(title, winPEAS.Checks.Checks.CurrentUserSiDs); if (permsFile.Count > 0) { Beaprint.BadPrint(" " + title); Beaprint.BadPrint(" File Permissions: " + string.Join(",", permsFile)); } else { Beaprint.GoodPrint(" " + title); } if (permsFolder.Count > 0) { Beaprint.BadPrint(" Possible DLL Hijacking, folder is writable: " + PermissionsHelper.GetFolderFromString(title)); Beaprint.BadPrint(" Folder Permissions: " + string.Join(",", permsFile)); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
internal static IEnumerable <CREDENTIAL> CredEnumerate() { int count; IntPtr pCredentials; var ret = Advapi32.CredEnumerate(null, 0, out count, out pCredentials); if (ret == false) { string exceptionDetails = string.Format("Win32Exception: {0}", new Win32Exception(Marshal.GetLastWin32Error()).ToString()); Beaprint.NoColorPrint($" [!] Unable to enumerate credentials automatically, error: '{exceptionDetails}'"); Beaprint.NoColorPrint("Please run: "); Beaprint.ColorPrint("cmdkey /list", Beaprint.ansi_color_yellow); return(Enumerable.Empty <CREDENTIAL>()); } var credentials = new IntPtr[count]; for (var n = 0; n < count; n++) { credentials[n] = Marshal.ReadIntPtr(pCredentials, n * Marshal.SizeOf(typeof(IntPtr))); } return(credentials.Select(ptr => (CREDENTIAL)Marshal.PtrToStructure(ptr, typeof(CREDENTIAL)))); }
////////////////////////////////////////// /////// Find Write reg. Services //////// ////////////////////////////////////////// /// Find Services which Reg you have write or equivalent access public static List <Dictionary <string, string> > GetWriteServiceRegs(Dictionary <string, string> NtAccountNames) { List <Dictionary <string, string> > results = new List <Dictionary <string, string> >(); try { RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services"); foreach (string serviceRegName in regKey.GetSubKeyNames()) { RegistryKey key = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services\" + serviceRegName); List <string> perms = PermissionsHelper.GetMyPermissionsR(key, NtAccountNames); if (perms.Count > 0) { results.Add(new Dictionary <string, string> { { "Path", @"HKLM\system\currentcontrolset\services\" + serviceRegName }, { "Permissions", string.Join(", ", perms) } }); } } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } return(results); }
private static void PrintExplicitLogonEvents() { try { var lastDays = 30; Beaprint.MainPrint($"Printing Explicit Credential Events (4648) for last {lastDays} days - A process logged on using plaintext credentials\n"); if (!MyUtils.IsHighIntegrity()) { Beaprint.NoColorPrint(" You must be an administrator to run this check"); return; } var explicitLogonInfos = Logon.GetExplicitLogonEventsInfos(lastDays); foreach (var logonInfo in explicitLogonInfos) { Beaprint.BadPrint($" Subject User : {logonInfo.SubjectUser}\n" + $" Subject Domain : {logonInfo.SubjectDomain}\n" + $" Created (UTC) : {logonInfo.CreatedAtUtc}\n" + $" IP Address : {logonInfo.IpAddress}\n" + $" Process : {logonInfo.Process}\n" + $" Target User : {logonInfo.TargetUser}\n" + $" Target Domain : {logonInfo.TargetDomain}\n"); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintProcessCreationEvents() { try { Beaprint.MainPrint("Process creation events - searching logs (EID 4688) for sensitive data.\n"); if (!MyUtils.IsHighIntegrity()) { Beaprint.NoColorPrint(" You must be an administrator to run this check"); return; } foreach (var eventInfo in ProcessCreation.GetProcessCreationEventInfos()) { Beaprint.BadPrint($" Created (UTC) : {eventInfo.CreatedAtUtc}\n" + $" Event Id : {eventInfo.EventId}\n" + $" User : {eventInfo.User}\n" + $" Command Line : {eventInfo.Match}\n"); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static OfficeRecentFileInfo ParseMruString(string mru) { var matches = Regex.Matches(mru, "\\[[a-zA-Z0-9]+?\\]\\[T([a-zA-Z0-9]+?)\\](\\[[a-zA-Z0-9]+?\\])?\\*(.+)"); if (matches.Count == 0) { return(null); } long timestamp = 0; var dateHexString = matches[0].Groups[1].Value; var filename = matches[0].Groups[matches[0].Groups.Count - 1].Value; try { timestamp = long.Parse(dateHexString, NumberStyles.HexNumber); } catch { Beaprint.PrintException($"Could not parse MRU timestamp. Parsed timestamp: {dateHexString} MRU value: {mru}"); } return(new OfficeRecentFileInfo { Application = "Office", User = null, Target = filename, LastAccessDate = DateTime.FromFileTimeUtc(timestamp), }); }
private static void PrintSecurityPackagesCredentials() { Beaprint.MainPrint("Enumerating Security Packages Credentials"); try { var credentials = (SecurityPackages.GetNtlmCredentials() ?? Enumerable.Empty <NtlmHashInfo>()).ToList(); if (credentials.Any()) { foreach (var credential in credentials) { if (credential != null) { Beaprint.BadPrint($" Version: {credential.Version}\n" + $" Hash: {credential.Hash}\n"); Beaprint.PrintLineSeparator(); } } } else { Beaprint.GoodPrint(" The NTLM security package does not contain any credentials."); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintAppCmd() { try { Beaprint.MainPrint("Looking AppCmd.exe"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe"); var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe"); if (File.Exists(appCmdPath)) { Beaprint.BadPrint($" AppCmd.exe was found in {appCmdPath}"); } else { Beaprint.NotFoundPrint(); } if (!MyUtils.IsHighIntegrity()) { Beaprint.NoColorPrint(" You must be an administrator to run this check"); return; } var script = AppCmd.GetExtractAppCmdCredsPowerShellScript(); string args = @$ " {script}"; var processStartInfo = new ProcessStartInfo { UseShellExecute = false, CreateNoWindow = true, FileName = "powershell.exe", Arguments = args, RedirectStandardOutput = true, RedirectStandardError = true, StandardOutputEncoding = Encoding.UTF8 }; using (var process = Process.Start(processStartInfo)) { if (process != null) { while (!process.StandardOutput.EndOfStream) { Beaprint.BadPrint($" {process.StandardOutput.ReadLine()}"); } while (!process.StandardError.EndOfStream) { Console.WriteLine(process.StandardError.ReadLine()); } } } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintCloudCreds() { try { Beaprint.MainPrint("Cloud Credentials"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files"); List <Dictionary <string, string> > could_creds = KnownFileCredsInfo.ListCloudCreds(); if (could_creds.Count != 0) { foreach (Dictionary <string, string> cc in could_creds) { string formString = " {0} ({1})\n Accessed:{2} -- Size:{3}"; Beaprint.BadPrint(string.Format(formString, cc["file"], cc["Description"], cc["Accessed"], cc["Size"])); System.Console.WriteLine(""); } } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
////////////////////////////////////// //////// PATH DLL Hijacking ///////// ////////////////////////////////////// /// Look for write or equivalent permissions on ay folder in PATH public static Dictionary <string, string> GetPathDLLHijacking() { Dictionary <string, string> results = new Dictionary <string, string>(); try { // grabbed from the registry instead of System.Environment.GetEnvironmentVariable to prevent false positives string path = RegistryHelper.GetRegValue("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "Path"); if (string.IsNullOrEmpty(path)) { path = Environment.GetEnvironmentVariable("PATH"); } List <string> folders = path.Split(';').ToList(); foreach (string folder in folders) { results[folder] = String.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs)); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } return(results); }
void PrintPossCredsRegs() { try { string[] passRegHkcu = new string[] { @"Software\ORL\WinVNC3\Password", @"Software\TightVNC\Server", @"Software\SimonTatham\PuTTY\Sessions" }; string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" }; Beaprint.MainPrint("Looking for possible regs with creds"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry"); string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password"); if (!string.IsNullOrEmpty(winVnc4.Trim())) { Beaprint.BadPrint(winVnc4); } foreach (string regHkcu in passRegHkcu) { Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHkcu), false); } foreach (string regHklm in passRegHklm) { Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHklm), false); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintLocalGroupPolicy() { try { Beaprint.MainPrint("Display Local Group Policy settings - local users/machine"); var infos = GroupPolicy.GetLocalGroupPolicyInfos(); foreach (var info in infos) { Beaprint.NoColorPrint($" Type : {info.GPOType}\n" + $" Display Name : {info.DisplayName}\n" + $" Name : {info.GPOName}\n" + $" Extensions : {info.Extensions}\n" + $" File Sys Path : {info.FileSysPath}\n" + $" Link : {info.Link}\n" + $" GPO Link : {info.GPOLink.GetDescription()}\n" + $" Options : {info.Options.GetDescription()}\n"); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { } }
void PrintOtherUsersInterestingFiles() { try { Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n"); // check if admin already, if yes, print a message, if not, try to enumerate all files if (MyUtils.IsHighIntegrity()) { Beaprint.BadPrint(" You are already Administrator, check users home folders manually."); } else // get all files and check them { var users = User.GetOtherUsersFolders(); foreach (var user in users) { Beaprint.GoodPrint($" Checking folder: {user}\n"); var files = SearchHelper.GetFilesFast(user, isFoldersIncluded: true); foreach (var file in files) { try { FileAttributes attr = File.GetAttributes(file.FullPath); if ((attr & FileAttributes.Directory) == FileAttributes.Directory) { List <string> dirRights = PermissionsHelper.GetPermissionsFolder(file.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); if (dirRights.Count > 0) { Beaprint.BadPrint($" Folder Permissions \"{file.FullPath}\": " + string.Join(",", dirRights)); } } else { List <string> fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); if (fileRights.Count > 0) { Beaprint.BadPrint($" File Permissions \"{file.FullPath}\": " + string.Join(",", fileRights)); } } } catch (Exception) { } } Beaprint.PrintLineSeparator(); } } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintPowerShellSessionSettings() { try { Beaprint.MainPrint("Enumerating PowerShell Session Settings using the registry"); if (!MyUtils.IsHighIntegrity()) { Beaprint.NoColorPrint(" You must be an administrator to run this check"); return; } var infos = PowerShell.GetPowerShellSessionSettingsInfos(); foreach (var info in infos) { Beaprint.NoColorPrint($" {"Name",-38} {info.Plugin}"); foreach (var access in info.Permissions) { Beaprint.NoColorPrint($" {access.Principal,-35} {access.Permission,-22}"); } Beaprint.PrintLineSeparator(); } } catch (Exception ex) { } }
public static IEnumerable <SysmonEventInfo> GetSysMonEventInfos() { var query = "*[System/EventID=1]"; EventLogReader logReader; try { var computerName = Environment.GetEnvironmentVariable("COMPUTERNAME"); logReader = MyUtils.GetEventLogReader("Microsoft-Windows-Sysmon/Operational", query, computerName); } catch (Exception ex) { Beaprint.NoColorPrint(" Unable to query Sysmon event logs, Sysmon likely not installed."); yield break; } var i = 0; for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent()) { ++i; var commandLine = eventDetail.Properties[10].Value.ToString().Trim(); if (commandLine != "") { var userName = eventDetail.Properties[12].Value.ToString().Trim(); yield return(new SysmonEventInfo { TimeCreated = eventDetail.TimeCreated, EventID = eventDetail.Id, UserName = userName, Match = commandLine }); } } }
private static void PrintAuditPoliciesInfo() { try { Beaprint.MainPrint("Audit Policy Settings - Classic & Advanced"); var policies = AuditPolicies.GetAuditPoliciesInfos(); foreach (var policy in policies) { Beaprint.NoColorPrint($" Domain : {policy.Domain}\n" + $" GPO : {policy.GPO}\n" + $" Type : {policy.Type}\n"); foreach (var entry in policy.Settings) { Beaprint.NoColorPrint($" {entry.Subcategory,50} : {entry.AuditType}"); } Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private void PrintLogonSessions() { try { Beaprint.MainPrint("Print Logon Sessions"); var logonSessions = LogonSessions.GetLogonSessions(); foreach (var logonSession in logonSessions) { Beaprint.NoColorPrint($" Method: {logonSession.Method}\n" + $" Logon Server: {logonSession.LogonServer}\n" + $" Logon Server Dns Domain: {logonSession.LogonServerDnsDomain}\n" + $" Logon Id: {logonSession.LogonId}\n" + $" Logon Time: {logonSession.LogonTime}\n" + $" Logon Type: {logonSession.LogonType}\n" + $" Start Time: {logonSession.StartTime}\n" + $" Domain: {logonSession.Domain}\n" + $" Authentication Package: {logonSession.AuthenticationPackage}\n" + $" Start Time: {logonSession.StartTime}\n" + $" User Name: {logonSession.UserName}\n" + $" User Principal Name: {logonSession.UserPrincipalName}\n" + $" User SID: {logonSession.UserSID}\n" ); Beaprint.PrintLineSeparator(); } } catch (Exception) { } }
static void PrintAlwaysInstallElevated() { try { Beaprint.MainPrint("Checking AlwaysInstallElevated"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated"); string path = "Software\\Policies\\Microsoft\\Windows\\Installer"; string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated"); string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated"); if (HKLM_AIE == "1") { Beaprint.BadPrint(" AlwaysInstallElevated set to 1 in HKLM!"); } if (HKCU_AIE == "1") { Beaprint.BadPrint(" AlwaysInstallElevated set to 1 in HKCU!"); } if (HKLM_AIE != "1" && HKCU_AIE != "1") { Beaprint.GoodPrint(" AlwaysInstallElevated isn't available"); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static List <string> ParseChromeHistory(string path) { List <string> results = new List <string>(); // parses a Chrome history file via regex if (System.IO.File.Exists(path)) { Regex historyRegex = new Regex(@"(http|ftp|https|file)://([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-])?"); try { using (StreamReader r = new StreamReader(path)) { string line; while ((line = r.ReadLine()) != null) { Match m = historyRegex.Match(line); if (m.Success) { results.Add(m.Groups[0].ToString().Trim()); } } } } catch (IOException exception) { Console.WriteLine("\r\n [x] IO exception, history file likely in use (i.e. Browser is likely running): ", exception.Message); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } return(results); }
private void PrintSysmonConfiguration() { Beaprint.MainPrint("Enumerating Sysmon configuration"); Dictionary <string, string> colors = new Dictionary <string, string> { { SysMon.NotDefined, Beaprint.ansi_color_bad }, { "False", Beaprint.ansi_color_bad }, }; try { if (!MyUtils.IsHighIntegrity()) { Beaprint.NoColorPrint(" You must be an administrator to run this check"); return; } foreach (var item in SysMon.GetSysMonInfos()) { Beaprint.AnsiPrint($" Installed: {item.Installed}\n" + $" Hashing Algorithm: {item.HashingAlgorithm.GetDescription()}\n" + $" Options: {item.Options.GetDescription()}\n" + $" Rules: {item.Rules}\n", colors); Beaprint.PrintLineSeparator(); } } catch (Exception) { } }
static void PrintSavedRDPInfo() { try { Beaprint.MainPrint("Saved RDP connections"); List <Dictionary <string, string> > rdps_info = RemoteDesktop.GetSavedRDPConnections(); if (rdps_info.Count > 0) { Beaprint.NoColorPrint(string.Format(" {0,-20}{1,-55}{2}", "Host", "Username Hint", "User SID")); } else { Beaprint.NotFoundPrint(); } foreach (Dictionary <string, string> rdp_info in rdps_info) { Beaprint.NoColorPrint(string.Format(" {0,-20}{1,-55}{2}", rdp_info["Host"], rdp_info["Username Hint"], rdp_info["SID"])); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
public void PrintInfo(bool isDebug) { Beaprint.GreatPrint("Interesting files and registry"); new List <Action> { Putty.PrintInfo, SuperPutty.PrintInfo, PrintOffice365EndpointsSyncedByOneDrive, PrintCloudCreds, PrintUnattendFiles, PrintSAMBackups, PrintMcAffeSitelistFiles, PrintCachedGPPPassword, PrintPossCredsRegs, PrintUserCredsFiles, PrintOracleSQLDeveloperConfigFiles, Slack.PrintInfo, PrintLOLBAS, PrintOutlookDownloads, PrintMachineAndUserCertificateFiles, PrintUsersInterestingFiles, PrintUsersDocsKeys, PrintOfficeMostRecentFiles, PrintRecentFiles, PrintRecycleBin, PrintHiddenFilesAndFolders, PrintOtherUsersInterestingFiles, PrintExecutablesInNonDefaultFoldersWithWritePermissions, PrintWSLDistributions }.ForEach(action => CheckRunner.Run(action, isDebug)); }
private static void PrintWifi() { try { Beaprint.MainPrint("Looking for saved Wifi credentials"); foreach (var @interface in new WlanClient().Interfaces) { foreach (var profile in @interface.GetProfiles()) { var xml = @interface.GetProfileXml(profile.profileName); XmlDocument xDoc = new XmlDocument(); xDoc.LoadXml(xml); var keyMaterial = xDoc.GetElementsByTagName("keyMaterial"); if (keyMaterial.Count > 0) { string password = keyMaterial[0].InnerText; Beaprint.BadPrint($" SSID : '{profile.profileName}\n'" + $" password : '******' \n\n"); } } } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintDBsFirefox() { try { Beaprint.MainPrint("Looking for Firefox DBs"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); List <string> firefoxDBs = Firefox.GetFirefoxDbs(); if (firefoxDBs.Count > 0) { foreach (string firefoxDB in firefoxDBs) //No Beaprints because line needs red { Beaprint.BadPrint(" Firefox credentials file exists at " + firefoxDB); } Beaprint.InfoPrint("Run SharpWeb (https://github.com/djhohnstein/SharpWeb)"); } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }