private static void PrintHistFirefox()
{
try
{
Beaprint.MainPrint("Looking for GET credentials in Firefox history");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
List <string> firefoxHist = Firefox.GetFirefoxHistory();
if (firefoxHist.Count > 0)
{
Dictionary <string, string> colorsB = new Dictionary <string, string>()
{
{ Globals.PrintCredStrings, Beaprint.ansi_color_bad },
};
foreach (string url in firefoxHist)
{
if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex))
{
Beaprint.AnsiPrint(" " + url, colorsB);
}
}
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintDBsChrome()
{
try
{
Beaprint.MainPrint("Looking for Chrome DBs");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
Dictionary <string, string> chromeDBs = Chrome.GetChromeDbs();
if (chromeDBs.ContainsKey("userChromeCookiesPath"))
{
Beaprint.BadPrint(" Chrome cookies database exists at " + chromeDBs["userChromeCookiesPath"]);
Beaprint.InfoPrint("Follow the provided link for further instructions.");
}
if (chromeDBs.ContainsKey("userChromeLoginDataPath"))
{
Beaprint.BadPrint(" Chrome saved login database exists at " + chromeDBs["userChromeCookiesPath"]);
Beaprint.InfoPrint("Follow the provided link for further instructions.");
}
if ((!chromeDBs.ContainsKey("userChromeLoginDataPath")) &&
(!chromeDBs.ContainsKey("userChromeCookiesPath")))
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintDPAPIMasterKeys()
{
try
{
Beaprint.MainPrint("Checking for DPAPI Master Keys");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");
var masterKeys = KnownFileCredsInfo.ListMasterKeys();
if (masterKeys.Count != 0)
{
Beaprint.DictPrint(masterKeys, true);
if (MyUtils.IsHighIntegrity())
{
Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the masterkey.");
}
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintRdpSessions()
{
try
{
Beaprint.MainPrint("RDP Sessions");
List <Dictionary <string, string> > rdp_sessions = Info.UserInfo.UserInfoHelper.GetRDPSessions();
if (rdp_sessions.Count > 0)
{
string format = " {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";
string header = string.Format(format, "SessID", "pSessionName", "pUserName", "pDomainName", "State", "SourceIP");
Beaprint.GrayPrint(header);
foreach (Dictionary <string, string> rdpSes in rdp_sessions)
{
Beaprint.AnsiPrint(string.Format(format, rdpSes["SessionID"], rdpSes["pSessionName"], rdpSes["pUserName"], rdpSes["pDomainName"], rdpSes["State"], rdpSes["SourceIP"]), ColorsU());
}
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintCU()
{
try
{
Beaprint.MainPrint("Users");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
List <string> usersGrps = User.GetMachineUsers(false, false, false, false, true);
Beaprint.AnsiPrint(" Current user: "******" Current groups: " + string.Join(", ", currentGroupsNames), ColorsU());
Beaprint.PrintLineSeparator();
Beaprint.ListPrint(usersGrps, ColorsU());
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintRecentFiles()
{
try
{
Beaprint.MainPrint("Recent files --limit 70--");
List <Dictionary <string, string> > recFiles = KnownFileCredsInfo.GetRecentFiles();
Dictionary <string, string> colorF = new Dictionary <string, string>()
{
{ _patternsFileCredsColor, Beaprint.ansi_color_bad },
};
if (recFiles.Count != 0)
{
foreach (Dictionary <string, string> recF in recFiles.GetRange(0, recFiles.Count <= 70 ? recFiles.Count : 70))
{
Beaprint.AnsiPrint(" " + recF["Target"] + "(" + recF["Accessed"] + ")", colorF);
}
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintActiveWindow()
{
try
{
Beaprint.MainPrint("Current Active Window Application");
string title = ApplicationInfoHelper.GetActiveWindowTitle();
List <string> permsFile = PermissionsHelper.GetPermissionsFile(title, winPEAS.Checks.Checks.CurrentUserSiDs);
List <string> permsFolder = PermissionsHelper.GetPermissionsFolder(title, winPEAS.Checks.Checks.CurrentUserSiDs);
if (permsFile.Count > 0)
{
Beaprint.BadPrint(" " + title);
Beaprint.BadPrint(" File Permissions: " + string.Join(",", permsFile));
}
else
{
Beaprint.GoodPrint(" " + title);
}
if (permsFolder.Count > 0)
{
Beaprint.BadPrint(" Possible DLL Hijacking, folder is writable: " + PermissionsHelper.GetFolderFromString(title));
Beaprint.BadPrint(" Folder Permissions: " + string.Join(",", permsFile));
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
internal static IEnumerable <CREDENTIAL> CredEnumerate()
{
int count;
IntPtr pCredentials;
var ret = Advapi32.CredEnumerate(null, 0, out count, out pCredentials);
if (ret == false)
{
string exceptionDetails = string.Format("Win32Exception: {0}", new Win32Exception(Marshal.GetLastWin32Error()).ToString());
Beaprint.NoColorPrint($" [!] Unable to enumerate credentials automatically, error: '{exceptionDetails}'");
Beaprint.NoColorPrint("Please run: ");
Beaprint.ColorPrint("cmdkey /list", Beaprint.ansi_color_yellow);
return(Enumerable.Empty <CREDENTIAL>());
}
var credentials = new IntPtr[count];
for (var n = 0; n < count; n++)
{
credentials[n] = Marshal.ReadIntPtr(pCredentials,
n * Marshal.SizeOf(typeof(IntPtr)));
}
return(credentials.Select(ptr => (CREDENTIAL)Marshal.PtrToStructure(ptr, typeof(CREDENTIAL))));
}
//////////////////////////////////////////
/////// Find Write reg. Services ////////
//////////////////////////////////////////
/// Find Services which Reg you have write or equivalent access
public static List <Dictionary <string, string> > GetWriteServiceRegs(Dictionary <string, string> NtAccountNames)
{
List <Dictionary <string, string> > results = new List <Dictionary <string, string> >();
try
{
RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services");
foreach (string serviceRegName in regKey.GetSubKeyNames())
{
RegistryKey key = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services\" + serviceRegName);
List <string> perms = PermissionsHelper.GetMyPermissionsR(key, NtAccountNames);
if (perms.Count > 0)
{
results.Add(new Dictionary <string, string> {
{ "Path", @"HKLM\system\currentcontrolset\services\" + serviceRegName },
{ "Permissions", string.Join(", ", perms) }
});
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
return(results);
}
private static void PrintExplicitLogonEvents()
{
try
{
var lastDays = 30;
Beaprint.MainPrint($"Printing Explicit Credential Events (4648) for last {lastDays} days - A process logged on using plaintext credentials\n");
if (!MyUtils.IsHighIntegrity())
{
Beaprint.NoColorPrint(" You must be an administrator to run this check");
return;
}
var explicitLogonInfos = Logon.GetExplicitLogonEventsInfos(lastDays);
foreach (var logonInfo in explicitLogonInfos)
{
Beaprint.BadPrint($" Subject User : {logonInfo.SubjectUser}\n" +
$" Subject Domain : {logonInfo.SubjectDomain}\n" +
$" Created (UTC) : {logonInfo.CreatedAtUtc}\n" +
$" IP Address : {logonInfo.IpAddress}\n" +
$" Process : {logonInfo.Process}\n" +
$" Target User : {logonInfo.TargetUser}\n" +
$" Target Domain : {logonInfo.TargetDomain}\n");
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintProcessCreationEvents()
{
try
{
Beaprint.MainPrint("Process creation events - searching logs (EID 4688) for sensitive data.\n");
if (!MyUtils.IsHighIntegrity())
{
Beaprint.NoColorPrint(" You must be an administrator to run this check");
return;
}
foreach (var eventInfo in ProcessCreation.GetProcessCreationEventInfos())
{
Beaprint.BadPrint($" Created (UTC) : {eventInfo.CreatedAtUtc}\n" +
$" Event Id : {eventInfo.EventId}\n" +
$" User : {eventInfo.User}\n" +
$" Command Line : {eventInfo.Match}\n");
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static OfficeRecentFileInfo ParseMruString(string mru)
{
var matches = Regex.Matches(mru, "\\[[a-zA-Z0-9]+?\\]\\[T([a-zA-Z0-9]+?)\\](\\[[a-zA-Z0-9]+?\\])?\\*(.+)");
if (matches.Count == 0)
{
return(null);
}
long timestamp = 0;
var dateHexString = matches[0].Groups[1].Value;
var filename = matches[0].Groups[matches[0].Groups.Count - 1].Value;
try
{
timestamp = long.Parse(dateHexString, NumberStyles.HexNumber);
}
catch
{
Beaprint.PrintException($"Could not parse MRU timestamp. Parsed timestamp: {dateHexString} MRU value: {mru}");
}
return(new OfficeRecentFileInfo
{
Application = "Office",
User = null,
Target = filename,
LastAccessDate = DateTime.FromFileTimeUtc(timestamp),
});
}
private static void PrintSecurityPackagesCredentials()
{
Beaprint.MainPrint("Enumerating Security Packages Credentials");
try
{
var credentials = (SecurityPackages.GetNtlmCredentials() ?? Enumerable.Empty <NtlmHashInfo>()).ToList();
if (credentials.Any())
{
foreach (var credential in credentials)
{
if (credential != null)
{
Beaprint.BadPrint($" Version: {credential.Version}\n" +
$" Hash: {credential.Hash}\n");
Beaprint.PrintLineSeparator();
}
}
}
else
{
Beaprint.GoodPrint(" The NTLM security package does not contain any credentials.");
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintAppCmd()
{
try
{
Beaprint.MainPrint("Looking AppCmd.exe");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe");
var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
if (File.Exists(appCmdPath))
{
Beaprint.BadPrint($" AppCmd.exe was found in {appCmdPath}");
}
else
{
Beaprint.NotFoundPrint();
}
if (!MyUtils.IsHighIntegrity())
{
Beaprint.NoColorPrint(" You must be an administrator to run this check");
return;
}
var script = AppCmd.GetExtractAppCmdCredsPowerShellScript();
string args = @$ " {script}";
var processStartInfo = new ProcessStartInfo
{
UseShellExecute = false,
CreateNoWindow = true,
FileName = "powershell.exe",
Arguments = args,
RedirectStandardOutput = true,
RedirectStandardError = true,
StandardOutputEncoding = Encoding.UTF8
};
using (var process = Process.Start(processStartInfo))
{
if (process != null)
{
while (!process.StandardOutput.EndOfStream)
{
Beaprint.BadPrint($" {process.StandardOutput.ReadLine()}");
}
while (!process.StandardError.EndOfStream)
{
Console.WriteLine(process.StandardError.ReadLine());
}
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintCloudCreds()
{
try
{
Beaprint.MainPrint("Cloud Credentials");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
List <Dictionary <string, string> > could_creds = KnownFileCredsInfo.ListCloudCreds();
if (could_creds.Count != 0)
{
foreach (Dictionary <string, string> cc in could_creds)
{
string formString = " {0} ({1})\n Accessed:{2} -- Size:{3}";
Beaprint.BadPrint(string.Format(formString, cc["file"], cc["Description"], cc["Accessed"], cc["Size"]));
System.Console.WriteLine("");
}
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
//////////////////////////////////////
//////// PATH DLL Hijacking /////////
//////////////////////////////////////
/// Look for write or equivalent permissions on ay folder in PATH
public static Dictionary <string, string> GetPathDLLHijacking()
{
Dictionary <string, string> results = new Dictionary <string, string>();
try
{
// grabbed from the registry instead of System.Environment.GetEnvironmentVariable to prevent false positives
string path = RegistryHelper.GetRegValue("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "Path");
if (string.IsNullOrEmpty(path))
{
path = Environment.GetEnvironmentVariable("PATH");
}
List <string> folders = path.Split(';').ToList();
foreach (string folder in folders)
{
results[folder] = String.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs));
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
return(results);
}
void PrintPossCredsRegs()
{
try
{
string[] passRegHkcu = new string[] { @"Software\ORL\WinVNC3\Password", @"Software\TightVNC\Server", @"Software\SimonTatham\PuTTY\Sessions" };
string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };
Beaprint.MainPrint("Looking for possible regs with creds");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry");
string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
if (!string.IsNullOrEmpty(winVnc4.Trim()))
{
Beaprint.BadPrint(winVnc4);
}
foreach (string regHkcu in passRegHkcu)
{
Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHkcu), false);
}
foreach (string regHklm in passRegHklm)
{
Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHklm), false);
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintLocalGroupPolicy()
{
try
{
Beaprint.MainPrint("Display Local Group Policy settings - local users/machine");
var infos = GroupPolicy.GetLocalGroupPolicyInfos();
foreach (var info in infos)
{
Beaprint.NoColorPrint($" Type : {info.GPOType}\n" +
$" Display Name : {info.DisplayName}\n" +
$" Name : {info.GPOName}\n" +
$" Extensions : {info.Extensions}\n" +
$" File Sys Path : {info.FileSysPath}\n" +
$" Link : {info.Link}\n" +
$" GPO Link : {info.GPOLink.GetDescription()}\n" +
$" Options : {info.Options.GetDescription()}\n");
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
}
}
void PrintOtherUsersInterestingFiles()
{
try
{
Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n");
// check if admin already, if yes, print a message, if not, try to enumerate all files
if (MyUtils.IsHighIntegrity())
{
Beaprint.BadPrint(" You are already Administrator, check users home folders manually.");
}
else
// get all files and check them
{
var users = User.GetOtherUsersFolders();
foreach (var user in users)
{
Beaprint.GoodPrint($" Checking folder: {user}\n");
var files = SearchHelper.GetFilesFast(user, isFoldersIncluded: true);
foreach (var file in files)
{
try
{
FileAttributes attr = File.GetAttributes(file.FullPath);
if ((attr & FileAttributes.Directory) == FileAttributes.Directory)
{
List <string> dirRights = PermissionsHelper.GetPermissionsFolder(file.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (dirRights.Count > 0)
{
Beaprint.BadPrint($" Folder Permissions \"{file.FullPath}\": " + string.Join(",", dirRights));
}
}
else
{
List <string> fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (fileRights.Count > 0)
{
Beaprint.BadPrint($" File Permissions \"{file.FullPath}\": " + string.Join(",", fileRights));
}
}
}
catch (Exception)
{
}
}
Beaprint.PrintLineSeparator();
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintPowerShellSessionSettings()
{
try
{
Beaprint.MainPrint("Enumerating PowerShell Session Settings using the registry");
if (!MyUtils.IsHighIntegrity())
{
Beaprint.NoColorPrint(" You must be an administrator to run this check");
return;
}
var infos = PowerShell.GetPowerShellSessionSettingsInfos();
foreach (var info in infos)
{
Beaprint.NoColorPrint($" {"Name",-38} {info.Plugin}");
foreach (var access in info.Permissions)
{
Beaprint.NoColorPrint($" {access.Principal,-35} {access.Permission,-22}");
}
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
}
}
public static IEnumerable <SysmonEventInfo> GetSysMonEventInfos()
{
var query = "*[System/EventID=1]";
EventLogReader logReader;
try
{
var computerName = Environment.GetEnvironmentVariable("COMPUTERNAME");
logReader = MyUtils.GetEventLogReader("Microsoft-Windows-Sysmon/Operational", query, computerName);
}
catch (Exception ex)
{
Beaprint.NoColorPrint(" Unable to query Sysmon event logs, Sysmon likely not installed.");
yield break;
}
var i = 0;
for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
{
++i;
var commandLine = eventDetail.Properties[10].Value.ToString().Trim();
if (commandLine != "")
{
var userName = eventDetail.Properties[12].Value.ToString().Trim();
yield return(new SysmonEventInfo
{
TimeCreated = eventDetail.TimeCreated,
EventID = eventDetail.Id,
UserName = userName,
Match = commandLine
});
}
}
}
private static void PrintAuditPoliciesInfo()
{
try
{
Beaprint.MainPrint("Audit Policy Settings - Classic & Advanced");
var policies = AuditPolicies.GetAuditPoliciesInfos();
foreach (var policy in policies)
{
Beaprint.NoColorPrint($" Domain : {policy.Domain}\n" +
$" GPO : {policy.GPO}\n" +
$" Type : {policy.Type}\n");
foreach (var entry in policy.Settings)
{
Beaprint.NoColorPrint($" {entry.Subcategory,50} : {entry.AuditType}");
}
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private void PrintLogonSessions()
{
try
{
Beaprint.MainPrint("Print Logon Sessions");
var logonSessions = LogonSessions.GetLogonSessions();
foreach (var logonSession in logonSessions)
{
Beaprint.NoColorPrint($" Method: {logonSession.Method}\n" +
$" Logon Server: {logonSession.LogonServer}\n" +
$" Logon Server Dns Domain: {logonSession.LogonServerDnsDomain}\n" +
$" Logon Id: {logonSession.LogonId}\n" +
$" Logon Time: {logonSession.LogonTime}\n" +
$" Logon Type: {logonSession.LogonType}\n" +
$" Start Time: {logonSession.StartTime}\n" +
$" Domain: {logonSession.Domain}\n" +
$" Authentication Package: {logonSession.AuthenticationPackage}\n" +
$" Start Time: {logonSession.StartTime}\n" +
$" User Name: {logonSession.UserName}\n" +
$" User Principal Name: {logonSession.UserPrincipalName}\n" +
$" User SID: {logonSession.UserSID}\n"
);
Beaprint.PrintLineSeparator();
}
}
catch (Exception)
{
}
}
static void PrintAlwaysInstallElevated()
{
try
{
Beaprint.MainPrint("Checking AlwaysInstallElevated");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated");
string path = "Software\\Policies\\Microsoft\\Windows\\Installer";
string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated");
string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated");
if (HKLM_AIE == "1")
{
Beaprint.BadPrint(" AlwaysInstallElevated set to 1 in HKLM!");
}
if (HKCU_AIE == "1")
{
Beaprint.BadPrint(" AlwaysInstallElevated set to 1 in HKCU!");
}
if (HKLM_AIE != "1" && HKCU_AIE != "1")
{
Beaprint.GoodPrint(" AlwaysInstallElevated isn't available");
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static List <string> ParseChromeHistory(string path)
{
List <string> results = new List <string>();
// parses a Chrome history file via regex
if (System.IO.File.Exists(path))
{
Regex historyRegex = new Regex(@"(http|ftp|https|file)://([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-])?");
try
{
using (StreamReader r = new StreamReader(path))
{
string line;
while ((line = r.ReadLine()) != null)
{
Match m = historyRegex.Match(line);
if (m.Success)
{
results.Add(m.Groups[0].ToString().Trim());
}
}
}
}
catch (IOException exception)
{
Console.WriteLine("\r\n [x] IO exception, history file likely in use (i.e. Browser is likely running): ", exception.Message);
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
return(results);
}
private void PrintSysmonConfiguration()
{
Beaprint.MainPrint("Enumerating Sysmon configuration");
Dictionary <string, string> colors = new Dictionary <string, string>
{
{ SysMon.NotDefined, Beaprint.ansi_color_bad },
{ "False", Beaprint.ansi_color_bad },
};
try
{
if (!MyUtils.IsHighIntegrity())
{
Beaprint.NoColorPrint(" You must be an administrator to run this check");
return;
}
foreach (var item in SysMon.GetSysMonInfos())
{
Beaprint.AnsiPrint($" Installed: {item.Installed}\n" +
$" Hashing Algorithm: {item.HashingAlgorithm.GetDescription()}\n" +
$" Options: {item.Options.GetDescription()}\n" +
$" Rules: {item.Rules}\n",
colors);
Beaprint.PrintLineSeparator();
}
}
catch (Exception)
{
}
}
static void PrintSavedRDPInfo()
{
try
{
Beaprint.MainPrint("Saved RDP connections");
List <Dictionary <string, string> > rdps_info = RemoteDesktop.GetSavedRDPConnections();
if (rdps_info.Count > 0)
{
Beaprint.NoColorPrint(string.Format(" {0,-20}{1,-55}{2}", "Host", "Username Hint", "User SID"));
}
else
{
Beaprint.NotFoundPrint();
}
foreach (Dictionary <string, string> rdp_info in rdps_info)
{
Beaprint.NoColorPrint(string.Format(" {0,-20}{1,-55}{2}", rdp_info["Host"], rdp_info["Username Hint"], rdp_info["SID"]));
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Interesting files and registry");
new List <Action>
{
Putty.PrintInfo,
SuperPutty.PrintInfo,
PrintOffice365EndpointsSyncedByOneDrive,
PrintCloudCreds,
PrintUnattendFiles,
PrintSAMBackups,
PrintMcAffeSitelistFiles,
PrintCachedGPPPassword,
PrintPossCredsRegs,
PrintUserCredsFiles,
PrintOracleSQLDeveloperConfigFiles,
Slack.PrintInfo,
PrintLOLBAS,
PrintOutlookDownloads,
PrintMachineAndUserCertificateFiles,
PrintUsersInterestingFiles,
PrintUsersDocsKeys,
PrintOfficeMostRecentFiles,
PrintRecentFiles,
PrintRecycleBin,
PrintHiddenFilesAndFolders,
PrintOtherUsersInterestingFiles,
PrintExecutablesInNonDefaultFoldersWithWritePermissions,
PrintWSLDistributions
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
private static void PrintWifi()
{
try
{
Beaprint.MainPrint("Looking for saved Wifi credentials");
foreach (var @interface in new WlanClient().Interfaces)
{
foreach (var profile in @interface.GetProfiles())
{
var xml = @interface.GetProfileXml(profile.profileName);
XmlDocument xDoc = new XmlDocument();
xDoc.LoadXml(xml);
var keyMaterial = xDoc.GetElementsByTagName("keyMaterial");
if (keyMaterial.Count > 0)
{
string password = keyMaterial[0].InnerText;
Beaprint.BadPrint($" SSID : '{profile.profileName}\n'" +
$" password : '******' \n\n");
}
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintDBsFirefox()
{
try
{
Beaprint.MainPrint("Looking for Firefox DBs");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
List <string> firefoxDBs = Firefox.GetFirefoxDbs();
if (firefoxDBs.Count > 0)
{
foreach (string firefoxDB in firefoxDBs) //No Beaprints because line needs red
{
Beaprint.BadPrint(" Firefox credentials file exists at " + firefoxDB);
}
Beaprint.InfoPrint("Run SharpWeb (https://github.com/djhohnstein/SharpWeb)");
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
