private static void PrintDPAPIMasterKeys()
{
    // Lists DPAPI master-key entries; when running at high integrity it also
    // points the reader to the linked documentation for follow-up.
    try
    {
        Beaprint.MainPrint("Checking for DPAPI Master Keys");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");

        var keyEntries = KnownFileCredsInfo.ListMasterKeys();
        if (keyEntries.Count == 0)
        {
            Beaprint.NotFoundPrint();
            return;
        }

        Beaprint.DictPrint(keyEntries, true);
        if (MyUtils.IsHighIntegrity())
        {
            Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the masterkey.");
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
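void PrintPossCredsRegs()
{
    // Prints values from registry locations that are known to hold stored
    // credentials. The per-user list is read from HKCU and the machine-wide
    // list from HKLM; an absent value must not abort the remaining lookups.
    try
    {
        string[] passRegHkcu = new string[]
        {
            @"Software\ORL\WinVNC3\Password",
            @"Software\TightVNC\Server",
            @"Software\SimonTatham\PuTTY\Sessions"
        };
        string[] passRegHklm = new string[]
        {
            @"SYSTEM\CurrentControlSet\Services\SNMP"
        };

        Beaprint.MainPrint("Looking for possible regs with creds");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry");

        string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
        // GetRegValue may yield null when the value does not exist; calling
        // Trim() on that null threw and skipped every lookup below.
        if (!string.IsNullOrWhiteSpace(winVnc4))
        {
            Beaprint.BadPrint(winVnc4);
        }

        // The first list is named passRegHkcu and holds per-user "Software\..."
        // paths, yet the original queried it against HKLM (same as the second
        // list); read it from HKCU as the name states.
        foreach (string regHkcu in passRegHkcu)
        {
            Beaprint.DictPrint(RegistryHelper.GetRegValues("HKCU", regHkcu), false);
        }
        foreach (string regHklm in passRegHklm)
        {
            Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHklm), false);
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}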
void PrintModifiableServices()
{
    // Reports the services collected in modifiableServices (a field defined
    // elsewhere); every row is highlighted with the "bad" colour.
    try
    {
        Beaprint.MainPrint("Modifiable Services");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service");

        if (modifiableServices.Count == 0)
        {
            Beaprint.GoodPrint(" You cannot modify any service");
            return;
        }

        Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:");
        var highlightAll = new Dictionary<string, string>
        {
            { ".*", Beaprint.ansi_color_bad },
        };
        Beaprint.DictPrint(modifiableServices, highlightAll, false, true);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
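private static void PrintWifi()
{
    // Enumerates saved WLAN profiles through wlanapi and reports which SSIDs
    // have key material stored (the key itself is masked in the output). If
    // that path fails, falls back to the netsh-based Wifi.Retrieve() parser.
    try
    {
        Beaprint.MainPrint("Looking for saved Wifi credentials");

        // One client is enough; the original built two and left one unused.
        WlanClient wlanClient = new WlanClient();
        foreach (var wlanInterface in wlanClient.Interfaces)
        {
            foreach (var profile in wlanInterface.GetProfiles())
            {
                var xml = wlanInterface.GetProfileXml(profile.profileName);
                XmlDocument xDoc = new XmlDocument();
                // Only the presence of <keyMaterial> is inspected; no external
                // resolution is needed, so disable the resolver.
                xDoc.XmlResolver = null;
                xDoc.LoadXml(xml);

                if (xDoc.GetElementsByTagName("keyMaterial").Count > 0)
                {
                    // The key is deliberately not read into a local: the output
                    // only signals that one is stored. (Closing quote moved to
                    // follow the SSID instead of the newline.)
                    Beaprint.BadPrint($" SSID : '{profile.profileName}'\n" + " password : '******' \n\n");
                }
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);

        // revert to old way
        Beaprint.NoColorPrint("Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'");
        Dictionary<string, string> networkConnections = Wifi.Wifi.Retrieve();
        if (networkConnections.Count == 0)
        {
            Beaprint.NoColorPrint("No saved Wifi credentials found");
            return;
        }

        // Flag every value as ansi_color_bad. DictPrint treats colour keys as
        // regex patterns, so escape metacharacters in the values, and assign
        // through the indexer because Add() throws when two networks share
        // the same value.
        // NOTE(review): unlike the wlanapi path above, the values returned by
        // Wifi.Retrieve() are printed as-is, not masked.
        Dictionary<string, string> ansi_colors_regexp = new Dictionary<string, string>();
        foreach (var connection in networkConnections)
        {
            ansi_colors_regexp[System.Text.RegularExpressions.Regex.Escape(connection.Value)] = Beaprint.ansi_color_bad;
        }
        Beaprint.DictPrint(networkConnections, ansi_colors_regexp, false);
    }
}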
private static void PrintRecentRunCommands()
{
    // Prints the recently-run command entries gathered by KnownFileCredsInfo.
    try
    {
        Beaprint.MainPrint("Recently run commands");
        Dictionary<string, object> recentRun = KnownFileCredsInfo.GetRecentRunCommands();
        Beaprint.DictPrint(recentRun, false);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
private static void PrintKerberosTGTTickets()
{
    // Prints the TGT data returned by Kerberos.GetKerberosTGTData().
    try
    {
        Beaprint.MainPrint("Looking for Kerberos TGT tickets");
        Beaprint.DictPrint(Kerberos.GetKerberosTGTData(), false);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
void PrintPasswordPolicies()
{
    // Prints the password-policy tables using the shared ColorsU() palette.
    try
    {
        Beaprint.MainPrint("Password Policies");
        Beaprint.LinkPrint("", "Check for a possible brute-force");

        List<Dictionary<string, string>> policyTables = Info.UserInfo.UserInfoHelper.GetPasswordPolicy();
        Beaprint.DictPrint(policyTables, ColorsU(), false);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
private static void PrintAuditInfo()
{
    // Prints the audit settings returned by SystemInfo.GetAuditSettings().
    try
    {
        Beaprint.MainPrint("Audit Settings");
        Beaprint.LinkPrint("", "Check what is being logged");

        Dictionary<string, string> auditSettings = Info.SystemInfo.SystemInfo.GetAuditSettings();
        Beaprint.DictPrint(auditSettings, false);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
static void PrintWEFInfo()
{
    // Prints the Windows Event Forwarding settings from SystemInfo.GetWEFSettings().
    try
    {
        Beaprint.MainPrint("WEF Settings");
        Beaprint.LinkPrint("", "Windows Event Forwarding, is interesting to know were are sent the logs");

        Dictionary<string, string> wefSettings = Info.SystemInfo.SystemInfo.GetWEFSettings();
        Beaprint.DictPrint(wefSettings, false);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
void PrintTokenP()
{
    // Prints the current token's group privileges using the shared ColorsU() palette.
    try
    {
        Beaprint.MainPrint("Current Token privileges");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation", "Check if you can escalate privilege using some enabled token");

        Dictionary<string, string> privileges = Token.GetTokenGroupPrivs();
        Beaprint.DictPrint(privileges, ColorsU(), false);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
private static void PrintKerberosTickets()
{
    // Prints the ticket list returned by Kerberos.ListKerberosTickets().
    try
    {
        Beaprint.MainPrint("Looking for Kerberos tickets");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88");
        Beaprint.DictPrint(Kerberos.ListKerberosTickets(), false);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
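private static void PrintPuttySSH()
{
    // Lists PuTTY SSH host-key entries, highlighting every row.
    try
    {
        Beaprint.MainPrint("Putty SSH Host keys");
        List<Dictionary<string, string>> hostKeys = Putty.ListPuttySSHHostKeys();
        Dictionary<string, string> colorF = new Dictionary<string, string>()
        {
            { ".*", Beaprint.ansi_color_bad },
        };
        Beaprint.DictPrint(hostKeys, colorF, false, true);
    }
    catch (Exception ex)
    {
        // Report failures the same way as every other check instead of
        // dumping the whole exception object in gray.
        Beaprint.PrintException(ex.Message);
    }
}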
static void PrintPSInfo()
{
    // Prints PowerShell settings, highlighting the history file and size rows.
    try
    {
        Beaprint.MainPrint("PowerShell Settings");

        Dictionary<string, string> psSettings = Info.SystemInfo.SystemInfo.GetPowerShellSettings();
        var highlights = new Dictionary<string, string>
        {
            { "PS history file: .+", Beaprint.ansi_color_bad },
            { "PS history size: .+", Beaprint.ansi_color_bad }
        };
        Beaprint.DictPrint(psSettings, highlights, false);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
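private static void PrintPuttySess()
{
    // Lists saved PuTTY sessions; proxy password, key file, host name and
    // port-forwarding rows are highlighted.
    try
    {
        Beaprint.MainPrint("Putty Sessions");
        List<Dictionary<string, string>> sessions = Putty.GetPuttySessions();
        Dictionary<string, string> colorF = new Dictionary<string, string>()
        {
            { "ProxyPassword.*|PublicKeyFile.*|HostName.*|PortForwardings.*", Beaprint.ansi_color_bad },
        };
        Beaprint.DictPrint(sessions, colorF, true, true);
    }
    catch (Exception ex)
    {
        // Report failures the same way as every other check instead of
        // dumping the whole exception object in gray.
        Beaprint.PrintException(ex.Message);
    }
}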
static void PrintSystemEV()
{
    // Prints system environment variables; values matching the shared
    // credential pattern are highlighted.
    try
    {
        Beaprint.MainPrint("System Environment Variables");
        Beaprint.LinkPrint("", "Check for some passwords or keys in the env variables");

        var highlights = new Dictionary<string, string>
        {
            { Globals.PrintCredStringsLimited, Beaprint.ansi_color_bad }
        };
        Dictionary<string, string> envVars = Info.SystemInfo.SystemInfo.GetSystemEnvVariables();
        Beaprint.DictPrint(envVars, highlights, false);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
void PrintLAPSInfo()
{
    // Prints LAPS settings; rows matching badLAPS (defined elsewhere) are highlighted.
    try
    {
        Beaprint.MainPrint("LAPS Settings");
        Beaprint.LinkPrint("", "If installed, local administrator password is changed frequently and is restricted by ACL");

        var highlights = new Dictionary<string, string>
        {
            { badLAPS, Beaprint.ansi_color_bad }
        };
        Dictionary<string, string> lapsSettings = Info.SystemInfo.SystemInfo.GetLapsSettings();
        Beaprint.DictPrint(lapsSettings, highlights, false);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
private static void PrintVaultCreds()
{
    // Prints the Windows Vault entries returned by VaultCli.DumpVault().
    try
    {
        Beaprint.MainPrint("Checking Windows Vault");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault");

        var highlights = new Dictionary<string, string>
        {
            { "Identity.*|Credential.*|Resource.*", Beaprint.ansi_color_bad },
        };
        var vaultEntries = VaultCli.DumpVault();
        Beaprint.DictPrint(vaultEntries, highlights, true, true);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
private static void PrintDpapiCredFiles()
{
    // Lists DPAPI credential files and, if any were found, points to the
    // linked documentation for follow-up.
    try
    {
        Beaprint.MainPrint("Checking for DPAPI Credential Files");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");

        var credentialFiles = KnownFileCredsInfo.GetCredFiles();
        Beaprint.DictPrint(credentialFiles, false);
        if (credentialFiles.Count == 0)
        {
            return;
        }
        Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the creds file");
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
private static void PrintRCManFiles()
{
    // Lists Remote Desktop Connection Manager settings files and, if any
    // were found, points to the linked documentation for follow-up.
    try
    {
        Beaprint.MainPrint("Checking for RDCMan Settings Files");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager", "Dump credentials from Remote Desktop Connection Manager");

        var settingsFiles = RemoteDesktop.GetRDCManFiles();
        Beaprint.DictPrint(settingsFiles, false);
        if (settingsFiles.Count == 0)
        {
            return;
        }
        Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the .rdg file");
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
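static void PrintUACInfo()
{
    // Prints the UAC policy values and a one-line verdict derived from
    // EnableLUA, LocalAccountTokenFilterPolicy and FilterAdministratorToken.
    // badUAC / goodUAC are patterns defined elsewhere in the file.
    try
    {
        Beaprint.MainPrint("UAC Status");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");

        Dictionary<string, string> uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies();
        Dictionary<string, string> colorsSI = new Dictionary<string, string>()
        {
            { badUAC, Beaprint.ansi_color_bad },
            { goodUAC, Beaprint.ansi_color_good }
        };
        Beaprint.DictPrint(uacDict, colorsSI, false);

        // A policy key the helper did not return is treated as unset ("").
        // Indexing the dictionary directly threw KeyNotFoundException and the
        // verdict below was never printed.
        string Policy(string key) => uacDict.TryGetValue(key, out string value) && value != null ? value : "";

        string enableLua = Policy("EnableLUA");
        string tokenFilterPolicy = Policy("LocalAccountTokenFilterPolicy");
        string filterAdminToken = Policy("FilterAdministratorToken");

        // The four original conditions were mutually exclusive; they are the
        // same cases written as one decision chain.
        if (enableLua == "" || enableLua == "0")
        {
            Beaprint.BadPrint(" [*] EnableLUA != 1, UAC policies disabled.\r\n [+] Any local account can be used for lateral movement.");
        }
        else if (enableLua == "1")
        {
            if (tokenFilterPolicy == "1")
            {
                Beaprint.BadPrint(" [*] LocalAccountTokenFilterPolicy set to 1.\r\n [+] Any local account can be used for lateral movement.");
            }
            else if (filterAdminToken != "1")
            {
                Beaprint.GoodPrint(" [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.\r\n [-] Only the RID-500 local admin account can be used for lateral movement.");
            }
            else
            {
                Beaprint.GoodPrint(" [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken == 1.\r\n [-] No local accounts can be used for lateral movement.");
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}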
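static void PrintAVInfo()
{
    // Prints the AV information returned by SystemInfo.GetAVInfo(), preceded
    // by a one-line summary of whether a product name was reported.
    try
    {
        Beaprint.MainPrint("AV Information");
        Dictionary<string, string> AVInfo = Info.SystemInfo.SystemInfo.GetAVInfo();

        // Single lookup instead of ContainsKey + indexer; also tolerates a
        // null "Name" value, which the previous .Length access did not.
        if (AVInfo.TryGetValue("Name", out string avName) && !string.IsNullOrEmpty(avName))
        {
            Beaprint.GoodPrint(" Some AV was detected, search for bypasses");
        }
        else
        {
            Beaprint.BadPrint(" No AV was detected!!");
        }
        Beaprint.DictPrint(AVInfo, true);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}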
static void PrintInetInfo()
{
    // Prints the Internet Settings for the HKCU and HKLM hives; proxy server
    // rows are highlighted in both tables.
    try
    {
        var highlights = new Dictionary<string, string>
        {
            { "ProxyServer.*", Beaprint.ansi_color_bad }
        };

        Beaprint.MainPrint("HKCU Internet Settings");
        Dictionary<string, string> hkcuSettings = Info.SystemInfo.SystemInfo.GetInternetSettings("HKCU");
        Beaprint.DictPrint(hkcuSettings, highlights, true);

        Beaprint.MainPrint("HKLM Internet Settings");
        Dictionary<string, string> hklmSettings = Info.SystemInfo.SystemInfo.GetInternetSettings("HKLM");
        Beaprint.DictPrint(hklmSettings, highlights, true);
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
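void PrintRecycleBin()
{
    // Lists Recycle Bin entries whose "Name" matches one of the credential
    // file globs in patternsFileCreds (a field defined elsewhere) or the
    // extra *password* / *credential* globs. Each entry is printed once.
    try
    {
        string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*";
        Dictionary<string, string> colorF = new Dictionary<string, string>()
        {
            { _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad },
        };

        Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");

        // Translate every glob once, outside the file loop. Escaping first
        // keeps regex metacharacters in a glob literal and avoids an
        // ArgumentException on e.g. an unbalanced bracket; the escaped "\*"
        // then becomes the ".*" wildcard. An empty segment is skipped: as a
        // regex it matched every file name.
        List<Regex> nameMatchers = new List<Regex>();
        foreach (string glob in pattern_bin.Split(';'))
        {
            if (glob.Length == 0)
            {
                continue;
            }
            nameMatchers.Add(new Regex(Regex.Escape(glob).Replace(@"\*", ".*"), RegexOptions.IgnoreCase));
        }

        List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
        foreach (Dictionary<string, string> rec_file in recy_files)
        {
            // A row without "Name" previously threw and aborted the listing.
            if (!rec_file.TryGetValue("Name", out string name) || name == null)
            {
                continue;
            }

            // Stop at the first hit so a file matching several globs is not
            // printed several times.
            bool matched = false;
            foreach (Regex matcher in nameMatchers)
            {
                if (matcher.IsMatch(name))
                {
                    matched = true;
                    break;
                }
            }
            if (matched)
            {
                Beaprint.DictPrint(rec_file, colorF, true);
                System.Console.WriteLine();
            }
        }

        if (recy_files.Count == 0)
        {
            Beaprint.NotFoundPrint();
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}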
void PrintCachedGPPPassword()
{
    // Prints each cached Group Policy Preferences file returned by
    // GPP.GetCachedGPPPassword(), highlighting its cpassword rows.
    try
    {
        Beaprint.MainPrint("Cached GPP Passwords");

        var highlights = new Dictionary<string, string>
        {
            { "cpassword.*", Beaprint.ansi_color_bad },
        };
        Dictionary<string, Dictionary<string, string>> cachedFiles = GPP.GetCachedGPPPassword();
        foreach (var cached in cachedFiles)
        {
            Beaprint.BadPrint(" Found " + cached.Key);
            Beaprint.DictPrint(cached.Value, highlights, true);
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}
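void PrintModifiableServices()
{
    // Reports the services collected in modifiableServices (a field defined
    // elsewhere). Rows granting modify rights are coloured bad, rows granting
    // only start/stop rights are coloured yellow.
    try
    {
        Beaprint.MainPrint("Modifiable Services");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can modify any service");

        if (modifiableServices.Count > 0)
        {
            Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
            // Colour keys are regex patterns (the other tables use ".*" and
            // "|"), so the parentheses in the two labels below must be
            // escaped; unescaped they form a group and never match the
            // literal "(...)" text.
            Dictionary<string, string> colorsMS = new Dictionary<string, string>()
            {
                // modify
                { "AllAccess", Beaprint.ansi_color_bad },
                { "ChangeConfig", Beaprint.ansi_color_bad },
                { "WriteDac", Beaprint.ansi_color_bad },
                { "WriteOwner", Beaprint.ansi_color_bad },
                { "AccessSystemSecurity", Beaprint.ansi_color_bad },
                { "GenericAll", Beaprint.ansi_color_bad },
                { @"GenericWrite \(ChangeConfig\)", Beaprint.ansi_color_bad },
                // start/stop
                { @"GenericExecute \(Start/Stop\)", Beaprint.ansi_color_yellow },
                { "Start", Beaprint.ansi_color_yellow },
                { "Stop", Beaprint.ansi_color_yellow },
            };
            Beaprint.DictPrint(modifiableServices, colorsMS, false, true);
        }
        else
        {
            Beaprint.GoodPrint(" You cannot modify any service");
        }
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}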
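private static void PrintBasicSystemInfo()
{
    // Prints the basic OS information table (hotfix list in the "good"
    // colour, Globals.StrTrue values in the "bad" colour) and then runs the
    // Watson checks, which print their own output.
    try
    {
        Beaprint.MainPrint("Basic System Information");
        Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit");

        Dictionary<string, string> basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo();
        // Colour the hotfix list only when the helper returned it; indexing a
        // missing key threw and skipped the whole section.
        if (basicDictSystem.TryGetValue("Hotfixes", out string hotfixes))
        {
            basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + hotfixes + Beaprint.NOCOLOR;
        }

        Dictionary<string, string> colorsSI = new Dictionary<string, string>
        {
            { Globals.StrTrue, Beaprint.ansi_color_bad },
        };
        Beaprint.DictPrint(basicDictSystem, colorsSI, false);
        System.Console.WriteLine();

        // To update Watson, add the new CVEs and adjust its main function so
        // it uses them (be careful with the Beaprint calls inside FindVulns).
        // The Wmi, Vulnerability and VulnerabilityCollection classes usually
        // need no changes.
        Watson.FindVulns();
    }
    catch (Exception ex)
    {
        Beaprint.PrintException(ex.Message);
    }
}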