        /// <summary>
        /// Lists the DPAPI master key files reported by KnownFileCredsInfo.ListMasterKeys()
        /// and, when the process runs at high integrity, points the reader to the linked
        /// documentation. Any exception is printed through Beaprint.PrintException
        /// instead of propagating.
        /// </summary>
        private static void PrintDPAPIMasterKeys()
        {
            try
            {
                Beaprint.MainPrint("Checking for DPAPI Master Keys");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");

                var keyFiles = KnownFileCredsInfo.ListMasterKeys();
                if (keyFiles.Count == 0)
                {
                    Beaprint.NotFoundPrint();
                    return;
                }

                Beaprint.DictPrint(keyFiles, true);

                // The decryption hint is only relevant when running elevated.
                if (MyUtils.IsHighIntegrity())
                {
                    Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the masterkey.");
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
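        /// <summary>
        /// Reports registry locations that commonly hold stored credentials
        /// (VNC server passwords, PuTTY sessions, the SNMP service configuration).
        /// Per-user paths are read from HKCU and machine-wide paths from HKLM.
        /// Exceptions are printed via Beaprint.PrintException and not rethrown.
        /// </summary>
        void PrintPossCredsRegs()
        {
            try
            {
                // Per-user locations (HKCU) and machine-wide locations (HKLM).
                string[] passRegHkcu = new string[] { @"Software\ORL\WinVNC3\Password", @"Software\TightVNC\Server", @"Software\SimonTatham\PuTTY\Sessions" };
                string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };

                Beaprint.MainPrint("Looking for possible regs with creds");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry");

                // GetRegValue may return null when the value is absent; IsNullOrWhiteSpace
                // covers that case without the NullReferenceException that Trim() risked.
                string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
                if (!string.IsNullOrWhiteSpace(winVnc4))
                {
                    Beaprint.BadPrint(winVnc4);
                }

                // The per-user list was previously queried against HKLM, so the
                // HKCU keys it names were never actually inspected.
                foreach (string regHkcu in passRegHkcu)
                {
                    Beaprint.DictPrint(RegistryHelper.GetRegValues("HKCU", regHkcu), false);
                }

                foreach (string regHklm in passRegHklm)
                {
                    Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHklm), false);
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }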
 /// <summary>
 /// Prints the entries of the <c>modifiableServices</c> field (populated elsewhere)
 /// and states whether the current user can modify any service. Exceptions are
 /// printed through Beaprint.PrintException and do not propagate.
 /// </summary>
 void PrintModifiableServices()
 {
     try
     {
         Beaprint.MainPrint("Modifiable Services");
         Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service");

         if (modifiableServices.Count == 0)
         {
             Beaprint.GoodPrint("    You cannot modify any service");
             return;
         }

         Beaprint.BadPrint("    LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:");

         // Every printed value is highlighted as "bad".
         var highlightAll = new Dictionary<string, string>();
         highlightAll.Add(".*", Beaprint.ansi_color_bad);
         Beaprint.DictPrint(modifiableServices, highlightAll, false, true);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
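        /// <summary>
        /// Lists saved Wi-Fi profiles that carry key material, printing the SSID and a
        /// masked placeholder for the key. Enumeration goes through the native WLAN API
        /// first; if that throws, the exception is printed and the method falls back to
        /// the 'netsh'-based Wifi.Wifi.Retrieve() listing.
        /// </summary>
        private static void PrintWifi()
        {
            try
            {
                Beaprint.MainPrint("Looking for saved Wifi credentials");

                // A single client is enough; the previous version created a second,
                // unused instance inside the foreach header.
                WlanClient wlanClient = new WlanClient();

                foreach (var @interface in wlanClient.Interfaces)
                {
                    foreach (var profile in @interface.GetProfiles())
                    {
                        var xml = @interface.GetProfileXml(profile.profileName);

                        XmlDocument xDoc = new XmlDocument();
                        // The profile XML comes from the local WLAN store, but disabling the
                        // resolver rules out external-entity fetches regardless of framework defaults.
                        xDoc.XmlResolver = null;
                        xDoc.LoadXml(xml);

                        // Only the presence of <keyMaterial> is reported; the key itself is
                        // never written to the console, so it is not read into a local.
                        if (xDoc.GetElementsByTagName("keyMaterial").Count > 0)
                        {
                            // Closing quote now follows the SSID instead of the newline.
                            Beaprint.BadPrint($"   SSID         :       '{profile.profileName}'\n" +
                                              $"   password     :       '******'  \n\n");
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);

                // revert to old way
                Beaprint.NoColorPrint("Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'");

                Dictionary <string, string> networkConnections = Wifi.Wifi.Retrieve();
                Dictionary <string, string> ansi_colors_regexp = new Dictionary <string, string>();

                if (networkConnections.Count > 0)
                {
                    // Make sure the passwords are all flagged as ansi_color_bad. Indexer
                    // assignment instead of Add(): two profiles sharing the same value
                    // would otherwise throw ArgumentException and abort the listing.
                    foreach (var connection in networkConnections)
                    {
                        ansi_colors_regexp[connection.Value] = Beaprint.ansi_color_bad;
                    }
                    Beaprint.DictPrint(networkConnections, ansi_colors_regexp, false);
                }
                else
                {
                    Beaprint.NoColorPrint("No saved Wifi credentials found");
                }
            }
        }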
 /// <summary>
 /// Prints the "recently run" command entries returned by
 /// KnownFileCredsInfo.GetRecentRunCommands(). Exceptions are printed via
 /// Beaprint.PrintException rather than thrown.
 /// </summary>
 private static void PrintRecentRunCommands()
 {
     try
     {
         Beaprint.MainPrint("Recently run commands");
         Dictionary<string, object> recentEntries = KnownFileCredsInfo.GetRecentRunCommands();
         Beaprint.DictPrint(recentEntries, false);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
 /// <summary>
 /// Prints the Kerberos TGT data gathered by Kerberos.GetKerberosTGTData().
 /// Exceptions are printed via Beaprint.PrintException instead of propagating.
 /// </summary>
 private static void PrintKerberosTGTTickets()
 {
     try
     {
         Beaprint.MainPrint("Looking for Kerberos TGT tickets");
         Beaprint.DictPrint(Kerberos.GetKerberosTGTData(), false);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
 /// <summary>
 /// Prints the local password policy entries returned by
 /// Info.UserInfo.UserInfoHelper.GetPasswordPolicy(), coloured with ColorsU().
 /// Exceptions are printed via Beaprint.PrintException rather than thrown.
 /// </summary>
 void PrintPasswordPolicies()
 {
     try
     {
         Beaprint.MainPrint("Password Policies");
         Beaprint.LinkPrint("", "Check for a possible brute-force");

         List<Dictionary<string, string>> policyEntries = Info.UserInfo.UserInfoHelper.GetPasswordPolicy();
         var colors = ColorsU();
         Beaprint.DictPrint(policyEntries, colors, false);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
 /// <summary>
 /// Prints the audit policy settings returned by
 /// Info.SystemInfo.SystemInfo.GetAuditSettings(). Exceptions are printed via
 /// Beaprint.PrintException rather than thrown.
 /// </summary>
 private static void PrintAuditInfo()
 {
     try
     {
         Beaprint.MainPrint("Audit Settings");
         Beaprint.LinkPrint("", "Check what is being logged");

         Dictionary<string, string> auditSettings = Info.SystemInfo.SystemInfo.GetAuditSettings();
         Beaprint.DictPrint(auditSettings, false);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
 /// <summary>
 /// Prints the Windows Event Forwarding settings returned by
 /// Info.SystemInfo.SystemInfo.GetWEFSettings(). Exceptions are printed via
 /// Beaprint.PrintException rather than thrown.
 /// </summary>
 static void PrintWEFInfo()
 {
     try
     {
         Beaprint.MainPrint("WEF Settings");
         Beaprint.LinkPrint("", "Windows Event Forwarding, is interesting to know were are sent the logs");

         Dictionary<string, string> wefSettings = Info.SystemInfo.SystemInfo.GetWEFSettings();
         Beaprint.DictPrint(wefSettings, false);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
 /// <summary>
 /// Prints the privileges held by the current token, as returned by
 /// Token.GetTokenGroupPrivs(), coloured with ColorsU(). Exceptions are printed
 /// via Beaprint.PrintException rather than thrown.
 /// </summary>
 void PrintTokenP()
 {
     try
     {
         Beaprint.MainPrint("Current Token privileges");
         Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation", "Check if you can escalate privilege using some enabled token");

         Dictionary<string, string> privileges = Token.GetTokenGroupPrivs();
         var colors = ColorsU();
         Beaprint.DictPrint(privileges, colors, false);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
        /// <summary>
        /// Prints the Kerberos tickets enumerated by Kerberos.ListKerberosTickets().
        /// Exceptions are printed via Beaprint.PrintException rather than thrown.
        /// </summary>
        private static void PrintKerberosTickets()
        {
            try
            {
                Beaprint.MainPrint("Looking for Kerberos tickets");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88");
                Beaprint.DictPrint(Kerberos.ListKerberosTickets(), false);
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
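 /// <summary>
 /// Prints the PuTTY SSH host-key cache entries returned by
 /// Putty.ListPuttySSHHostKeys(), highlighting every value. Errors are reported
 /// through Beaprint.PrintException like the other Print* routines in this
 /// file, instead of dumping the whole exception object with GrayPrint.
 /// </summary>
 private static void PrintPuttySSH()
 {
     try
     {
         Beaprint.MainPrint("Putty SSH Host keys");
         List<Dictionary<string, string>> hostKeys = Putty.ListPuttySSHHostKeys();

         // Every field is highlighted.
         Dictionary<string, string> highlightAll = new Dictionary<string, string>()
         {
             { ".*", Beaprint.ansi_color_bad },
         };
         Beaprint.DictPrint(hostKeys, highlightAll, false, true);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }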
 /// <summary>
 /// Prints the PowerShell settings from Info.SystemInfo.SystemInfo.GetPowerShellSettings(),
 /// highlighting the history file path and history size entries. Exceptions are
 /// printed via Beaprint.PrintException rather than thrown.
 /// </summary>
 static void PrintPSInfo()
 {
     try
     {
         Beaprint.MainPrint("PowerShell Settings");
         Dictionary<string, string> psSettings = Info.SystemInfo.SystemInfo.GetPowerShellSettings();

         var highlights = new Dictionary<string, string>();
         highlights["PS history file: .+"] = Beaprint.ansi_color_bad;
         highlights["PS history size: .+"] = Beaprint.ansi_color_bad;

         Beaprint.DictPrint(psSettings, highlights, false);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
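        /// <summary>
        /// Prints the saved PuTTY sessions returned by Putty.GetPuttySessions(),
        /// highlighting the proxy password, key file, host name and port-forwarding
        /// fields. Errors are reported through Beaprint.PrintException like the other
        /// Print* routines in this file, instead of dumping the whole exception with GrayPrint.
        /// </summary>
        private static void PrintPuttySess()
        {
            try
            {
                Beaprint.MainPrint("Putty Sessions");
                List<Dictionary<string, string>> sessions = Putty.GetPuttySessions();

                Dictionary<string, string> highlights = new Dictionary<string, string>()
                {
                    { "ProxyPassword.*|PublicKeyFile.*|HostName.*|PortForwardings.*", Beaprint.ansi_color_bad },
                };
                Beaprint.DictPrint(sessions, highlights, true, true);
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }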
 /// <summary>
 /// Prints the system-wide environment variables returned by
 /// Info.SystemInfo.SystemInfo.GetSystemEnvVariables(), highlighting values that
 /// match Globals.PrintCredStringsLimited. Exceptions are printed rather than thrown.
 /// </summary>
 static void PrintSystemEV()
 {
     try
     {
         Beaprint.MainPrint("System Environment Variables");
         Beaprint.LinkPrint("", "Check for some passwords or keys in the env variables");

         var highlights = new Dictionary<string, string>();
         highlights.Add(Globals.PrintCredStringsLimited, Beaprint.ansi_color_bad);

         Dictionary<string, string> envVars = Info.SystemInfo.SystemInfo.GetSystemEnvVariables();
         Beaprint.DictPrint(envVars, highlights, false);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
 /// <summary>
 /// Prints the LAPS settings returned by Info.SystemInfo.SystemInfo.GetLapsSettings(),
 /// highlighting values that match the <c>badLAPS</c> pattern (defined elsewhere).
 /// Exceptions are printed via Beaprint.PrintException rather than thrown.
 /// </summary>
 void PrintLAPSInfo()
 {
     try
     {
         Beaprint.MainPrint("LAPS Settings");
         Beaprint.LinkPrint("", "If installed, local administrator password is changed frequently and is restricted by ACL");

         Dictionary<string, string> lapsSettings = Info.SystemInfo.SystemInfo.GetLapsSettings();

         var highlights = new Dictionary<string, string>();
         highlights.Add(badLAPS, Beaprint.ansi_color_bad);

         Beaprint.DictPrint(lapsSettings, highlights, false);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
        /// <summary>
        /// Prints the Windows Vault entries returned by VaultCli.DumpVault(),
        /// highlighting the Identity, Credential and Resource fields. Exceptions
        /// are printed via Beaprint.PrintException rather than thrown.
        /// </summary>
        private static void PrintVaultCreds()
        {
            try
            {
                Beaprint.MainPrint("Checking Windows Vault");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault");

                var vaultEntries = VaultCli.DumpVault();

                var highlights = new Dictionary<string, string>();
                highlights.Add("Identity.*|Credential.*|Resource.*", Beaprint.ansi_color_bad);

                Beaprint.DictPrint(vaultEntries, highlights, true, true);
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
        /// <summary>
        /// Prints the DPAPI credential files found by KnownFileCredsInfo.GetCredFiles()
        /// and, if any were found, points the reader to the linked documentation.
        /// Exceptions are printed via Beaprint.PrintException rather than thrown.
        /// </summary>
        private static void PrintDpapiCredFiles()
        {
            try
            {
                Beaprint.MainPrint("Checking for DPAPI Credential Files");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");

                var credentialFiles = KnownFileCredsInfo.GetCredFiles();
                Beaprint.DictPrint(credentialFiles, false);

                if (credentialFiles.Count == 0)
                {
                    return;
                }

                Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the creds file");
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
        /// <summary>
        /// Prints the Remote Desktop Connection Manager settings files found by
        /// RemoteDesktop.GetRDCManFiles() and, if any were found, points the reader
        /// to the linked documentation. Exceptions are printed rather than thrown.
        /// </summary>
        private static void PrintRCManFiles()
        {
            try
            {
                Beaprint.MainPrint("Checking for RDCMan Settings Files");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager",
                                   "Dump credentials from Remote Desktop Connection Manager");

                var settingsFiles = RemoteDesktop.GetRDCManFiles();
                Beaprint.DictPrint(settingsFiles, false);

                if (settingsFiles.Count == 0)
                {
                    return;
                }

                Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the .rdg file");
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
        /// <summary>
        /// Prints the UAC policy values (EnableLUA, LocalAccountTokenFilterPolicy,
        /// FilterAdministratorToken) returned by Info.SystemInfo.SystemInfo.GetUACSystemPolicies(),
        /// coloured by the <c>badUAC</c>/<c>goodUAC</c> patterns, followed by a one-line
        /// interpretation of the combination. A missing key surfaces as a
        /// KeyNotFoundException, which the catch block prints.
        /// </summary>
        static void PrintUACInfo()
        {
            try
            {
                Beaprint.MainPrint("UAC Status");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
                Dictionary<string, string> uacPolicies = Info.SystemInfo.SystemInfo.GetUACSystemPolicies();

                var highlights = new Dictionary<string, string>();
                highlights.Add(badUAC, Beaprint.ansi_color_bad);
                highlights.Add(goodUAC, Beaprint.ansi_color_good);
                Beaprint.DictPrint(uacPolicies, highlights, false);

                // Lookups are nested exactly as the short-circuit conditions evaluated
                // them, so a key is only touched when its branch is actually reached.
                string enableLua = uacPolicies["EnableLUA"];
                if (enableLua == "" || enableLua == "0")
                {
                    Beaprint.BadPrint("      [*] EnableLUA != 1, UAC policies disabled.\r\n      [+] Any local account can be used for lateral movement.");
                }
                else if (enableLua == "1")
                {
                    string tokenFilterPolicy = uacPolicies["LocalAccountTokenFilterPolicy"];
                    if (tokenFilterPolicy == "1")
                    {
                        Beaprint.BadPrint("      [*] LocalAccountTokenFilterPolicy set to 1.\r\n      [+] Any local account can be used for lateral movement.");
                    }
                    else
                    {
                        string filterAdminToken = uacPolicies["FilterAdministratorToken"];
                        if (filterAdminToken != "1")
                        {
                            Beaprint.GoodPrint("      [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.\r\n      [-] Only the RID-500 local admin account can be used for lateral movement.");
                        }
                        else
                        {
                            Beaprint.GoodPrint("      [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken == 1.\r\n      [-] No local accounts can be used for lateral movement.");
                        }
                    }
                }
                // Any other EnableLUA value is listed in the table but not interpreted.
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
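        /// <summary>
        /// Prints the antivirus information returned by Info.SystemInfo.SystemInfo.GetAVInfo()
        /// and states whether a product was detected (a non-empty "Name" entry).
        /// Exceptions are printed via Beaprint.PrintException rather than thrown.
        /// </summary>
        static void PrintAVInfo()
        {
            try
            {
                Beaprint.MainPrint("AV Information");
                Dictionary<string, string> avInfo = Info.SystemInfo.SystemInfo.GetAVInfo();

                // Single lookup instead of ContainsKey + indexer; also tolerates a null
                // "Name" value, which the previous .Length access would have thrown on.
                string avName;
                bool avDetected = avInfo.TryGetValue("Name", out avName) && !string.IsNullOrEmpty(avName);

                if (avDetected)
                {
                    Beaprint.GoodPrint("    Some AV was detected, search for bypasses");
                }
                else
                {
                    Beaprint.BadPrint("    No AV was detected!!");
                }

                Beaprint.DictPrint(avInfo, true);
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }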
        /// <summary>
        /// Prints the Internet Settings of both the HKCU and HKLM hives, as returned by
        /// Info.SystemInfo.SystemInfo.GetInternetSettings(), highlighting proxy server
        /// entries. Exceptions are printed via Beaprint.PrintException rather than thrown.
        /// </summary>
        static void PrintInetInfo()
        {
            try
            {
                var highlights = new Dictionary<string, string>();
                highlights.Add("ProxyServer.*", Beaprint.ansi_color_bad);

                // Same rendering for both hives; only the source differs.
                Beaprint.MainPrint("HKCU Internet Settings");
                Dictionary<string, string> userSettings = Info.SystemInfo.SystemInfo.GetInternetSettings("HKCU");
                Beaprint.DictPrint(userSettings, highlights, true);

                Beaprint.MainPrint("HKLM Internet Settings");
                Dictionary<string, string> machineSettings = Info.SystemInfo.SystemInfo.GetInternetSettings("HKLM");
                Beaprint.DictPrint(machineSettings, highlights, true);
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
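        /// <summary>
        /// Lists Recycle Bin entries (InterestingFiles.InterestingFiles.GetRecycleBin())
        /// whose "Name" matches one of the credential-file glob patterns: the
        /// <c>patternsFileCreds</c> field plus *password* and *credential*. Each
        /// matching entry is printed once, even when several patterns match it.
        /// Exceptions are printed via Beaprint.PrintException rather than thrown.
        /// </summary>
        void PrintRecycleBin()
        {
            try
            {
                string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*";

                Dictionary<string, string> colorF = new Dictionary<string, string>()
                {
                    { _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad },
                };

                Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
                List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();

                // Compile the patterns once instead of re-splitting and re-converting
                // them for every file. The glob-to-regex conversion is unchanged: only
                // '*' is rewritten to '.*', other metacharacters are left as they are.
                string[] globs = pattern_bin.Split(';');
                Regex[] matchers = new Regex[globs.Length];
                for (int i = 0; i < globs.Length; i++)
                {
                    matchers[i] = new Regex(globs[i].Replace("*", ".*"), RegexOptions.IgnoreCase);
                }

                foreach (Dictionary<string, string> rec_file in recy_files)
                {
                    string fileName = rec_file["Name"];
                    foreach (Regex matcher in matchers)
                    {
                        if (matcher.IsMatch(fileName))
                        {
                            Beaprint.DictPrint(rec_file, colorF, true);
                            System.Console.WriteLine();
                            break; // one report per file, even if several patterns match
                        }
                    }
                }

                if (recy_files.Count == 0)
                {
                    Beaprint.NotFoundPrint();
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }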
        /// <summary>
        /// Prints every cached Group Policy Preferences entry returned by
        /// GPP.GetCachedGPPPassword(), one block per source, highlighting the
        /// cpassword field. Exceptions are printed via Beaprint.PrintException.
        /// </summary>
        void PrintCachedGPPPassword()
        {
            try
            {
                Beaprint.MainPrint("Cached GPP Passwords");

                var highlights = new Dictionary<string, string>();
                highlights.Add("cpassword.*", Beaprint.ansi_color_bad);

                Dictionary<string, Dictionary<string, string>> cachedEntries = GPP.GetCachedGPPPassword();
                foreach (var entry in cachedEntries)
                {
                    Beaprint.BadPrint("    Found " + entry.Key);
                    Beaprint.DictPrint(entry.Value, highlights, true);
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
        /// <summary>
        /// Prints the entries of the <c>modifiableServices</c> field (populated elsewhere).
        /// Rights that allow reconfiguring a service are highlighted as "bad"; rights
        /// that only allow starting/stopping it are highlighted in yellow. Exceptions
        /// are printed via Beaprint.PrintException rather than thrown.
        /// </summary>
        void PrintModifiableServices()
        {
            try
            {
                Beaprint.MainPrint("Modifiable Services");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can modify any service");

                if (modifiableServices.Count == 0)
                {
                    Beaprint.GoodPrint("    You cannot modify any service");
                    return;
                }

                Beaprint.BadPrint("    LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");

                var highlights = new Dictionary<string, string>();

                // Rights that permit modifying the service definition.
                string[] modifyRights =
                {
                    "AllAccess", "ChangeConfig", "WriteDac", "WriteOwner",
                    "AccessSystemSecurity", "GenericAll", "GenericWrite (ChangeConfig)",
                };
                foreach (string right in modifyRights)
                {
                    highlights.Add(right, Beaprint.ansi_color_bad);
                }

                // Rights that only permit starting or stopping the service.
                string[] controlRights = { "GenericExecute (Start/Stop)", "Start", "Stop" };
                foreach (string right in controlRights)
                {
                    highlights.Add(right, Beaprint.ansi_color_yellow);
                }

                Beaprint.DictPrint(modifiableServices, highlights, false, true);
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
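        /// <summary>
        /// Prints the basic OS information from Info.SystemInfo.SystemInfo.GetBasicOSInfo()
        /// (with the "Hotfixes" entry coloured green and values matching Globals.StrTrue
        /// highlighted), then runs Watson.FindVulns(), which prints its own findings.
        /// Exceptions are printed via Beaprint.PrintException rather than thrown.
        /// </summary>
        private static void PrintBasicSystemInfo()
        {
            try
            {
                Beaprint.MainPrint("Basic System Information");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit");
                Dictionary<string, string> basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo();

                // Colour the hotfix list only if the entry exists; the previous
                // unconditional indexer read threw KeyNotFoundException otherwise and
                // skipped the rest of the section, including Watson.FindVulns().
                string hotfixes;
                if (basicDictSystem.TryGetValue("Hotfixes", out hotfixes))
                {
                    basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + hotfixes + Beaprint.NOCOLOR;
                }

                Dictionary<string, string> colorsSI = new Dictionary<string, string>
                {
                    { Globals.StrTrue, Beaprint.ansi_color_bad },
                };
                Beaprint.DictPrint(basicDictSystem, colorsSI, false);
                System.Console.WriteLine();

                // Watson prints its own results. To extend it, add the new CVE checks and
                // wire them into its main function (mind the Beaprint calls inside
                // FindVulns); the Wmi, Vulnerability and VulnerabilityCollection classes
                // normally need no changes.
                Watson.FindVulns();
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }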