void PrintRecentFiles()
{
try
{
Beaprint.MainPrint("Recent files --limit 70--");
List <Dictionary <string, string> > recFiles = KnownFileCredsInfo.GetRecentFiles();
Dictionary <string, string> colorF = new Dictionary <string, string>()
{
{ _patternsFileCredsColor, Beaprint.ansi_color_bad },
};
if (recFiles.Count != 0)
{
foreach (Dictionary <string, string> recF in recFiles.GetRange(0, recFiles.Count <= 70 ? recFiles.Count : 70))
{
Beaprint.AnsiPrint(" " + recF["Target"] + "(" + recF["Accessed"] + ")", colorF);
}
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private void PrintNetShares()
{
try
{
Beaprint.MainPrint("Network Shares");
Dictionary <string, string> colorsN = new Dictionary <string, string>()
{
{ commonShares, Beaprint.ansi_color_good },
{ "Permissions.*", Beaprint.ansi_color_bad }
};
List <Dictionary <string, string> > shares = NetworkInfoHelper.GetNetworkShares("127.0.0.1");
foreach (Dictionary <string, string> share in shares)
{
string line = string.Format(" {0} (" + Beaprint.ansi_color_gray + "Path: {1}" + Beaprint.NOCOLOR + ")", share["Name"], share["Path"]);
if (share["Permissions"].Length > 0)
{
line += " -- Permissions: " + share["Permissions"];
}
Beaprint.AnsiPrint(line, colorsN);
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintRdpSessions()
{
try
{
Beaprint.MainPrint("RDP Sessions");
List <Dictionary <string, string> > rdp_sessions = Info.UserInfo.UserInfoHelper.GetRDPSessions();
if (rdp_sessions.Count > 0)
{
string format = " {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";
string header = string.Format(format, "SessID", "pSessionName", "pUserName", "pDomainName", "State", "SourceIP");
Beaprint.GrayPrint(header);
foreach (Dictionary <string, string> rdpSes in rdp_sessions)
{
Beaprint.AnsiPrint(string.Format(format, rdpSes["SessionID"], rdpSes["pSessionName"], rdpSes["pUserName"], rdpSes["pDomainName"], rdpSes["State"], rdpSes["SourceIP"]), ColorsU());
}
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintWritableRegServices()
{
try
{
Beaprint.MainPrint("Looking if you can modify any service registry");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
List <Dictionary <string, string> > regPerms = ServicesInfoHelper.GetWriteServiceRegs(winPEAS.Checks.Checks.CurrentUserSiDs);
Dictionary <string, string> colorsWR = new Dictionary <string, string>()
{
{ @"\(.*\)", Beaprint.ansi_color_bad },
};
if (regPerms.Count <= 0)
{
Beaprint.GoodPrint(" [-] Looks like you cannot change the registry of any service...");
}
else
{
foreach (Dictionary <string, string> writeServReg in regPerms)
{
Beaprint.AnsiPrint(string.Format(" {0} ({1})", writeServReg["Path"], writeServReg["Permissions"]), colorsWR);
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private void PrintListeningPortsUdpIPv6(Dictionary <int, Process> processesByPid)
{
try
{
Beaprint.ColorPrint(" Enumerating IPv6 connections\n", Beaprint.LBLUE);
string formatString = @"{0,-12} {1,-43} {2,-13} {3,-30} {4,-17} {5}";
Beaprint.NoColorPrint(
string.Format($"{formatString}\n", " Protocol", "Local Address", "Local Port", "Remote Address:Remote Port", "Process ID", "Process Name"));
foreach (var udpConnectionInfo in NetworkInfoHelper.GetUdpConnections(IPVersion.IPv6, processesByPid))
{
Beaprint.AnsiPrint(
string.Format(formatString,
" UDP",
$"[{udpConnectionInfo.LocalAddress}]",
udpConnectionInfo.LocalPort,
"*:*", // UDP does not have remote address/port
udpConnectionInfo.ProcessId,
udpConnectionInfo.ProcessName
),
colorsN);
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private void PrintListeningPortsTcpIPv6(Dictionary <int, Process> processesByPid)
{
try
{
Beaprint.ColorPrint(" Enumerating IPv6 connections\n", Beaprint.LBLUE);
string formatString = @"{0,-12} {1,-43} {2,-13} {3,-43} {4,-15} {5,-17} {6,-15} {7}";
Beaprint.NoColorPrint(
string.Format($"{formatString}\n", " Protocol", "Local Address", "Local Port", "Remote Address", "Remote Port", "State", "Process ID", "Process Name"));
foreach (var tcpConnectionInfo in NetworkInfoHelper.GetTcpConnections(IPVersion.IPv6, processesByPid))
{
Beaprint.AnsiPrint(
string.Format(formatString,
" TCP",
$"[{tcpConnectionInfo.LocalAddress}]",
tcpConnectionInfo.LocalPort,
$"[{tcpConnectionInfo.RemoteAddress}]",
tcpConnectionInfo.RemotePort,
tcpConnectionInfo.State.GetDescription(),
tcpConnectionInfo.ProcessId,
tcpConnectionInfo.ProcessName
),
colorsN);
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintHistFirefox()
{
try
{
Beaprint.MainPrint("Looking for GET credentials in Firefox history");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
List <string> firefoxHist = Firefox.GetFirefoxHistory();
if (firefoxHist.Count > 0)
{
Dictionary <string, string> colorsB = new Dictionary <string, string>()
{
{ Globals.PrintCredStrings, Beaprint.ansi_color_bad },
};
foreach (string url in firefoxHist)
{
if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex))
{
Beaprint.AnsiPrint(" " + url, colorsB);
}
}
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintCU()
{
try
{
Beaprint.MainPrint("Users");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
List <string> usersGrps = User.GetMachineUsers(false, false, false, false, true);
Beaprint.AnsiPrint(" Current user: "******" Current groups: " + string.Join(", ", currentGroupsNames), ColorsU());
Beaprint.PrintLineSeparator();
Beaprint.ListPrint(usersGrps, ColorsU());
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private void PrintSysmonConfiguration()
{
Beaprint.MainPrint("Enumerating Sysmon configuration");
Dictionary <string, string> colors = new Dictionary <string, string>
{
{ SysMon.NotDefined, Beaprint.ansi_color_bad },
{ "False", Beaprint.ansi_color_bad },
};
try
{
if (!MyUtils.IsHighIntegrity())
{
Beaprint.NoColorPrint(" You must be an administrator to run this check");
return;
}
foreach (var item in SysMon.GetSysMonInfos())
{
Beaprint.AnsiPrint($" Installed: {item.Installed}\n" +
$" Hashing Algorithm: {item.HashingAlgorithm.GetDescription()}\n" +
$" Options: {item.Options.GetDescription()}\n" +
$" Rules: {item.Rules}\n",
colors);
Beaprint.PrintLineSeparator();
}
}
catch (Exception)
{
}
}
internal static void PrintInfo()
{
var colors = new Dictionary <string, string>()
{
{ "False", Beaprint.ansi_color_bad },
{ "True", Beaprint.ansi_color_good },
{ NOT_ENABLED, Beaprint.ansi_color_bad },
{ ENABLED_NOT_RUNNING, Beaprint.ansi_color_bad },
{ ENABLED_AND_RUNNING, Beaprint.ansi_color_good },
{ UNDEFINED, Beaprint.ansi_color_bad },
};
try
{
using (var searcher = new ManagementObjectSearcher(@"root\Microsoft\Windows\DeviceGuard", "SELECT * FROM Win32_DeviceGuard"))
{
using (var data = searcher.Get())
{
foreach (var result in data)
{
var configCheck = (int[])result.GetPropertyValue("SecurityServicesConfigured");
var serviceCheck = (int[])result.GetPropertyValue("SecurityServicesRunning");
var configured = false;
var running = false;
uint? vbs = (uint)result.GetPropertyValue("VirtualizationBasedSecurityStatus");
string vbsSettingString = GetVbsSettingString(vbs);
if (configCheck.Contains(1))
{
configured = true;
}
if (serviceCheck.Contains(1))
{
running = true;
}
Beaprint.AnsiPrint($" Virtualization Based Security Status: {vbsSettingString}\n" +
$" Configured: {configured}\n" +
$" Running: {running}",
colors);
}
}
}
}
catch (ManagementException ex) when(ex.ErrorCode == ManagementStatus.InvalidNamespace)
{
Beaprint.PrintException(string.Format(" [X] 'Win32_DeviceGuard' WMI class unavailable", ex.Message));
}
catch (Exception ex)
{
//Beaprint.PrintException(ex.Message);
}
}
private static void PrintDotNetVersions()
{
try
{
Beaprint.MainPrint("Installed .NET versions\n");
var info = DotNet.GetDotNetInfo();
Beaprint.ColorPrint(" CLR Versions", Beaprint.LBLUE);
foreach (var version in info.ClrVersions)
{
Beaprint.NoColorPrint($" {version}");
}
Beaprint.ColorPrint("\n .NET Versions", Beaprint.LBLUE);
foreach (var version in info.DotNetVersions)
{
Beaprint.NoColorPrint($" {version}");
}
var colors = new Dictionary <string, string>
{
{ "True", Beaprint.ansi_color_good },
{ "False", Beaprint.ansi_color_bad },
};
Beaprint.ColorPrint("\n .NET & AMSI (Anti-Malware Scan Interface) support", Beaprint.LBLUE);
Beaprint.AnsiPrint($" .NET version supports AMSI : {info.IsAmsiSupportedByDotNet}\n" +
$" OS supports AMSI : {info.IsAmsiSupportedByOs}",
colors);
var highestVersion = info.HighestVersion;
var lowestVersion = info.LowestVersion;
if ((highestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion) && (highestVersion.Minor >= DotNetInfo.AmsiSupportedByDotNetMinMinorVersion))
{
Beaprint.NoColorPrint($" [!] The highest .NET version is enrolled in AMSI!");
}
if (
info.IsAmsiSupportedByOs &&
info.IsAmsiSupportedByDotNet &&
((
(lowestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion - 1)
) ||
((lowestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion) && (lowestVersion.Minor < DotNetInfo.AmsiSupportedByDotNetMinMinorVersion)))
)
{
Beaprint.NoColorPrint($" [-] You can invoke .NET version {lowestVersion.Major}.{lowestVersion.Minor} to bypass AMSI.");
}
}
catch (Exception e)
{
}
}
private static void GrepResult(CustomFileInfo fileInfo, FileSettings fileSettings)
{
var fileContent = File.ReadLines(fileInfo.FullPath);
var colors = new Dictionary <string, string>();
if ((bool)fileSettings.only_bad_lines)
{
colors.Add(fileSettings.bad_regex, Beaprint.ansi_color_bad);
fileContent = fileContent.Where(l => Regex.IsMatch(l, fileSettings.bad_regex, RegexOptions.IgnoreCase));
}
else
{
string lineGrep = null;
if ((bool)fileSettings.remove_empty_lines)
{
fileContent = fileContent.Where(l => !string.IsNullOrWhiteSpace(l));
}
if (!string.IsNullOrWhiteSpace(fileSettings.remove_regex))
{
var pattern = GetRegexpFromString(fileSettings.remove_regex);
fileContent = fileContent.Where(l => !Regex.IsMatch(l, pattern, RegexOptions.IgnoreCase));
}
if (!string.IsNullOrWhiteSpace(fileSettings.good_regex))
{
colors.Add(fileSettings.good_regex, Beaprint.ansi_color_good);
}
if (!string.IsNullOrWhiteSpace(fileSettings.bad_regex))
{
colors.Add(fileSettings.bad_regex, Beaprint.ansi_color_bad);
}
if (!string.IsNullOrWhiteSpace(fileSettings.line_grep))
{
lineGrep = SanitizeLineGrep(fileSettings.line_grep);
}
fileContent = fileContent.Where(line => (!string.IsNullOrWhiteSpace(fileSettings.good_regex) && Regex.IsMatch(line, fileSettings.good_regex, RegexOptions.IgnoreCase)) ||
(!string.IsNullOrWhiteSpace(fileSettings.bad_regex) && Regex.IsMatch(line, fileSettings.bad_regex, RegexOptions.IgnoreCase)) ||
(!string.IsNullOrWhiteSpace(lineGrep) && Regex.IsMatch(line, lineGrep, RegexOptions.IgnoreCase)));
}
var content = string.Join(Environment.NewLine, fileContent);
Beaprint.AnsiPrint(content, colors);
if (content.Length > 0)
{
Console.WriteLine();
}
}
private static void PrintLocalUsers()
{
try
{
Beaprint.MainPrint("Display information about local users");
var computerName = Environment.GetEnvironmentVariable("COMPUTERNAME");
var localUsers = User.GetLocalUsers(computerName);
var colors = new Dictionary <string, string>
{
{ "Administrator", Beaprint.ansi_color_bad },
{ "Guest", Beaprint.YELLOW },
{ "False", Beaprint.ansi_color_good },
{ "True", Beaprint.ansi_color_bad },
};
foreach (var localUser in localUsers)
{
var enabled = ((localUser.flags >> 1) & 1) == 0;
var pwdLastSet = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
var lastLogon = new DateTime(1970, 1, 1, 0, 0, 0);
if (localUser.passwordAge != 0)
{
pwdLastSet = DateTime.Now.AddSeconds(-localUser.passwordAge);
}
if (localUser.last_logon != 0)
{
lastLogon = lastLogon.AddSeconds(localUser.last_logon).ToLocalTime();
}
Beaprint.AnsiPrint($" Computer Name : {computerName}\n" +
$" User Name : {localUser.name}\n" +
$" User Id : {localUser.user_id}\n" +
$" Is Enabled : {enabled}\n" +
$" User Type : {(UserPrivType)localUser.priv}\n" +
$" Comment : {localUser.comment}\n" +
$" Last Logon : {lastLogon}\n" +
$" Logons Count : {localUser.num_logons}\n" +
$" Password Last Set : {pwdLastSet}\n",
colors);
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
}
}
private void PrintFirewallRules()
{
try
{
Beaprint.MainPrint("Firewall Rules");
Beaprint.LinkPrint("", "Showing only DENY rules (too many ALLOW rules always)");
Dictionary <string, string> colorsN = new Dictionary <string, string>()
{
{ Globals.StrFalse, Beaprint.ansi_color_bad },
{ Globals.StrTrue, Beaprint.ansi_color_good },
};
Beaprint.AnsiPrint(" Current Profiles: " + Firewall.GetFirewallProfiles(), colorsN);
foreach (KeyValuePair <string, string> entry in Firewall.GetFirewallBooleans())
{
Beaprint.AnsiPrint(string.Format(" {0,-23}: {1}", entry.Key, entry.Value), colorsN);
}
Beaprint.GrayPrint(" DENY rules:");
foreach (Dictionary <string, string> rule in Firewall.GetFirewallRules())
{
string filePerms = string.Join(", ", PermissionsHelper.GetPermissionsFile(rule["AppName"], winPEAS.Checks.Checks.CurrentUserSiDs));
string folderPerms = string.Join(", ", PermissionsHelper.GetPermissionsFolder(rule["AppName"], winPEAS.Checks.Checks.CurrentUserSiDs));
string formString = " ({0}){1}[{2}]: {3} {4} {5} from {6} --> {7}";
if (filePerms.Length > 0)
{
formString += "\n File Permissions: {8}";
}
if (folderPerms.Length > 0)
{
formString += "\n Folder Permissions: {9}";
}
formString += "\n {10}";
colorsN = new Dictionary <string, string>
{
{ Globals.StrFalse, Beaprint.ansi_color_bad },
{ Globals.StrTrue, Beaprint.ansi_color_good },
{ "File Permissions.*|Folder Permissions.*", Beaprint.ansi_color_bad },
{ rule["AppName"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+"), (filePerms.Length > 0 || folderPerms.Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
};
Beaprint.AnsiPrint(string.Format(formString, rule["Profiles"], rule["Name"], rule["AppName"], rule["Action"], rule["Protocol"], rule["Direction"], rule["Direction"] == "IN" ? rule["Local"] : rule["Remote"], rule["Direction"] == "IN" ? rule["Remote"] : rule["Local"], filePerms, folderPerms, rule["Description"]), colorsN);
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintUserCredsFiles()
{
try
{
string pattern_color = "[cC][rR][eE][dD][eE][nN][tT][iI][aA][lL]|[pP][aA][sS][sS][wW][oO][rR][dD]";
var validExtensions = new HashSet <string>
{
".cnf",
".conf",
".doc",
".docx",
".json",
".xlsx",
".xml",
".yaml",
".yml",
".txt",
};
var colorF = new Dictionary <string, string>()
{
{ pattern_color, Beaprint.ansi_color_bad },
};
Beaprint.MainPrint("Looking for possible password files in users homes");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
var fileInfos = SearchHelper.SearchUserCredsFiles();
foreach (var fileInfo in fileInfos)
{
if (!fileInfo.Filename.Contains("."))
{
Beaprint.AnsiPrint(" " + fileInfo.FullPath, colorF);
}
else
{
string extLower = fileInfo.Extension.ToLower();
if (validExtensions.Contains(extLower))
{
Beaprint.AnsiPrint(" " + fileInfo.FullPath, colorF);
}
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static bool ProcessResult(
CustomFileInfo fileInfo,
Helpers.YamlConfig.YamlConfig.SearchParameters.FileSettings fileSettings,
ref int resultsCount)
{
// print depending on the options here
resultsCount++;
if (resultsCount > ListFileLimit)
{
return(false);
}
if (fileSettings.type == "f")
{
var colors = new Dictionary <string, string>();
colors.Add(fileInfo.Filename, Beaprint.ansi_color_bad);
Beaprint.AnsiPrint($"File: {fileInfo.FullPath}", colors);
if (!(bool)fileSettings.just_list_file)
{
GrepResult(fileInfo, fileSettings);
}
}
else if (fileSettings.type == "d")
{
var colors = new Dictionary <string, string>();
colors.Add(fileInfo.Filename, Beaprint.ansi_color_bad);
Beaprint.AnsiPrint($"Folder: {fileInfo.FullPath}", colors);
// just list the directory
if ((bool)fileSettings.just_list_file)
{
string[] files = Directory.GetFiles(fileInfo.FullPath, "*", SearchOption.TopDirectoryOnly);
foreach (var file in files)
{
Beaprint.BadPrint($" {file}");
}
}
else
{
// should not happen
}
}
return(true);
}
void PrintScheduled()
{
try
{
Beaprint.MainPrint("Scheduled Applications --Non Microsoft--");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries");
List <Dictionary <string, string> > scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft();
foreach (Dictionary <string, string> sapp in scheduled_apps)
{
List <string> fileRights = PermissionsHelper.GetPermissionsFile(sapp["Action"], winPEAS.Checks.Checks.CurrentUserSiDs);
List <string> dirRights = PermissionsHelper.GetPermissionsFolder(sapp["Action"], winPEAS.Checks.Checks.CurrentUserSiDs);
string formString = " ({0}) {1}: {2}";
if (fileRights.Count > 0)
{
formString += "\n Permissions file: {3}";
}
if (dirRights.Count > 0)
{
formString += "\n Permissions folder(DLL Hijacking): {4}";
}
if (!string.IsNullOrEmpty(sapp["Trigger"]))
{
formString += "\n Trigger: {5}";
}
if (string.IsNullOrEmpty(sapp["Description"]))
{
formString += "\n {6}";
}
Dictionary <string, string> colorsS = new Dictionary <string, string>()
{
{ "Permissions.*", Beaprint.ansi_color_bad },
{ sapp["Action"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+"), (fileRights.Count > 0 || dirRights.Count > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
};
Beaprint.AnsiPrint(string.Format(formString, sapp["Author"], sapp["Name"], sapp["Action"], string.Join(", ", fileRights), string.Join(", ", dirRights), sapp["Trigger"], sapp["Description"]), colorsS);
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintDeviceDrivers()
{
try
{
Beaprint.MainPrint("Device Drivers --Non Microsoft--");
// this link is not very specific, but its the best on hacktricks
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
{
string pathDriver = driver.Key;
List <string> fileRights = PermissionsHelper.GetPermissionsFile(pathDriver, winPEAS.Checks.Checks.CurrentUserSiDs);
List <string> dirRights = PermissionsHelper.GetPermissionsFolder(pathDriver, winPEAS.Checks.Checks.CurrentUserSiDs);
Dictionary <string, string> colorsD = new Dictionary <string, string>()
{
{ "Permissions.*", Beaprint.ansi_color_bad },
{ "Capcom.sys", Beaprint.ansi_color_bad },
{ pathDriver.Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+"), (fileRights.Count > 0 || dirRights.Count > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
};
string formString = " {0} - {1} [{2}]: {3}";
if (fileRights.Count > 0)
{
formString += "\n Permissions file: {4}";
}
if (dirRights.Count > 0)
{
formString += "\n Permissions folder(DLL Hijacking): {5}";
}
Beaprint.AnsiPrint(string.Format(formString, driver.Value.ProductName, driver.Value.ProductVersion, driver.Value.CompanyName, pathDriver, string.Join(", ", fileRights), string.Join(", ", dirRights)), colorsD);
//If vuln, end with separator
if ((fileRights.Count > 0) || (dirRights.Count > 0))
{
Beaprint.PrintLineSeparator();
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintCredentialManager()
{
try
{
Beaprint.MainPrint("Checking Credential manager");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault");
var colorsC = new Dictionary <string, string>()
{
{ "Warning:", Beaprint.YELLOW },
};
Beaprint.AnsiPrint(" [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string\n\n", colorsC);
var keywords = new HashSet <string>
{
nameof(Credential.Password),
nameof(Credential.Username),
nameof(Credential.Target),
nameof(Credential.PersistenceType),
nameof(Credential.LastWriteTime),
};
colorsC = new Dictionary <string, string>()
{
{ CredentialManager.UnicodeInfoText, Beaprint.LBLUE }
};
foreach (var keyword in keywords)
{
colorsC.Add($"{keyword}:", Beaprint.ansi_color_bad);
}
var credentials = CredentialManager.GetCredentials();
foreach (var credential in credentials)
{
Beaprint.AnsiPrint(credential, colorsC);
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
static void PrintDrivesInfo()
{
try
{
Beaprint.MainPrint("Drives Information");
Beaprint.LinkPrint("", "Remember that you should search more info inside the other drives");
Dictionary <string, string> colorsSI = new Dictionary <string, string>()
{
{ "Permissions.*", Beaprint.ansi_color_bad }
};
foreach (Dictionary <string, string> drive in Info.SystemInfo.SystemInfo.GetDrivesInfo())
{
string drive_permissions = string.Join(", ", PermissionsHelper.GetPermissionsFolder(drive["Name"], Checks.CurrentUserSiDs));
string dToPrint = string.Format(" {0} (Type: {1})", drive["Name"], drive["Type"]);
if (!string.IsNullOrEmpty(drive["Volume label"]))
{
dToPrint += "(Volume label: " + drive["Volume label"] + ")";
}
if (!string.IsNullOrEmpty(drive["Filesystem"]))
{
dToPrint += "(Filesystem: " + drive["Filesystem"] + ")";
}
if (!string.IsNullOrEmpty(drive["Available space"]))
{
dToPrint += "(Available space: " + (((Int64.Parse(drive["Available space"]) / 1024) / 1024) / 1024).ToString() + " GB)";
}
if (drive_permissions.Length > 0)
{
dToPrint += "(Permissions: " + drive_permissions + ")";
}
Beaprint.AnsiPrint(dToPrint, colorsSI);
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintUsersInterestingFiles()
{
try
{
var colorF = new Dictionary <string, string>
{
{ _patternsFileCredsColor, Beaprint.ansi_color_bad },
};
Beaprint.MainPrint("Searching known files that can contain creds in home");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
var files = SearchHelper.SearchUsersInterestingFiles();
Beaprint.AnsiPrint(" " + string.Join("\n ", files), colorF);
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintHistBookChrome()
{
try
{
Beaprint.MainPrint("Looking for GET credentials in Chrome history");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
Dictionary <string, List <string> > chromeHistBook = Chrome.GetChromeHistBook();
List <string> history = chromeHistBook["history"];
List <string> bookmarks = chromeHistBook["bookmarks"];
if (history.Count > 0)
{
Dictionary <string, string> colorsB = new Dictionary <string, string>()
{
{ Globals.PrintCredStrings, Beaprint.ansi_color_bad },
};
foreach (string url in history)
{
if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex))
{
Beaprint.AnsiPrint(" " + url, colorsB);
}
}
Console.WriteLine();
}
else
{
Beaprint.NotFoundPrint();
}
Beaprint.MainPrint("Chrome bookmarks");
Beaprint.ListPrint(bookmarks);
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintAutoLogin()
{
try
{
Beaprint.MainPrint("Looking for AutoLogon credentials");
bool ban = false;
Dictionary <string, string> autologon = UserInfoHelper.GetAutoLogon();
if (autologon.Count > 0)
{
foreach (KeyValuePair <string, string> entry in autologon)
{
if (!string.IsNullOrEmpty(entry.Value))
{
if (!ban)
{
Beaprint.BadPrint(" Some AutoLogon credentials were found");
ban = true;
}
Beaprint.AnsiPrint(string.Format(" {0,-30}: {1}", entry.Key, entry.Value), ColorsU());
}
}
if (!ban)
{
Beaprint.NotFoundPrint();
}
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintHistFavIE()
{
try
{
Beaprint.MainPrint("Looking for GET credentials in IE history");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
Dictionary <string, List <string> > chromeHistBook = InternetExplorer.GetIEHistFav();
List <string> history = chromeHistBook["history"];
List <string> favorites = chromeHistBook["favorites"];
if (history.Count > 0)
{
Dictionary <string, string> colorsB = new Dictionary <string, string>()
{
{ Globals.PrintCredStrings, Beaprint.ansi_color_bad },
};
foreach (string url in history)
{
if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex))
{
Beaprint.AnsiPrint(" " + url, colorsB);
}
}
Console.WriteLine();
}
Beaprint.MainPrint("IE favorites");
Beaprint.ListPrint(favorites);
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintAutoRuns()
{
try
{
Beaprint.MainPrint("Autorun Applications");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
List <Dictionary <string, string> > apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs);
foreach (Dictionary <string, string> app in apps)
{
var colorsA = new Dictionary <string, string>
{
{ "FolderPerms:.*", Beaprint.ansi_color_bad },
{ "FilePerms:.*", Beaprint.ansi_color_bad },
{ "(Unquoted and Space detected)", Beaprint.ansi_color_bad },
{ "(PATH Injection)", Beaprint.ansi_color_bad },
{ "RegPerms: .*", Beaprint.ansi_color_bad },
{ (app["Folder"].Length > 0) ? app["Folder"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "ouigyevb2uivydi2u3id2ddf3", !string.IsNullOrEmpty(app["interestingFolderRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["File"].Length > 0) ? app["File"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "adu8v298hfubibuidiy2422r", !string.IsNullOrEmpty(app["interestingFileRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["Reg"].Length > 0) ? app["Reg"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "o8a7eduia37ibduaunbf7a4g7ukdhk4ua", (app["RegPermissions"].Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
};
string line = "";
if (!string.IsNullOrEmpty(app["Reg"]))
{
line += "\n RegPath: " + app["Reg"];
}
if (app["RegPermissions"].Length > 0)
{
line += "\n RegPerms: " + app["RegPermissions"];
}
if (!string.IsNullOrEmpty(app["RegKey"]))
{
line += "\n Key: " + app["RegKey"];
}
if (!string.IsNullOrEmpty(app["Folder"]))
{
line += "\n Folder: " + app["Folder"];
}
else
{
if (!string.IsNullOrEmpty(app["Reg"]))
{
line += "\n Folder: None (PATH Injection)";
}
}
if (!string.IsNullOrEmpty(app["interestingFolderRights"]))
{
line += "\n FolderPerms: " + app["interestingFolderRights"];
}
string filepath_mod = app["File"].Replace("\"", "").Replace("'", "");
if (!string.IsNullOrEmpty(app["File"]))
{
line += "\n File: " + filepath_mod;
}
if (app["isUnquotedSpaced"].ToLower() == "true")
{
line += " (Unquoted and Space detected)";
}
if (!string.IsNullOrEmpty(app["interestingFileRights"]))
{
line += "\n FilePerms: " + app["interestingFileRights"];
}
Beaprint.AnsiPrint(line, colorsA);
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintInterestingServices()
{
try
{
Beaprint.MainPrint("Interesting Services -non Microsoft-");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
List <Dictionary <string, string> > services_info = ServicesInfoHelper.GetNonstandardServices();
if (services_info.Count < 1)
{
services_info = ServicesInfoHelper.GetNonstandardServicesFromReg();
}
foreach (Dictionary <string, string> serviceInfo in services_info)
{
List <string> fileRights = PermissionsHelper.GetPermissionsFile(serviceInfo["FilteredPath"], winPEAS.Checks.Checks.CurrentUserSiDs);
List <string> dirRights = new List <string>();
if (serviceInfo["FilteredPath"] != null && serviceInfo["FilteredPath"] != "")
{
dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(serviceInfo["FilteredPath"]), winPEAS.Checks.Checks.CurrentUserSiDs);
}
bool noQuotesAndSpace = MyUtils.CheckQuoteAndSpace(serviceInfo["PathName"]);
string formString = " {0}(";
if (serviceInfo["CompanyName"] != null && serviceInfo["CompanyName"].Length > 1)
{
formString += "{1} - ";
}
if (serviceInfo["DisplayName"].Length > 1)
{
formString += "{2}";
}
formString += ")";
if (serviceInfo["PathName"].Length > 1)
{
formString += "[{3}]";
}
if (serviceInfo["StartMode"].Length > 1)
{
formString += " - {4}";
}
if (serviceInfo["State"].Length > 1)
{
formString += " - {5}";
}
if (serviceInfo["isDotNet"].Length > 1)
{
formString += " - {6}";
}
if (noQuotesAndSpace)
{
formString += " - {7}";
}
if (modifiableServices.ContainsKey(serviceInfo["Name"]))
{
if (modifiableServices[serviceInfo["Name"]] == "Start")
{
formString += "\n You can START this service";
}
else
{
formString += "\n YOU CAN MODIFY THIS SERVICE: " + modifiableServices[serviceInfo["Name"]];
}
}
if (fileRights.Count > 0)
{
formString += "\n File Permissions: {8}";
}
if (dirRights.Count > 0)
{
formString += "\n Possible DLL Hijacking in binary folder: {9} ({10})";
}
if (serviceInfo["Description"].Length > 1)
{
formString += "\n " + Beaprint.ansi_color_gray + "{11}";
}
{
Dictionary <string, string> colorsS = new Dictionary <string, string>()
{
{ "File Permissions:.*", Beaprint.ansi_color_bad },
{ "Possible DLL Hijacking.*", Beaprint.ansi_color_bad },
{ "No quotes and Space detected", Beaprint.ansi_color_bad },
{ "YOU CAN MODIFY THIS SERVICE:.*", Beaprint.ansi_color_bad },
{ " START ", Beaprint.ansi_color_bad },
{ serviceInfo["PathName"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+"), (fileRights.Count > 0 || dirRights.Count > 0 || noQuotesAndSpace) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
};
Beaprint.AnsiPrint(string.Format(formString, serviceInfo["Name"], serviceInfo["CompanyName"], serviceInfo["DisplayName"], serviceInfo["PathName"], serviceInfo["StartMode"], serviceInfo["State"], serviceInfo["isDotNet"], "No quotes and Space detected", string.Join(", ", fileRights), dirRights.Count > 0 ? Path.GetDirectoryName(serviceInfo["FilteredPath"]) : "", string.Join(", ", dirRights), serviceInfo["Description"]), colorsS);
}
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintWSLDistributions()
{
Beaprint.MainPrint("Looking for Linux shells/distributions - wsl.exe, bash.exe");
List <string> linuxShells = InterestingFiles.InterestingFiles.GetLinuxShells();
string hive = "HKCU";
string basePath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss";
const string linpeas = "linpeas.sh";
if (linuxShells.Any())
{
foreach (string path in linuxShells)
{
Beaprint.BadPrint(" " + path);
}
Beaprint.BadPrint("");
try
{
var wslKeys = RegistryHelper.GetRegSubkeys(hive, basePath);
if (wslKeys.Any())
{
const string distribution = "Distribution";
const string rootDirectory = "Root directory";
const string runWith = "Run command";
var colors = new Dictionary <string, string>();
new List <string>
{
linpeas,
distribution,
rootDirectory,
runWith
}.ForEach(str => colors.Add(str, Beaprint.ansi_color_bad));
Beaprint.BadPrint(" Found installed WSL distribution(s) - listed below");
Beaprint.AnsiPrint($" Run {linpeas} in your WSL distribution(s) home folder(s).\n", colors);
foreach (var wslKey in wslKeys)
{
try
{
string distributionSubKey = $"{basePath}\\{wslKey}";
string distributionRootDirectory = $"{RegistryHelper.GetRegValue(hive, distributionSubKey, "BasePath")}\\rootfs";
string distributionName = RegistryHelper.GetRegValue(hive, distributionSubKey, "DistributionName");
Beaprint.AnsiPrint($" {distribution}: \"{distributionName}\"\n" +
$" {rootDirectory}: \"{distributionRootDirectory}\"\n" +
$" {runWith}: wsl.exe --distribution \"{distributionName}\"",
colors);
Beaprint.PrintLineSeparator();
}
catch (Exception) { }
}
// try to run linpeas.sh in the default distribution
Beaprint.ColorPrint($" Running {linpeas} in the default distribution\n" +
$" Using linpeas.sh URL: {Checks.LinpeasUrl}", Beaprint.LBLUE);
if (Checks.IsLinpeas)
{
try
{
WSL.RunLinpeas(Checks.LinpeasUrl);
}
catch (Exception ex)
{
Beaprint.PrintException($" Unable to run linpeas.sh: {ex.Message}");
}
}
else
{
Beaprint.ColorPrint(" [!] Check skipped, if you want to run it, please specify '-linpeas=[url]' argument", Beaprint.YELLOW);
}
}
else
{
Beaprint.GoodPrint(" WSL - no installed Linux distributions found.");
}
}
catch (Exception) { }
}
}
void PrintInterestingProcesses()
{
try
{
Beaprint.MainPrint("Interesting Processes -non Microsoft-");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
List <Dictionary <string, string> > processesInfo = ProcessesInfo.GetProcInfo();
foreach (Dictionary <string, string> procInfo in processesInfo)
{
Dictionary <string, string> colorsP = new Dictionary <string, string>()
{
{ " " + Checks.CurrentUserName, Beaprint.ansi_current_user },
{ "Permissions:.*", Beaprint.ansi_color_bad },
{ "Possible DLL Hijacking.*", Beaprint.ansi_color_bad },
};
if (DefensiveProcesses.Definitions.ContainsKey(procInfo["Name"]))
{
if (!string.IsNullOrEmpty(DefensiveProcesses.Definitions[procInfo["Name"]]))
{
procInfo["Product"] = DefensiveProcesses.Definitions[procInfo["Name"]];
}
colorsP[procInfo["Product"]] = Beaprint.ansi_color_good;
}
else if (InterestingProcesses.Definitions.ContainsKey(procInfo["Name"]))
{
if (!string.IsNullOrEmpty(InterestingProcesses.Definitions[procInfo["Name"]]))
{
procInfo["Product"] = InterestingProcesses.Definitions[procInfo["Name"]];
}
colorsP[procInfo["Product"]] = Beaprint.ansi_color_bad;
}
List <string> fileRights = PermissionsHelper.GetPermissionsFile(procInfo["ExecutablePath"], Checks.CurrentUserSiDs);
List <string> dirRights = new List <string>();
if (procInfo["ExecutablePath"] != null && procInfo["ExecutablePath"] != "")
{
dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(procInfo["ExecutablePath"]), Checks.CurrentUserSiDs);
}
colorsP[procInfo["ExecutablePath"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") + "[^\"^']"] = (fileRights.Count > 0 || dirRights.Count > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good;
string formString = " {0}({1})[{2}]";
if (procInfo["Product"] != null && procInfo["Product"].Length > 1)
{
formString += ": {3}";
}
if (procInfo["Owner"].Length > 1)
{
formString += " -- POwn: {4}";
}
if (procInfo["isDotNet"].Length > 1)
{
formString += " -- {5}";
}
if (fileRights.Count > 0)
{
formString += "\n Permissions: {6}";
}
if (dirRights.Count > 0)
{
formString += "\n Possible DLL Hijacking folder: {7} ({8})";
}
if (procInfo["CommandLine"].Length > 1)
{
formString += "\n " + Beaprint.ansi_color_gray + "Command Line: {9}";
}
Beaprint.AnsiPrint(string.Format(formString, procInfo["Name"], procInfo["ProcessID"], procInfo["ExecutablePath"], procInfo["Product"], procInfo["Owner"], procInfo["isDotNet"], string.Join(", ", fileRights), dirRights.Count > 0 ? Path.GetDirectoryName(procInfo["ExecutablePath"]) : "", string.Join(", ", dirRights), procInfo["CommandLine"]), colorsP);
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(ex.Message);
}
}
private static void PrintNtlmSettings()
{
Beaprint.MainPrint($"Enumerating NTLM Settings");
try
{
var info = Ntlm.GetNtlmSettingsInfo();
string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel >= 3 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
Beaprint.ColorPrint($" LanmanCompatibilityLevel : {info.LanmanCompatibilityLevel} ({info.LanmanCompatibilityLevelString})\n", lmCompatibilityLevelColor);
var ntlmSettingsColors = new Dictionary <string, string>
{
{ "True", Beaprint.ansi_color_good },
{ "False", Beaprint.ansi_color_bad },
{ "No signing", Beaprint.ansi_color_bad },
{ "null", Beaprint.ansi_color_bad },
{ "Require Signing", Beaprint.ansi_color_good },
{ "Negotiate signing", Beaprint.ansi_color_yellow },
{ "Unknown", Beaprint.ansi_color_bad },
};
Beaprint.ColorPrint("\n NTLM Signing Settings", Beaprint.LBLUE);
Beaprint.AnsiPrint($" ClientRequireSigning : {info.ClientRequireSigning}\n" +
$" ClientNegotiateSigning : {info.ClientNegotiateSigning}\n" +
$" ServerRequireSigning : {info.ServerRequireSigning}\n" +
$" ServerNegotiateSigning : {info.ServerNegotiateSigning}\n" +
$" LdapSigning : {(info.LdapSigning != null ? info.LdapSigningString : "null")} ({info.LdapSigningString})",
ntlmSettingsColors);
Beaprint.ColorPrint("\n Session Security", Beaprint.LBLUE);
if (info.NTLMMinClientSec != null)
{
var clientSessionSecurity = (SessionSecurity)info.NTLMMinClientSec;
var clientSessionSecurityDescription = clientSessionSecurity.GetDescription();
var color = !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !clientSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ?
Beaprint.ansi_color_bad :
Beaprint.ansi_color_good;
Beaprint.ColorPrint($" NTLMMinClientSec : {info.NTLMMinClientSec} ({clientSessionSecurityDescription})", color);
if (info.LanmanCompatibilityLevel < 3 && !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2))
{
Beaprint.BadPrint(" [!] NTLM clients support NTLMv1!");
}
}
if (info.NTLMMinServerSec != null)
{
var serverSessionSecurity = (SessionSecurity)info.NTLMMinServerSec;
var serverSessionSecurityDescription = serverSessionSecurity.GetDescription();
var color = !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !serverSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ?
Beaprint.ansi_color_bad :
Beaprint.ansi_color_good;
Beaprint.ColorPrint($" NTLMMinServerSec : {info.NTLMMinServerSec} ({serverSessionSecurityDescription})\n", color);
if (info.LanmanCompatibilityLevel < 3 && !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2))
{
Beaprint.BadPrint(" [!] NTLM services on this machine support NTLMv1!");
}
}
var ntlmOutboundRestrictionsColor = info.OutboundRestrictions == 2 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
Beaprint.ColorPrint("\n NTLM Auditing and Restrictions", Beaprint.LBLUE);
Beaprint.NoColorPrint($" InboundRestrictions : {info.InboundRestrictions} ({info.InboundRestrictionsString})");
Beaprint.ColorPrint($" OutboundRestrictions : {info.OutboundRestrictions} ({info.OutboundRestrictionsString})", ntlmOutboundRestrictionsColor);
Beaprint.NoColorPrint($" InboundAuditing : {info.InboundAuditing} ({info.InboundRestrictionsString})");
Beaprint.NoColorPrint($" OutboundExceptions : {info.OutboundExceptions}");
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
