void PrintRecentFiles() { try { Beaprint.MainPrint("Recent files --limit 70--"); List <Dictionary <string, string> > recFiles = KnownFileCredsInfo.GetRecentFiles(); Dictionary <string, string> colorF = new Dictionary <string, string>() { { _patternsFileCredsColor, Beaprint.ansi_color_bad }, }; if (recFiles.Count != 0) { foreach (Dictionary <string, string> recF in recFiles.GetRange(0, recFiles.Count <= 70 ? recFiles.Count : 70)) { Beaprint.AnsiPrint(" " + recF["Target"] + "(" + recF["Accessed"] + ")", colorF); } } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private void PrintNetShares() { try { Beaprint.MainPrint("Network Shares"); Dictionary <string, string> colorsN = new Dictionary <string, string>() { { commonShares, Beaprint.ansi_color_good }, { "Permissions.*", Beaprint.ansi_color_bad } }; List <Dictionary <string, string> > shares = NetworkInfoHelper.GetNetworkShares("127.0.0.1"); foreach (Dictionary <string, string> share in shares) { string line = string.Format(" {0} (" + Beaprint.ansi_color_gray + "Path: {1}" + Beaprint.NOCOLOR + ")", share["Name"], share["Path"]); if (share["Permissions"].Length > 0) { line += " -- Permissions: " + share["Permissions"]; } Beaprint.AnsiPrint(line, colorsN); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintRdpSessions() { try { Beaprint.MainPrint("RDP Sessions"); List <Dictionary <string, string> > rdp_sessions = Info.UserInfo.UserInfoHelper.GetRDPSessions(); if (rdp_sessions.Count > 0) { string format = " {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}"; string header = string.Format(format, "SessID", "pSessionName", "pUserName", "pDomainName", "State", "SourceIP"); Beaprint.GrayPrint(header); foreach (Dictionary <string, string> rdpSes in rdp_sessions) { Beaprint.AnsiPrint(string.Format(format, rdpSes["SessionID"], rdpSes["pSessionName"], rdpSes["pUserName"], rdpSes["pDomainName"], rdpSes["State"], rdpSes["SourceIP"]), ColorsU()); } } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintWritableRegServices() { try { Beaprint.MainPrint("Looking if you can modify any service registry"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service"); List <Dictionary <string, string> > regPerms = ServicesInfoHelper.GetWriteServiceRegs(winPEAS.Checks.Checks.CurrentUserSiDs); Dictionary <string, string> colorsWR = new Dictionary <string, string>() { { @"\(.*\)", Beaprint.ansi_color_bad }, }; if (regPerms.Count <= 0) { Beaprint.GoodPrint(" [-] Looks like you cannot change the registry of any service..."); } else { foreach (Dictionary <string, string> writeServReg in regPerms) { Beaprint.AnsiPrint(string.Format(" {0} ({1})", writeServReg["Path"], writeServReg["Permissions"]), colorsWR); } } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private void PrintListeningPortsUdpIPv6(Dictionary <int, Process> processesByPid) { try { Beaprint.ColorPrint(" Enumerating IPv6 connections\n", Beaprint.LBLUE); string formatString = @"{0,-12} {1,-43} {2,-13} {3,-30} {4,-17} {5}"; Beaprint.NoColorPrint( string.Format($"{formatString}\n", " Protocol", "Local Address", "Local Port", "Remote Address:Remote Port", "Process ID", "Process Name")); foreach (var udpConnectionInfo in NetworkInfoHelper.GetUdpConnections(IPVersion.IPv6, processesByPid)) { Beaprint.AnsiPrint( string.Format(formatString, " UDP", $"[{udpConnectionInfo.LocalAddress}]", udpConnectionInfo.LocalPort, "*:*", // UDP does not have remote address/port udpConnectionInfo.ProcessId, udpConnectionInfo.ProcessName ), colorsN); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private void PrintListeningPortsTcpIPv6(Dictionary <int, Process> processesByPid) { try { Beaprint.ColorPrint(" Enumerating IPv6 connections\n", Beaprint.LBLUE); string formatString = @"{0,-12} {1,-43} {2,-13} {3,-43} {4,-15} {5,-17} {6,-15} {7}"; Beaprint.NoColorPrint( string.Format($"{formatString}\n", " Protocol", "Local Address", "Local Port", "Remote Address", "Remote Port", "State", "Process ID", "Process Name")); foreach (var tcpConnectionInfo in NetworkInfoHelper.GetTcpConnections(IPVersion.IPv6, processesByPid)) { Beaprint.AnsiPrint( string.Format(formatString, " TCP", $"[{tcpConnectionInfo.LocalAddress}]", tcpConnectionInfo.LocalPort, $"[{tcpConnectionInfo.RemoteAddress}]", tcpConnectionInfo.RemotePort, tcpConnectionInfo.State.GetDescription(), tcpConnectionInfo.ProcessId, tcpConnectionInfo.ProcessName ), colorsN); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintHistFirefox() { try { Beaprint.MainPrint("Looking for GET credentials in Firefox history"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); List <string> firefoxHist = Firefox.GetFirefoxHistory(); if (firefoxHist.Count > 0) { Dictionary <string, string> colorsB = new Dictionary <string, string>() { { Globals.PrintCredStrings, Beaprint.ansi_color_bad }, }; foreach (string url in firefoxHist) { if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex)) { Beaprint.AnsiPrint(" " + url, colorsB); } } } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintCU() { try { Beaprint.MainPrint("Users"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges"); List <string> usersGrps = User.GetMachineUsers(false, false, false, false, true); Beaprint.AnsiPrint(" Current user: "******" Current groups: " + string.Join(", ", currentGroupsNames), ColorsU()); Beaprint.PrintLineSeparator(); Beaprint.ListPrint(usersGrps, ColorsU()); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private void PrintSysmonConfiguration() { Beaprint.MainPrint("Enumerating Sysmon configuration"); Dictionary <string, string> colors = new Dictionary <string, string> { { SysMon.NotDefined, Beaprint.ansi_color_bad }, { "False", Beaprint.ansi_color_bad }, }; try { if (!MyUtils.IsHighIntegrity()) { Beaprint.NoColorPrint(" You must be an administrator to run this check"); return; } foreach (var item in SysMon.GetSysMonInfos()) { Beaprint.AnsiPrint($" Installed: {item.Installed}\n" + $" Hashing Algorithm: {item.HashingAlgorithm.GetDescription()}\n" + $" Options: {item.Options.GetDescription()}\n" + $" Rules: {item.Rules}\n", colors); Beaprint.PrintLineSeparator(); } } catch (Exception) { } }
internal static void PrintInfo() { var colors = new Dictionary <string, string>() { { "False", Beaprint.ansi_color_bad }, { "True", Beaprint.ansi_color_good }, { NOT_ENABLED, Beaprint.ansi_color_bad }, { ENABLED_NOT_RUNNING, Beaprint.ansi_color_bad }, { ENABLED_AND_RUNNING, Beaprint.ansi_color_good }, { UNDEFINED, Beaprint.ansi_color_bad }, }; try { using (var searcher = new ManagementObjectSearcher(@"root\Microsoft\Windows\DeviceGuard", "SELECT * FROM Win32_DeviceGuard")) { using (var data = searcher.Get()) { foreach (var result in data) { var configCheck = (int[])result.GetPropertyValue("SecurityServicesConfigured"); var serviceCheck = (int[])result.GetPropertyValue("SecurityServicesRunning"); var configured = false; var running = false; uint? vbs = (uint)result.GetPropertyValue("VirtualizationBasedSecurityStatus"); string vbsSettingString = GetVbsSettingString(vbs); if (configCheck.Contains(1)) { configured = true; } if (serviceCheck.Contains(1)) { running = true; } Beaprint.AnsiPrint($" Virtualization Based Security Status: {vbsSettingString}\n" + $" Configured: {configured}\n" + $" Running: {running}", colors); } } } } catch (ManagementException ex) when(ex.ErrorCode == ManagementStatus.InvalidNamespace) { Beaprint.PrintException(string.Format(" [X] 'Win32_DeviceGuard' WMI class unavailable", ex.Message)); } catch (Exception ex) { //Beaprint.PrintException(ex.Message); } }
private static void PrintDotNetVersions() { try { Beaprint.MainPrint("Installed .NET versions\n"); var info = DotNet.GetDotNetInfo(); Beaprint.ColorPrint(" CLR Versions", Beaprint.LBLUE); foreach (var version in info.ClrVersions) { Beaprint.NoColorPrint($" {version}"); } Beaprint.ColorPrint("\n .NET Versions", Beaprint.LBLUE); foreach (var version in info.DotNetVersions) { Beaprint.NoColorPrint($" {version}"); } var colors = new Dictionary <string, string> { { "True", Beaprint.ansi_color_good }, { "False", Beaprint.ansi_color_bad }, }; Beaprint.ColorPrint("\n .NET & AMSI (Anti-Malware Scan Interface) support", Beaprint.LBLUE); Beaprint.AnsiPrint($" .NET version supports AMSI : {info.IsAmsiSupportedByDotNet}\n" + $" OS supports AMSI : {info.IsAmsiSupportedByOs}", colors); var highestVersion = info.HighestVersion; var lowestVersion = info.LowestVersion; if ((highestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion) && (highestVersion.Minor >= DotNetInfo.AmsiSupportedByDotNetMinMinorVersion)) { Beaprint.NoColorPrint($" [!] The highest .NET version is enrolled in AMSI!"); } if ( info.IsAmsiSupportedByOs && info.IsAmsiSupportedByDotNet && (( (lowestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion - 1) ) || ((lowestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion) && (lowestVersion.Minor < DotNetInfo.AmsiSupportedByDotNetMinMinorVersion))) ) { Beaprint.NoColorPrint($" [-] You can invoke .NET version {lowestVersion.Major}.{lowestVersion.Minor} to bypass AMSI."); } } catch (Exception e) { } }
private static void GrepResult(CustomFileInfo fileInfo, FileSettings fileSettings) { var fileContent = File.ReadLines(fileInfo.FullPath); var colors = new Dictionary <string, string>(); if ((bool)fileSettings.only_bad_lines) { colors.Add(fileSettings.bad_regex, Beaprint.ansi_color_bad); fileContent = fileContent.Where(l => Regex.IsMatch(l, fileSettings.bad_regex, RegexOptions.IgnoreCase)); } else { string lineGrep = null; if ((bool)fileSettings.remove_empty_lines) { fileContent = fileContent.Where(l => !string.IsNullOrWhiteSpace(l)); } if (!string.IsNullOrWhiteSpace(fileSettings.remove_regex)) { var pattern = GetRegexpFromString(fileSettings.remove_regex); fileContent = fileContent.Where(l => !Regex.IsMatch(l, pattern, RegexOptions.IgnoreCase)); } if (!string.IsNullOrWhiteSpace(fileSettings.good_regex)) { colors.Add(fileSettings.good_regex, Beaprint.ansi_color_good); } if (!string.IsNullOrWhiteSpace(fileSettings.bad_regex)) { colors.Add(fileSettings.bad_regex, Beaprint.ansi_color_bad); } if (!string.IsNullOrWhiteSpace(fileSettings.line_grep)) { lineGrep = SanitizeLineGrep(fileSettings.line_grep); } fileContent = fileContent.Where(line => (!string.IsNullOrWhiteSpace(fileSettings.good_regex) && Regex.IsMatch(line, fileSettings.good_regex, RegexOptions.IgnoreCase)) || (!string.IsNullOrWhiteSpace(fileSettings.bad_regex) && Regex.IsMatch(line, fileSettings.bad_regex, RegexOptions.IgnoreCase)) || (!string.IsNullOrWhiteSpace(lineGrep) && Regex.IsMatch(line, lineGrep, RegexOptions.IgnoreCase))); } var content = string.Join(Environment.NewLine, fileContent); Beaprint.AnsiPrint(content, colors); if (content.Length > 0) { Console.WriteLine(); } }
private static void PrintLocalUsers() { try { Beaprint.MainPrint("Display information about local users"); var computerName = Environment.GetEnvironmentVariable("COMPUTERNAME"); var localUsers = User.GetLocalUsers(computerName); var colors = new Dictionary <string, string> { { "Administrator", Beaprint.ansi_color_bad }, { "Guest", Beaprint.YELLOW }, { "False", Beaprint.ansi_color_good }, { "True", Beaprint.ansi_color_bad }, }; foreach (var localUser in localUsers) { var enabled = ((localUser.flags >> 1) & 1) == 0; var pwdLastSet = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); var lastLogon = new DateTime(1970, 1, 1, 0, 0, 0); if (localUser.passwordAge != 0) { pwdLastSet = DateTime.Now.AddSeconds(-localUser.passwordAge); } if (localUser.last_logon != 0) { lastLogon = lastLogon.AddSeconds(localUser.last_logon).ToLocalTime(); } Beaprint.AnsiPrint($" Computer Name : {computerName}\n" + $" User Name : {localUser.name}\n" + $" User Id : {localUser.user_id}\n" + $" Is Enabled : {enabled}\n" + $" User Type : {(UserPrivType)localUser.priv}\n" + $" Comment : {localUser.comment}\n" + $" Last Logon : {lastLogon}\n" + $" Logons Count : {localUser.num_logons}\n" + $" Password Last Set : {pwdLastSet}\n", colors); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { } }
private void PrintFirewallRules() { try { Beaprint.MainPrint("Firewall Rules"); Beaprint.LinkPrint("", "Showing only DENY rules (too many ALLOW rules always)"); Dictionary <string, string> colorsN = new Dictionary <string, string>() { { Globals.StrFalse, Beaprint.ansi_color_bad }, { Globals.StrTrue, Beaprint.ansi_color_good }, }; Beaprint.AnsiPrint(" Current Profiles: " + Firewall.GetFirewallProfiles(), colorsN); foreach (KeyValuePair <string, string> entry in Firewall.GetFirewallBooleans()) { Beaprint.AnsiPrint(string.Format(" {0,-23}: {1}", entry.Key, entry.Value), colorsN); } Beaprint.GrayPrint(" DENY rules:"); foreach (Dictionary <string, string> rule in Firewall.GetFirewallRules()) { string filePerms = string.Join(", ", PermissionsHelper.GetPermissionsFile(rule["AppName"], winPEAS.Checks.Checks.CurrentUserSiDs)); string folderPerms = string.Join(", ", PermissionsHelper.GetPermissionsFolder(rule["AppName"], winPEAS.Checks.Checks.CurrentUserSiDs)); string formString = " ({0}){1}[{2}]: {3} {4} {5} from {6} --> {7}"; if (filePerms.Length > 0) { formString += "\n File Permissions: {8}"; } if (folderPerms.Length > 0) { formString += "\n Folder Permissions: {9}"; } formString += "\n {10}"; colorsN = new Dictionary <string, string> { { Globals.StrFalse, Beaprint.ansi_color_bad }, { Globals.StrTrue, Beaprint.ansi_color_good }, { "File Permissions.*|Folder Permissions.*", Beaprint.ansi_color_bad }, { rule["AppName"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+"), (filePerms.Length > 0 || folderPerms.Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, }; Beaprint.AnsiPrint(string.Format(formString, rule["Profiles"], rule["Name"], rule["AppName"], rule["Action"], rule["Protocol"], rule["Direction"], rule["Direction"] == "IN" ? rule["Local"] : rule["Remote"], rule["Direction"] == "IN" ? rule["Remote"] : rule["Local"], filePerms, folderPerms, rule["Description"]), colorsN); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintUserCredsFiles() { try { string pattern_color = "[cC][rR][eE][dD][eE][nN][tT][iI][aA][lL]|[pP][aA][sS][sS][wW][oO][rR][dD]"; var validExtensions = new HashSet <string> { ".cnf", ".conf", ".doc", ".docx", ".json", ".xlsx", ".xml", ".yaml", ".yml", ".txt", }; var colorF = new Dictionary <string, string>() { { pattern_color, Beaprint.ansi_color_bad }, }; Beaprint.MainPrint("Looking for possible password files in users homes"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files"); var fileInfos = SearchHelper.SearchUserCredsFiles(); foreach (var fileInfo in fileInfos) { if (!fileInfo.Filename.Contains(".")) { Beaprint.AnsiPrint(" " + fileInfo.FullPath, colorF); } else { string extLower = fileInfo.Extension.ToLower(); if (validExtensions.Contains(extLower)) { Beaprint.AnsiPrint(" " + fileInfo.FullPath, colorF); } } } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static bool ProcessResult( CustomFileInfo fileInfo, Helpers.YamlConfig.YamlConfig.SearchParameters.FileSettings fileSettings, ref int resultsCount) { // print depending on the options here resultsCount++; if (resultsCount > ListFileLimit) { return(false); } if (fileSettings.type == "f") { var colors = new Dictionary <string, string>(); colors.Add(fileInfo.Filename, Beaprint.ansi_color_bad); Beaprint.AnsiPrint($"File: {fileInfo.FullPath}", colors); if (!(bool)fileSettings.just_list_file) { GrepResult(fileInfo, fileSettings); } } else if (fileSettings.type == "d") { var colors = new Dictionary <string, string>(); colors.Add(fileInfo.Filename, Beaprint.ansi_color_bad); Beaprint.AnsiPrint($"Folder: {fileInfo.FullPath}", colors); // just list the directory if ((bool)fileSettings.just_list_file) { string[] files = Directory.GetFiles(fileInfo.FullPath, "*", SearchOption.TopDirectoryOnly); foreach (var file in files) { Beaprint.BadPrint($" {file}"); } } else { // should not happen } } return(true); }
void PrintScheduled() { try { Beaprint.MainPrint("Scheduled Applications --Non Microsoft--"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries"); List <Dictionary <string, string> > scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft(); foreach (Dictionary <string, string> sapp in scheduled_apps) { List <string> fileRights = PermissionsHelper.GetPermissionsFile(sapp["Action"], winPEAS.Checks.Checks.CurrentUserSiDs); List <string> dirRights = PermissionsHelper.GetPermissionsFolder(sapp["Action"], winPEAS.Checks.Checks.CurrentUserSiDs); string formString = " ({0}) {1}: {2}"; if (fileRights.Count > 0) { formString += "\n Permissions file: {3}"; } if (dirRights.Count > 0) { formString += "\n Permissions folder(DLL Hijacking): {4}"; } if (!string.IsNullOrEmpty(sapp["Trigger"])) { formString += "\n Trigger: {5}"; } if (string.IsNullOrEmpty(sapp["Description"])) { formString += "\n {6}"; } Dictionary <string, string> colorsS = new Dictionary <string, string>() { { "Permissions.*", Beaprint.ansi_color_bad }, { sapp["Action"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+"), (fileRights.Count > 0 || dirRights.Count > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, }; Beaprint.AnsiPrint(string.Format(formString, sapp["Author"], sapp["Name"], sapp["Action"], string.Join(", ", fileRights), string.Join(", ", dirRights), sapp["Trigger"], sapp["Description"]), colorsS); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintDeviceDrivers() { try { Beaprint.MainPrint("Device Drivers --Non Microsoft--"); // this link is not very specific, but its the best on hacktricks Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits."); foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft()) { string pathDriver = driver.Key; List <string> fileRights = PermissionsHelper.GetPermissionsFile(pathDriver, winPEAS.Checks.Checks.CurrentUserSiDs); List <string> dirRights = PermissionsHelper.GetPermissionsFolder(pathDriver, winPEAS.Checks.Checks.CurrentUserSiDs); Dictionary <string, string> colorsD = new Dictionary <string, string>() { { "Permissions.*", Beaprint.ansi_color_bad }, { "Capcom.sys", Beaprint.ansi_color_bad }, { pathDriver.Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+"), (fileRights.Count > 0 || dirRights.Count > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, }; string formString = " {0} - {1} [{2}]: {3}"; if (fileRights.Count > 0) { formString += "\n Permissions file: {4}"; } if (dirRights.Count > 0) { formString += "\n Permissions folder(DLL Hijacking): {5}"; } Beaprint.AnsiPrint(string.Format(formString, driver.Value.ProductName, driver.Value.ProductVersion, driver.Value.CompanyName, pathDriver, string.Join(", ", fileRights), string.Join(", ", dirRights)), colorsD); //If vuln, end with separator if ((fileRights.Count > 0) || (dirRights.Count > 0)) { Beaprint.PrintLineSeparator(); } } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintCredentialManager() { try { Beaprint.MainPrint("Checking Credential manager"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault"); var colorsC = new Dictionary <string, string>() { { "Warning:", Beaprint.YELLOW }, }; Beaprint.AnsiPrint(" [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string\n\n", colorsC); var keywords = new HashSet <string> { nameof(Credential.Password), nameof(Credential.Username), nameof(Credential.Target), nameof(Credential.PersistenceType), nameof(Credential.LastWriteTime), }; colorsC = new Dictionary <string, string>() { { CredentialManager.UnicodeInfoText, Beaprint.LBLUE } }; foreach (var keyword in keywords) { colorsC.Add($"{keyword}:", Beaprint.ansi_color_bad); } var credentials = CredentialManager.GetCredentials(); foreach (var credential in credentials) { Beaprint.AnsiPrint(credential, colorsC); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
static void PrintDrivesInfo() { try { Beaprint.MainPrint("Drives Information"); Beaprint.LinkPrint("", "Remember that you should search more info inside the other drives"); Dictionary <string, string> colorsSI = new Dictionary <string, string>() { { "Permissions.*", Beaprint.ansi_color_bad } }; foreach (Dictionary <string, string> drive in Info.SystemInfo.SystemInfo.GetDrivesInfo()) { string drive_permissions = string.Join(", ", PermissionsHelper.GetPermissionsFolder(drive["Name"], Checks.CurrentUserSiDs)); string dToPrint = string.Format(" {0} (Type: {1})", drive["Name"], drive["Type"]); if (!string.IsNullOrEmpty(drive["Volume label"])) { dToPrint += "(Volume label: " + drive["Volume label"] + ")"; } if (!string.IsNullOrEmpty(drive["Filesystem"])) { dToPrint += "(Filesystem: " + drive["Filesystem"] + ")"; } if (!string.IsNullOrEmpty(drive["Available space"])) { dToPrint += "(Available space: " + (((Int64.Parse(drive["Available space"]) / 1024) / 1024) / 1024).ToString() + " GB)"; } if (drive_permissions.Length > 0) { dToPrint += "(Permissions: " + drive_permissions + ")"; } Beaprint.AnsiPrint(dToPrint, colorsSI); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintUsersInterestingFiles() { try { var colorF = new Dictionary <string, string> { { _patternsFileCredsColor, Beaprint.ansi_color_bad }, }; Beaprint.MainPrint("Searching known files that can contain creds in home"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files"); var files = SearchHelper.SearchUsersInterestingFiles(); Beaprint.AnsiPrint(" " + string.Join("\n ", files), colorF); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintHistBookChrome() { try { Beaprint.MainPrint("Looking for GET credentials in Chrome history"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); Dictionary <string, List <string> > chromeHistBook = Chrome.GetChromeHistBook(); List <string> history = chromeHistBook["history"]; List <string> bookmarks = chromeHistBook["bookmarks"]; if (history.Count > 0) { Dictionary <string, string> colorsB = new Dictionary <string, string>() { { Globals.PrintCredStrings, Beaprint.ansi_color_bad }, }; foreach (string url in history) { if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex)) { Beaprint.AnsiPrint(" " + url, colorsB); } } Console.WriteLine(); } else { Beaprint.NotFoundPrint(); } Beaprint.MainPrint("Chrome bookmarks"); Beaprint.ListPrint(bookmarks); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintAutoLogin() { try { Beaprint.MainPrint("Looking for AutoLogon credentials"); bool ban = false; Dictionary <string, string> autologon = UserInfoHelper.GetAutoLogon(); if (autologon.Count > 0) { foreach (KeyValuePair <string, string> entry in autologon) { if (!string.IsNullOrEmpty(entry.Value)) { if (!ban) { Beaprint.BadPrint(" Some AutoLogon credentials were found"); ban = true; } Beaprint.AnsiPrint(string.Format(" {0,-30}: {1}", entry.Key, entry.Value), ColorsU()); } } if (!ban) { Beaprint.NotFoundPrint(); } } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintHistFavIE() { try { Beaprint.MainPrint("Looking for GET credentials in IE history"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history"); Dictionary <string, List <string> > chromeHistBook = InternetExplorer.GetIEHistFav(); List <string> history = chromeHistBook["history"]; List <string> favorites = chromeHistBook["favorites"]; if (history.Count > 0) { Dictionary <string, string> colorsB = new Dictionary <string, string>() { { Globals.PrintCredStrings, Beaprint.ansi_color_bad }, }; foreach (string url in history) { if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex)) { Beaprint.AnsiPrint(" " + url, colorsB); } } Console.WriteLine(); } Beaprint.MainPrint("IE favorites"); Beaprint.ListPrint(favorites); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintAutoRuns() { try { Beaprint.MainPrint("Autorun Applications"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)"); List <Dictionary <string, string> > apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs); foreach (Dictionary <string, string> app in apps) { var colorsA = new Dictionary <string, string> { { "FolderPerms:.*", Beaprint.ansi_color_bad }, { "FilePerms:.*", Beaprint.ansi_color_bad }, { "(Unquoted and Space detected)", Beaprint.ansi_color_bad }, { "(PATH Injection)", Beaprint.ansi_color_bad }, { "RegPerms: .*", Beaprint.ansi_color_bad }, { (app["Folder"].Length > 0) ? app["Folder"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "ouigyevb2uivydi2u3id2ddf3", !string.IsNullOrEmpty(app["interestingFolderRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, { (app["File"].Length > 0) ? app["File"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "adu8v298hfubibuidiy2422r", !string.IsNullOrEmpty(app["interestingFileRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, { (app["Reg"].Length > 0) ? app["Reg"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "o8a7eduia37ibduaunbf7a4g7ukdhk4ua", (app["RegPermissions"].Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, }; string line = ""; if (!string.IsNullOrEmpty(app["Reg"])) { line += "\n RegPath: " + app["Reg"]; } if (app["RegPermissions"].Length > 0) { line += "\n RegPerms: " + app["RegPermissions"]; } if (!string.IsNullOrEmpty(app["RegKey"])) { line += "\n Key: " + app["RegKey"]; } if (!string.IsNullOrEmpty(app["Folder"])) { line += "\n Folder: " + app["Folder"]; } else { if (!string.IsNullOrEmpty(app["Reg"])) { line += "\n Folder: None (PATH Injection)"; } } if (!string.IsNullOrEmpty(app["interestingFolderRights"])) { line += "\n FolderPerms: " + app["interestingFolderRights"]; } string filepath_mod = app["File"].Replace("\"", "").Replace("'", ""); if (!string.IsNullOrEmpty(app["File"])) { line += "\n File: " + filepath_mod; } if (app["isUnquotedSpaced"].ToLower() == "true") { line += " (Unquoted and Space detected)"; } if (!string.IsNullOrEmpty(app["interestingFileRights"])) { line += "\n FilePerms: " + app["interestingFileRights"]; } Beaprint.AnsiPrint(line, colorsA); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintInterestingServices() { try { Beaprint.MainPrint("Interesting Services -non Microsoft-"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths"); List <Dictionary <string, string> > services_info = ServicesInfoHelper.GetNonstandardServices(); if (services_info.Count < 1) { services_info = ServicesInfoHelper.GetNonstandardServicesFromReg(); } foreach (Dictionary <string, string> serviceInfo in services_info) { List <string> fileRights = PermissionsHelper.GetPermissionsFile(serviceInfo["FilteredPath"], winPEAS.Checks.Checks.CurrentUserSiDs); List <string> dirRights = new List <string>(); if (serviceInfo["FilteredPath"] != null && serviceInfo["FilteredPath"] != "") { dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(serviceInfo["FilteredPath"]), winPEAS.Checks.Checks.CurrentUserSiDs); } bool noQuotesAndSpace = MyUtils.CheckQuoteAndSpace(serviceInfo["PathName"]); string formString = " {0}("; if (serviceInfo["CompanyName"] != null && serviceInfo["CompanyName"].Length > 1) { formString += "{1} - "; } if (serviceInfo["DisplayName"].Length > 1) { formString += "{2}"; } formString += ")"; if (serviceInfo["PathName"].Length > 1) { formString += "[{3}]"; } if (serviceInfo["StartMode"].Length > 1) { formString += " - {4}"; } if (serviceInfo["State"].Length > 1) { formString += " - {5}"; } if (serviceInfo["isDotNet"].Length > 1) { formString += " - {6}"; } if (noQuotesAndSpace) { formString += " - {7}"; } if (modifiableServices.ContainsKey(serviceInfo["Name"])) { if (modifiableServices[serviceInfo["Name"]] == "Start") { formString += "\n You can START this service"; } else { formString += "\n YOU CAN MODIFY THIS SERVICE: " + modifiableServices[serviceInfo["Name"]]; } } if (fileRights.Count > 0) { formString += "\n File Permissions: {8}"; } if (dirRights.Count > 0) { formString += "\n Possible DLL Hijacking in binary folder: {9} ({10})"; } if (serviceInfo["Description"].Length > 1) { formString += "\n " + Beaprint.ansi_color_gray + "{11}"; } { Dictionary <string, string> colorsS = new Dictionary <string, string>() { { "File Permissions:.*", Beaprint.ansi_color_bad }, { "Possible DLL Hijacking.*", Beaprint.ansi_color_bad }, { "No quotes and Space detected", Beaprint.ansi_color_bad }, { "YOU CAN MODIFY THIS SERVICE:.*", Beaprint.ansi_color_bad }, { " START ", Beaprint.ansi_color_bad }, { serviceInfo["PathName"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+"), (fileRights.Count > 0 || dirRights.Count > 0 || noQuotesAndSpace) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, }; Beaprint.AnsiPrint(string.Format(formString, serviceInfo["Name"], serviceInfo["CompanyName"], serviceInfo["DisplayName"], serviceInfo["PathName"], serviceInfo["StartMode"], serviceInfo["State"], serviceInfo["isDotNet"], "No quotes and Space detected", string.Join(", ", fileRights), dirRights.Count > 0 ? Path.GetDirectoryName(serviceInfo["FilteredPath"]) : "", string.Join(", ", dirRights), serviceInfo["Description"]), colorsS); } Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintWSLDistributions() { Beaprint.MainPrint("Looking for Linux shells/distributions - wsl.exe, bash.exe"); List <string> linuxShells = InterestingFiles.InterestingFiles.GetLinuxShells(); string hive = "HKCU"; string basePath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss"; const string linpeas = "linpeas.sh"; if (linuxShells.Any()) { foreach (string path in linuxShells) { Beaprint.BadPrint(" " + path); } Beaprint.BadPrint(""); try { var wslKeys = RegistryHelper.GetRegSubkeys(hive, basePath); if (wslKeys.Any()) { const string distribution = "Distribution"; const string rootDirectory = "Root directory"; const string runWith = "Run command"; var colors = new Dictionary <string, string>(); new List <string> { linpeas, distribution, rootDirectory, runWith }.ForEach(str => colors.Add(str, Beaprint.ansi_color_bad)); Beaprint.BadPrint(" Found installed WSL distribution(s) - listed below"); Beaprint.AnsiPrint($" Run {linpeas} in your WSL distribution(s) home folder(s).\n", colors); foreach (var wslKey in wslKeys) { try { string distributionSubKey = $"{basePath}\\{wslKey}"; string distributionRootDirectory = $"{RegistryHelper.GetRegValue(hive, distributionSubKey, "BasePath")}\\rootfs"; string distributionName = RegistryHelper.GetRegValue(hive, distributionSubKey, "DistributionName"); Beaprint.AnsiPrint($" {distribution}: \"{distributionName}\"\n" + $" {rootDirectory}: \"{distributionRootDirectory}\"\n" + $" {runWith}: wsl.exe --distribution \"{distributionName}\"", colors); Beaprint.PrintLineSeparator(); } catch (Exception) { } } // try to run linpeas.sh in the default distribution Beaprint.ColorPrint($" Running {linpeas} in the default distribution\n" + $" Using linpeas.sh URL: {Checks.LinpeasUrl}", Beaprint.LBLUE); if (Checks.IsLinpeas) { try { WSL.RunLinpeas(Checks.LinpeasUrl); } catch (Exception ex) { Beaprint.PrintException($" Unable to run linpeas.sh: {ex.Message}"); } } else { Beaprint.ColorPrint(" [!] Check skipped, if you want to run it, please specify '-linpeas=[url]' argument", Beaprint.YELLOW); } } else { Beaprint.GoodPrint(" WSL - no installed Linux distributions found."); } } catch (Exception) { } } }
void PrintInterestingProcesses() { try { Beaprint.MainPrint("Interesting Processes -non Microsoft-"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running"); List <Dictionary <string, string> > processesInfo = ProcessesInfo.GetProcInfo(); foreach (Dictionary <string, string> procInfo in processesInfo) { Dictionary <string, string> colorsP = new Dictionary <string, string>() { { " " + Checks.CurrentUserName, Beaprint.ansi_current_user }, { "Permissions:.*", Beaprint.ansi_color_bad }, { "Possible DLL Hijacking.*", Beaprint.ansi_color_bad }, }; if (DefensiveProcesses.Definitions.ContainsKey(procInfo["Name"])) { if (!string.IsNullOrEmpty(DefensiveProcesses.Definitions[procInfo["Name"]])) { procInfo["Product"] = DefensiveProcesses.Definitions[procInfo["Name"]]; } colorsP[procInfo["Product"]] = Beaprint.ansi_color_good; } else if (InterestingProcesses.Definitions.ContainsKey(procInfo["Name"])) { if (!string.IsNullOrEmpty(InterestingProcesses.Definitions[procInfo["Name"]])) { procInfo["Product"] = InterestingProcesses.Definitions[procInfo["Name"]]; } colorsP[procInfo["Product"]] = Beaprint.ansi_color_bad; } List <string> fileRights = PermissionsHelper.GetPermissionsFile(procInfo["ExecutablePath"], Checks.CurrentUserSiDs); List <string> dirRights = new List <string>(); if (procInfo["ExecutablePath"] != null && procInfo["ExecutablePath"] != "") { dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(procInfo["ExecutablePath"]), Checks.CurrentUserSiDs); } colorsP[procInfo["ExecutablePath"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") + "[^\"^']"] = (fileRights.Count > 0 || dirRights.Count > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good; string formString = " {0}({1})[{2}]"; if (procInfo["Product"] != null && procInfo["Product"].Length > 1) { formString += ": {3}"; } if (procInfo["Owner"].Length > 1) { formString += " -- POwn: {4}"; } if (procInfo["isDotNet"].Length > 1) { formString += " -- {5}"; } if (fileRights.Count > 0) { formString += "\n Permissions: {6}"; } if (dirRights.Count > 0) { formString += "\n Possible DLL Hijacking folder: {7} ({8})"; } if (procInfo["CommandLine"].Length > 1) { formString += "\n " + Beaprint.ansi_color_gray + "Command Line: {9}"; } Beaprint.AnsiPrint(string.Format(formString, procInfo["Name"], procInfo["ProcessID"], procInfo["ExecutablePath"], procInfo["Product"], procInfo["Owner"], procInfo["isDotNet"], string.Join(", ", fileRights), dirRights.Count > 0 ? Path.GetDirectoryName(procInfo["ExecutablePath"]) : "", string.Join(", ", dirRights), procInfo["CommandLine"]), colorsP); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.GrayPrint(ex.Message); } }
private static void PrintNtlmSettings() { Beaprint.MainPrint($"Enumerating NTLM Settings"); try { var info = Ntlm.GetNtlmSettingsInfo(); string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel >= 3 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad; Beaprint.ColorPrint($" LanmanCompatibilityLevel : {info.LanmanCompatibilityLevel} ({info.LanmanCompatibilityLevelString})\n", lmCompatibilityLevelColor); var ntlmSettingsColors = new Dictionary <string, string> { { "True", Beaprint.ansi_color_good }, { "False", Beaprint.ansi_color_bad }, { "No signing", Beaprint.ansi_color_bad }, { "null", Beaprint.ansi_color_bad }, { "Require Signing", Beaprint.ansi_color_good }, { "Negotiate signing", Beaprint.ansi_color_yellow }, { "Unknown", Beaprint.ansi_color_bad }, }; Beaprint.ColorPrint("\n NTLM Signing Settings", Beaprint.LBLUE); Beaprint.AnsiPrint($" ClientRequireSigning : {info.ClientRequireSigning}\n" + $" ClientNegotiateSigning : {info.ClientNegotiateSigning}\n" + $" ServerRequireSigning : {info.ServerRequireSigning}\n" + $" ServerNegotiateSigning : {info.ServerNegotiateSigning}\n" + $" LdapSigning : {(info.LdapSigning != null ? info.LdapSigningString : "null")} ({info.LdapSigningString})", ntlmSettingsColors); Beaprint.ColorPrint("\n Session Security", Beaprint.LBLUE); if (info.NTLMMinClientSec != null) { var clientSessionSecurity = (SessionSecurity)info.NTLMMinClientSec; var clientSessionSecurityDescription = clientSessionSecurity.GetDescription(); var color = !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !clientSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good; Beaprint.ColorPrint($" NTLMMinClientSec : {info.NTLMMinClientSec} ({clientSessionSecurityDescription})", color); if (info.LanmanCompatibilityLevel < 3 && !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2)) { Beaprint.BadPrint(" [!] NTLM clients support NTLMv1!"); } } if (info.NTLMMinServerSec != null) { var serverSessionSecurity = (SessionSecurity)info.NTLMMinServerSec; var serverSessionSecurityDescription = serverSessionSecurity.GetDescription(); var color = !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !serverSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good; Beaprint.ColorPrint($" NTLMMinServerSec : {info.NTLMMinServerSec} ({serverSessionSecurityDescription})\n", color); if (info.LanmanCompatibilityLevel < 3 && !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2)) { Beaprint.BadPrint(" [!] NTLM services on this machine support NTLMv1!"); } } var ntlmOutboundRestrictionsColor = info.OutboundRestrictions == 2 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad; Beaprint.ColorPrint("\n NTLM Auditing and Restrictions", Beaprint.LBLUE); Beaprint.NoColorPrint($" InboundRestrictions : {info.InboundRestrictions} ({info.InboundRestrictionsString})"); Beaprint.ColorPrint($" OutboundRestrictions : {info.OutboundRestrictions} ({info.OutboundRestrictionsString})", ntlmOutboundRestrictionsColor); Beaprint.NoColorPrint($" InboundAuditing : {info.InboundAuditing} ({info.InboundRestrictionsString})"); Beaprint.NoColorPrint($" OutboundExceptions : {info.OutboundExceptions}"); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }