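/// <summary>
/// Reports registry locations where remote-access and management software is known
/// to keep stored secrets (VNC passwords, PuTTY session settings, SNMP configuration).
/// Anything printed here is a credential-at-rest finding an administrator should
/// remove or rotate.
/// </summary>
void PrintPossCredsRegs()
        {
            try
            {
                // Per-user keys: these live under HKEY_CURRENT_USER.
                string[] passRegHkcu = new string[] { @"Software\ORL\WinVNC3\Password", @"Software\TightVNC\Server", @"Software\SimonTatham\PuTTY\Sessions" };
                // Machine-wide keys: these live under HKEY_LOCAL_MACHINE.
                string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };

                Beaprint.MainPrint("Looking for possible regs with creds");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry");

                string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
                // IsNullOrWhiteSpace is null-safe; the previous winVnc4.Trim() would throw
                // if the helper ever returned null.
                if (!string.IsNullOrWhiteSpace(winVnc4))
                {
                    Beaprint.BadPrint(winVnc4);
                }

                foreach (string regHkcu in passRegHkcu)
                {
                    // Fixed: the per-user list was being queried under HKLM, so these
                    // HKCU locations were never actually inspected.
                    Beaprint.DictPrint(RegistryHelper.GetRegValues("HKCU", regHkcu), false);
                }

                foreach (string regHklm in passRegHklm)
                {
                    Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHklm), false);
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }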
コード例 #2
        /// <summary>
        /// Prints process-creation events (event ID 4688) returned by
        /// <c>ProcessCreation.GetProcessCreationEventInfos()</c>. Each hit is reported as a
        /// finding because the logged command line matched a sensitive-data search;
        /// secrets passed on a command line remain readable in the log afterwards.
        /// Requires a high-integrity (administrator) token.
        /// </summary>
        private static void PrintProcessCreationEvents()
        {
            try
            {
                Beaprint.MainPrint("Process creation events - searching logs (EID 4688) for sensitive data.\n");

                // The check is skipped entirely for non-elevated callers.
                bool isElevated = MyUtils.IsHighIntegrity();
                if (!isElevated)
                {
                    Beaprint.NoColorPrint("      You must be an administrator to run this check");
                    return;
                }

                foreach (var hit in ProcessCreation.GetProcessCreationEventInfos())
                {
                    string report =
                        $"  Created (UTC)      :      {hit.CreatedAtUtc}\n" +
                        $"  Event Id           :      {hit.EventId}\n" +
                        $"  User               :      {hit.User}\n" +
                        $"  Command Line       :      {hit.Match}\n";

                    Beaprint.BadPrint(report);
                    Beaprint.PrintLineSeparator();
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
コード例 #3
ファイル: AppLockerHelper.cs プロジェクト: xb3t0/Payloads
        /// <summary>
        /// Checks whether the current user's SIDs hold write-equivalent rights on a directory.
        /// </summary>
        /// <param name="directory">Directory path to inspect.</param>
        /// <param name="isDirectoryExisting">Set to false when the directory is missing, true otherwise.</param>
        /// <param name="isGoodPrint">When true, a non-writable directory is printed as a good result.</param>
        /// <returns>True when at least one write-equivalent permission was found; false otherwise,
        /// including when the directory does not exist.</returns>
        private static bool CheckDirectoryWriteAccess(string directory, out bool isDirectoryExisting, bool isGoodPrint = true)
        {
            isDirectoryExisting = Directory.Exists(directory);

            // A missing directory is still reported as a finding by the original check.
            if (!isDirectoryExisting)
            {
                Beaprint.BadPrint($"    Directory \"{directory}\" does not exist.");
                return false;
            }

            var writableRights = PermissionsHelper.GetPermissionsFolder(directory, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
            bool isWritable = writableRights.Count > 0;

            if (isWritable)
            {
                Beaprint.BadPrint($"    Directory \"{directory}\" Permissions: " + string.Join(",", writableRights));
            }
            else if (isGoodPrint)
            {
                Beaprint.GoodPrint($"    {directory}");
            }

            return isWritable;
        }
コード例 #4
        /// <summary>
        /// Reports the Firefox database files returned by <c>Firefox.GetFirefoxDbs()</c>.
        /// Only the paths are printed; the files themselves are not opened here.
        /// </summary>
        private static void PrintDBsFirefox()
        {
            try
            {
                Beaprint.MainPrint("Looking for Firefox DBs");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");

                List<string> dbPaths = Firefox.GetFirefoxDbs();
                if (dbPaths.Count == 0)
                {
                    Beaprint.NotFoundPrint();
                    return;
                }

                // Each path is printed individually so the whole line is shown as a finding.
                foreach (string dbPath in dbPaths)
                {
                    Beaprint.BadPrint("    Firefox credentials file exists at " + dbPath);
                }

                Beaprint.InfoPrint("Run SharpWeb (https://github.com/djhohnstein/SharpWeb)");
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
コード例 #5
ファイル: AppLockerHelper.cs プロジェクト: xb3t0/Payloads
        /// <summary>
        /// Checks whether the current user's SIDs hold write-equivalent rights on a file.
        /// </summary>
        /// <param name="path">File path to inspect; null or blank yields false without output.</param>
        /// <returns>True only when the file exists and at least one write-equivalent
        /// permission was found.</returns>
        private static bool CheckFileWriteAccess(string path)
        {
            if (string.IsNullOrWhiteSpace(path))
            {
                return false;
            }

            // A referenced file that does not exist is reported, but is not counted as writable.
            if (!File.Exists(path))
            {
                Beaprint.BadPrint($"    File \"{path}\" does not exist.");
                return false;
            }

            var writableRights = PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
            if (writableRights.Count == 0)
            {
                return false;
            }

            Beaprint.BadPrint($"    File \"{path}\" Permissions: " + string.Join(",", writableRights));
            return true;
        }
コード例 #6
ファイル: WindowsCreds.cs プロジェクト: xb3t0/Payloads
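        /// <summary>
        /// Reports whether IIS's AppCmd.exe is present and, when running with a
        /// high-integrity token, runs the PowerShell script supplied by
        /// <c>AppCmd.GetExtractAppCmdCredsPowerShellScript()</c> and prints its output.
        /// </summary>
        /// <remarks>
        /// Changes against the original listing: the interpolated-string token was garbled
        /// (<c>@$ "</c>) and did not compile; standard error is now drained asynchronously so
        /// a chatty child process cannot block on a full pipe while standard output is being
        /// read; and PowerShell is started by absolute path so an elevated run cannot pick up
        /// a same-named binary from the working directory or PATH.
        /// </remarks>
        private static void PrintAppCmd()
        {
            try
            {
                Beaprint.MainPrint("Looking AppCmd.exe");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe");

                var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");

                if (File.Exists(appCmdPath))
                {
                    Beaprint.BadPrint($"    AppCmd.exe was found in {appCmdPath}");
                }
                else
                {
                    Beaprint.NotFoundPrint();
                }

                if (!MyUtils.IsHighIntegrity())
                {
                    Beaprint.NoColorPrint("      You must be an administrator to run this check");
                    return;
                }

                var script = AppCmd.GetExtractAppCmdCredsPowerShellScript();

                string args = $" {script}";

                var processStartInfo = new ProcessStartInfo
                {
                    UseShellExecute        = false,
                    CreateNoWindow         = true,
                    // Absolute path: avoids the executable search order for a process that runs elevated.
                    FileName               = Path.Combine(Environment.SystemDirectory, @"WindowsPowerShell\v1.0\powershell.exe"),
                    Arguments              = args,
                    RedirectStandardOutput = true,
                    RedirectStandardError  = true,
                    StandardOutputEncoding = Encoding.UTF8
                };

                using (var process = Process.Start(processStartInfo))
                {
                    if (process != null)
                    {
                        // Drain stderr in the background; reading the two pipes one after the
                        // other can deadlock once the unread pipe's buffer fills.
                        process.ErrorDataReceived += (sender, e) =>
                        {
                            if (e.Data != null)
                            {
                                Console.WriteLine(e.Data);
                            }
                        };
                        process.BeginErrorReadLine();

                        string line;
                        while ((line = process.StandardOutput.ReadLine()) != null)
                        {
                            Beaprint.BadPrint($"    {line}");
                        }

                        // Also waits for the asynchronous stderr reader to reach end of stream.
                        process.WaitForExit();
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }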
        /// <summary>
        /// Walks the home folders of other users and reports every file or folder on which
        /// the current user's SIDs hold write-equivalent rights. Such entries mean one
        /// account can tamper with another account's profile data.
        /// </summary>
        void PrintOtherUsersInterestingFiles()
        {
            try
            {
                Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n");

                // An elevated caller gets only a hint; the per-file walk is skipped.
                if (MyUtils.IsHighIntegrity())
                {
                    Beaprint.BadPrint("     You are already Administrator, check users home folders manually.");
                    return;
                }

                foreach (var homeFolder in User.GetOtherUsersFolders())
                {
                    Beaprint.GoodPrint($"     Checking folder: {homeFolder}\n");

                    foreach (var entry in SearchHelper.GetFilesFast(homeFolder, isFoldersIncluded: true))
                    {
                        try
                        {
                            bool isDirectory = (File.GetAttributes(entry.FullPath) & FileAttributes.Directory) == FileAttributes.Directory;

                            List<string> rights = isDirectory
                                ? PermissionsHelper.GetPermissionsFolder(entry.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT)
                                : PermissionsHelper.GetPermissionsFile(entry.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);

                            if (rights.Count > 0)
                            {
                                string label = isDirectory ? "Folder" : "File";
                                Beaprint.BadPrint($"     {label} Permissions \"{entry.FullPath}\": " + string.Join(",", rights));
                            }
                        }
                        catch (Exception)
                        {
                            // Best effort: an entry that cannot be inspected is skipped silently
                            // so one failure does not abort the scan of the remaining entries.
                        }
                    }

                    Beaprint.PrintLineSeparator();
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
コード例 #8
ファイル: WindowsCreds.cs プロジェクト: xb3t0/Payloads
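        /// <summary>
        /// Lists saved WLAN profiles that carry key material. Only the SSID is printed;
        /// the key itself is shown masked as '******'.
        /// </summary>
        /// <remarks>
        /// Changes against the original listing: the closing quote of the SSID was emitted
        /// after the line break, the key material was copied into a local that was never
        /// used, and the XML document is now created without an external resolver.
        /// </remarks>
        private static void PrintWifi()
        {
            try
            {
                Beaprint.MainPrint("Looking for saved Wifi credentials");
                foreach (var @interface in new WlanClient().Interfaces)
                {
                    foreach (var profile in @interface.GetProfiles())
                    {
                        var xml = @interface.GetProfileXml(profile.profileName);

                        // No resolver: the profile XML never needs external entities or DTDs.
                        XmlDocument xDoc = new XmlDocument { XmlResolver = null };
                        xDoc.LoadXml(xml);

                        var keyMaterial = xDoc.GetElementsByTagName("keyMaterial");

                        // The presence of a keyMaterial element is the finding; its content
                        // is deliberately not read into memory or printed.
                        if (keyMaterial.Count > 0)
                        {
                            Beaprint.BadPrint($"   SSID         :       '{profile.profileName}'\n" +
                                              "   password     :       '******'  \n\n");
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }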
コード例 #9
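        /// <summary>
        /// Reports the value returned by <c>ApplicationInfoHelper.GetActiveWindowTitle()</c>
        /// and the permissions the current user's SIDs hold on that file and on its folder.
        /// A writable application folder is flagged because a DLL placed there could be
        /// loaded by the application.
        /// </summary>
        void PrintActiveWindow()
        {
            try
            {
                Beaprint.MainPrint("Current Active Window Application");
                string        title       = ApplicationInfoHelper.GetActiveWindowTitle();
                List<string>  permsFile   = PermissionsHelper.GetPermissionsFile(title, winPEAS.Checks.Checks.CurrentUserSiDs);
                List<string>  permsFolder = PermissionsHelper.GetPermissionsFolder(title, winPEAS.Checks.Checks.CurrentUserSiDs);
                if (permsFile.Count > 0)
                {
                    Beaprint.BadPrint("    " + title);
                    Beaprint.BadPrint("    File Permissions: " + string.Join(",", permsFile));
                }
                else
                {
                    Beaprint.GoodPrint("    " + title);
                }

                if (permsFolder.Count > 0)
                {
                    Beaprint.BadPrint("    Possible DLL Hijacking, folder is writable: " + PermissionsHelper.GetFolderFromString(title));
                    // Fixed: this line printed the file ACL (permsFile) under the
                    // "Folder Permissions" label, so the folder finding showed the wrong rights.
                    Beaprint.BadPrint("    Folder Permissions: " + string.Join(",", permsFolder));
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }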
コード例 #10
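        /// <summary>
        /// Reports the Chrome cookies and saved-login database paths returned by
        /// <c>Chrome.GetChromeDbs()</c>. Only the paths are printed.
        /// </summary>
        /// <remarks>
        /// Fixed against the original listing: the saved-login branch printed the value of
        /// the cookies key, which showed the wrong path and threw when only the login
        /// database was present.
        /// </remarks>
        private static void PrintDBsChrome()
        {
            try
            {
                Beaprint.MainPrint("Looking for Chrome DBs");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
                Dictionary<string, string> chromeDBs = Chrome.GetChromeDbs();

                // Single lookup per key instead of ContainsKey followed by the indexer.
                string cookiesPath;
                string loginDataPath;
                bool hasCookies   = chromeDBs.TryGetValue("userChromeCookiesPath", out cookiesPath);
                bool hasLoginData = chromeDBs.TryGetValue("userChromeLoginDataPath", out loginDataPath);

                if (hasCookies)
                {
                    Beaprint.BadPrint("    Chrome cookies database exists at " + cookiesPath);
                    Beaprint.InfoPrint("Follow the provided link for further instructions.");
                }

                if (hasLoginData)
                {
                    Beaprint.BadPrint("    Chrome saved login database exists at " + loginDataPath);
                    Beaprint.InfoPrint("Follow the provided link for further instructions.");
                }

                if (!hasCookies && !hasLoginData)
                {
                    Beaprint.NotFoundPrint();
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }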
コード例 #11
 /// <summary>
 /// Prints the services held in <c>modifiableServices</c>. Any entry means the current
 /// user can change a service's configuration, so every line is coloured as a finding.
 /// </summary>
 void PrintModifiableServices()
 {
     try
     {
         Beaprint.MainPrint("Modifiable Services");
         Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service");

         if (modifiableServices.Count <= 0)
         {
             Beaprint.GoodPrint("    You cannot modify any service");
             return;
         }

         Beaprint.BadPrint("    LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:");

         // The key is a pattern; ".*" colours the whole of every printed line.
         var highlightEverything = new Dictionary<string, string>();
         highlightEverything.Add(".*", Beaprint.ansi_color_bad);

         Beaprint.DictPrint(modifiableServices, highlightEverything, false, true);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
        /// <summary>
        /// Reads the AlwaysInstallElevated installer policy from HKLM and HKCU and reports
        /// each hive where it is set to 1.
        /// </summary>
        /// <remarks>
        /// With this policy on, Windows Installer packages run with elevated privileges
        /// for any user. Microsoft documents the policy as taking effect when it is
        /// enabled in both hives; this check flags either one on its own. The hardened
        /// state is the value absent or 0 in both.
        /// </remarks>
        static void PrintAlwaysInstallElevated()
        {
            try
            {
                Beaprint.MainPrint("Checking AlwaysInstallElevated");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated");

                const string installerPolicyKey = "Software\\Policies\\Microsoft\\Windows\\Installer";
                bool enabledForMachine = RegistryHelper.GetRegValue("HKLM", installerPolicyKey, "AlwaysInstallElevated") == "1";
                bool enabledForUser    = RegistryHelper.GetRegValue("HKCU", installerPolicyKey, "AlwaysInstallElevated") == "1";

                if (enabledForMachine)
                {
                    Beaprint.BadPrint("    AlwaysInstallElevated set to 1 in HKLM!");
                }

                if (enabledForUser)
                {
                    Beaprint.BadPrint("    AlwaysInstallElevated set to 1 in HKCU!");
                }

                if (!(enabledForMachine || enabledForUser))
                {
                    Beaprint.GoodPrint("    AlwaysInstallElevated isn't available");
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
コード例 #13
        /// <summary>
        /// Lists the subkeys found under the OpenSSH agent key store in the current user's
        /// registry hive. Each subkey printed represents a key held by the agent.
        /// </summary>
        private static void PrintSSHKeysReg()
        {
            try
            {
                Beaprint.MainPrint("SSH keys in registry");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys");

                // NOTE(review): the Windows OpenSSH agent is documented as storing keys under
                // HKCU\Software\OpenSSH\Agent\Keys; confirm whether GetRegSubkeys adds the
                // "Software\" prefix, otherwise this path never matches.
                string[] agentKeyEntries = RegistryHelper.GetRegSubkeys("HKCU", @"OpenSSH\Agent\Keys");

                if (agentKeyEntries.Length == 0)
                {
                    Beaprint.NotFoundPrint();
                    return;
                }

                foreach (string entryName in agentKeyEntries)
                {
                    Beaprint.BadPrint(entryName);
                }
            }
            catch (Exception ex)
            {
                // Unlike the sibling checks, this one prints the full exception text in gray.
                Beaprint.GrayPrint(string.Format("{0}", ex));
            }
        }
コード例 #14
ファイル: WindowsCreds.cs プロジェクト: xb3t0/Payloads
        /// <summary>
        /// Prints the version and hash of every entry returned by
        /// <c>SecurityPackages.GetNtlmCredentials()</c>, or a good result when none exist.
        /// </summary>
        private static void PrintSecurityPackagesCredentials()
        {
            Beaprint.MainPrint("Enumerating Security Packages Credentials");

            try
            {
                // A null result from the helper is treated the same as an empty one.
                var ntlmEntries = (SecurityPackages.GetNtlmCredentials() ?? Enumerable.Empty<NtlmHashInfo>()).ToList();

                if (ntlmEntries.Count == 0)
                {
                    Beaprint.GoodPrint("  The NTLM security package does not contain any credentials.");
                    return;
                }

                foreach (var entry in ntlmEntries.Where(e => e != null))
                {
                    Beaprint.BadPrint($"  Version: {entry.Version}\n" +
                                      $"  Hash:    {entry.Hash}\n");
                    Beaprint.PrintLineSeparator();
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
コード例 #15
        /// <summary>
        /// Prints explicit-credential logon events (event ID 4648) from the last 30 days,
        /// as returned by <c>Logon.GetExplicitLogonEventsInfos</c>. Requires a
        /// high-integrity (administrator) token.
        /// </summary>
        private static void PrintExplicitLogonEvents()
        {
            try
            {
                const int lastDays = 30;

                Beaprint.MainPrint($"Printing Explicit Credential Events (4648) for last {lastDays} days - A process logged on using plaintext credentials\n");

                bool isElevated = MyUtils.IsHighIntegrity();
                if (!isElevated)
                {
                    Beaprint.NoColorPrint("      You must be an administrator to run this check");
                    return;
                }

                foreach (var logonEvent in Logon.GetExplicitLogonEventsInfos(lastDays))
                {
                    // Subject = the account that supplied the credentials;
                    // Target = the account whose credentials were used.
                    string report =
                        $"  Subject User       :         {logonEvent.SubjectUser}\n" +
                        $"  Subject Domain     :         {logonEvent.SubjectDomain}\n" +
                        $"  Created (UTC)      :         {logonEvent.CreatedAtUtc}\n" +
                        $"  IP Address         :         {logonEvent.IpAddress}\n" +
                        $"  Process            :         {logonEvent.Process}\n" +
                        $"  Target User        :         {logonEvent.TargetUser}\n" +
                        $"  Target Domain      :         {logonEvent.TargetDomain}\n";

                    Beaprint.BadPrint(report);
                    Beaprint.PrintLineSeparator();
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }
 /// <summary>
 /// Prints the cloud credential files returned by <c>KnownFileCredsInfo.ListCloudCreds()</c>
 /// with their description, last-access time and size. File contents are not printed.
 /// </summary>
 void PrintCloudCreds()
 {
     try
     {
         Beaprint.MainPrint("Cloud Credentials");
         Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");

         List<Dictionary<string, string>> cloudCredFiles = KnownFileCredsInfo.ListCloudCreds();
         if (cloudCredFiles.Count == 0)
         {
             Beaprint.NotFoundPrint();
             return;
         }

         const string lineFormat = "    {0} ({1})\n    Accessed:{2} -- Size:{3}";
         foreach (Dictionary<string, string> entry in cloudCredFiles)
         {
             // Every entry is expected to carry these four keys; a missing one throws
             // and ends the listing through the outer catch.
             Beaprint.BadPrint(string.Format(lineFormat, entry["file"], entry["Description"], entry["Accessed"], entry["Size"]));
             System.Console.WriteLine("");
         }
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
 /// <summary>
 /// Prints <paramref name="str"/> as a finding when <paramref name="isBad"/> is true,
 /// and without colour otherwise.
 /// </summary>
 private static void PrintColored(string str, bool isBad)
 {
     if (!isBad)
     {
         Beaprint.NoColorPrint(str);
         return;
     }

     Beaprint.BadPrint(str);
 }
コード例 #18
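        /// <summary>
        /// Lists saved WLAN profiles that carry key material, using the WLAN API first and
        /// falling back to <c>Wifi.Wifi.Retrieve()</c> when that fails. On the primary path
        /// only the SSID is printed and the key is shown masked as '******'.
        /// </summary>
        /// <remarks>
        /// Changes against the original listing: a second, unused WlanClient was created;
        /// the closing quote of the SSID was emitted after the line break; the key material
        /// was copied into an unused local; and the fallback threw out of the catch block
        /// when two networks shared a value, because Dictionary.Add rejects duplicate keys.
        /// </remarks>
        private static void PrintWifi()
        {
            try
            {
                Beaprint.MainPrint("Looking for saved Wifi credentials");

                WlanClient wlanClient = new WlanClient();

                foreach (var @interface in wlanClient.Interfaces)
                {
                    foreach (var profile in @interface.GetProfiles())
                    {
                        var xml = @interface.GetProfileXml(profile.profileName);

                        // No resolver: the profile XML never needs external entities or DTDs.
                        XmlDocument xDoc = new XmlDocument { XmlResolver = null };
                        xDoc.LoadXml(xml);

                        var keyMaterial = xDoc.GetElementsByTagName("keyMaterial");

                        // The presence of a keyMaterial element is the finding; its content
                        // is deliberately not read into memory or printed.
                        if (keyMaterial.Count > 0)
                        {
                            Beaprint.BadPrint($"   SSID         :       '{profile.profileName}'\n" +
                                              "   password     :       '******'  \n\n");
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);

                // revert to old way
                Beaprint.NoColorPrint("Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'");

                try
                {
                    Dictionary<string, string> networkConnections = Wifi.Wifi.Retrieve();
                    Dictionary<string, string> ansi_colors_regexp = new Dictionary<string, string>();

                    if (networkConnections.Count > 0)
                    {
                        // Flag every stored value with the "bad" colour.
                        // NOTE(review): the colour keys look like regex patterns (see the
                        // dictionary's name); a value containing regex metacharacters may
                        // need escaping before it is used as a key - confirm in DictPrint.
                        foreach (var connection in networkConnections)
                        {
                            if (!string.IsNullOrEmpty(connection.Value))
                            {
                                // Indexer instead of Add: identical values are not an error.
                                ansi_colors_regexp[connection.Value] = Beaprint.ansi_color_bad;
                            }
                        }
                        Beaprint.DictPrint(networkConnections, ansi_colors_regexp, false);
                    }
                    else
                    {
                        Beaprint.NoColorPrint("No saved Wifi credentials found");
                    }
                }
                catch (Exception fallbackEx)
                {
                    // An exception escaping a catch block would otherwise end the whole run.
                    Beaprint.PrintException(fallbackEx.Message);
                }
            }
        }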
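        /// <summary>
        /// Prints every value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and adds a
        /// highlighted line for three settings: WDigest listed in "Security Packages",
        /// RunAsPPL set to 1, and DisableRestrictedAdmin set to 0.
        /// </summary>
        /// <remarks>
        /// The highlight colour follows the tool's assessment viewpoint, not a hardening
        /// one: RunAsPPL = 1 (LSA protection on) is the state a defender wants, while
        /// WDigest being listed and Restricted Admin being enabled are the ones to review.
        /// Changes against the original listing: a null registry value no longer aborts
        /// the listing, and exceptions are reported instead of being swallowed.
        /// </remarks>
        private static void PrintLSAInfo()
        {
            try
            {
                Beaprint.MainPrint("Enumerate LSA settings - auth packages included\n");

                var settings = RegistryHelper.GetRegValues("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Lsa");

                if ((settings != null) && (settings.Count != 0))
                {
                    foreach (var kvp in settings)
                    {
                        // Multi-string and binary values need flattening before printing.
                        string val;
                        var multiString = kvp.Value as string[];
                        var binary = kvp.Value as byte[];

                        if (multiString != null)
                        {
                            val = string.Join(",", multiString);
                        }
                        else if (binary != null)
                        {
                            val = System.BitConverter.ToString(binary);
                        }
                        else
                        {
                            val = kvp.Value == null ? string.Empty : kvp.Value.ToString();
                        }

                        var key = kvp.Key;

                        Beaprint.NoColorPrint($"    {key,-30}       :       {val}");

                        if (Regex.IsMatch(key, "Security Packages") && Regex.IsMatch(val, @".*wdigest.*"))
                        {
                            Beaprint.BadPrint("    [!]      WDigest is enabled - plaintext password extraction is possible!");
                        }

                        if (key.Equals("RunAsPPL", System.StringComparison.InvariantCultureIgnoreCase) && val == "1")
                        {
                            Beaprint.BadPrint("    [!]      LSASS Protected Mode is enabled! You will not be able to access lsass.exe's memory easily.");
                        }

                        if (key.Equals("DisableRestrictedAdmin", System.StringComparison.InvariantCultureIgnoreCase) && val == "0")
                        {
                            Beaprint.BadPrint("    [!]      RDP Restricted Admin Mode is enabled! You can use pass-the-hash to access RDP on this system.");
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                // Report the failure the same way the sibling checks do, so a skipped
                // check is visible in the output.
                Beaprint.PrintException(ex.Message);
            }
        }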
コード例 #20
        /// <summary>
        /// Prints the given user names in sorted order, one per line, as findings.
        /// </summary>
        /// <param name="users">Names to print; null prints nothing.</param>
        private static void PrintUsers(HashSet<string> users)
        {
            if (users != null)
            {
                // Sorted output keeps runs comparable; a HashSet has no defined order.
                string[] sortedNames = users.OrderBy(name => name).ToArray();

                for (int i = 0; i < sortedNames.Length; i++)
                {
                    Beaprint.BadPrint($"    {sortedNames[i]}");
                }
            }
        }
コード例 #21
        /// <summary>
        /// Prints one search hit according to its file settings and counts it against the
        /// listing limit.
        /// </summary>
        /// <param name="fileInfo">The matched file or folder.</param>
        /// <param name="fileSettings">Settings for the match; <c>type</c> is "f" for a file
        /// or "d" for a folder, and <c>just_list_file</c> selects listing only.</param>
        /// <param name="resultsCount">Running hit counter; incremented on every call.</param>
        /// <returns>False once the counter exceeds <c>ListFileLimit</c> (nothing is printed
        /// for that hit); true otherwise.</returns>
        private static bool ProcessResult(
            CustomFileInfo fileInfo,
            Helpers.YamlConfig.YamlConfig.SearchParameters.FileSettings fileSettings,
            ref int resultsCount)
        {
            // The counter advances even for hits that are suppressed by the limit.
            resultsCount += 1;
            if (resultsCount > ListFileLimit)
            {
                return false;
            }

            bool listOnly;

            if (fileSettings.type == "f")
            {
                var highlight = new Dictionary<string, string> { { fileInfo.Filename, Beaprint.ansi_color_bad } };
                Beaprint.AnsiPrint($"File: {fileInfo.FullPath}", highlight);

                listOnly = (bool)fileSettings.just_list_file;
                if (!listOnly)
                {
                    // Search the file's content as well as listing it.
                    GrepResult(fileInfo, fileSettings);
                }
            }
            else if (fileSettings.type == "d")
            {
                var highlight = new Dictionary<string, string> { { fileInfo.Filename, Beaprint.ansi_color_bad } };
                Beaprint.AnsiPrint($"Folder: {fileInfo.FullPath}", highlight);

                listOnly = (bool)fileSettings.just_list_file;
                if (listOnly)
                {
                    // Top level only: subdirectories are not descended into.
                    foreach (var childPath in Directory.GetFiles(fileInfo.FullPath, "*", SearchOption.TopDirectoryOnly))
                    {
                        Beaprint.BadPrint($"    {childPath}");
                    }
                }
                // A folder rule without just_list_file is not expected and prints nothing more.
            }

            return true;
        }
        /// <summary>
        /// Reports whether WDigest credential caching is switched on through the
        /// UseLogonCredential registry value. When it is, logon passwords can be held in
        /// LSASS memory in a recoverable form.
        /// </summary>
        /// <remarks>
        /// Only an explicit value of 1 is reported as active. On Windows versions that
        /// predate the change making WDigest caching off by default, an absent value can
        /// still mean caching is on; verify such hosts separately.
        /// </remarks>
        static void PrintWdigest()
        {
            Beaprint.MainPrint("Wdigest");
            Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");

            bool cachingEnabled =
                RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential") == "1";

            if (!cachingEnabled)
            {
                Beaprint.GoodPrint("    Wdigest is not enabled");
                return;
            }

            Beaprint.BadPrint("    Wdigest is active");
        }
        /// <summary>
        /// Reports whether LSA protection (LSASS running as a protected process) is
        /// configured through the RunAsPPL registry value. Active protection is the
        /// hardened state and is printed as a good result.
        /// </summary>
        static void PrintLSAProtection()
        {
            Beaprint.MainPrint("LSA Protection");
            Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");

            string runAsPpl = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL");

            // NOTE(review): only "1" counts as active here. Newer Windows releases also
            // document RunAsPPL = 2 (protection without the UEFI lock), which this check
            // would report as "not enabled" - confirm and extend if those hosts are in scope.
            bool protectionActive = runAsPpl == "1";

            if (!protectionActive)
            {
                Beaprint.BadPrint("    LSA Protection is not enabled");
                return;
            }

            Beaprint.GoodPrint("    LSA Protection is active");
        }
コード例 #24
 /// <summary>
 /// Prints the current clipboard text, if any, as a finding. Clipboard contents often
 /// include passwords copied from a password manager or a terminal.
 /// </summary>
 void PrintClipboardText()
 {
     try
     {
         Beaprint.MainPrint("Clipboard text");

         string clipboardText = UserInfoHelper.GetClipboardText();
         if (string.IsNullOrEmpty(clipboardText))
         {
             // Nothing on the clipboard: the section stays empty.
             return;
         }

         Beaprint.BadPrint(clipboardText);
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
 /// <summary>
 /// Prints the paths returned by <c>InterestingFiles.InterestingFiles.GetSAMBackups()</c>.
 /// A readable backup copy of the SAM and SYSTEM hives exposes local account hashes
 /// outside the protection applied to the live files, so each path is a finding.
 /// </summary>
 void PrintSAMBackups()
 {
     try
     {
         Beaprint.MainPrint("Looking for common SAM & SYSTEM backups");

         List<string> backupPaths = InterestingFiles.InterestingFiles.GetSAMBackups();
         for (int i = 0; i < backupPaths.Count; i++)
         {
             Beaprint.BadPrint("    " + backupPaths[i]);
         }
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }
コード例 #26
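        /// <summary>
        /// Prints every installed application returned by
        /// <c>InstalledApps.GetInstalledAppsPerms()</c>, highlighting the application folder
        /// and any subfolder on which permissions were recorded. A writable install folder
        /// lets a standard user replace binaries that other accounts run.
        /// </summary>
        /// <remarks>
        /// Fixed against the original listing: the "nothing found" test called ToString()
        /// on the dictionary, which yields the type name and is never empty, so that branch
        /// could not run; and a missing self-entry threw and ended the whole listing.
        /// </remarks>
        void PrintInstalledApps()
        {
            try
            {
                Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software", "Check if you can modify installed software");
                SortedDictionary<string, Dictionary<string, string>> installedAppsPerms = InstalledApps.GetInstalledAppsPerms();
                string format = "    ==>  {0} ({1})";

                foreach (KeyValuePair<string, Dictionary<string, string>> app in installedAppsPerms)
                {
                    // No recorded entries at all: nothing was found for this application.
                    if (app.Value == null || app.Value.Count == 0)
                    {
                        Beaprint.GoodPrint(app.Key);
                        continue;
                    }

                    // The application folder appears as an entry inside its own dictionary;
                    // check whether that entry carries permissions.
                    string rootPermissions;
                    app.Value.TryGetValue(app.Key, out rootPermissions);

                    if (string.IsNullOrEmpty(rootPermissions))
                    {
                        Beaprint.GoodPrint("    " + app.Key);
                    }
                    else
                    {
                        Beaprint.BadPrint(string.Format("    {0}({1})", app.Key, rootPermissions));
                        app.Value[app.Key] = ""; // Blank it so the loop below does not print it again.
                    }

                    // Report the remaining entries that carry permissions.
                    foreach (KeyValuePair<string, string> subfolder in app.Value)
                    {
                        if (!string.IsNullOrEmpty(subfolder.Value))
                        {
                            Beaprint.BadPrint(string.Format(format, subfolder.Key, subfolder.Value));
                        }
                    }
                }
                Console.WriteLine();
            }
            catch (Exception e)
            {
                Beaprint.PrintException(e.Message);
            }
        }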
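 /// <summary>
 /// Reports the WSUS server configured by policy and whether the client is told to use it.
 /// </summary>
 /// <remarks>
 /// A WSUS URL served over plain HTTP is flagged because update traffic is then not
 /// protected in transit; the remediation is to publish WSUS over HTTPS.
 /// WUServer lives in the WindowsUpdate policy key, while UseWUServer lives in its AU subkey.
 /// Any exception is reported through <c>Beaprint.PrintException</c> rather than propagated.
 /// </remarks>
 static void PrintWSUS()
 {
     try
     {
         Beaprint.MainPrint("Checking WSUS");
         Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus");
         string path            = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
         string path2           = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";

         // NOTE(review): GetRegValue is assumed to return null or "" for a missing value - confirm;
         // normalising to "" keeps the checks below from throwing on null.
         string HKLM_WSUS       = RegistryHelper.GetRegValue("HKLM", path, "WUServer") ?? "";
         // UseWUServer is stored under the AU subkey, not next to WUServer. Reading it from the
         // parent key would normally yield nothing and always fall into the "may work or not" branch.
         string using_HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path2, "UseWUServer") ?? "";

         // URL schemes are case-insensitive, so "HTTP://server" must be flagged as well.
         if (HKLM_WSUS.IndexOf("http://", StringComparison.OrdinalIgnoreCase) >= 0)
         {
             Beaprint.BadPrint("    WSUS is using http: " + HKLM_WSUS);
             Beaprint.InfoPrint("You can test https://github.com/pimps/wsuxploit to escalate privileges");
             if (using_HKLM_WSUS == "1")
             {
                 Beaprint.BadPrint("    And UseWUServer is equals to 1, so it is vulnerable!");
             }
             else if (using_HKLM_WSUS == "0")
             {
                 Beaprint.GoodPrint("    But UseWUServer is equals to 0, so it is not vulnerable!");
             }
             else
             {
                 // Missing or unexpected value: the finding cannot be confirmed either way.
                 System.Console.WriteLine("    But UseWUServer is equals to " + using_HKLM_WSUS + ", so it may work or not");
             }
         }
         else
         {
             if (string.IsNullOrEmpty(HKLM_WSUS))
             {
                 // No WSUS server configured by policy.
                 Beaprint.NotFoundPrint();
             }
             else
             {
                 Beaprint.GoodPrint("    WSUS value: " + HKLM_WSUS);
             }
         }
     }
     catch (Exception ex)
     {
         Beaprint.PrintException(ex.Message);
     }
 }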
 /// <summary>
 /// Prints every unattended-install file that was located, followed by the
 /// password entries extracted from it, one per line.
 /// </summary>
 /// <remarks>
 /// The output may contain secrets, so treat the resulting report as sensitive.
 /// Any exception is reported through <c>Beaprint.PrintException</c> and ends the check.
 /// </remarks>
 void PrintUnattendFiles()
 {
     try
     {
         Beaprint.MainPrint("Unattend Files");

         // No reference link is printed for this check.
         foreach (string answerFile in Unattended.GetUnattendedInstallFiles())
         {
             // Extraction runs before the path is printed: if it throws, only the
             // exception message is reported for this file.
             List<string> extracted = Unattended.ExtractUnattendedPwd(answerFile);

             Beaprint.BadPrint("    " + answerFile);
             System.Console.WriteLine(string.Join("\n", extracted));
         }
     }
     catch (Exception err)
     {
         Beaprint.PrintException(err.Message);
     }
 }
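        /// <summary>
        /// Reports the Winlogon CACHEDLOGONSCOUNT setting, which controls how many
        /// domain logons are cached locally.
        /// </summary>
        /// <remarks>
        /// A value above zero is printed as a finding; zero (caching disabled) is printed as good.
        /// Nothing is printed when the value is absent. Any exception is reported through
        /// <c>Beaprint.PrintException</c>, as the other checks in this file do.
        /// </remarks>
        static void PrintCachedCreds()
        {
            try
            {
                Beaprint.MainPrint("Cached Creds");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
                string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");

                if (string.IsNullOrEmpty(cachedlogonscount))
                {
                    return;
                }

                // The registry value is text; TryParse avoids an unhandled FormatException or
                // OverflowException on malformed or out-of-range data.
                int clc;
                if (!int.TryParse(cachedlogonscount.Trim(), out clc))
                {
                    Console.WriteLine("    cachedlogonscount has an unexpected value: " + cachedlogonscount);
                    return;
                }

                if (clc > 0)
                {
                    Beaprint.BadPrint("    cachedlogonscount is " + cachedlogonscount);
                }
                else
                {
                    // Zero means no logons are cached. The original printed this case as a
                    // finding too, which made both branches identical.
                    Beaprint.GoodPrint("    cachedlogonscount is " + cachedlogonscount);
                }
            }
            catch (Exception ex)
            {
                Beaprint.PrintException(ex.Message);
            }
        }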
        /// <summary>
        /// Lists, for every user folder, the Slack data directory and the well-known
        /// files inside it that exist on disk.
        /// </summary>
        /// <remarks>
        /// Only the existence of paths is reported; no file content is read here.
        /// <c>SlackBasePath</c> is defined elsewhere in the class; it is presumably the
        /// per-user relative path of the Slack data directory (verify against its declaration).
        /// </remarks>
        internal static void PrintInfo()
        {
            Beaprint.MainPrint("Slack files & directories");

            Beaprint.ColorPrint("  note: check manually if something is found", Beaprint.YELLOW);

            // Files of interest, relative to the Slack directory, in reporting order.
            string[] relativeFiles = { "Cookies", @"storage\slack-workspaces", @"storage\slack-downloads" };

            foreach (var profileDir in User.GetUsersFolders())
            {
                try
                {
                    var slackDir = Path.Combine(profileDir, SlackBasePath);
                    if (!Directory.Exists(slackDir))
                    {
                        continue;
                    }

                    Beaprint.BadPrint($"   Directory:       {slackDir}");

                    foreach (var relativeFile in relativeFiles)
                    {
                        var candidate = Path.Combine(slackDir, relativeFile);
                        if (File.Exists(candidate))
                        {
                            Beaprint.BadPrint($"   File:            {candidate}");
                        }
                    }
                }
                catch (Exception)
                {
                    // Best effort: a failure for one user folder is ignored so that the
                    // remaining folders are still examined.
                }
            }
        }