private void PrintListeningPortsTcpIPv6(Dictionary <int, Process> processesByPid)
{
try
{
Beaprint.ColorPrint(" Enumerating IPv6 connections\n", Beaprint.LBLUE);
string formatString = @"{0,-12} {1,-43} {2,-13} {3,-43} {4,-15} {5,-17} {6,-15} {7}";
Beaprint.NoColorPrint(
string.Format($"{formatString}\n", " Protocol", "Local Address", "Local Port", "Remote Address", "Remote Port", "State", "Process ID", "Process Name"));
foreach (var tcpConnectionInfo in NetworkInfoHelper.GetTcpConnections(IPVersion.IPv6, processesByPid))
{
Beaprint.AnsiPrint(
string.Format(formatString,
" TCP",
$"[{tcpConnectionInfo.LocalAddress}]",
tcpConnectionInfo.LocalPort,
$"[{tcpConnectionInfo.RemoteAddress}]",
tcpConnectionInfo.RemotePort,
tcpConnectionInfo.State.GetDescription(),
tcpConnectionInfo.ProcessId,
tcpConnectionInfo.ProcessName
),
colorsN);
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
internal static IEnumerable <CREDENTIAL> CredEnumerate()
{
int count;
IntPtr pCredentials;
var ret = Advapi32.CredEnumerate(null, 0, out count, out pCredentials);
if (ret == false)
{
string exceptionDetails = string.Format("Win32Exception: {0}", new Win32Exception(Marshal.GetLastWin32Error()).ToString());
Beaprint.NoColorPrint($" [!] Unable to enumerate credentials automatically, error: '{exceptionDetails}'");
Beaprint.NoColorPrint("Please run: ");
Beaprint.ColorPrint("cmdkey /list", Beaprint.ansi_color_yellow);
return(Enumerable.Empty <CREDENTIAL>());
}
var credentials = new IntPtr[count];
for (var n = 0; n < count; n++)
{
credentials[n] = Marshal.ReadIntPtr(pCredentials,
n * Marshal.SizeOf(typeof(IntPtr)));
}
return(credentials.Select(ptr => (CREDENTIAL)Marshal.PtrToStructure(ptr, typeof(CREDENTIAL))));
}
private void PrintListeningPortsUdpIPv6(Dictionary <int, Process> processesByPid)
{
try
{
Beaprint.ColorPrint(" Enumerating IPv6 connections\n", Beaprint.LBLUE);
string formatString = @"{0,-12} {1,-43} {2,-13} {3,-30} {4,-17} {5}";
Beaprint.NoColorPrint(
string.Format($"{formatString}\n", " Protocol", "Local Address", "Local Port", "Remote Address:Remote Port", "Process ID", "Process Name"));
foreach (var udpConnectionInfo in NetworkInfoHelper.GetUdpConnections(IPVersion.IPv6, processesByPid))
{
Beaprint.AnsiPrint(
string.Format(formatString,
" UDP",
$"[{udpConnectionInfo.LocalAddress}]",
udpConnectionInfo.LocalPort,
"*:*", // UDP does not have remote address/port
udpConnectionInfo.ProcessId,
udpConnectionInfo.ProcessName
),
colorsN);
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
public static void PrintAppLockerPolicy()
{
Beaprint.MainPrint("Checking AppLocker effective policy");
try
{
string[] ruleTypes = { "All" };
var appLockerSettings = SharpAppLocker.GetAppLockerPolicy(SharpAppLocker.PolicyType.Effective, ruleTypes, string.Empty, false, false);
Beaprint.NoColorPrint($" AppLockerPolicy version: {appLockerSettings.Version}\n listing rules:\n\n");
foreach (var rule in appLockerSettings.RuleCollection)
{
PrintFileHashRules(rule);
PrintFilePathRules(rule);
PrintFilePublisherRules(rule);
}
}
catch (COMException)
{
Beaprint.ColorPrint(" AppLocker unsupported on this Windows version.", Beaprint.ansi_color_yellow);
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintFilePublisherRules(AppLockerPolicyRuleCollection rule)
{
if (rule?.FilePublisherRule == null)
{
return;
}
foreach (var filePublisherRule in rule.FilePublisherRule)
{
Beaprint.GoodPrint($" File Publisher Rule\n");
Beaprint.NoColorPrint($" Rule Type: {rule.Type}\n" +
$" Enforcement Mode: {rule.EnforcementMode}\n" +
$" Name: {filePublisherRule.Name}\n" +
$" Description: {filePublisherRule.Description}\n" +
$" Action: {filePublisherRule.Action}");
var color = GetColorBySid(filePublisherRule.UserOrGroupSid);
Beaprint.ColorPrint($" User Or Group Sid: {filePublisherRule.UserOrGroupSid}\n", color);
Beaprint.GoodPrint($" Conditions");
foreach (var condition in filePublisherRule.Conditions)
{
Beaprint.NoColorPrint(
$" Binary Name: {condition.BinaryName}\n" +
$" Binary Version Range: ({condition.BinaryVersionRange.LowSection} - {condition.BinaryVersionRange.HighSection})\n" +
$" Product Name: {condition.ProductName}\n" +
$" Publisher Name: {condition.PublisherName}\n");
}
Beaprint.PrintLineSeparator();
}
}
private void PrintListeningPortsUdp(Dictionary <int, Process> processesByPid)
{
Beaprint.MainPrint("Current UDP Listening Ports");
Beaprint.LinkPrint("", "Check for services restricted from the outside");
PrintListeningPortsUdpIPv4(processesByPid);
Beaprint.ColorPrint("", Beaprint.NOCOLOR);
PrintListeningPortsUdpIPv6(processesByPid);
}
private static void PrintDotNetVersions()
{
try
{
Beaprint.MainPrint("Installed .NET versions\n");
var info = DotNet.GetDotNetInfo();
Beaprint.ColorPrint(" CLR Versions", Beaprint.LBLUE);
foreach (var version in info.ClrVersions)
{
Beaprint.NoColorPrint($" {version}");
}
Beaprint.ColorPrint("\n .NET Versions", Beaprint.LBLUE);
foreach (var version in info.DotNetVersions)
{
Beaprint.NoColorPrint($" {version}");
}
var colors = new Dictionary <string, string>
{
{ "True", Beaprint.ansi_color_good },
{ "False", Beaprint.ansi_color_bad },
};
Beaprint.ColorPrint("\n .NET & AMSI (Anti-Malware Scan Interface) support", Beaprint.LBLUE);
Beaprint.AnsiPrint($" .NET version supports AMSI : {info.IsAmsiSupportedByDotNet}\n" +
$" OS supports AMSI : {info.IsAmsiSupportedByOs}",
colors);
var highestVersion = info.HighestVersion;
var lowestVersion = info.LowestVersion;
if ((highestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion) && (highestVersion.Minor >= DotNetInfo.AmsiSupportedByDotNetMinMinorVersion))
{
Beaprint.NoColorPrint($" [!] The highest .NET version is enrolled in AMSI!");
}
if (
info.IsAmsiSupportedByOs &&
info.IsAmsiSupportedByDotNet &&
((
(lowestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion - 1)
) ||
((lowestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion) && (lowestVersion.Minor < DotNetInfo.AmsiSupportedByDotNetMinMinorVersion)))
)
{
Beaprint.NoColorPrint($" [-] You can invoke .NET version {lowestVersion.Major}.{lowestVersion.Minor} to bypass AMSI.");
}
}
catch (Exception e)
{
}
}
private static void PrintInternetSettings()
{
try
{
Beaprint.MainPrint("Enumerating Internet settings, zone and proxy configuration");
var info = InternetSettings.GetInternetSettingsInfo();
Beaprint.ColorPrint(" General Settings", Beaprint.LBLUE);
Beaprint.NoColorPrint($" {"Hive",-10} {"Key",-40} {"Value"}");
foreach (var i in info.GeneralSettings)
{
Beaprint.NoColorPrint($" {i.Hive,-10} {i.ValueName,-40} {i.Value}");
}
Beaprint.ColorPrint("\n Zone Maps", Beaprint.LBLUE);
if (info.ZoneMaps.Count == 0)
{
Beaprint.NoColorPrint(" No URLs configured");
}
else
{
Beaprint.NoColorPrint($" {"Hive",-10} {"Value Name",-40} {"Interpretation"}");
foreach (var i in info.ZoneMaps)
{
Beaprint.NoColorPrint($" {i.Hive,-10} {i.ValueName,-40} {i.Interpretation}");
}
}
Beaprint.ColorPrint("\n Zone Auth Settings", Beaprint.LBLUE);
if (info.ZoneAuthSettings.Count == 0)
{
Beaprint.NoColorPrint(" No Zone Auth Settings");
}
else
{
foreach (var i in info.ZoneAuthSettings)
{
Beaprint.NoColorPrint($" {i.Interpretation}");
}
}
}
catch (Exception ex)
{
}
}
private static void PrintRDPSettings()
{
try
{
Beaprint.MainPrint("Remote Desktop Server/Client Settings");
var info = Info.WindowsCreds.RemoteDesktop.GetRDPSettingsInfo();
var server = info.ServerSettings;
Beaprint.ColorPrint(" RDP Server Settings", Beaprint.LBLUE);
Beaprint.NoColorPrint($" Network Level Authentication : {server.NetworkLevelAuthentication}\n" +
$" Block Clipboard Redirection : {server.BlockClipboardRedirection}\n" +
$" Block COM Port Redirection : {server.BlockComPortRedirection}\n" +
$" Block Drive Redirection : {server.BlockDriveRedirection}\n" +
$" Block LPT Port Redirection : {server.BlockLptPortRedirection}\n" +
$" Block PnP Device Redirection : {server.BlockPnPDeviceRedirection}\n" +
$" Block Printer Redirection : {server.BlockPrinterRedirection}\n" +
$" Allow Smart Card Redirection : {server.AllowSmartCardRedirection}");
Beaprint.ColorPrint("\n RDP Client Settings", Beaprint.LBLUE);
Beaprint.NoColorPrint($" Disable Password Saving : {info.ClientSettings.DisablePasswordSaving}\n" +
$" Restricted Remote Administration : {info.ClientSettings.RestrictedRemoteAdministration}");
var type = info.ClientSettings.RestrictedRemoteAdministrationType;
if (type != null)
{
var str = GetDescriptionByType(type);
Beaprint.NoColorPrint($" Restricted Remote Administration Type: {str}");
}
var level = info.ClientSettings.ServerAuthLevel;
if (level != null)
{
var str = GetDescriptionByType(level);
Beaprint.NoColorPrint($" Server Authentication Level: {level} - {str}");
}
}
catch (Exception ex)
{
}
}
internal static void PrintInfo()
{
Beaprint.MainPrint("Slack files & directories");
Beaprint.ColorPrint(" note: check manually if something is found", Beaprint.YELLOW);
var userDirs = User.GetUsersFolders();
foreach (var userDir in userDirs)
{
try
{
var userSlackDir = Path.Combine(userDir, SlackBasePath);
if (Directory.Exists(userSlackDir))
{
Beaprint.BadPrint($" Directory: {userSlackDir}");
var userSlackCookiesFile = Path.Combine(userSlackDir, "Cookies");
if (File.Exists(userSlackCookiesFile))
{
Beaprint.BadPrint($" File: {userSlackCookiesFile}");
}
var userSlackWorkspacesPath = Path.Combine(userSlackDir, @"storage\slack-workspaces");
if (File.Exists(userSlackWorkspacesPath))
{
Beaprint.BadPrint($" File: {userSlackWorkspacesPath}");
}
var userSlackDownloadsPath = Path.Combine(userSlackDir, @"storage\slack-downloads");
if (File.Exists(userSlackDownloadsPath))
{
Beaprint.BadPrint($" File: {userSlackDownloadsPath}");
}
}
}
catch (Exception)
{
}
}
}
public virtual void PrintSavedCredentials()
{
Beaprint.MainPrint($"Showing saved credentials for {Name}");
var credentials = (GetSavedCredentials() ?? new List <CredentialModel>()).ToList();
if (credentials.Count == 0)
{
Beaprint.ColorPrint(" Info: if no credentials were listed, you might need to close the browser and try again.", Beaprint.ansi_color_yellow);
}
foreach (var credential in credentials)
{
if (!string.IsNullOrEmpty(credential.Username))
{
Beaprint.BadPrint($" Url: {credential.Url}\n" +
$" Username: {credential.Username}\n" +
$" Password: {credential.Password}\n ");
Beaprint.PrintLineSeparator();
}
}
}
private static void PrintFileHashRules(AppLockerPolicyRuleCollection rule)
{
if (rule?.FileHashRule == null)
{
return;
}
foreach (var fileHashRule in rule.FileHashRule)
{
Beaprint.GoodPrint($" File Hash Rule\n");
Beaprint.NoColorPrint(
$" Rule Type: {rule.Type}\n" +
$" Enforcement Mode: {rule.EnforcementMode}\n" +
$" Name: {fileHashRule.Name}\n" +
$" Description: {fileHashRule.Description}\n" +
$" Action: {fileHashRule.Action}");
var color = GetColorBySid(fileHashRule.UserOrGroupSid);
Beaprint.ColorPrint(
$" User Or Group Sid: {fileHashRule.UserOrGroupSid}\n", color);
Beaprint.GoodPrint($" Conditions");
foreach (var condition in fileHashRule.Conditions)
{
Beaprint.NoColorPrint(
$" Source File Name: {condition.FileHash.SourceFileName}\n" +
$" Data: {condition.FileHash.Data}\n" +
$" Source File Length: {condition.FileHash.SourceFileLength}\n" +
$" Type: {condition.FileHash.Type}\n");
}
Beaprint.PrintLineSeparator();
}
}
internal static void Run(string[] args)
{
//Check parameters
bool isAllChecks = true;
bool wait = false;
FileStream fileStream = null;
StreamWriter fileWriter = null;
TextWriter oldOut = Console.Out;
_systemChecks = new List <SystemCheck>
{
new SystemCheck("systeminfo", new SystemInfo()),
new SystemCheck("eventsinfo", new EventsInfo()),
new SystemCheck("userinfo", new UserInfo()),
new SystemCheck("processinfo", new ProcessInfo()),
new SystemCheck("servicesinfo", new ServicesInfo()),
new SystemCheck("applicationsinfo", new ApplicationsInfo()),
new SystemCheck("networkinfo", new NetworkInfo()),
new SystemCheck("windowscreds", new WindowsCreds()),
new SystemCheck("browserinfo", new BrowserInfo()),
new SystemCheck("filesinfo", new FilesInfo()),
new SystemCheck("fileAnalysis", new FileAnalysis())
};
var systemCheckAllKeys = new HashSet <string>(_systemChecks.Select(i => i.Key));
foreach (string arg in args)
{
if (string.Equals(arg, "--help", StringComparison.CurrentCultureIgnoreCase) ||
string.Equals(arg, "help", StringComparison.CurrentCultureIgnoreCase) ||
string.Equals(arg, "/h", StringComparison.CurrentCultureIgnoreCase) ||
string.Equals(arg, "-h", StringComparison.CurrentCultureIgnoreCase))
{
Beaprint.PrintUsage();
return;
}
if (arg.StartsWith("log", StringComparison.CurrentCultureIgnoreCase))
{
// get logfile argument if present
string logFile = DefaultLogFile;
var parts = arg.Split('=');
if (parts.Length == 2)
{
logFile = parts[1];
if (string.IsNullOrWhiteSpace(logFile))
{
Beaprint.PrintException("Please specify a valid log file.");
return;
}
}
try
{
fileStream = new FileStream(logFile, FileMode.OpenOrCreate, FileAccess.Write);
fileWriter = new StreamWriter(fileStream);
}
catch (Exception ex)
{
Beaprint.PrintException($"Cannot open \"{logFile}\" for writing:\n {ex.Message}");
return;
}
Beaprint.ColorPrint($"\"log\" argument present, redirecting output to file \"{logFile}\"", Beaprint.ansi_color_good);
Console.SetOut(fileWriter);
}
if (string.Equals(arg, "notcolor", StringComparison.CurrentCultureIgnoreCase))
{
IsNoColor = true;
}
if (string.Equals(arg, "quiet", StringComparison.CurrentCultureIgnoreCase))
{
Banner = false;
}
if (string.Equals(arg, "wait", StringComparison.CurrentCultureIgnoreCase))
{
wait = true;
}
if (string.Equals(arg, "debug", StringComparison.CurrentCultureIgnoreCase))
{
IsDebug = true;
}
if (string.Equals(arg, "domain", StringComparison.CurrentCultureIgnoreCase))
{
IsDomainEnumeration = true;
}
if (string.Equals(arg, "-lolbas", StringComparison.CurrentCultureIgnoreCase))
{
IsLolbas = true;
}
if (arg.StartsWith("-linpeas", StringComparison.CurrentCultureIgnoreCase))
{
IsLinpeas = true;
var parts = arg.Split('=');
if (parts.Length >= 2 && !string.IsNullOrEmpty(parts[1]))
{
LinpeasUrl = parts[1];
var isReachable = MyUtils.IsUrlReachable(LinpeasUrl);
if (!isReachable)
{
Beaprint.ColorPrint($" [!] the provided linpeas.sh url: '{LinpeasUrl}' is invalid / unreachable / returned empty response.", Beaprint.YELLOW);
return;
}
}
}
string argToLower = arg.ToLower();
if (systemCheckAllKeys.Contains(argToLower))
{
_systemCheckSelectedKeysHashSet.Add(argToLower);
isAllChecks = false;
}
}
try
{
CheckRunner.Run(() =>
{
//Start execution
if (IsNoColor)
{
Beaprint.DeleteColors();
}
else
{
CheckRegANSI();
}
Beaprint.PrintInit();
CheckRunner.Run(CreateDynamicLists, IsDebug);
RunChecks(isAllChecks, wait);
SearchHelper.CleanLists();
Beaprint.PrintMarketingBanner();
}, IsDebug, "Total time");
if (IsDebug)
{
MemoryHelper.DisplayMemoryStats();
}
}
finally
{
Console.SetOut(oldOut);
fileWriter?.Close();
fileStream?.Close();
}
}
void PrintWSLDistributions()
{
Beaprint.MainPrint("Looking for Linux shells/distributions - wsl.exe, bash.exe");
List <string> linuxShells = InterestingFiles.InterestingFiles.GetLinuxShells();
string hive = "HKCU";
string basePath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss";
const string linpeas = "linpeas.sh";
if (linuxShells.Any())
{
foreach (string path in linuxShells)
{
Beaprint.BadPrint(" " + path);
}
Beaprint.BadPrint("");
try
{
var wslKeys = RegistryHelper.GetRegSubkeys(hive, basePath);
if (wslKeys.Any())
{
const string distribution = "Distribution";
const string rootDirectory = "Root directory";
const string runWith = "Run command";
var colors = new Dictionary <string, string>();
new List <string>
{
linpeas,
distribution,
rootDirectory,
runWith
}.ForEach(str => colors.Add(str, Beaprint.ansi_color_bad));
Beaprint.BadPrint(" Found installed WSL distribution(s) - listed below");
Beaprint.AnsiPrint($" Run {linpeas} in your WSL distribution(s) home folder(s).\n", colors);
foreach (var wslKey in wslKeys)
{
try
{
string distributionSubKey = $"{basePath}\\{wslKey}";
string distributionRootDirectory = $"{RegistryHelper.GetRegValue(hive, distributionSubKey, "BasePath")}\\rootfs";
string distributionName = RegistryHelper.GetRegValue(hive, distributionSubKey, "DistributionName");
Beaprint.AnsiPrint($" {distribution}: \"{distributionName}\"\n" +
$" {rootDirectory}: \"{distributionRootDirectory}\"\n" +
$" {runWith}: wsl.exe --distribution \"{distributionName}\"",
colors);
Beaprint.PrintLineSeparator();
}
catch (Exception) { }
}
// try to run linpeas.sh in the default distribution
Beaprint.ColorPrint($" Running {linpeas} in the default distribution\n" +
$" Using linpeas.sh URL: {Checks.LinpeasUrl}", Beaprint.LBLUE);
if (Checks.IsLinpeas)
{
try
{
WSL.RunLinpeas(Checks.LinpeasUrl);
}
catch (Exception ex)
{
Beaprint.PrintException($" Unable to run linpeas.sh: {ex.Message}");
}
}
else
{
Beaprint.ColorPrint(" [!] Check skipped, if you want to run it, please specify '-linpeas=[url]' argument", Beaprint.YELLOW);
}
}
else
{
Beaprint.GoodPrint(" WSL - no installed Linux distributions found.");
}
}
catch (Exception) { }
}
}
private static void PrintFilePathRules(AppLockerPolicyRuleCollection rule)
{
if (rule?.FilePathRule == null)
{
return;
}
foreach (var filePathRule in rule.FilePathRule)
{
Beaprint.GoodPrint($" File Path Rule\n");
var normalizedName = NormalizePath(filePathRule.Name);
Beaprint.NoColorPrint($" Rule Type: {rule.Type}\n" +
$" Enforcement Mode: {rule.EnforcementMode}\n" +
$" Name: {filePathRule.Name}\n" +
$" Translated Name: {normalizedName}\n" +
$" Description: {filePathRule.Description}\n" +
$" Action: {filePathRule.Action}");
var color = GetColorBySid(filePathRule.UserOrGroupSid);
Beaprint.ColorPrint($" User Or Group Sid: {filePathRule.UserOrGroupSid}\n", color);
Beaprint.GoodPrint($" Conditions");
foreach (var condition in filePathRule.Conditions)
{
// print wildcards as red and continue
if (condition.Path == "*" || condition.Path == "*.*")
{
Beaprint.ColorPrint(
$" Path: {condition.Path}", Beaprint.ansi_color_bad);
continue;
}
Beaprint.NoColorPrint(
$" Path: {condition.Path}");
// TODO
// cache permissions in a dictionary
var normalizedPath = NormalizePath(condition.Path);
// it's a file rule
if (IsFilePath(normalizedPath))
{
// TODO
// load permissions from cache
// check file
CheckFileWriteAccess(normalizedPath);
// check directories
string directory = Path.GetDirectoryName(normalizedPath);
CheckDirectoryAndParentsWriteAccess(directory);
}
// it's a directory rule
else
{
// TODO
// load permissions from cache
// does the directory exists?
if (Directory.Exists(normalizedPath))
{
// can we write to the directory ?
var folderPermissions = PermissionsHelper.GetPermissionsFolder(normalizedPath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
// we can write
if (folderPermissions.Count > 0)
{
Beaprint.BadPrint($" Directory \"{normalizedPath}\" Permissions: " + string.Join(",", folderPermissions));
}
// we cannot write to the folder
else
{
// first check well known AppLocker bypass locations
if (_appLockerByPassDirectoriesByPath.ContainsKey(normalizedPath))
{
// iterate over applocker bypass directories and check them
foreach (var subfolders in _appLockerByPassDirectoriesByPath[normalizedPath])
{
var subfolderPermissions = PermissionsHelper.GetPermissionsFolder(subfolders, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
// we can write
if (subfolderPermissions.Count > 0)
{
Beaprint.BadPrint($" Directory \"{subfolders}\" Permissions: " + string.Join(",", subfolderPermissions));
break;
}
}
}
// the well-known bypass location does not contain the folder
// check file / subfolder write permissions
else
{
// start with the current directory
bool isFileOrSubfolderWriteAccess = CheckFilesAndSubfolders(normalizedPath, rule.Type, 0);
if (!isFileOrSubfolderWriteAccess)
{
Beaprint.ColorPrint($" No potential bypass found while recursively checking files/subfolders " +
$"for write or equivalent permissions with depth: {FolderCheckMaxDepth}\n" +
$" Check permissions manually.", Beaprint.YELLOW);
}
}
}
}
else
{
// do we have write access recursively for the parent folder(s)?
CheckDirectoryAndParentsWriteAccess(normalizedPath);
}
// TODO
// save to cache for faster next search
}
Beaprint.GoodPrint("");
}
Beaprint.PrintLineSeparator();
}
}
private static void PrintWindowsDefenderInfo()
{
Beaprint.MainPrint("Windows Defender configuration");
void DisplayDefenderSettings(WindowsDefenderSettings settings)
{
var pathExclusions = settings.PathExclusions;
var processExclusions = settings.ProcessExclusions;
var extensionExclusions = settings.ExtensionExclusions;
var asrSettings = settings.AsrSettings;
if (pathExclusions.Count != 0)
{
Beaprint.NoColorPrint("\n Path Exclusions:");
foreach (var path in pathExclusions)
{
Beaprint.NoColorPrint($" {path}");
}
}
if (pathExclusions.Count != 0)
{
Beaprint.NoColorPrint("\n PolicyManagerPathExclusions:");
foreach (var path in pathExclusions)
{
Beaprint.NoColorPrint($" {path}");
}
}
if (processExclusions.Count != 0)
{
Beaprint.NoColorPrint("\n Process Exclusions");
foreach (var process in processExclusions)
{
Beaprint.NoColorPrint($" {process}");
}
}
if (extensionExclusions.Count != 0)
{
Beaprint.NoColorPrint("\n Extension Exclusions");
foreach (var ext in extensionExclusions)
{
Beaprint.NoColorPrint($" {ext}");
}
}
if (asrSettings.Enabled)
{
Beaprint.NoColorPrint("\n Attack Surface Reduction Rules:\n");
Beaprint.NoColorPrint($" {"State",-10} Rule\n");
foreach (var rule in asrSettings.Rules)
{
string state;
if (rule.State == 0)
{
state = "Disabled";
}
else if (rule.State == 1)
{
state = "Blocked";
}
else if (rule.State == 2)
{
state = "Audited";
}
else
{
state = $"{rule.State} - Unknown";
}
var asrRule = _asrGuids.ContainsKey(rule.Rule.ToString())
? _asrGuids[rule.Rule.ToString()]
: $"{rule.Rule} - Please report this";
Beaprint.NoColorPrint($" {state,-10} {asrRule}");
}
if (asrSettings.Exclusions.Count > 0)
{
Beaprint.NoColorPrint("\n ASR Exclusions:");
foreach (var exclusion in asrSettings.Exclusions)
{
Beaprint.NoColorPrint($" {exclusion}");
}
}
}
}
try
{
var info = WindowsDefender.GetDefenderSettingsInfo();
Beaprint.ColorPrint(" Local Settings", Beaprint.LBLUE);
DisplayDefenderSettings(info.LocalSettings);
Beaprint.ColorPrint(" Group Policy Settings", Beaprint.LBLUE);
DisplayDefenderSettings(info.GroupPolicySettings);
}
catch (Exception e)
{
}
}
private static void PrintNtlmSettings()
{
Beaprint.MainPrint($"Enumerating NTLM Settings");
try
{
var info = Ntlm.GetNtlmSettingsInfo();
string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel >= 3 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
Beaprint.ColorPrint($" LanmanCompatibilityLevel : {info.LanmanCompatibilityLevel} ({info.LanmanCompatibilityLevelString})\n", lmCompatibilityLevelColor);
var ntlmSettingsColors = new Dictionary <string, string>
{
{ "True", Beaprint.ansi_color_good },
{ "False", Beaprint.ansi_color_bad },
{ "No signing", Beaprint.ansi_color_bad },
{ "null", Beaprint.ansi_color_bad },
{ "Require Signing", Beaprint.ansi_color_good },
{ "Negotiate signing", Beaprint.ansi_color_yellow },
{ "Unknown", Beaprint.ansi_color_bad },
};
Beaprint.ColorPrint("\n NTLM Signing Settings", Beaprint.LBLUE);
Beaprint.AnsiPrint($" ClientRequireSigning : {info.ClientRequireSigning}\n" +
$" ClientNegotiateSigning : {info.ClientNegotiateSigning}\n" +
$" ServerRequireSigning : {info.ServerRequireSigning}\n" +
$" ServerNegotiateSigning : {info.ServerNegotiateSigning}\n" +
$" LdapSigning : {(info.LdapSigning != null ? info.LdapSigningString : "null")} ({info.LdapSigningString})",
ntlmSettingsColors);
Beaprint.ColorPrint("\n Session Security", Beaprint.LBLUE);
if (info.NTLMMinClientSec != null)
{
var clientSessionSecurity = (SessionSecurity)info.NTLMMinClientSec;
var clientSessionSecurityDescription = clientSessionSecurity.GetDescription();
var color = !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !clientSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ?
Beaprint.ansi_color_bad :
Beaprint.ansi_color_good;
Beaprint.ColorPrint($" NTLMMinClientSec : {info.NTLMMinClientSec} ({clientSessionSecurityDescription})", color);
if (info.LanmanCompatibilityLevel < 3 && !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2))
{
Beaprint.BadPrint(" [!] NTLM clients support NTLMv1!");
}
}
if (info.NTLMMinServerSec != null)
{
var serverSessionSecurity = (SessionSecurity)info.NTLMMinServerSec;
var serverSessionSecurityDescription = serverSessionSecurity.GetDescription();
var color = !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !serverSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ?
Beaprint.ansi_color_bad :
Beaprint.ansi_color_good;
Beaprint.ColorPrint($" NTLMMinServerSec : {info.NTLMMinServerSec} ({serverSessionSecurityDescription})\n", color);
if (info.LanmanCompatibilityLevel < 3 && !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2))
{
Beaprint.BadPrint(" [!] NTLM services on this machine support NTLMv1!");
}
}
var ntlmOutboundRestrictionsColor = info.OutboundRestrictions == 2 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
Beaprint.ColorPrint("\n NTLM Auditing and Restrictions", Beaprint.LBLUE);
Beaprint.NoColorPrint($" InboundRestrictions : {info.InboundRestrictions} ({info.InboundRestrictionsString})");
Beaprint.ColorPrint($" OutboundRestrictions : {info.OutboundRestrictions} ({info.OutboundRestrictionsString})", ntlmOutboundRestrictionsColor);
Beaprint.NoColorPrint($" InboundAuditing : {info.InboundAuditing} ({info.InboundRestrictionsString})");
Beaprint.NoColorPrint($" OutboundExceptions : {info.OutboundExceptions}");
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
