private static void PrintSCClient() { try { Beaprint.MainPrint("Looking SSClient.exe"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm"); if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe"))) { Beaprint.BadPrint(" SCClient.exe was found in " + Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe DLL Side loading?")); } else { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
static void PrintUACInfo() { try { Beaprint.MainPrint("UAC Status"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC"); Dictionary <string, string> uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies(); Dictionary <string, string> colorsSI = new Dictionary <string, string>() { { badUAC, Beaprint.ansi_color_bad }, { goodUAC, Beaprint.ansi_color_good } }; Beaprint.DictPrint(uacDict, colorsSI, false); if ((uacDict["EnableLUA"] == "") || (uacDict["EnableLUA"] == "0")) { Beaprint.BadPrint(" [*] EnableLUA != 1, UAC policies disabled.\r\n [+] Any local account can be used for lateral movement."); } if ((uacDict["EnableLUA"] == "1") && (uacDict["LocalAccountTokenFilterPolicy"] == "1")) { Beaprint.BadPrint(" [*] LocalAccountTokenFilterPolicy set to 1.\r\n [+] Any local account can be used for lateral movement."); } if ((uacDict["EnableLUA"] == "1") && (uacDict["LocalAccountTokenFilterPolicy"] != "1") && (uacDict["FilterAdministratorToken"] != "1")) { Beaprint.GoodPrint(" [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.\r\n [-] Only the RID-500 local admin account can be used for lateral movement."); } if ((uacDict["EnableLUA"] == "1") && (uacDict["LocalAccountTokenFilterPolicy"] != "1") && (uacDict["FilterAdministratorToken"] == "1")) { Beaprint.GoodPrint(" [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken == 1.\r\n [-] No local accounts can be used for lateral movement."); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintHistBookChrome() { try { Beaprint.MainPrint("Looking for GET credentials in Chrome history"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); Dictionary <string, List <string> > chromeHistBook = Chrome.GetChromeHistBook(); List <string> history = chromeHistBook["history"]; List <string> bookmarks = chromeHistBook["bookmarks"]; if (history.Count > 0) { Dictionary <string, string> colorsB = new Dictionary <string, string>() { { Globals.PrintCredStrings, Beaprint.ansi_color_bad }, }; foreach (string url in history) { if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex)) { Beaprint.AnsiPrint(" " + url, colorsB); } } Console.WriteLine(); } else { Beaprint.NotFoundPrint(); } Beaprint.MainPrint("Chrome bookmarks"); Beaprint.ListPrint(bookmarks); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintRecycleBin() { try { //string pattern_bin = _patternsFileCreds + ";*password*;*credential*"; string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*"; Dictionary <string, string> colorF = new Dictionary <string, string>() { { _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad }, }; Beaprint.MainPrint("Looking inside the Recycle Bin for creds files"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files"); List <Dictionary <string, string> > recy_files = InterestingFiles.InterestingFiles.GetRecycleBin(); foreach (Dictionary <string, string> rec_file in recy_files) { foreach (string pattern in pattern_bin.Split(';')) { if (Regex.Match(rec_file["Name"], pattern.Replace("*", ".*"), RegexOptions.IgnoreCase).Success) { Beaprint.DictPrint(rec_file, colorF, true); System.Console.WriteLine(); } } } if (recy_files.Count <= 0) { Beaprint.NotFoundPrint(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
static void PrintCredentialGuard() { Beaprint.MainPrint("Credentials Guard"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory"); string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags"); if (lsaCfgFlags == "1") { System.Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator)."); Beaprint.GoodPrint(" CredentialGuard is active with UEFI lock"); } else if (lsaCfgFlags == "2") { System.Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator)."); Beaprint.GoodPrint(" CredentialGuard is active without UEFI lock"); } else { Beaprint.BadPrint(" CredentialGuard is not enabled"); } CredentialGuard.PrintInfo(); }
void PrintModifiableServices() { try { Beaprint.MainPrint("Modifiable Services"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can modify any service"); if (modifiableServices.Count > 0) { Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:"); Dictionary <string, string> colorsMS = new Dictionary <string, string>() { // modify { "AllAccess", Beaprint.ansi_color_bad }, { "ChangeConfig", Beaprint.ansi_color_bad }, { "WriteDac", Beaprint.ansi_color_bad }, { "WriteOwner", Beaprint.ansi_color_bad }, { "AccessSystemSecurity", Beaprint.ansi_color_bad }, { "GenericAll", Beaprint.ansi_color_bad }, { "GenericWrite (ChangeConfig)", Beaprint.ansi_color_bad }, // start/stop { "GenericExecute (Start/Stop)", Beaprint.ansi_color_yellow }, { "Start", Beaprint.ansi_color_yellow }, { "Stop", Beaprint.ansi_color_yellow }, }; Beaprint.DictPrint(modifiableServices, colorsMS, false, true); } else { Beaprint.GoodPrint(" You cannot modify any service"); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintBasicSystemInfo() { try { Beaprint.MainPrint("Basic System Information"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit"); Dictionary <string, string> basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo(); basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + basicDictSystem["Hotfixes"] + Beaprint.NOCOLOR; Dictionary <string, string> colorsSI = new Dictionary <string, string> { { Globals.StrTrue, Beaprint.ansi_color_bad }, }; Beaprint.DictPrint(basicDictSystem, colorsSI, false); System.Console.WriteLine(); Watson.FindVulns(); //To update Watson, update the CVEs and add the new ones and update the main function so it uses new CVEs (becausfull with the Beaprints inside the FindVulns function) //Usually you won't need to do anything with the classes Wmi, Vulnerability and VulnerabilityCollection } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintPathDllHijacking() { try { Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking", "Check for DLL Hijacking in PATH folders"); Dictionary <string, string> path_dllhijacking = ServicesInfoHelper.GetPathDLLHijacking(); foreach (KeyValuePair <string, string> entry in path_dllhijacking) { if (string.IsNullOrEmpty(entry.Value)) { Beaprint.GoodPrint(" " + entry.Key); } else { Beaprint.BadPrint(" (DLL Hijacking) " + entry.Key + ": " + entry.Value); } } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintHistFavIE() { try { Beaprint.MainPrint("Looking for GET credentials in IE history"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history"); Dictionary <string, List <string> > chromeHistBook = InternetExplorer.GetIEHistFav(); List <string> history = chromeHistBook["history"]; List <string> favorites = chromeHistBook["favorites"]; if (history.Count > 0) { Dictionary <string, string> colorsB = new Dictionary <string, string>() { { Globals.PrintCredStrings, Beaprint.ansi_color_bad }, }; foreach (string url in history) { if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex)) { Beaprint.AnsiPrint(" " + url, colorsB); } } Console.WriteLine(); } Beaprint.MainPrint("IE favorites"); Beaprint.ListPrint(favorites); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
private static void PrintAutoRuns() { try { Beaprint.MainPrint("Autorun Applications"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)"); List <Dictionary <string, string> > apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs); foreach (Dictionary <string, string> app in apps) { var colorsA = new Dictionary <string, string> { { "FolderPerms:.*", Beaprint.ansi_color_bad }, { "FilePerms:.*", Beaprint.ansi_color_bad }, { "(Unquoted and Space detected)", Beaprint.ansi_color_bad }, { "(PATH Injection)", Beaprint.ansi_color_bad }, { "RegPerms: .*", Beaprint.ansi_color_bad }, { (app["Folder"].Length > 0) ? app["Folder"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "ouigyevb2uivydi2u3id2ddf3", !string.IsNullOrEmpty(app["interestingFolderRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, { (app["File"].Length > 0) ? app["File"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "adu8v298hfubibuidiy2422r", !string.IsNullOrEmpty(app["interestingFileRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, { (app["Reg"].Length > 0) ? app["Reg"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "o8a7eduia37ibduaunbf7a4g7ukdhk4ua", (app["RegPermissions"].Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, }; string line = ""; if (!string.IsNullOrEmpty(app["Reg"])) { line += "\n RegPath: " + app["Reg"]; } if (app["RegPermissions"].Length > 0) { line += "\n RegPerms: " + app["RegPermissions"]; } if (!string.IsNullOrEmpty(app["RegKey"])) { line += "\n Key: " + app["RegKey"]; } if (!string.IsNullOrEmpty(app["Folder"])) { line += "\n Folder: " + app["Folder"]; } else { if (!string.IsNullOrEmpty(app["Reg"])) { line += "\n Folder: None (PATH Injection)"; } } if (!string.IsNullOrEmpty(app["interestingFolderRights"])) { line += "\n FolderPerms: " + app["interestingFolderRights"]; } string filepath_mod = app["File"].Replace("\"", "").Replace("'", ""); if (!string.IsNullOrEmpty(app["File"])) { line += "\n File: " + filepath_mod; } if (app["isUnquotedSpaced"].ToLower() == "true") { line += " (Unquoted and Space detected)"; } if (!string.IsNullOrEmpty(app["interestingFileRights"])) { line += "\n FilePerms: " + app["interestingFileRights"]; } Beaprint.AnsiPrint(line, colorsA); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }
void PrintInterestingProcesses() { try { Beaprint.MainPrint("Interesting Processes -non Microsoft-"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running"); List <Dictionary <string, string> > processesInfo = ProcessesInfo.GetProcInfo(); foreach (Dictionary <string, string> procInfo in processesInfo) { Dictionary <string, string> colorsP = new Dictionary <string, string>() { { " " + Checks.CurrentUserName, Beaprint.ansi_current_user }, { "Permissions:.*", Beaprint.ansi_color_bad }, { "Possible DLL Hijacking.*", Beaprint.ansi_color_bad }, }; if (DefensiveProcesses.Definitions.ContainsKey(procInfo["Name"])) { if (!string.IsNullOrEmpty(DefensiveProcesses.Definitions[procInfo["Name"]])) { procInfo["Product"] = DefensiveProcesses.Definitions[procInfo["Name"]]; } colorsP[procInfo["Product"]] = Beaprint.ansi_color_good; } else if (InterestingProcesses.Definitions.ContainsKey(procInfo["Name"])) { if (!string.IsNullOrEmpty(InterestingProcesses.Definitions[procInfo["Name"]])) { procInfo["Product"] = InterestingProcesses.Definitions[procInfo["Name"]]; } colorsP[procInfo["Product"]] = Beaprint.ansi_color_bad; } List <string> fileRights = PermissionsHelper.GetPermissionsFile(procInfo["ExecutablePath"], Checks.CurrentUserSiDs); List <string> dirRights = new List <string>(); if (procInfo["ExecutablePath"] != null && procInfo["ExecutablePath"] != "") { dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(procInfo["ExecutablePath"]), Checks.CurrentUserSiDs); } colorsP[procInfo["ExecutablePath"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") + "[^\"^']"] = (fileRights.Count > 0 || dirRights.Count > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good; string formString = " {0}({1})[{2}]"; if (procInfo["Product"] != null && procInfo["Product"].Length > 1) { formString += ": {3}"; } if (procInfo["Owner"].Length > 1) { formString += " -- POwn: {4}"; } if (procInfo["isDotNet"].Length > 1) { formString += " -- {5}"; } if (fileRights.Count > 0) { formString += "\n Permissions: {6}"; } if (dirRights.Count > 0) { formString += "\n Possible DLL Hijacking folder: {7} ({8})"; } if (procInfo["CommandLine"].Length > 1) { formString += "\n " + Beaprint.ansi_color_gray + "Command Line: {9}"; } Beaprint.AnsiPrint(string.Format(formString, procInfo["Name"], procInfo["ProcessID"], procInfo["ExecutablePath"], procInfo["Product"], procInfo["Owner"], procInfo["isDotNet"], string.Join(", ", fileRights), dirRights.Count > 0 ? Path.GetDirectoryName(procInfo["ExecutablePath"]) : "", string.Join(", ", dirRights), procInfo["CommandLine"]), colorsP); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.GrayPrint(ex.Message); } }
void PrintInterestingServices() { try { Beaprint.MainPrint("Interesting Services -non Microsoft-"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths"); List <Dictionary <string, string> > services_info = ServicesInfoHelper.GetNonstandardServices(); if (services_info.Count < 1) { services_info = ServicesInfoHelper.GetNonstandardServicesFromReg(); } foreach (Dictionary <string, string> serviceInfo in services_info) { List <string> fileRights = PermissionsHelper.GetPermissionsFile(serviceInfo["FilteredPath"], winPEAS.Checks.Checks.CurrentUserSiDs); List <string> dirRights = new List <string>(); if (serviceInfo["FilteredPath"] != null && serviceInfo["FilteredPath"] != "") { dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(serviceInfo["FilteredPath"]), winPEAS.Checks.Checks.CurrentUserSiDs); } bool noQuotesAndSpace = MyUtils.CheckQuoteAndSpace(serviceInfo["PathName"]); string formString = " {0}("; if (serviceInfo["CompanyName"] != null && serviceInfo["CompanyName"].Length > 1) { formString += "{1} - "; } if (serviceInfo["DisplayName"].Length > 1) { formString += "{2}"; } formString += ")"; if (serviceInfo["PathName"].Length > 1) { formString += "[{3}]"; } if (serviceInfo["StartMode"].Length > 1) { formString += " - {4}"; } if (serviceInfo["State"].Length > 1) { formString += " - {5}"; } if (serviceInfo["isDotNet"].Length > 1) { formString += " - {6}"; } if (noQuotesAndSpace) { formString += " - {7}"; } if (modifiableServices.ContainsKey(serviceInfo["Name"])) { if (modifiableServices[serviceInfo["Name"]] == "Start") { formString += "\n You can START this service"; } else { formString += "\n YOU CAN MODIFY THIS SERVICE: " + modifiableServices[serviceInfo["Name"]]; } } if (fileRights.Count > 0) { formString += "\n File Permissions: {8}"; } if (dirRights.Count > 0) { formString += "\n Possible DLL Hijacking in binary folder: {9} ({10})"; } if (serviceInfo["Description"].Length > 1) { formString += "\n " + Beaprint.ansi_color_gray + "{11}"; } { Dictionary <string, string> colorsS = new Dictionary <string, string>() { { "File Permissions:.*", Beaprint.ansi_color_bad }, { "Possible DLL Hijacking.*", Beaprint.ansi_color_bad }, { "No quotes and Space detected", Beaprint.ansi_color_bad }, { "YOU CAN MODIFY THIS SERVICE:.*", Beaprint.ansi_color_bad }, { " START ", Beaprint.ansi_color_bad }, { serviceInfo["PathName"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+"), (fileRights.Count > 0 || dirRights.Count > 0 || noQuotesAndSpace) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, }; Beaprint.AnsiPrint(string.Format(formString, serviceInfo["Name"], serviceInfo["CompanyName"], serviceInfo["DisplayName"], serviceInfo["PathName"], serviceInfo["StartMode"], serviceInfo["State"], serviceInfo["isDotNet"], "No quotes and Space detected", string.Join(", ", fileRights), dirRights.Count > 0 ? Path.GetDirectoryName(serviceInfo["FilteredPath"]) : "", string.Join(", ", dirRights), serviceInfo["Description"]), colorsS); } Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } }