/// <summary>
/// Prints the "Services Information" section. The list of services that
/// <c>ServicesInfoHelper.GetModifiableServices</c> reports for the current user's SIDs is
/// cached first, then every service check is executed through <c>CheckRunner.Run</c>.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to every <c>CheckRunner.Run</c> call.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("Services Information");

    // Resolve the modifiable services up front so that any later check can reuse the result.
    try
    {
        CheckRunner.Run(() =>
        {
            modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs);
        }, isDebug);
    }
    catch (Exception ex)
    {
        // The failure is reported, and the checks below still run.
        Beaprint.PrintException(ex.Message);
    }

    Action[] serviceChecks =
    {
        PrintInterestingServices,
        PrintModifiableServices,
        PrintWritableRegServices,
        PrintPathDllHijacking,
    };

    foreach (Action serviceCheck in serviceChecks)
    {
        CheckRunner.Run(serviceCheck, isDebug);
    }
}
/// <summary>
/// Prints the "Interesting files and registry" section by executing each file and registry
/// check, in the order listed, through <c>CheckRunner.Run</c>.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to every <c>CheckRunner.Run</c> call.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("Interesting files and registry");

    // Order is significant only for the output layout: checks run sequentially, top to bottom.
    Action[] fileChecks =
    {
        Putty.PrintInfo,
        SuperPutty.PrintInfo,
        PrintOffice365EndpointsSyncedByOneDrive,
        PrintCloudCreds,
        PrintUnattendFiles,
        PrintSAMBackups,
        PrintMcAffeSitelistFiles,
        PrintCachedGPPPassword,
        PrintPossCredsRegs,
        PrintUserCredsFiles,
        PrintOracleSQLDeveloperConfigFiles,
        Slack.PrintInfo,
        PrintLOLBAS,
        PrintOutlookDownloads,
        PrintMachineAndUserCertificateFiles,
        PrintUsersInterestingFiles,
        PrintUsersDocsKeys,
        PrintOfficeMostRecentFiles,
        PrintRecentFiles,
        PrintRecycleBin,
        PrintHiddenFilesAndFolders,
        PrintOtherUsersInterestingFiles,
        PrintExecutablesInNonDefaultFoldersWithWritePermissions,
        PrintWSLDistributions,
    };

    foreach (Action fileCheck in fileChecks)
    {
        CheckRunner.Run(fileCheck, isDebug);
    }
}
/// <summary>
/// Prints the "File Analysis" section, which consists of the single YAML-driven file search.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to <c>CheckRunner.Run</c>.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("File Analysis");

    // Only one check belongs to this section; it is still run through CheckRunner like the others.
    Action yamlFileSearch = PrintYAMLSearchFiles;
    CheckRunner.Run(yamlFileSearch, isDebug);
}
/// <summary>
/// Prints the "Processes Information" section, which consists of the single
/// interesting-processes check.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to <c>CheckRunner.Run</c>.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("Processes Information");

    // Only one check belongs to this section; it is still run through CheckRunner like the others.
    Action processCheck = PrintInterestingProcesses;
    CheckRunner.Run(processCheck, isDebug);
}
/// <summary>
/// Prints the "Browsers Information" section by running the <c>PrintInfo</c> method of each
/// supported browser implementation through <c>CheckRunner.Run</c>.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to every <c>CheckRunner.Run</c> call.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("Browsers Information");

    // All browser objects are created before the first one is run.
    IBrowser[] browsers =
    {
        new Firefox(),
        new Chrome(),
        new Opera(),
        new Brave(),
        new InternetExplorer(),
    };

    foreach (IBrowser browser in browsers)
    {
        CheckRunner.Run(browser.PrintInfo, isDebug);
    }
}
/// <summary>
/// Prints the "Interesting Events information" section by executing each event-log check,
/// in the order listed, through <c>CheckRunner.Run</c>.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to every <c>CheckRunner.Run</c> call.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("Interesting Events information");

    Action[] eventChecks =
    {
        PrintExplicitLogonEvents,
        PrintLogonEvents,
        PrintProcessCreationEvents,
        PrintPowerShellEvents,
        PowerOnEvents,
    };

    foreach (Action eventCheck in eventChecks)
    {
        CheckRunner.Run(eventCheck, isDebug);
    }
}
/// <summary>
/// Prints the "Applications Information" section by executing each application check,
/// in the order listed, through <c>CheckRunner.Run</c>.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to every <c>CheckRunner.Run</c> call.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("Applications Information");

    Action[] applicationChecks =
    {
        PrintActiveWindow,
        PrintInstalledApps,
        PrintAutoRuns,
        PrintScheduled,
        PrintDeviceDrivers,
    };

    foreach (Action applicationCheck in applicationChecks)
    {
        CheckRunner.Run(applicationCheck, isDebug);
    }
}
/// <summary>
/// Iterates the search entries of the YAML configuration that have <c>auto_check</c> set and
/// are not disabled for "winpeas", and runs the file/folder search for the entry named
/// "Wifi Connections" only; every other entry is skipped.
/// </summary>
/// <remarks>
/// NOTE(review): the outer catch is empty, so any exception raised while preparing or
/// iterating the search is discarded without any output.
/// </remarks>
private static void PrintYAMLSearchFiles()
{
    try
    {
        var allEntries = InitializeFileSearch();
        var directoryEntries = allEntries.Where(entry => entry.IsDirectory).ToList();
        var yaml = Checks.YamlConfig;
        var yamlDefaults = yaml.defaults; // read here, not used further in this method

        var enabledItems = yaml.search.Where(item =>
            item.value.config.auto_check &&
            (item.value.disable == null || !item.value.disable.Contains("winpeas")));

        foreach (var item in enabledItems)
        {
            // Hard-coded filter: only the "Wifi Connections" entry is processed.
            if (item.name != "Wifi Connections")
            {
                continue;
            }

            var searchName = item.name;
            var value = item.value;
            var itemConfig = value.config; // read here, not used further in this method
            bool somethingFound = false;

            CheckRunner.Run(() =>
            {
                int matchCount = 0;

                foreach (var fileEntry in value.files)
                {
                    // NOTE(review): ToLower() is culture-sensitive.
                    var loweredName = fileEntry.name.ToLower();
                    var settings = fileEntry.value;

                    // Type "f" is matched against every entry, anything else against directories only.
                    var candidates = settings.type == "f" ? allEntries : directoryEntries;

                    // Index 0 is read as the "search finished" flag, index 1 as the updated somethingFound value.
                    bool[] flags = Search(candidates, loweredName, settings, ref matchCount, searchName, somethingFound);
                    bool finished = flags[0];
                    somethingFound = flags[1];

                    if (finished)
                    {
                        break;
                    }
                }
            }, Checks.IsDebug);
        }
    }
    catch (Exception)
    {
    }
}
/// <summary>
/// Prints the "Network Information" section by executing each network check,
/// in the order listed, through <c>CheckRunner.Run</c>.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to every <c>CheckRunner.Run</c> call.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("Network Information");

    Action[] networkChecks =
    {
        PrintNetShares,
        PrintMappedDrivesWMI,
        PrintHostsFile,
        PrintNetworkIfaces,
        PrintListeningPorts,
        PrintFirewallRules,
        PrintDNSCache,
        PrintInternetSettings,
    };

    foreach (Action networkCheck in networkChecks)
    {
        CheckRunner.Run(networkCheck, isDebug);
    }
}
/// <summary>
/// Process entry point: hands the command-line arguments to a new <c>CheckRunner</c>.
/// </summary>
/// <param name="args">Command-line arguments, passed through unchanged.</param>
static void Main(string[] args)
{
    // Debugging aid only: to make the process wait for a debugger, temporarily add
    //     while (!Debugger.IsAttached) { Thread.Sleep(200); }
    // at this point.

    try
    {
        new CheckRunner().Run(args);
    }
    catch (Exception)
    {
        // Intentionally empty; the error(s) should be reported through MetaAutomation service.
    }
}
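/// <summary>
/// Runs the YAML-driven file analysis: for every search entry that has <c>auto_check</c> set
/// and is not disabled for "winpeas", the entry's file patterns are matched against the
/// collected files (type "f") or directories (any other type).
/// </summary>
/// <remarks>
/// A failure while preparing or iterating the search is reported through
/// <c>Beaprint.PrintException</c> instead of being discarded, so a scan that aborted early
/// cannot be mistaken for one that found nothing.
/// </remarks>
private static void PrintYAMLSearchFiles()
{
    try
    {
        var files = InitializeFileSearch();
        var folders = files.Where(f => f.IsDirectory).ToList();
        var config = Checks.YamlConfig;

        var searchItems = config.search.Where(i =>
            i.value.config.auto_check &&
            (i.value.disable == null || !i.value.disable.Contains("winpeas")));

        foreach (var searchItem in searchItems)
        {
            var searchName = searchItem.name;
            var value = searchItem.value;

            CheckRunner.Run(() =>
            {
                Beaprint.MainPrint($"Analyzing {searchName} Files (limit {ListFileLimit})");

                // Shared across all patterns of this entry; Search updates it by reference.
                int resultsCount = 0;

                foreach (var file in value.files)
                {
                    // NOTE(review): ToLower() is culture-sensitive; confirm how Search lower-cases
                    // candidate names before switching this to ToLowerInvariant().
                    var fileName = file.name.ToLower();
                    var fileSettings = file.value;
                    var itemsToSearch = fileSettings.type == "f" ? files : folders;

                    // Search returns true once the search for this entry is finished.
                    if (Search(itemsToSearch, fileName, fileSettings, ref resultsCount))
                    {
                        break;
                    }
                }
            }, Checks.IsDebug);
        }
    }
    catch (Exception e)
    {
        // Report the failure rather than swallowing it; the remaining sections still run.
        Beaprint.PrintException(e.Message);
    }
}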
/// <summary>
/// Process entry point: hands the command-line arguments to a new <c>CheckRunner</c> and
/// writes any exception that escapes it to the console.
/// </summary>
/// <param name="args">Command-line arguments, passed through unchanged.</param>
static void Main(string[] args)
{
    // DEBUG aid only: to make the process wait for a debugger, temporarily add
    //     while (!Debugger.IsAttached) { Thread.Sleep(200); }
    // at this point and do a complete rebuild.

    try
    {
        new CheckRunner().Run(args);
    }
    catch (Exception ex)
    {
        // Nothing beyond the console output; the error(s) should be reported through the
        // artifact from this process.
        Console.WriteLine(ex);
    }
}
/// <summary>
/// Runs one check, starting from an existing check run artifact (CRA) file, and saves the
/// artifact of the new run into the directory of the input file.
/// The original author intends this method to be run asynchronously as part of the
/// Task-based Asynchronous Pattern (TAP); the method body itself is synchronous.
/// </summary>
/// <param name="fullPathNameToCheckRunArtifact">Path and file name of the existing check run artifact; it is loaded as an XML document.</param>
/// <returns>The file name returned by <c>SaveCheckRunArtifact</c> for the new check run artifact.</returns>
public static string RunCheck(string fullPathNameToCheckRunArtifact)
{
    // NOTE(review): the argument is used as given, both as the XML source (XDocument.Load
    // accepts a URI as well as a local path) and to pick the output directory - confirm that
    // callers only pass trusted artifact locations.
    var previousArtifact = XDocument.Load(fullPathNameToCheckRunArtifact);
    var artifactDirectory = Path.GetDirectoryName(fullPathNameToCheckRunArtifact);

    // Derive the launch document for the new run from the previous artifact.
    var launchDocument = AssembleCheckRunLaunch(previousArtifact);

    // Execute the check and collect its artifact.
    var newArtifact = new CheckRunner().Run(launchDocument);

    // Persist the new artifact next to the previous one and hand back its file name.
    return SaveCheckRunArtifact(artifactDirectory, newArtifact);
}
/// <summary>
/// Prints the "Users Information" section by executing each user and session check,
/// in the order listed, through <c>CheckRunner.Run</c>.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to every <c>CheckRunner.Run</c> call.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("Users Information");

    Action[] userChecks =
    {
        PrintCU,
        PrintCurrentUserIdleTime,
        PrintCurrentTenantInfo,
        PrintTokenP,
        PrintClipboardText,
        PrintLoggedUsers,
        PrintLocalUsers,
        PrintRdpSessions,
        PrintEverLoggedUsers,
        PrintHomeFolders,
        PrintAutoLogin,
        PrintPasswordPolicies,
        PrintLogonSessions,
    };

    foreach (Action userCheck in userChecks)
    {
        CheckRunner.Run(userCheck, isDebug);
    }
}
/// <summary>
/// Prints the "System Information" section by executing each system configuration check,
/// in the order listed, through <c>CheckRunner.Run</c>.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to every <c>CheckRunner.Run</c> call.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("System Information");

    Action[] systemChecks =
    {
        PrintBasicSystemInfo,
        PrintMicrosoftUpdatesCOM,
        PrintSystemLastShutdownTime,
        PrintUserEV,
        PrintSystemEV,
        PrintAuditInfo,
        PrintAuditPoliciesInfo,
        PrintWEFInfo,
        PrintLAPSInfo,
        PrintWdigest,
        PrintLSAProtection,
        PrintCredentialGuard,
        PrintCachedCreds,
        PrintAVInfo,
        PrintWindowsDefenderInfo,
        PrintUACInfo,
        PrintPSInfo,
        PrintPowerShellSessionSettings,
        PrintTranscriptPS,
        PrintInetInfo,
        PrintDrivesInfo,
        PrintWSUS,
        PrintAlwaysInstallElevated,
        PrintLSAInfo,
        PrintNtlmSettings,
        PrintLocalGroupPolicy,
        AppLockerHelper.PrintAppLockerPolicy,
        PrintPrintersWMIInfo,
        PrintNamedPipes,
        PrintAMSIProviders,
        PrintSysmon,
        PrintDotNetVersions,
    };

    foreach (Action systemCheck in systemChecks)
    {
        CheckRunner.Run(systemCheck, isDebug);
    }
}
/// <summary>
/// Prints the "Windows Credentials" section by executing each credential-store check,
/// in the order listed, through <c>CheckRunner.Run</c>.
/// </summary>
/// <param name="isDebug">Forwarded unchanged to every <c>CheckRunner.Run</c> call.</param>
public void PrintInfo(bool isDebug)
{
    Beaprint.GreatPrint("Windows Credentials");

    Action[] credentialChecks =
    {
        PrintVaultCreds,
        PrintCredentialManager,
        PrintSavedRDPInfo,
        PrintRDPSettings,
        PrintRecentRunCommands,
        PrintDPAPIMasterKeys,
        PrintDpapiCredFiles,
        PrintRCManFiles,
        PrintKerberosTickets,
        // PrintKerberosTGTTickets is left out: marked by the author as not working.
        PrintWifi,
        PrintAppCmd,
        PrintSCClient,
        PrintSCCM,
        PrintSecurityPackagesCredentials,
    };

    foreach (Action credentialCheck in credentialChecks)
    {
        CheckRunner.Run(credentialCheck, isDebug);
    }
}
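/// <summary>
/// Parses the command-line arguments, optionally redirects console output to a log file,
/// and runs the selected system checks (all of them when no check name is given).
/// </summary>
/// <remarks>
/// Flags and check names are matched with ordinal, case-insensitive comparison, so the
/// result does not depend on the culture of the machine. The console writer is restored and
/// the log file is closed on every exit path, including the early returns taken while the
/// arguments are still being parsed.
/// </remarks>
/// <param name="args">
/// Command-line arguments: help (--help, help, /h, -h), log[=file], notcolor, quiet, wait,
/// debug, domain, -lolbas, -linpeas[=url], and the keys of the registered system checks.
/// </param>
internal static void Run(string[] args)
{
    const StringComparison flagComparison = StringComparison.OrdinalIgnoreCase;

    bool isAllChecks = true;
    bool wait = false;
    FileStream fileStream = null;
    StreamWriter fileWriter = null;
    TextWriter oldOut = Console.Out;

    _systemChecks = new List<SystemCheck>
    {
        new SystemCheck("systeminfo", new SystemInfo()),
        new SystemCheck("eventsinfo", new EventsInfo()),
        new SystemCheck("userinfo", new UserInfo()),
        new SystemCheck("processinfo", new ProcessInfo()),
        new SystemCheck("servicesinfo", new ServicesInfo()),
        new SystemCheck("applicationsinfo", new ApplicationsInfo()),
        new SystemCheck("networkinfo", new NetworkInfo()),
        new SystemCheck("windowscreds", new WindowsCreds()),
        new SystemCheck("browserinfo", new BrowserInfo()),
        new SystemCheck("filesinfo", new FilesInfo()),
        new SystemCheck("fileAnalysis", new FileAnalysis())
    };

    // Case-insensitive lookup from what the user typed to the key as registered above.
    // A lower-cased argument could never equal the mixed-case "fileAnalysis" key, so the
    // registered spelling is what gets stored in the selection set.
    // NOTE(review): presumably RunChecks compares the selection against SystemCheck.Key - confirm.
    var systemCheckKeys = _systemChecks.ToDictionary(
        check => check.Key,
        check => check.Key,
        StringComparer.OrdinalIgnoreCase);

    try
    {
        foreach (string arg in args)
        {
            if (string.Equals(arg, "--help", flagComparison) ||
                string.Equals(arg, "help", flagComparison) ||
                string.Equals(arg, "/h", flagComparison) ||
                string.Equals(arg, "-h", flagComparison))
            {
                Beaprint.PrintUsage();
                return;
            }

            // NOTE(review): any argument that merely starts with "log" enables logging.
            if (arg.StartsWith("log", flagComparison))
            {
                string logFile = DefaultLogFile;

                // Split on the first '=' only, so a path that itself contains '=' is kept whole.
                var parts = arg.Split(new[] { '=' }, 2);
                if (parts.Length == 2)
                {
                    logFile = parts[1];
                    if (string.IsNullOrWhiteSpace(logFile))
                    {
                        Beaprint.PrintException("Please specify a valid log file.");
                        return;
                    }
                }

                // A repeated "log" argument replaces the earlier redirection; release that file first.
                Console.SetOut(oldOut);
                fileWriter?.Close();
                fileStream?.Close();
                fileWriter = null;
                fileStream = null;

                try
                {
                    // NOTE(review): OpenOrCreate does not truncate, so a run that writes less than
                    // an earlier one leaves the tail of the older log in the file.
                    fileStream = new FileStream(logFile, FileMode.OpenOrCreate, FileAccess.Write);
                    fileWriter = new StreamWriter(fileStream);
                }
                catch (Exception ex)
                {
                    Beaprint.PrintException($"Cannot open \"{logFile}\" for writing:\n {ex.Message}");
                    return;
                }

                Beaprint.ColorPrint($"\"log\" argument present, redirecting output to file \"{logFile}\"", Beaprint.ansi_color_good);

                // From here on everything written to Console.Out lands in the log file.
                Console.SetOut(fileWriter);
            }

            if (string.Equals(arg, "notcolor", flagComparison))
            {
                IsNoColor = true;
            }

            if (string.Equals(arg, "quiet", flagComparison))
            {
                Banner = false;
            }

            if (string.Equals(arg, "wait", flagComparison))
            {
                wait = true;
            }

            if (string.Equals(arg, "debug", flagComparison))
            {
                IsDebug = true;
            }

            if (string.Equals(arg, "domain", flagComparison))
            {
                IsDomainEnumeration = true;
            }

            if (string.Equals(arg, "-lolbas", flagComparison))
            {
                IsLolbas = true;
            }

            if (arg.StartsWith("-linpeas", flagComparison))
            {
                IsLinpeas = true;

                // Split on the first '=' only: a URL with a query string contains further '='
                // characters and would otherwise be cut short.
                var parts = arg.Split(new[] { '=' }, 2);
                if (parts.Length == 2 && !string.IsNullOrEmpty(parts[1]))
                {
                    // The URL comes straight from the command line; only reachability is checked here.
                    LinpeasUrl = parts[1];

                    var isReachable = MyUtils.IsUrlReachable(LinpeasUrl);
                    if (!isReachable)
                    {
                        Beaprint.ColorPrint($" [!] the provided linpeas.sh url: '{LinpeasUrl}' is invalid / unreachable / returned empty response.", Beaprint.YELLOW);
                        return;
                    }
                }
            }

            // Naming at least one registered check switches from "run everything" to "run the selection".
            string registeredKey;
            if (systemCheckKeys.TryGetValue(arg, out registeredKey))
            {
                _systemCheckSelectedKeysHashSet.Add(registeredKey);
                isAllChecks = false;
            }
        }

        CheckRunner.Run(() =>
        {
            if (IsNoColor)
            {
                Beaprint.DeleteColors();
            }
            else
            {
                CheckRegANSI();
            }

            Beaprint.PrintInit();

            CheckRunner.Run(CreateDynamicLists, IsDebug);

            RunChecks(isAllChecks, wait);

            SearchHelper.CleanLists();

            Beaprint.PrintMarketingBanner();
        }, IsDebug, "Total time");

        if (IsDebug)
        {
            MemoryHelper.DisplayMemoryStats();
        }
    }
    finally
    {
        // Restore the console before closing the writer so nothing is written to a closed stream.
        Console.SetOut(oldOut);
        fileWriter?.Close();
        fileStream?.Close();
    }
}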