mirror of
https://github.com/peass-ng/PEASS-ng.git
synced 2026-01-19 00:06:10 -08:00
Compare commits
7 Commits
codex-pr-m
...
20260117-4
| Author | SHA1 | Date | |
|---|---|---|---|
|
9c49dfd2bb | ||
|
|
9acc2ef61d | ||
|
|
c447ca993d | ||
|
|
2f44379713 | ||
|
|
c14f9aeb30 | ||
|
|
aca58f36b9 | ||
|
|
3268701ed6 |
@@ -94,6 +94,7 @@ namespace winPEAS.Checks
|
||||
new SystemCheck("activedirectoryinfo", new ActiveDirectoryInfo()),
|
||||
new SystemCheck("cloudinfo", new CloudInfo()),
|
||||
new SystemCheck("windowscreds", new WindowsCreds()),
|
||||
new SystemCheck("registryinfo", new RegistryInfo()),
|
||||
new SystemCheck("browserinfo", new BrowserInfo()),
|
||||
new SystemCheck("filesinfo", new FilesInfo()),
|
||||
new SystemCheck("fileanalysis", new FileAnalysis()),
|
||||
|
||||
141
winPEAS/winPEASexe/winPEAS/Checks/RegistryInfo.cs
Normal file
141
winPEAS/winPEASexe/winPEAS/Checks/RegistryInfo.cs
Normal file
@@ -0,0 +1,141 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using winPEAS.Helpers;
|
||||
using winPEAS.Helpers.Registry;
|
||||
|
||||
namespace winPEAS.Checks
|
||||
{
|
||||
internal class RegistryInfo : ISystemCheck
|
||||
{
|
||||
private const string TypingInsightsRelativePath = @"Software\Microsoft\Input\TypingInsights";
|
||||
|
||||
private static readonly string[] KnownWritableSystemKeyCandidates = new[]
|
||||
{
|
||||
@"SOFTWARE\Microsoft\CoreShell",
|
||||
@"SOFTWARE\Microsoft\DRM",
|
||||
@"SOFTWARE\Microsoft\Input\Locales",
|
||||
@"SOFTWARE\Microsoft\Input\Settings",
|
||||
@"SOFTWARE\Microsoft\Shell\Oobe",
|
||||
@"SOFTWARE\Microsoft\Shell\Session",
|
||||
@"SOFTWARE\Microsoft\Tracing",
|
||||
@"SOFTWARE\Microsoft\Windows\UpdateApi",
|
||||
@"SOFTWARE\Microsoft\WindowsUpdate\UX",
|
||||
@"SOFTWARE\WOW6432Node\Microsoft\DRM",
|
||||
@"SOFTWARE\WOW6432Node\Microsoft\Tracing",
|
||||
@"SYSTEM\Software\Microsoft\TIP",
|
||||
@"SYSTEM\ControlSet001\Control\Cryptography\WebSignIn\Navigation",
|
||||
@"SYSTEM\ControlSet001\Control\MUI\StringCacheSettings",
|
||||
@"SYSTEM\ControlSet001\Control\USB\AutomaticSurpriseRemoval",
|
||||
@"SYSTEM\ControlSet001\Services\BTAGService\Parameters\Settings",
|
||||
};
|
||||
|
||||
private static readonly string[] ScanBasePaths = new[]
|
||||
{
|
||||
@"SOFTWARE\Microsoft",
|
||||
@"SOFTWARE\WOW6432Node\Microsoft",
|
||||
@"SYSTEM\CurrentControlSet\Services",
|
||||
@"SYSTEM\CurrentControlSet\Control",
|
||||
@"SYSTEM\ControlSet001\Control",
|
||||
};
|
||||
|
||||
public void PrintInfo(bool isDebug)
|
||||
{
|
||||
Beaprint.GreatPrint("Registry permissions for hive exploitation");
|
||||
|
||||
new List<Action>
|
||||
{
|
||||
PrintTypingInsightsPermissions,
|
||||
PrintKnownSystemWritableKeys,
|
||||
PrintHeuristicWritableKeys,
|
||||
}.ForEach(action => CheckRunner.Run(action, isDebug));
|
||||
}
|
||||
|
||||
private void PrintTypingInsightsPermissions()
|
||||
{
|
||||
Beaprint.MainPrint("Cross-user TypingInsights key (HKCU/HKU)");
|
||||
|
||||
var matches = new List<RegistryWritableKeyInfo>();
|
||||
var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
if (RegistryAclScanner.TryGetWritableKey("HKCU", TypingInsightsRelativePath, out var currentUserKey))
|
||||
{
|
||||
if (seen.Add(currentUserKey.FullPath))
|
||||
{
|
||||
matches.Add(currentUserKey);
|
||||
}
|
||||
}
|
||||
|
||||
foreach (var sid in RegistryHelper.GetUserSIDs())
|
||||
{
|
||||
if (string.IsNullOrEmpty(sid) || sid.Equals(".DEFAULT", StringComparison.OrdinalIgnoreCase) || sid.EndsWith("_Classes", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
string relativePath = $"{sid}\\{TypingInsightsRelativePath}";
|
||||
if (RegistryAclScanner.TryGetWritableKey("HKU", relativePath, out var info) && seen.Add(info.FullPath))
|
||||
{
|
||||
matches.Add(info);
|
||||
}
|
||||
}
|
||||
|
||||
if (matches.Count == 0)
|
||||
{
|
||||
Beaprint.GrayPrint(" [-] TypingInsights key does not grant write access to low-privileged groups.");
|
||||
return;
|
||||
}
|
||||
|
||||
PrintEntries(matches);
|
||||
Beaprint.LinkPrint("https://projectzero.google/2025/05/the-windows-registry-adventure-8-exploitation.html", "Writable TypingInsights enables cross-user hive tampering and DoS.");
|
||||
}
|
||||
|
||||
private void PrintKnownSystemWritableKeys()
|
||||
{
|
||||
Beaprint.MainPrint("Known HKLM descendants writable by standard users");
|
||||
|
||||
var matches = new List<RegistryWritableKeyInfo>();
|
||||
foreach (var path in KnownWritableSystemKeyCandidates)
|
||||
{
|
||||
if (RegistryAclScanner.TryGetWritableKey("HKLM", path, out var info))
|
||||
{
|
||||
matches.Add(info);
|
||||
}
|
||||
}
|
||||
|
||||
if (matches.Count == 0)
|
||||
{
|
||||
Beaprint.GrayPrint(" [-] None of the tracked HKLM keys are writable by low-privileged groups.");
|
||||
return;
|
||||
}
|
||||
|
||||
PrintEntries(matches);
|
||||
}
|
||||
|
||||
private void PrintHeuristicWritableKeys()
|
||||
{
|
||||
Beaprint.MainPrint("Sample of additional writable HKLM keys (depth-limited scan)");
|
||||
|
||||
var matches = RegistryAclScanner.ScanWritableKeys("HKLM", ScanBasePaths, maxDepth: 3, maxResults: 25);
|
||||
if (matches.Count == 0)
|
||||
{
|
||||
Beaprint.GrayPrint(" [-] No additional writable HKLM keys were found within the sampled paths.");
|
||||
return;
|
||||
}
|
||||
|
||||
PrintEntries(matches);
|
||||
Beaprint.GrayPrint(" [*] Showing up to 25 entries from the sampled paths to avoid noisy output.");
|
||||
}
|
||||
|
||||
private static void PrintEntries(IEnumerable<RegistryWritableKeyInfo> entries)
|
||||
{
|
||||
foreach (var entry in entries)
|
||||
{
|
||||
var principals = string.Join(", ", entry.Principals);
|
||||
var rights = entry.Rights.Count > 0 ? string.Join(", ", entry.Rights.Distinct(StringComparer.OrdinalIgnoreCase)) : "Write access";
|
||||
var displayPath = string.IsNullOrEmpty(entry.FullPath) ? $"{entry.Hive}\\{entry.RelativePath}" : entry.FullPath;
|
||||
Beaprint.BadPrint($" [!] {displayPath} -> {principals} ({rights})");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -132,6 +132,7 @@ namespace winPEAS.Helpers
|
||||
Console.WriteLine(LCYAN + " activedirectoryinfo" + GRAY + " Quick AD checks (gMSA readable passwords, AD CS template rights)" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " cloudinfo" + GRAY + " Enumerate cloud information" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " windowscreds" + GRAY + " Search windows credentials" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " registryinfo" + GRAY + " Flag writable HKLM/HKU keys that enable hive tampering" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " browserinfo" + GRAY + " Search browser information" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " fileanalysis" + GRAY + " [NOT RUN BY DEFAULT] Search specific files that can contains credentials and for regexes inside files. Might take several minutes." + NOCOLOR);
|
||||
|
||||
@@ -0,0 +1,221 @@
|
||||
using Microsoft.Win32;
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using System.Security.AccessControl;
|
||||
using System.Security.Principal;
|
||||
using winPEAS.Helpers;
|
||||
|
||||
namespace winPEAS.Helpers.Registry
|
||||
{
|
||||
internal class RegistryWritableKeyInfo
|
||||
{
|
||||
public string Hive { get; set; }
|
||||
public string RelativePath { get; set; }
|
||||
public string FullPath { get; set; }
|
||||
public List<string> Principals { get; set; } = new List<string>();
|
||||
public List<string> Rights { get; set; } = new List<string>();
|
||||
}
|
||||
|
||||
internal static class RegistryAclScanner
|
||||
{
|
||||
private static readonly Dictionary<string, string> LowPrivSidMap = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
|
||||
{
|
||||
{ new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null).Value, "BUILTIN\\Users" },
|
||||
{ new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null).Value, "Authenticated Users" },
|
||||
{ new SecurityIdentifier(WellKnownSidType.WorldSid, null).Value, "Everyone" },
|
||||
{ new SecurityIdentifier(WellKnownSidType.InteractiveSid, null).Value, "Interactive" },
|
||||
{ new SecurityIdentifier(WellKnownSidType.BuiltinGuestsSid, null).Value, "BUILTIN\\Guests" },
|
||||
};
|
||||
|
||||
public static bool TryGetWritableKey(string hive, string relativePath, out RegistryWritableKeyInfo info)
|
||||
{
|
||||
info = null;
|
||||
using (var key = OpenKey(hive, relativePath))
|
||||
{
|
||||
if (key == null)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return TryCollectWritableInfo(hive, relativePath, key, out info);
|
||||
}
|
||||
}
|
||||
|
||||
public static List<RegistryWritableKeyInfo> ScanWritableKeys(string hive, IEnumerable<string> basePaths, int maxDepth, int maxResults)
|
||||
{
|
||||
var results = new List<RegistryWritableKeyInfo>();
|
||||
var seenPaths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
foreach (var basePath in basePaths ?? Enumerable.Empty<string>())
|
||||
{
|
||||
if (results.Count >= maxResults)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
using (var key = OpenKey(hive, basePath))
|
||||
{
|
||||
if (key == null)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
Traverse(hive, key, basePath, 0, maxDepth, maxResults, seenPaths, results);
|
||||
}
|
||||
}
|
||||
|
||||
return results;
|
||||
}
|
||||
|
||||
private static void Traverse(string hive, RegistryKey currentKey, string currentPath, int depth, int maxDepth, int maxResults, HashSet<string> seenPaths, List<RegistryWritableKeyInfo> results)
|
||||
{
|
||||
if (currentKey == null || results.Count >= maxResults)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if (TryCollectWritableInfo(hive, currentPath, currentKey, out var info))
|
||||
{
|
||||
if (seenPaths.Add(info.FullPath))
|
||||
{
|
||||
results.Add(info);
|
||||
}
|
||||
|
||||
if (results.Count >= maxResults)
|
||||
{
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
if (depth >= maxDepth)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
string[] subKeys;
|
||||
try
|
||||
{
|
||||
subKeys = currentKey.GetSubKeyNames();
|
||||
}
|
||||
catch
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
foreach (var subKeyName in subKeys)
|
||||
{
|
||||
if (results.Count >= maxResults)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
using (var childKey = currentKey.OpenSubKey(subKeyName))
|
||||
{
|
||||
if (childKey == null)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
string childPath = string.IsNullOrEmpty(currentPath) ? subKeyName : $"{currentPath}\\{subKeyName}";
|
||||
Traverse(hive, childKey, childPath, depth + 1, maxDepth, maxResults, seenPaths, results);
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
// Ignore keys we cannot open
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static bool TryCollectWritableInfo(string hive, string relativePath, RegistryKey key, out RegistryWritableKeyInfo info)
|
||||
{
|
||||
info = null;
|
||||
|
||||
try
|
||||
{
|
||||
var acl = key.GetAccessControl(AccessControlSections.Access);
|
||||
|
||||
var principals = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
|
||||
var rights = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
foreach (RegistryAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
|
||||
{
|
||||
if (rule.AccessControlType != AccessControlType.Allow)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var sid = rule.IdentityReference as SecurityIdentifier ?? rule.IdentityReference.Translate(typeof(SecurityIdentifier)) as SecurityIdentifier;
|
||||
if (sid == null)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!LowPrivSidMap.TryGetValue(sid.Value, out var label))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
string interestingRight = PermissionsHelper.PermInt2Str((int)rule.RegistryRights, PermissionType.WRITEABLE_OR_EQUIVALENT_REG);
|
||||
if (string.IsNullOrEmpty(interestingRight))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
principals.Add($"{label} ({sid.Value})");
|
||||
rights.Add(interestingRight);
|
||||
}
|
||||
|
||||
if (principals.Count == 0)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
string normalizedRelativePath = relativePath ?? string.Empty;
|
||||
string fullPath = string.IsNullOrEmpty(normalizedRelativePath) ? key.Name : $"{hive}\\{normalizedRelativePath}";
|
||||
|
||||
info = new RegistryWritableKeyInfo
|
||||
{
|
||||
Hive = hive,
|
||||
RelativePath = normalizedRelativePath,
|
||||
FullPath = fullPath,
|
||||
Principals = principals.ToList(),
|
||||
Rights = rights.ToList(),
|
||||
};
|
||||
return true;
|
||||
}
|
||||
catch
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private static RegistryKey OpenKey(string hive, string path)
|
||||
{
|
||||
if (string.IsNullOrEmpty(path))
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
RegistryKey baseKey = hive switch
|
||||
{
|
||||
"HKLM" => Microsoft.Win32.Registry.LocalMachine,
|
||||
"HKCU" => Microsoft.Win32.Registry.CurrentUser,
|
||||
"HKU" => Microsoft.Win32.Registry.Users,
|
||||
_ => null,
|
||||
};
|
||||
|
||||
return baseKey?.OpenSubKey(path);
|
||||
}
|
||||
catch
|
||||
{
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1201,6 +1201,7 @@
|
||||
<Compile Include="Checks\SystemInfo.cs" />
|
||||
<Compile Include="Checks\UserInfo.cs" />
|
||||
<Compile Include="Checks\WindowsCreds.cs" />
|
||||
<Compile Include="Checks\RegistryInfo.cs" />
|
||||
<Compile Include="Helpers\AppLocker\AppLockerHelper.cs" />
|
||||
<Compile Include="Helpers\AppLocker\AppLockerRules.cs" />
|
||||
<Compile Include="Helpers\AppLocker\IAppIdPolicyHandler.cs" />
|
||||
@@ -1469,6 +1470,7 @@
|
||||
<Compile Include="Helpers\CheckRunner.cs" />
|
||||
<Compile Include="Helpers\ReflectionHelper.cs" />
|
||||
<Compile Include="Helpers\Registry\RegistryHelper.cs" />
|
||||
<Compile Include="Helpers\Registry\RegistryAclScanner.cs" />
|
||||
<Compile Include="Helpers\Search\SearchHelper.cs" />
|
||||
<Compile Include="Wifi\Wifi.cs" />
|
||||
<Compile Include="Wifi\NativeWifiApi\Interop.cs" />
|
||||
|
||||
Reference in New Issue
Block a user