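    def dumptab_installed_software(self):
        """Print one "installed_software" tab line per entry under the HKLM Uninstall key.

        Each Uninstall subkey contributes DisplayName, Publisher, DisplayVersion and
        InstallDate; subkeys without a DisplayName are skipped.  When this process is
        WoW64 (32-bit Python on 64-bit Windows) the registry redirector hides the
        native 64-bit Uninstall key, so the key is read a second time through the
        64-bit view (``view=64``) and those entries are printed too.

        Change from the original: the WoW64 pass no longer sits inside the
        ``is_present()`` branch of the 32-bit pass, so a missing 32-bit view does not
        silently skip the 64-bit inventory.
        """
        # Raw string: in a non-raw literal ``\U`` / ``\C`` are escape sequences
        # (a hard SyntaxError under Python 3), and the bytes are identical here.
        uninstall_path = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall'
        self._dump_uninstall_entries(regkey(uninstall_path))

        if process(os.getpid()).is_wow64():
            print '[+] Checking installed software (WoW64 enabled)'
            self._dump_uninstall_entries(regkey(uninstall_path, view=64))

    def _dump_uninstall_entries(self, uninstall):
        """Emit an "installed_software" tab line for each subkey of ``uninstall``.

        ``uninstall`` is a regkey object.  An absent key is silently skipped so the
        caller can probe both registry views without checking first; subkeys with
        no DisplayName are skipped as well (they are not user-visible products).
        """
        if not uninstall.is_present():
            return
        for subkey in uninstall.get_subkeys():
            name = subkey.get_value("DisplayName")
            if not name:
                continue
            print wpc.utils.tab_line("info", "installed_software",
                                     name,
                                     subkey.get_value("Publisher"),
                                     subkey.get_value("DisplayVersion"),
                                     subkey.get_value("InstallDate"))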
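    def get_all(self):
        """Return this container's process objects, enumerating them on first call.

        The result is cached in ``self.processes``; later calls return it as-is.
        Enumeration runs three passes over the same PID set:

          1. ``win32process.EnumProcesses()``: one ``process`` object per PID,
             registered through ``self.add()``.
          2. ``win32ts.WTSEnumerateProcesses()`` (best effort: if the call raises,
             e.g. for lack of rights, the WTS fields simply stay unset): session
             id, name and owning SID per PID.
          3. A Toolhelp32 snapshot (``_annotate_short_names``): short exe name
             per PID.

        A PID that disappears between passes is not found by ``find_by_pid()``
        and is skipped -- a normal race, not an error.
        """
        if not self.processes:
            pids = win32process.EnumProcesses()
            try:
                proc_infos = win32ts.WTSEnumerateProcesses(
                    wpc.conf.remote_server, 1, 0)
            except Exception:
                # Keep going without WTS data rather than aborting the whole
                # enumeration.  (The original bare ``except:`` also swallowed
                # KeyboardInterrupt/SystemExit.)
                proc_infos = []

            for pid in pids:
                self.add(process(pid))

            # Tuple layout as consumed by the original: (session id, pid, name, sid).
            for proc_info in proc_infos:
                p = self.find_by_pid(proc_info[1])
                if p:  # may have exited already - race condition
                    p.set_wts_session_id(proc_info[0])
                    p.set_wts_name(proc_info[2])
                    if proc_info[3]:  # sometimes None
                        p.set_wts_sid(principal(proc_info[3]))

            self._annotate_short_names()

        return self.processes

    def _annotate_short_names(self):
        """Set each known process's short exe name from a Toolhelp32 snapshot.

        See http://msdn2.microsoft.com/en-us/library/ms686701.aspx.  Failure to
        take the snapshot or to read its first entry is tolerated: short names
        just stay unset.  The snapshot handle is always closed.
        """
        TH32CS_SNAPPROCESS = 0x00000002
        INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

        # A private WinDLL instance so the argtypes/restype set below do not leak
        # into other users of the shared ``ctypes.windll.kernel32`` cache.
        kernel32 = ctypes.WinDLL('kernel32')
        CreateToolhelp32Snapshot = kernel32.CreateToolhelp32Snapshot
        Process32First = kernel32.Process32First
        Process32Next = kernel32.Process32Next
        CloseHandle = kernel32.CloseHandle
        # HANDLE is pointer-sized.  ctypes' default (C int) truncates it on 64-bit
        # Python, so declare the handle-carrying parameters and result explicitly.
        CreateToolhelp32Snapshot.restype = ctypes.c_void_p
        Process32First.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
        Process32Next.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
        CloseHandle.argtypes = [ctypes.c_void_p]

        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
        if hProcessSnap is None or hProcessSnap == INVALID_HANDLE_VALUE:
            return  # snapshot failed; nothing to annotate (and nothing to close)
        try:
            pe32 = PROCESSENTRY32()
            pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
            ok = Process32First(hProcessSnap, ctypes.byref(pe32))
            while ok != win32con.FALSE:
                p = self.find_by_pid(pe32.th32ProcessID)
                if p:  # may have exited already - race condition
                    p.set_short_name(pe32.szExeFile)
                ok = Process32Next(hProcessSnap, ctypes.byref(pe32))
        finally:
            CloseHandle(hProcessSnap)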
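    def get_all(self):
        """Return this container's process objects, enumerating them on first call.

        The result is cached in ``self.processes``; later calls return it as-is.
        Enumeration runs three passes over the same PID set:

          1. ``win32process.EnumProcesses()``: one ``process`` object per PID,
             registered through ``self.add()``.
          2. ``win32ts.WTSEnumerateProcesses()`` (best effort: if the call raises,
             e.g. for lack of rights, the WTS fields simply stay unset): session
             id, name and owning SID per PID.
          3. A Toolhelp32 snapshot (``_annotate_short_names``): short exe name
             per PID.

        A PID that disappears between passes is not found by ``find_by_pid()``
        and is skipped -- a normal race, not an error.
        """
        if not self.processes:
            pids = win32process.EnumProcesses()
            try:
                proc_infos = win32ts.WTSEnumerateProcesses(
                    wpc.conf.remote_server, 1, 0)
            except Exception:
                # Keep going without WTS data rather than aborting the whole
                # enumeration.  (The original bare ``except:`` also swallowed
                # KeyboardInterrupt/SystemExit.)
                proc_infos = []

            for pid in pids:
                self.add(process(pid))

            # Tuple layout as consumed by the original: (session id, pid, name, sid).
            for proc_info in proc_infos:
                p = self.find_by_pid(proc_info[1])
                if p:  # may have exited already - race condition
                    p.set_wts_session_id(proc_info[0])
                    p.set_wts_name(proc_info[2])
                    if proc_info[3]:  # sometimes None
                        p.set_wts_sid(principal(proc_info[3]))

            self._annotate_short_names()

        return self.processes

    def _annotate_short_names(self):
        """Set each known process's short exe name from a Toolhelp32 snapshot.

        See http://msdn2.microsoft.com/en-us/library/ms686701.aspx.  Failure to
        take the snapshot or to read its first entry is tolerated: short names
        just stay unset.  The snapshot handle is always closed.
        """
        TH32CS_SNAPPROCESS = 0x00000002
        INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

        # A private WinDLL instance so the argtypes/restype set below do not leak
        # into other users of the shared ``ctypes.windll.kernel32`` cache.
        kernel32 = ctypes.WinDLL('kernel32')
        CreateToolhelp32Snapshot = kernel32.CreateToolhelp32Snapshot
        Process32First = kernel32.Process32First
        Process32Next = kernel32.Process32Next
        CloseHandle = kernel32.CloseHandle
        # HANDLE is pointer-sized.  ctypes' default (C int) truncates it on 64-bit
        # Python, so declare the handle-carrying parameters and result explicitly.
        CreateToolhelp32Snapshot.restype = ctypes.c_void_p
        Process32First.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
        Process32Next.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
        CloseHandle.argtypes = [ctypes.c_void_p]

        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
        if hProcessSnap is None or hProcessSnap == INVALID_HANDLE_VALUE:
            return  # snapshot failed; nothing to annotate (and nothing to close)
        try:
            pe32 = PROCESSENTRY32()
            pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
            ok = Process32First(hProcessSnap, ctypes.byref(pe32))
            while ok != win32con.FALSE:
                p = self.find_by_pid(pe32.th32ProcessID)
                if p:  # may have exited already - race condition
                    p.set_short_name(pe32.szExeFile)
                ok = Process32Next(hProcessSnap, ctypes.byref(pe32))
        finally:
            CloseHandle(hProcessSnap)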
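 def dumptab_installed_software(self):
     """Print one "installed_software" tab line per entry under the HKLM Uninstall key.

     Each Uninstall subkey contributes DisplayName, Publisher, DisplayVersion and
     InstallDate; subkeys without a DisplayName are skipped.  When this process is
     WoW64 (32-bit Python on 64-bit Windows) the registry redirector hides the
     native 64-bit Uninstall key, so the key is read a second time through the
     64-bit view (``view=64``) and those entries are printed too.

     Change from the original: the WoW64 pass no longer sits inside the
     ``is_present()`` branch of the 32-bit pass, so a missing 32-bit view does not
     silently skip the 64-bit inventory.
     """
     # Raw string: in a non-raw literal ``\U`` / ``\C`` are escape sequences
     # (a hard SyntaxError under Python 3), and the bytes are identical here.
     uninstall_path = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall'
     self._dump_uninstall_entries(regkey(uninstall_path))

     if process(os.getpid()).is_wow64():
         print '[+] Checking installed software (WoW64 enabled)'
         self._dump_uninstall_entries(regkey(uninstall_path, view=64))

 def _dump_uninstall_entries(self, uninstall):
     """Emit an "installed_software" tab line for each subkey of ``uninstall``.

     ``uninstall`` is a regkey object.  An absent key is silently skipped so the
     caller can probe both registry views without checking first; subkeys with
     no DisplayName are skipped as well (they are not user-visible products).
     """
     if not uninstall.is_present():
         return
     for subkey in uninstall.get_subkeys():
         name = subkey.get_value("DisplayName")
         if not name:
             continue
         print wpc.utils.tab_line("info", "installed_software",
                                  name,
                                  subkey.get_value("Publisher"),
                                  subkey.get_value("DisplayVersion"),
                                  subkey.get_value("InstallDate"))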
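def _read_principal_names(path):
    """Return the stripped, non-blank lines of the text file at ``path``.

    The file is closed on return (the original left the handle to the GC).
    Any error opening or reading the file propagates to the caller, which
    reports the path and exits.
    """
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def _resolve_principal(name):
    """Resolve an account name to a Group or user object, or None if it cannot be.

    The name is looked up on ``wpc.conf.remote_server`` and the SID wrapped as a
    ``Group`` or a ``user`` depending on its type.  Every failure is reported on
    stdout: silently dropping a misspelled name (the original's ``except: pass``)
    shrinks the trusted or exploitable-by set without the operator noticing,
    which for the exploitable-by list means missed findings.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print "[E] can't look up sid for " + name
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except Exception as e:
        print "[E] can't look up sid for %s (%s)" % (name, e)
        return None


def _add_default_trusted_principals():
    """Apply the host-specific defaults used when no ignore list was supplied.

    * ``NT AUTHORITY\\TERMINAL SERVER USER`` is added to
      ``wpc.conf.trusted_principals_fq`` only when
      ``HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\TSUserEnabled``
      exists and is non-zero (see http://support.microsoft.com/kb/238965).
    * Power Users (S-1-5-32-547) is always added to ``wpc.conf.trusted_principals``.
      TODO: it should only be trusted when the group does not exist on this host.
    * Server Operators (S-1-5-32-549) is NOT added.  The original tried to trust it
      only when it "doesn't resolve", but its handler appended a stale/unbound ``p``
      on failure (UnboundLocalError) and did nothing on success; the effective
      behaviour -- never trusted -- is kept here.  Note that
      ``ConvertStringSidToSid`` on a well-formed SID string does not tell you
      whether the group exists, so that TODO still needs a real membership check.
    """
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")

    if r.is_present():
        v = r.get_value("TSUserEnabled")
        if v is None:
            print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
        elif v != 0:
            print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
            wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
    else:
        print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
    print

    # TODO: Server Operators (S-1-5-32-549) should be trusted only when the group
    # does not exist on this host; until that check exists it is not trusted.

    # TODO: this always trusts Power Users.  Only want to do so when the group
    # doesn't exist.
    try:
        wpc.conf.trusted_principals.append(
            Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
    except Exception:
        pass


def define_trusted_principals(options):
    """Populate wpc.conf's principal lists and privesc mode from ``options``.

    Two modes:

    * ``wpc.conf.privesc_mode = "exploitable_by"`` -- when an exploitable-by list
      or file was given, or ``options.exploitable_by_me`` is set: only issues
      exploitable by the principals in ``wpc.conf.exploitable_by`` are reported.
      With ``exploitable_by_me`` that set is the current token's owner plus every
      token group that is not deny-only.
    * ``wpc.conf.privesc_mode = "report_untrusted"`` -- otherwise: access held by
      ``wpc.conf.trusted_principals`` is never reported.  The names come from
      the ignore list/file (``options.ignorenoone`` first clears the built-in
      list) or, failing that, from ``_add_default_trusted_principals``.

    Exits the process when a list file cannot be read or the current token
    cannot be examined.  Names that fail to resolve are reported and skipped.
    """
    exploitable_by_fq = []
    ignore_principals = []
    if options.exploitable_by_list:
        exploitable_by_fq = options.exploitable_by_list
    if options.exploitable_by_file:
        try:
            exploitable_by_fq = exploitable_by_fq + _read_principal_names(
                options.exploitable_by_file)
        except Exception:
            # Report the attribute that was actually opened.  The original named
            # a different option (``exploitablebyfile``) here, so the handler
            # itself raised AttributeError instead of printing the path.
            print "[E] Error reading from file %s" % options.exploitable_by_file
            sys.exit()
    if options.ignore_principal_list:
        ignore_principals = options.ignore_principal_list
    if options.ignore_principal_file:
        try:
            # ``options.ignore_principal_file`` is the attribute the ``if`` above
            # already read, so it is known to exist; the original opened
            # ``options.ignoreprincipalfile`` instead.
            ignore_principals = ignore_principals + _read_principal_names(
                options.ignore_principal_file)
        except Exception:
            print "[E] Error reading from file %s" % options.ignore_principal_file
            sys.exit()

    # examine token, populate exploitable_by
    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # Deny-only groups can only refuse access, so they grant this
                # token nothing exploitable.  g[1] is the attribute-name list.
                if "USE_FOR_DENY_ONLY" not in "|".join(g[1]):
                    wpc.conf.exploitable_by.append(g[0])
        except Exception:
            print "[E] Problem examining access token of current process"
            sys.exit()

    # check each of the supplied users in exploitable_by resolves
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for name in exploitable_by_fq:
            p = _resolve_principal(name)
            if p is not None:
                wpc.conf.exploitable_by.append(p)

        print "Only reporting privesc issues for these users/groups:"
        for p in wpc.conf.exploitable_by:
            print "* " + p.get_fq_name()
        return

    wpc.conf.privesc_mode = "report_untrusted"

    if ignore_principals:
        # User-specified list; NOTE(review): ``options.ignorenoone`` is taken from
        # the original -- confirm it matches the option parser's dest name.
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        _add_default_trusted_principals()

    # populate wpc.conf.trusted_principals with the objects for trusted_principals_fq
    for name in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(name)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print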
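def _read_principal_names(path):
    """Return the stripped, non-blank lines of the text file at ``path``.

    The file is closed on return (the original left the handle to the GC).
    Any error opening or reading the file propagates to the caller, which
    reports the path and exits.
    """
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def _resolve_principal(name):
    """Resolve an account name to a Group or user object, or None if it cannot be.

    The name is looked up on ``wpc.conf.remote_server`` and the SID wrapped as a
    ``Group`` or a ``user`` depending on its type.  Every failure is reported on
    stdout: silently dropping a misspelled name (the original's ``except: pass``)
    shrinks the trusted or exploitable-by set without the operator noticing,
    which for the exploitable-by list means missed findings.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print "[E] can't look up sid for " + name
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except Exception as e:
        print "[E] can't look up sid for %s (%s)" % (name, e)
        return None


def _add_default_trusted_principals():
    """Apply the host-specific defaults used when no ignore list was supplied.

    * ``NT AUTHORITY\\TERMINAL SERVER USER`` is added to
      ``wpc.conf.trusted_principals_fq`` only when
      ``HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\TSUserEnabled``
      exists and is non-zero (see http://support.microsoft.com/kb/238965).
    * Power Users (S-1-5-32-547) is always added to ``wpc.conf.trusted_principals``.
      TODO: it should only be trusted when the group does not exist on this host.
    * Server Operators (S-1-5-32-549) is NOT added.  The original tried to trust it
      only when it "doesn't resolve", but its handler appended a stale/unbound ``p``
      on failure (UnboundLocalError) and did nothing on success; the effective
      behaviour -- never trusted -- is kept here.  Note that
      ``ConvertStringSidToSid`` on a well-formed SID string does not tell you
      whether the group exists, so that TODO still needs a real membership check.
    """
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")

    if r.is_present():
        v = r.get_value("TSUserEnabled")
        if v is None:
            print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
        elif v != 0:
            print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
            wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
    else:
        print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
    print

    # TODO: Server Operators (S-1-5-32-549) should be trusted only when the group
    # does not exist on this host; until that check exists it is not trusted.

    # TODO: this always trusts Power Users.  Only want to do so when the group
    # doesn't exist.
    try:
        wpc.conf.trusted_principals.append(
            Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
    except Exception:
        pass


def define_trusted_principals(options):
    """Populate wpc.conf's principal lists and privesc mode from ``options``.

    Two modes:

    * ``wpc.conf.privesc_mode = "exploitable_by"`` -- when an exploitable-by list
      or file was given, or ``options.exploitable_by_me`` is set: only issues
      exploitable by the principals in ``wpc.conf.exploitable_by`` are reported.
      With ``exploitable_by_me`` that set is the current token's owner plus every
      token group that is not deny-only.
    * ``wpc.conf.privesc_mode = "report_untrusted"`` -- otherwise: access held by
      ``wpc.conf.trusted_principals`` is never reported.  The names come from
      the ignore list/file (``options.ignorenoone`` first clears the built-in
      list) or, failing that, from ``_add_default_trusted_principals``.

    Exits the process when a list file cannot be read or the current token
    cannot be examined.  Names that fail to resolve are reported and skipped.
    """
    exploitable_by_fq = []
    ignore_principals = []
    if options.exploitable_by_list:
        exploitable_by_fq = options.exploitable_by_list
    if options.exploitable_by_file:
        try:
            exploitable_by_fq = exploitable_by_fq + _read_principal_names(
                options.exploitable_by_file)
        except Exception:
            # Report the attribute that was actually opened.  The original named
            # a different option (``exploitablebyfile``) here, so the handler
            # itself raised AttributeError instead of printing the path.
            print "[E] Error reading from file %s" % options.exploitable_by_file
            sys.exit()
    if options.ignore_principal_list:
        ignore_principals = options.ignore_principal_list
    if options.ignore_principal_file:
        try:
            # ``options.ignore_principal_file`` is the attribute the ``if`` above
            # already read, so it is known to exist; the original opened
            # ``options.ignoreprincipalfile`` instead.
            ignore_principals = ignore_principals + _read_principal_names(
                options.ignore_principal_file)
        except Exception:
            print "[E] Error reading from file %s" % options.ignore_principal_file
            sys.exit()

    # examine token, populate exploitable_by
    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # Deny-only groups can only refuse access, so they grant this
                # token nothing exploitable.  g[1] is the attribute-name list.
                if "USE_FOR_DENY_ONLY" not in "|".join(g[1]):
                    wpc.conf.exploitable_by.append(g[0])
        except Exception:
            print "[E] Problem examining access token of current process"
            sys.exit()

    # check each of the supplied users in exploitable_by resolves
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for name in exploitable_by_fq:
            p = _resolve_principal(name)
            if p is not None:
                wpc.conf.exploitable_by.append(p)

        print "Only reporting privesc issues for these users/groups:"
        for p in wpc.conf.exploitable_by:
            print "* " + p.get_fq_name()
        return

    wpc.conf.privesc_mode = "report_untrusted"

    if ignore_principals:
        # User-specified list; NOTE(review): ``options.ignorenoone`` is taken from
        # the original -- confirm it matches the option parser's dest name.
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        _add_default_trusted_principals()

    # populate wpc.conf.trusted_principals with the objects for trusted_principals_fq
    for name in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(name)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print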