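def dumptab_installed_software(self):
    r"""Print one ("info", "installed_software", ...) tab line per product.

    Walks the subkeys of
    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall and, for every
    subkey that has a DisplayName, emits DisplayName, Publisher,
    DisplayVersion and InstallDate through wpc.utils.tab_line().  Subkeys
    without a DisplayName are skipped (as before; such entries are typically
    not user-visible products).

    WoW64: a 32-bit process on 64-bit Windows is served the 32-bit view
    (WOW6432Node) of that path by the registry redirector, so natively
    installed 64-bit software would be missing from the inventory.  When
    process(os.getpid()).is_wow64() is true the 64-bit view is therefore
    walked as well via regkey(..., view=64).
    NOTE(review): the opposite gap is not covered -- a native 64-bit process
    sees only the 64-bit view and misses 32-bit products unless regkey can
    also be asked for the 32-bit view; confirm against the regkey API.

    Returns:
        None.  Output goes to stdout.
    """
    # Raw literal on purpose: the former non-raw string contained "\Uninstall",
    # and "\U" is a (malformed) unicode escape under Python 3.
    uninstall_path = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall'

    def dump_entries(key):
        # One tab line per subkey that carries a DisplayName; no-op when the
        # key itself is absent.
        if not key.is_present():
            return
        for subkey in key.get_subkeys():
            name = subkey.get_value("DisplayName")
            if not name:
                continue
            print(wpc.utils.tab_line(
                "info", "installed_software", name,
                subkey.get_value("Publisher"),
                subkey.get_value("DisplayVersion"),
                subkey.get_value("InstallDate")))

    dump_entries(regkey(uninstall_path))
    if process(os.getpid()).is_wow64():
        print('[+] Checking installed software (WoW64 enabled)')
        dump_entries(regkey(uninstall_path, view=64))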
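def get_all(self):
    """Return the cached process list, enumerating the system on first use.

    Three sources are merged, keyed by PID:

    1. win32process.EnumProcesses() is the PID list of record; one
       process(pid) object is created and self.add()'ed per PID.
    2. win32ts.WTSEnumerateProcesses(wpc.conf.remote_server, 1, 0) supplies
       the WTS session id, image name and user SID of each process.  This is
       best effort: if the call fails (e.g. Terminal Services unavailable or
       access denied) those fields are simply left unset.
    3. A Toolhelp32 process snapshot (TH32CS_SNAPPROCESS) supplies
       szExeFile, the short executable name.

    PIDs seen in (2) or (3) but not in (1) are ignored: the enumerations are
    not atomic, so processes can start or exit in between.

    Returns:
        list: self.processes.  Populated only when it is empty on entry;
        later calls return the cached list without re-enumerating.
    """
    if not self.processes:
        for pid in win32process.EnumProcesses():
            self.add(process(pid))

        try:
            proc_infos = win32ts.WTSEnumerateProcesses(wpc.conf.remote_server, 1, 0)
        except Exception:
            # Best effort; WTS data is an enrichment, not a requirement.
            proc_infos = []
        for proc_info in proc_infos:
            # Tuple layout used here: [0] session id, [1] pid, [2] image
            # name, [3] user SID.
            p = self.find_by_pid(proc_info[1])
            if not p:
                continue  # process went away between enumerations
            p.set_wts_session_id(proc_info[0])
            p.set_wts_name(proc_info[2])
            if proc_info[3]:  # user SID can be None
                p.set_wts_sid(principal(proc_info[3]))

        TH32CS_SNAPPROCESS = 0x00000002  # http://msdn2.microsoft.com/en-us/library/ms686701.aspx
        kernel32 = ctypes.windll.kernel32
        CreateToolhelp32Snapshot = kernel32.CreateToolhelp32Snapshot
        Process32First = kernel32.Process32First
        Process32Next = kernel32.Process32Next
        CloseHandle = kernel32.CloseHandle
        # ctypes defaults to a C int for return values and for Python-int
        # arguments; HANDLE is pointer-sized, so declare the signatures
        # instead of relying on the handle surviving an int round trip on
        # 64-bit builds.
        CreateToolhelp32Snapshot.restype = ctypes.c_void_p
        CreateToolhelp32Snapshot.argtypes = [ctypes.c_uint32, ctypes.c_uint32]
        for fn in (Process32First, Process32Next):
            fn.restype = ctypes.c_int
            fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
        CloseHandle.restype = ctypes.c_int
        CloseHandle.argtypes = [ctypes.c_void_p]

        INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
        # A failed snapshot was ignored before and still is, but an invalid
        # handle is no longer handed to Process32First / CloseHandle.
        if hProcessSnap not in (None, INVALID_HANDLE_VALUE):
            try:
                pe32 = PROCESSENTRY32()
                pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
                have_entry = Process32First(hProcessSnap, ctypes.byref(pe32)) != win32con.FALSE
                while have_entry:
                    p = self.find_by_pid(pe32.th32ProcessID)
                    if p:  # may be missing: race with process exit/start
                        p.set_short_name(pe32.szExeFile)
                    have_entry = Process32Next(hProcessSnap, ctypes.byref(pe32)) != win32con.FALSE
            finally:
                CloseHandle(hProcessSnap)  # release the snapshot on every path
    return self.processes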
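def get_all(self):
    """Populate (once) and return the list of process objects.

    Sources, merged by PID:
      * win32process.EnumProcesses() -- defines which processes exist; a
        process(pid) is added for each.
      * win32ts.WTSEnumerateProcesses(wpc.conf.remote_server, 1, 0) --
        session id, image name and user SID.  Optional: if the call raises
        the WTS attributes are left unset rather than aborting.
      * Toolhelp32 snapshot -- short executable name (szExeFile).

    Entries of the last two sources whose PID is not in the first are
    dropped; the enumerations are not atomic, so a process may have exited
    or started in between.

    Returns:
        list: self.processes; the enumeration runs only while it is empty.
    """
    if self.processes:
        return self.processes

    def wts_infos():
        # Best-effort enrichment; Terminal Services may be unavailable or
        # access may be denied on remote_server.
        try:
            return win32ts.WTSEnumerateProcesses(wpc.conf.remote_server, 1, 0)
        except Exception:
            return []

    def snapshot_entries():
        # Yield (pid, exe_name) from a TH32CS_SNAPPROCESS snapshot; yields
        # nothing when the snapshot cannot be created.  The handle is closed
        # when the generator is exhausted or closed.
        TH32CS_SNAPPROCESS = 0x00000002  # http://msdn2.microsoft.com/en-us/library/ms686701.aspx
        k32 = ctypes.windll.kernel32
        snap, first, nxt, close = (k32.CreateToolhelp32Snapshot, k32.Process32First,
                                   k32.Process32Next, k32.CloseHandle)
        # HANDLE is pointer-sized: declare the prototypes rather than let
        # ctypes treat the handle as a C int.
        snap.restype = ctypes.c_void_p
        snap.argtypes = [ctypes.c_uint32, ctypes.c_uint32]
        for fn in (first, nxt):
            fn.restype = ctypes.c_int
            fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
        close.restype = ctypes.c_int
        close.argtypes = [ctypes.c_void_p]

        handle = snap(TH32CS_SNAPPROCESS, 0)
        if handle is None or handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
            return
        try:
            entry = PROCESSENTRY32()
            entry.dwSize = ctypes.sizeof(PROCESSENTRY32)
            ok = first(handle, ctypes.byref(entry))
            while ok != win32con.FALSE:
                yield entry.th32ProcessID, entry.szExeFile
                ok = nxt(handle, ctypes.byref(entry))
        finally:
            close(handle)

    for pid in win32process.EnumProcesses():
        self.add(process(pid))

    for info in wts_infos():
        session_id, pid, image_name, user_sid = info[0], info[1], info[2], info[3]
        proc = self.find_by_pid(pid)
        if not proc:
            continue  # race: process no longer in the PID list
        proc.set_wts_session_id(session_id)
        proc.set_wts_name(image_name)
        if user_sid:  # can be None
            proc.set_wts_sid(principal(user_sid))

    for pid, exe_name in snapshot_entries():
        proc = self.find_by_pid(pid)
        if proc:
            proc.set_short_name(exe_name)

    return self.processes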
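def dumptab_installed_software(self):
    r"""Dump the installed-software inventory as "installed_software" tab lines.

    Source: subkeys of HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall.
    Each subkey with a DisplayName yields one line through
    wpc.utils.tab_line("info", "installed_software", DisplayName, Publisher,
    DisplayVersion, InstallDate); subkeys without a DisplayName are ignored.

    If the current process runs under WoW64 (32-bit process on 64-bit
    Windows) the registry redirector hides the native 64-bit entries behind
    WOW6432Node, so the 64-bit view is dumped too (regkey(..., view=64)).
    NOTE(review): a native 64-bit process still only sees the 64-bit view;
    32-bit products under WOW6432Node are not inventoried in that case
    unless regkey supports a 32-bit view -- confirm.

    Returns:
        None; lines are printed to stdout.
    """
    # Raw string: "\U" in the old non-raw literal is an invalid escape on
    # Python 3, and raw yields the same bytes on Python 2.
    path = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    extra_fields = ("Publisher", "DisplayVersion", "InstallDate")

    def emit(entries):
        # Print one tab line per entry that has a DisplayName.
        for entry in entries:
            name = entry.get_value("DisplayName")
            if name:
                values = [entry.get_value(field) for field in extra_fields]
                print(wpc.utils.tab_line("info", "installed_software", name, *values))

    key = regkey(path)
    if key.is_present():
        emit(key.get_subkeys())

    if process(os.getpid()).is_wow64():
        print('[+] Checking installed software (WoW64 enabled)')
        key64 = regkey(path, view=64)
        if key64.is_present():
            emit(key64.get_subkeys())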
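def _read_principal_file(path):
    """Return the non-empty, stripped lines of `path`.

    Exits (status 1) with an "[E]" message when the file cannot be read;
    the file is closed on every path.
    """
    try:
        with open(path) as fh:
            return [line.strip() for line in fh if line.strip()]
    except (IOError, OSError) as e:
        print("[E] Error reading from file %s (%s)" % (path, e))
        sys.exit(1)


def _resolve_principal(name):
    """Resolve an account name to a Group or user object, or None.

    Looks `name` up on wpc.conf.remote_server with LookupAccountName and
    wraps the SID in Group() or user() according to
    principal(sid).is_group_type().  Any failure prints an "[E]" line and
    returns None: the caller decides what to do, but an operator-supplied
    principal is never dropped silently (a typo would otherwise narrow the
    assessment without a trace).
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print("[E] can't look up sid for " + name)
            return None
        p = principal(sid)
        return Group(p.get_sid()) if p.is_group_type() else user(p.get_sid())
    except Exception as e:  # e.g. pywintypes.error for an unknown name
        print("[E] can't look up sid for %s (%s)" % (name, e))
        return None


def _add_default_trusted_principals():
    r"""Tweak the built-in trusted list when the operator supplied none.

    * "NT AUTHORITY\TERMINAL SERVER USER" is appended to
      wpc.conf.trusted_principals_fq only when
      HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled
      exists and is non-zero (http://support.microsoft.com/kb/238965).  If
      the value is 0 or absent, or the key is missing, the group is left
      untrusted.
    * Server Operators (S-1-5-32-549) is probed with Group().  The original
      appended a stale/unbound `p` when that raised (UnboundLocalError on
      hosts where the SID does not resolve).  The TODO intent -- trust it only
      when it does not resolve -- needs a principal object that does not
      exist in that case, so an unresolved Server Operators is now reported
      and stays untrusted (over-report rather than crash or under-report).
    * Power Users (S-1-5-32-547) is appended to wpc.conf.trusted_principals
      whenever Group() succeeds.  NOTE(review): unconditional, as the original
      TODO admits -- on a host where Power Users is populated, access granted
      to it is never reported.  Left unchanged because altering it changes
      findings; the intended rule is "trust only if the group does not exist".
    """
    ts = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if ts.is_present():
        v = ts.get_value("TSUserEnabled")
        if v is None:
            print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
        elif v != 0:
            print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v)
            wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
    else:
        print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
    print("")

    try:
        Group(win32security.ConvertStringSidToSid("S-1-5-32-549"))  # Server Operators
    except Exception as e:
        print("[i] Server Operators (S-1-5-32-549) does not resolve on this host (%s); not trusted" % e)

    try:
        wpc.conf.trusted_principals.append(
            Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))  # Power Users
    except Exception:
        pass  # group does not resolve here; nothing to trust


def define_trusted_principals(options):
    r"""Configure which principals the privesc checks target or trust.

    Exactly one of two modes is stored in wpc.conf.privesc_mode:

    * "exploitable_by": chosen when principals were named through
      options.exploitable_by_list / options.exploitable_by_file, or
      options.exploitable_by_me is set (the owner of the current process
      token plus every token group that is not USE_FOR_DENY_ONLY -- deny-only
      groups cannot grant access, so they must not widen the target set).
      Resolved Group/user objects are appended to wpc.conf.exploitable_by and
      only issues exploitable by them are reported.
    * "report_untrusted": otherwise.  wpc.conf.trusted_principals_fq is
      extended with options.ignore_principal_list /
      options.ignore_principal_file (replacing the defaults first when
      options.ignorenoone is set); with no operator list the defaults are
      adjusted by _add_default_trusted_principals().  The names are then
      resolved into wpc.conf.trusted_principals.

    Fixes vs. the original: the error paths referenced
    options.exploitablebyfile / options.ignoreprincipalfile, attribute names
    that differ from the ones the guards test (AttributeError instead of the
    message); list files are now closed; unresolvable names are reported
    instead of swallowed by `except: pass`.

    Args:
        options: parsed command-line options with the attributes named above.

    Side effects:
        Mutates wpc.conf.privesc_mode, wpc.conf.exploitable_by,
        wpc.conf.trusted_principals_fq and wpc.conf.trusted_principals;
        prints the resulting list; calls sys.exit(1) on an unreadable list
        file or when the current token cannot be examined.

    Returns:
        None.
    """
    exploitable_by_fq = list(options.exploitable_by_list or [])
    if options.exploitable_by_file:
        exploitable_by_fq += _read_principal_file(options.exploitable_by_file)

    ignore_principals = list(options.ignore_principal_list or [])
    if options.ignore_principal_file:
        ignore_principals += _read_principal_file(options.ignore_principal_file)

    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # g[0] is the group SID/principal, g[1] its attribute names.
                if "USE_FOR_DENY_ONLY" not in "|".join(g[1]):
                    wpc.conf.exploitable_by.append(g[0])
        except Exception as e:
            print("[E] Problem examining access token of current process (%s)" % e)
            sys.exit(1)

    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for name in exploitable_by_fq:
            p = _resolve_principal(name)
            if p is not None:
                wpc.conf.exploitable_by.append(p)
        print("Only reporting privesc issues for these users/groups:")
        for p in wpc.conf.exploitable_by:
            print("* " + p.get_fq_name())
        return

    wpc.conf.privesc_mode = "report_untrusted"
    if ignore_principals:
        # Operator-supplied trusted list; --ignore-no-one drops the defaults.
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        _add_default_trusted_principals()

    for name in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(name)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")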
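def define_trusted_principals(options):
    r"""Set wpc.conf.privesc_mode and the principal lists the checks use.

    Mode "exploitable_by" is selected when the operator named principals
    (options.exploitable_by_list, options.exploitable_by_file) or asked for
    options.exploitable_by_me, which takes the current process token's owner
    and every group that is not USE_FOR_DENY_ONLY (a deny-only group never
    grants access, so it would only inflate the target set).  Resolved
    objects land in wpc.conf.exploitable_by and the function returns.

    Otherwise mode "report_untrusted" is selected.  wpc.conf.trusted_principals_fq
    gets options.ignore_principal_list / options.ignore_principal_file
    (defaults cleared first if options.ignorenoone); without an operator
    list the defaults are adjusted: "NT AUTHORITY\TERMINAL SERVER USER" is
    trusted only if HKLM\...\Terminal Server\TSUserEnabled exists and is
    non-zero (KB238965), Server Operators (S-1-5-32-549) is probed and left
    untrusted, Power Users (S-1-5-32-547) is trusted whenever it resolves.
    The names are then resolved into wpc.conf.trusted_principals.

    Changes vs. the original: the file error paths used attribute names
    (exploitablebyfile, ignoreprincipalfile) that do not match the guarded
    ones; list files are closed; unresolvable names print an "[E]" line
    instead of being dropped by `except: pass`; the Server Operators
    fallback no longer appends an unbound/stale `p`.
    NOTE(review): Power Users is still trusted unconditionally (the original
    TODO), which suppresses findings on hosts where that group has members.

    Args:
        options: parsed command-line options.

    Side effects: mutates wpc.conf.*, prints the chosen list, sys.exit(1)
    on an unreadable list file or token.  Returns None.
    """
    def lines_of(path):
        # Stripped, non-empty lines of a principal list file; exit on error.
        try:
            with open(path) as fh:
                return [ln.strip() for ln in fh if ln.strip()]
        except (IOError, OSError) as e:
            print("[E] Error reading from file %s (%s)" % (path, e))
            sys.exit(1)

    def lookup(name):
        # Name -> Group/user via LookupAccountName on remote_server, or None
        # (reported, never silent: the operator asked for this name).
        try:
            sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
            if not sid:
                print("[E] can't look up sid for " + name)
                return None
            base = principal(sid)
            if base.is_group_type():
                return Group(base.get_sid())
            return user(base.get_sid())
        except Exception as e:
            print("[E] can't look up sid for %s (%s)" % (name, e))
            return None

    def tweak_default_trusted():
        # See docstring: TERMINAL SERVER USER, Server Operators, Power Users.
        key = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
        if not key.is_present():
            print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
        else:
            enabled = key.get_value("TSUserEnabled")
            if enabled is None:
                print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
            elif enabled != 0:
                print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % enabled)
                wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
            else:
                print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
        print("")

        try:
            Group(win32security.ConvertStringSidToSid("S-1-5-32-549"))  # Server Operators
        except Exception as e:
            # Stays untrusted: ACEs naming it will be reported rather than hidden.
            print("[i] Server Operators (S-1-5-32-549) does not resolve on this host (%s); not trusted" % e)

        try:
            power_users = Group(win32security.ConvertStringSidToSid("S-1-5-32-547"))
            wpc.conf.trusted_principals.append(power_users)
        except Exception:
            pass  # group absent on this host

    targets = list(options.exploitable_by_list or [])
    if options.exploitable_by_file:
        targets.extend(lines_of(options.exploitable_by_file))

    ignored = list(options.ignore_principal_list or [])
    if options.ignore_principal_file:
        ignored.extend(lines_of(options.ignore_principal_file))

    if options.exploitable_by_me:
        try:
            tok = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(tok.get_token_owner())
            for grp in tok.get_token_groups():
                if "|".join(grp[1]).find("USE_FOR_DENY_ONLY") == -1:
                    wpc.conf.exploitable_by.append(grp[0])
        except Exception as e:
            print("[E] Problem examining access token of current process (%s)" % e)
            sys.exit(1)

    if targets or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        resolved = [lookup(t) for t in targets]
        wpc.conf.exploitable_by.extend(r for r in resolved if r is not None)
        print("Only reporting privesc issues for these users/groups:")
        for p in wpc.conf.exploitable_by:
            print("* " + p.get_fq_name())
        return

    wpc.conf.privesc_mode = "report_untrusted"
    if ignored:
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignored
    else:
        tweak_default_trusted()

    for t in wpc.conf.trusted_principals_fq:
        obj = lookup(t)
        if obj is not None:
            wpc.conf.trusted_principals.append(obj)

    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")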