mirror of
https://github.com/peass-ng/PEASS-ng.git
synced 2026-01-05 17:49:05 -08:00
Compare commits
7 Commits
20250124-7
...
20250215-d
| Author | SHA1 | Date | |
|---|---|---|---|
|
573acee58c | ||
|
|
41e00d5618 | ||
|
|
536913e7f0 | ||
|
|
4d771fb1f6 | ||
|
|
4964033d44 | ||
|
|
092af1413d | ||
|
|
7cd9e6f78b |
@@ -1271,6 +1271,8 @@ search:
|
||||
value:
|
||||
config:
|
||||
auto_check: True
|
||||
exec:
|
||||
- '(pwsh -Command "Save-AzContext -Path /tmp/az-context3489ht.json" && cat /tmp/az-context3489ht.json && rm /tmp/az-context3489ht.json) || echo_not_found "pwsh"'
|
||||
|
||||
files:
|
||||
#- name: "credentials"
|
||||
@@ -1379,13 +1381,54 @@ search:
|
||||
- common
|
||||
|
||||
- name: "AzureRMContext.json"
|
||||
value:
|
||||
bad_regex: "Id.*|Credential.*"
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "clouds.config"
|
||||
value:
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "service_principal_entries.json"
|
||||
value:
|
||||
bad_regex: ".*"
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "ErrorRecords" #Azure logs can contain creentials
|
||||
- name: "msal_token_cache.json"
|
||||
value:
|
||||
bad_regex: ".*"
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "msal_http_cache.bin"
|
||||
value:
|
||||
just_list_file: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "service_principal_entries.bin"
|
||||
value:
|
||||
just_list_file: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "msal_token_cache.bin"
|
||||
value:
|
||||
just_list_file: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "ErrorRecords" #Azure logs can contain crentials
|
||||
value:
|
||||
type: d
|
||||
search_in:
|
||||
|
||||
@@ -26,7 +26,7 @@ print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed
|
||||
print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
print_list "Azure VM or Az metadata? ............. $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
print_list "Azure APP or IDENTITY_ENDPOINT? ...... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
print_list "Azure Automation Account? ............ $is_az_automation_acc\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
print_list "Tencent CVM? ......................... $is_tencent_cvm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
|
||||
@@ -19,7 +19,7 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
|
||||
print_2title "Searching possible password variables inside key folders (limit 140)"
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
|
||||
timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
|
||||
timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
|
||||
else
|
||||
timeout 150 find $SEARCH_IN_FOLDER -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" &
|
||||
fi
|
||||
@@ -29,12 +29,12 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then
|
||||
##-- IF) Find possible conf files with passwords
|
||||
print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)"
|
||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
|
||||
ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null)
|
||||
else
|
||||
ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" -name "*.yml" -name "*.yaml" 2>/dev/null)
|
||||
ppicf=$(timeout 150 find $SEARCH_IN_FOLDER -name "*.conf" -o -name "*.cnf" -o -name "*.config" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null)
|
||||
fi
|
||||
printf "%s\n" "$ppicf" | while read f; do
|
||||
if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' \"$f\" 2>/dev/null; then
|
||||
if grep -qEiI 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' "$f" 2>/dev/null; then
|
||||
echo "$ITALIC $f$NC"
|
||||
grep -HnEiIo 'passwd.*|creden.*|^kind:\W?Secret|\Wenv:|\Wsecret:|\WsecretName:|^kind:\W?EncryptionConfiguration|\-\-encryption\-provider\-config' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${SED_RED},g"
|
||||
fi
|
||||
|
||||
@@ -188,6 +188,9 @@ if [ $? -ne 0 ] ; then
|
||||
fi
|
||||
fi
|
||||
|
||||
# on macOS the built-in echo does not support -n, use /bin/echo instead
|
||||
if [ "$MACPEAS" ] ; then alias echo=/bin/echo ; fi
|
||||
|
||||
print_title(){
|
||||
if [ "$DEBUG" ]; then
|
||||
END_T1_TIME=$(date +%s 2>/dev/null)
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -21,7 +21,7 @@ namespace winPEAS.Checks
|
||||
{
|
||||
new AWSInfo(),
|
||||
new AzureInfo(),
|
||||
new AzureCliInfo(),
|
||||
new AzureTokensInfo(),
|
||||
new GCPInfo(),
|
||||
new GCPJoinedInfo(),
|
||||
new GCDSInfo(),
|
||||
|
||||
@@ -19,21 +19,33 @@ using System.Text.Json.Nodes;
|
||||
|
||||
namespace winPEAS.Info.CloudInfo
|
||||
{
|
||||
internal class AzureCliInfo : CloudInfoBase
|
||||
internal class AzureTokensInfo : CloudInfoBase
|
||||
{
|
||||
public override string Name => "Azure Cli";
|
||||
public override string Name => "Azure Tokens";
|
||||
|
||||
public override bool IsCloud => CheckIfAzureCliInstalled();
|
||||
public override bool IsCloud => CheckIfAzureTokensInstalled();
|
||||
|
||||
private Dictionary<string, List<EndpointData>> _endpointData = null;
|
||||
|
||||
public static bool CheckIfAzureCliInstalled()
|
||||
public static bool CheckIfAzureTokensInstalled()
|
||||
{
|
||||
string homeDirectory = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
|
||||
string AzureFolderPath = Path.Combine(homeDirectory, ".Azure");
|
||||
string azureFolderPath = Path.Combine(homeDirectory, ".azure");
|
||||
|
||||
return Directory.Exists(AzureFolderPath) || Directory.Exists(azureFolderPath);
|
||||
string identityCachePath = Path.Combine(
|
||||
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
|
||||
"Microsoft",
|
||||
"IdentityCache"
|
||||
);
|
||||
|
||||
string tokenBrokerPath = Path.Combine(
|
||||
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
|
||||
"Microsoft",
|
||||
"TokenBroker"
|
||||
);
|
||||
|
||||
return Directory.Exists(AzureFolderPath) || Directory.Exists(azureFolderPath) || Directory.Exists(identityCachePath) || Directory.Exists(tokenBrokerPath);
|
||||
}
|
||||
|
||||
public static string TBRESDecryptedData(string filePath)
|
||||
@@ -79,31 +91,35 @@ namespace winPEAS.Info.CloudInfo
|
||||
azureHomePath = AzureFolderPath;
|
||||
};
|
||||
|
||||
// Files that doesn't need decryption
|
||||
string[] fileNames = {
|
||||
if (Directory.Exists(azureHomePath))
|
||||
{
|
||||
|
||||
// Files that doesn't need decryption
|
||||
string[] fileNames = {
|
||||
@"azureProfile.json",
|
||||
@"clouds.config",
|
||||
@"service_principal_entries.json",
|
||||
@"msal_token_cache.json"
|
||||
};
|
||||
|
||||
foreach (string fileName in fileNames)
|
||||
{
|
||||
string filePath = Path.Combine(azureHomePath, fileName);
|
||||
// Check if the file exists
|
||||
if (File.Exists(filePath))
|
||||
foreach (string fileName in fileNames)
|
||||
{
|
||||
try
|
||||
string filePath = Path.Combine(azureHomePath, fileName);
|
||||
// Check if the file exists
|
||||
if (File.Exists(filePath))
|
||||
{
|
||||
// Read the file content
|
||||
string fileContent = File.ReadAllText(filePath);
|
||||
try
|
||||
{
|
||||
// Read the file content
|
||||
string fileContent = File.ReadAllText(filePath);
|
||||
|
||||
// Add the file path and content to the dictionary
|
||||
AzureCliValues[filePath] = fileContent;
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.PrintException($"Error reading file '{filePath}': {ex.Message}");
|
||||
// Add the file path and content to the dictionary
|
||||
AzureCliValues[filePath] = fileContent;
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.PrintException($"Error reading file '{filePath}': {ex.Message}");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -134,14 +150,7 @@ namespace winPEAS.Info.CloudInfo
|
||||
{
|
||||
Beaprint.PrintException($"An error occurred while scanning the identityCache directory: {ex.Message}");
|
||||
}
|
||||
|
||||
|
||||
// Get the IdentityCache directory path and encrypted files with tokens
|
||||
string tokenBrokerPath = Path.Combine(
|
||||
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
|
||||
"Microsoft",
|
||||
"TokenBroker"
|
||||
);
|
||||
|
||||
|
||||
// Files that need decryption
|
||||
string[] fileNamesEncrp = {
|
||||
@@ -189,6 +198,11 @@ namespace winPEAS.Info.CloudInfo
|
||||
|
||||
|
||||
//TBRES files
|
||||
string tokenBrokerPath = Path.Combine(
|
||||
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
|
||||
"Microsoft",
|
||||
"TokenBroker"
|
||||
);
|
||||
|
||||
string[] tbFiles = { };
|
||||
|
||||
@@ -1226,7 +1226,7 @@
|
||||
<Compile Include="Info\CloudInfo\AWSInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\AzureInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\EndpointData.cs" />
|
||||
<Compile Include="Info\CloudInfo\AzureCliInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\AzureTokensInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\GPSInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\GCDSInfo.cs" />
|
||||
<Compile Include="Info\CloudInfo\GWorkspaceInfo.cs" />
|
||||
|
||||
Reference in New Issue
Block a user