Avoid hangs when checking users with console

2026-01-21 00:53:50 -08:00 · 2026-01-20 18:21:06 +01:00
11 changed files with 12 additions and 128 deletions
--- a/linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/15_CVE_2021_3560.sh
@@ -31,8 +31,8 @@
 # Small linpeas: 0

 if apt list --installed 2>/dev/null | grep -E 'polkit.*0\.105-26' | grep -qEv 'ubuntu1\.[1-9]' || \
-   yum list installed 2>/dev/null | grep -qE 'polkit.*\(0\.117-2\|0\.115-6\|0\.11[3-9]\)' || \
-   rpm -qa 2>/dev/null | grep -qE 'polkit.*\(0\.117-2\|0\.115-6\|0\.11[3-9]\)'; then
+   yum list installed 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)' || \
+   rpm -qa 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)'; then
    echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
    echo ""
 fi
--- a/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
@@ -30,7 +30,7 @@
 # Functions Used: echo_not_found, print_2title, print_list, warn_exec
 # Global Variables:
 # Initial Functions:
-# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled, $protected_symlinks, $protected_hardlinks
+# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled
 # Fat linpeas: 0
 # Small linpeas: 0

--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh
@@ -6,7 +6,7 @@
 # License: GNU GPL
 # Version: 1.2
 # Functions Used: echo_not_found, print_2title, print_info, print_3title
-# Global Variables: $EXTRA_CHECKS, $IAMROOT, $SEARCH_IN_FOLDER, $TIMEOUT, $WRITABLESYSTEMDPATH
+# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER, $IAMROOT, $WRITABLESYSTEMDPATH
 # Initial Functions:
 # Generated Global Variables: $service_unit, $service_path, $service_content, $finding, $findings, $service_file, $exec_path, $exec_paths, $service, $line, $target_file, $target_exec, $relpath1, $relpath2
 # Fat linpeas: 0
@@ -178,11 +178,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
  if [ "$EXTRA_CHECKS" ]; then
    echo ""
    print_3title "Service versions and status:"
-    if [ "$TIMEOUT" ]; then
-      $TIMEOUT 30 sh -c "(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null" || echo_not_found "service|chkconfig|rc-status|launchctl"
-    else
-      (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
-    fi
+    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
  fi

  # Check systemd path writability
@@ -194,4 +190,4 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
  fi

  echo ""
-fi
+fi
--- a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh
@@ -8,7 +8,7 @@
 # Functions Used: echo_not_found, print_2title, print_info
 # Global Variables:$IAMROOT, $PASSWORD, $sudoB, $sudoG, $sudoVB1, $sudoVB2 
 # Initial Functions:
-# Generated Global Variables: $secure_path_line
+# Generated Global Variables:
 # Fat linpeas: 0
 # Small linpeas: 1

--- a/linPEAS/builder/src/linpeasBuilder.py
+++ b/linPEAS/builder/src/linpeasBuilder.py
@@ -405,7 +405,7 @@ class LinpeasBuilder:
                name = entry["name"]
                caseinsensitive = entry.get("caseinsensitive", False)
                regex = entry["regex"]
-                regex = regex.replace("\\", "\\\\").replace('"', '\\"').strip()
+                regex = regex.replace('"', '\\"').strip()
                falsePositives = entry.get("falsePositives", False)

                if falsePositives:
--- a/winPEAS/winPEASbat/winPEAS.bat
+++ b/winPEAS/winPEASbat/winPEAS.bat
@@ -71,7 +71,7 @@ CALL :T_Progress 2
 :ListHotFixes
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    wmic qfe get Caption,Description,HotFixID,InstalledOn
+    wmic qfe get Caption,Description,HotFixID,InstalledOn | more
 ) else (
    powershell -command "Get-HotFix | Format-Table -AutoSize"
 )
@@ -204,7 +204,7 @@ CALL :T_Progress 1
 CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)"
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
+    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
 ) else (
    powershell -command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
 ) 
@@ -238,7 +238,7 @@ CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS"
 ECHO.   [i] Maybe you find something interesting
 where wmic >nul 2>&1
 if %errorlevel% equ 0 (
-    wmic logicaldisk get caption
+    wmic logicaldisk get caption | more
 ) else (
    fsutil fsinfo drives
 )
@@ -670,7 +670,7 @@ if "%long%" == "true" (
 	ECHO.
 	where wmic >nul 2>&1
 	if !errorlevel! equ 0 (
-		for /f %%x in ('wmic logicaldisk get name') do (
+		for /f %%x in ('wmic logicaldisk get name ^| more') do (
 			set tdrive=%%x
 			if "!tdrive:~1,2!" == ":" (
 				%%x
--- a/winPEAS/winPEASexe/CMakeLists.txt
+++ b/winPEAS/winPEASexe/CMakeLists.txt
@@ -1,26 +0,0 @@
-cmake_minimum_required(VERSION 3.16)
-project(winPEAS_dotnet NONE)
-
-set(PROJECT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/winPEAS.csproj")
-
-find_program(DOTNET_EXECUTABLE dotnet)
-find_program(MSBUILD_EXECUTABLE msbuild)
-find_program(XBUILD_EXECUTABLE xbuild)
-
-if(DOTNET_EXECUTABLE)
-  set(BUILD_TOOL "${DOTNET_EXECUTABLE}")
-  set(BUILD_ARGS build "${PROJECT_FILE}" -c Release)
-elseif(MSBUILD_EXECUTABLE)
-  set(BUILD_TOOL "${MSBUILD_EXECUTABLE}")
-  set(BUILD_ARGS "${PROJECT_FILE}" /p:Configuration=Release)
-elseif(XBUILD_EXECUTABLE)
-  set(BUILD_TOOL "${XBUILD_EXECUTABLE}")
-  set(BUILD_ARGS "${PROJECT_FILE}" /p:Configuration=Release)
-else()
-  message(FATAL_ERROR "dotnet, msbuild, or xbuild is required to build winPEAS")
-endif()
-
-add_custom_target(winpeas ALL
-  COMMAND ${BUILD_TOOL} ${BUILD_ARGS}
-  WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
-)
--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -88,7 +88,6 @@ namespace winPEAS.Checks
                PrintLocalGroupPolicy,
                PrintPotentialGPOAbuse,
                AppLockerHelper.PrintAppLockerPolicy,
-                PrintPrintNightmarePointAndPrint,
                PrintPrintersWMIInfo,
                PrintNamedPipes,
                PrintNamedPipeAbuseCandidates,
@@ -837,39 +836,6 @@ namespace winPEAS.Checks
            }
        }

-        private static void PrintPrintNightmarePointAndPrint()
-        {
-            Beaprint.MainPrint("PrintNightmare PointAndPrint Policies");
-            Beaprint.LinkPrint("https://itm4n.github.io/printnightmare-exploitation/", "Check PointAndPrint policy hardening");
-
-            try
-            {
-                string key = @"Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint";
-                var restrict = RegistryHelper.GetDwordValue("HKLM", key, "RestrictDriverInstallationToAdministrators");
-                var noWarn = RegistryHelper.GetDwordValue("HKLM", key, "NoWarningNoElevationOnInstall");
-                var updatePrompt = RegistryHelper.GetDwordValue("HKLM", key, "UpdatePromptSettings");
-
-                if (restrict == null && noWarn == null && updatePrompt == null)
-                {
-                    Beaprint.NotFoundPrint();
-                    return;
-                }
-
-                Beaprint.NoColorPrint($"      RestrictDriverInstallationToAdministrators: {restrict}\n" +
-                                      $"      NoWarningNoElevationOnInstall: {noWarn}\n" +
-                                      $"      UpdatePromptSettings: {updatePrompt}");
-
-                if (restrict == 0 && noWarn == 1 && updatePrompt == 2)
-                {
-                    Beaprint.BadPrint("      [!] Potentially vulnerable to PrintNightmare misconfiguration");
-                }
-            }
-            catch (Exception ex)
-            {
-                Beaprint.PrintException(ex.Message);
-            }
-        }
-
        private static void PrintPrintersWMIInfo()
        {
            Beaprint.MainPrint("Enumerating Printers (WMI)");
--- a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SAM/Structs.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SAM/Structs.cs
@@ -16,10 +16,6 @@ namespace winPEAS.Info.UserInfo.SAM
        {
            get
            {
-                if (_maxPasswordAge == long.MinValue)
-                {
-                    return TimeSpan.MinValue;
-                }
                return -new TimeSpan(_maxPasswordAge);
            }
            set
@@ -32,10 +28,6 @@ namespace winPEAS.Info.UserInfo.SAM
        {
            get
            {
-                if (_minPasswordAge == long.MinValue)
-                {
-                    return TimeSpan.MinValue;
-                }
                return -new TimeSpan(_minPasswordAge);
            }
            set
--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs
@@ -88,10 +88,6 @@ namespace winPEAS.KnownFileCreds
                    if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
                    {
                        string[] subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions\\", SID));
-                        if (subKeys.Length == 0)
-                        {
-                            subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions", SID));
-                        }

                        foreach (string sessionName in subKeys)
                        {
@@ -133,10 +129,6 @@ namespace winPEAS.KnownFileCreds
            else
            {
                string[] subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions\\");
-                if (subKeys.Length == 0)
-                {
-                    subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions");
-                }
                RegistryKey selfKey = Registry.CurrentUser.OpenSubKey(@"Software\\SimonTatham\\PuTTY\\Sessions"); // extract own Sessions registry keys           

                if (selfKey != null)
@@ -206,10 +198,6 @@ namespace winPEAS.KnownFileCreds
                    if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
                    {
                        Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\", SID));
-                        if ((hostKeys == null) || (hostKeys.Count == 0))
-                        {
-                            hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys", SID));
-                        }
                        if ((hostKeys != null) && (hostKeys.Count != 0))
                        {
                            Dictionary<string, string> putty_ssh = new Dictionary<string, string>
@@ -228,10 +216,6 @@ namespace winPEAS.KnownFileCreds
            else
            {
                Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKCU", "Software\\SimonTatham\\PuTTY\\SshHostKeys\\");
-                if ((hostKeys == null) || (hostKeys.Count == 0))
-                {
-                    hostKeys = RegistryHelper.GetRegValues("HKCU", "Software\\SimonTatham\\PuTTY\\SshHostKeys");
-                }
                if ((hostKeys != null) && (hostKeys.Count != 0))
                {
                    Dictionary<string, string> putty_ssh = new Dictionary<string, string>();
--- a/winPEAS/winPEASps1/winPEAS.ps1
+++ b/winPEAS/winPEASps1/winPEAS.ps1
@@ -821,34 +821,6 @@ $Hotfix = Get-HotFix | Sort-Object -Descending -Property InstalledOn -ErrorActio
 $Hotfix | Format-Table -AutoSize


-# PrintNightmare PointAndPrint policy checks
-Write-Host ""
-if ($TimeStamp) { TimeElapsed }
-Write-Host -ForegroundColor Blue "=========|| PRINTNIGHTMARE POINTANDPRINT POLICY"
-$pnKey = "HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
-if (Test-Path $pnKey) {
-  $pn = Get-ItemProperty -Path $pnKey -ErrorAction SilentlyContinue
-  $restrict = $pn.RestrictDriverInstallationToAdministrators
-  $noWarn = $pn.NoWarningNoElevationOnInstall
-  $updatePrompt = $pn.UpdatePromptSettings
-
-  Write-Host "RestrictDriverInstallationToAdministrators: $restrict"
-  Write-Host "NoWarningNoElevationOnInstall: $noWarn"
-  Write-Host "UpdatePromptSettings: $updatePrompt"
-
-  $hasAllValues = ($null -ne $restrict) -and ($null -ne $noWarn) -and ($null -ne $updatePrompt)
-  if (-not $hasAllValues) {
-    Write-Host "PointAndPrint policy values are missing or not configured" -ForegroundColor Gray
-  } elseif (($restrict -eq 0) -and ($noWarn -eq 1) -and ($updatePrompt -eq 2)) {
-    Write-Host "Potentially vulnerable to PrintNightmare misconfiguration" -ForegroundColor Red
-  } else {
-    Write-Host "PointAndPrint policy is not in the known risky configuration" -ForegroundColor Green
-  }
-} else {
-  Write-Host "PointAndPrint policy key not found" -ForegroundColor Gray
-}
-
-
 #Show all unique updates installed
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }