
winPEAS: Fix network scanning (arg parsing, race condition, port scanner, auto-mode crash)#612

Merged
carlospolop merged 26 commits into peass-ng:master from giveen:windows-network-scan
Mar 7, 2026

Conversation


@giveen giveen commented Mar 6, 2026

Summary

This PR fixes several bugs in the winPEAS network scanning feature (-network flag) and improves the overall reliability and output quality of host/port discovery.


Changes

Bug Fixes

1. CLI argument parsing — space-separated values now accepted
The argument parser iterated over args with a foreach, so -network 10.0.0.0/24 would hand the parser only the bare -network token with no value, causing the "not a valid option" error. Converted to a for loop that coerces space-separated flags into key=value form before any other logic runs. Both of these now work:

.\winPEAS.exe -network 10.154.9.0/24
.\winPEAS.exe -network=10.154.9.0/24

2. Auto-mode NullReferenceException (NetworkScanner.Scan())
The if / if / if chain for IPAddressNetmask / IPAddressList branches meant the auto path fell through and called AddRange(null). Changed to else if so only one branch executes.

3. HostsAlive race condition in NetPinger
Concurrent async ping callbacks were writing to a plain List<string>, causing intermittent corruption / lost results. Replaced with ConcurrentBag<string>.

4. Unbound parallelism
The outer host loop and inner port loop had no concurrency cap, causing thread exhaustion on large subnets. Host loop is now capped at MaxDegreeOfParallelism=5, port loop at 50. A PortScanner instance is created per host to eliminate shared-state concerns.

5. Port scan output bypassing Beaprint
Open-port results were written via raw Console.WriteLine, bypassing colour formatting and the -notcolor flag. Replaced with Beaprint.GoodPrint.

6. Network scan wired into NetworkInfo.PrintInfo()
The scan block was previously a detached call in RunChecks() outside the structured check pipeline. Moved into a new PrintNetworkScan() method on NetworkInfo and wired in when IsNetworkScan == true, so it respects logging, timing, and -notcolor like every other check.


Testing

  • .\winPEAS.exe -network 10.154.9.0/24 — no longer errors
  • .\winPEAS.exe -network=auto — no longer crashes with NullReferenceException
  • Large subnet scans complete without thread exhaustion
  • Open ports are colour-highlighted in output and respect -notcolor
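The argument normalization (item 1) and the bounded, race-free host/port loops (items 3 and 4) described in the PR text, as an added C# illustration; this is not code from the PR or from winPEAS, and the method names and the isAlive/isOpen probe delegates are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

// Added illustration of fixes 1, 3 and 4 from the PR description; this is not
// winPEAS's own code, and the method names and probe delegates are hypothetical.
static class NetworkScanFixes
{
    // Fix 1: rewrite "-network 10.154.9.0/24" as "-network=10.154.9.0/24" before
    // option matching. A foreach cannot see args[i + 1]; an indexed for loop can,
    // and it skips the value it consumed.
    public static List<string> NormalizeArgs(string[] args, params string[] valueFlags)
    {
        var result = new List<string>();
        for (int i = 0; i < args.Length; i++)
        {
            bool takesValue = valueFlags.Contains(args[i], StringComparer.OrdinalIgnoreCase);
            bool nextIsValue = i + 1 < args.Length && !args[i + 1].StartsWith("-");
            if (takesValue && nextIsValue)
                result.Add(args[i] + "=" + args[++i]);   // consume the following value
            else
                result.Add(args[i]);                     // key=value already, or a bare switch
        }
        return result;
    }

    // Fixes 3 and 4: ping callbacks from several threads append to a ConcurrentBag
    // rather than a List; the host loop is capped at 5 and the per-host port loop
    // at 50; each host gets its own result bag, mirroring a PortScanner per host.
    public static ConcurrentDictionary<string, List<int>> Scan(IEnumerable<string> hosts,
        int[] ports, Func<string, bool> isAlive, Func<string, int, bool> isOpen)
    {
        var alive = new ConcurrentBag<string>();
        Parallel.ForEach(hosts, new ParallelOptions { MaxDegreeOfParallelism = 5 },
            h => { if (isAlive(h)) alive.Add(h); });
        var results = new ConcurrentDictionary<string, List<int>>();
        Parallel.ForEach(alive, new ParallelOptions { MaxDegreeOfParallelism = 5 }, host =>
        {
            var open = new ConcurrentBag<int>();
            Parallel.ForEach(ports, new ParallelOptions { MaxDegreeOfParallelism = 50 },
                p => { if (isOpen(host, p)) open.Add(p); });
            results[host] = open.OrderBy(p => p).ToList();
        });
        return results;
    }
}
```

Calling NormalizeArgs(new[] { "-network", "10.154.9.0/24" }, "-network", "-ports") yields the single element "-network=10.154.9.0/24", so the later option matching only ever sees the key=value form.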

giveen added 7 commits March 4, 2026 20:29
- Fix auto-mode NullReferenceException: change plain 'if' to 'else if'
  for IPAddressNetmask/IPAddressList branches in NetworkScanner.Scan(),
  so the auto path no longer falls through and calls AddRange(null)
- Fix HostsAlive race condition in NetPinger: replace List<string> with
  ConcurrentBag<string> so concurrent async ping callbacks don't corrupt
  the collection
- Fix unbound parallelism: cap outer host loop at MaxDegreeOfParallelism=5
  and inner port loop at 50; create a PortScanner per host to remove
  shared-state concerns
- Fix port scan output bypassing Beaprint: replace raw Console.WriteLine
  with Beaprint.GoodPrint so open-port results are colour-highlighted and
  respect -nocolor
- Move network scan into NetworkInfo.PrintInfo(): add PrintNetworkScan()
  method, wire it into the check list when IsNetworkScan is true, remove
  the detached scan block from RunChecks(), expose NetworkScanOptions and
  PortScannerPorts as public, and remove the now-unused using directive
Copilot AI review requested due to automatic review settings March 6, 2026 18:48

giveen commented Mar 6, 2026

.\winPEAS.exe -network="10.154.9.0/24"



Copilot AI left a comment


Pull request overview

Fixes and refactors the winPEAS -network scanning flow (argument parsing, scan-mode selection, concurrency limits, and output formatting), and additionally introduces unrelated build/vault/linPEAS changes.

Changes:

  • Normalize -network / -ports CLI args to support space-separated values and move network scan execution into the NetworkInfo check pipeline.
  • Improve network scan reliability: fix auto-mode branch selection, mitigate ping result race conditions, cap host/port scan parallelism, and route output through Beaprint.
  • Add Linux MSBuild satellite-resource shim, add missing Vault structs/enums, and add linPEAS -z threads flag + regression tests.

Reviewed changes

Copilot reviewed 8 out of 17 changed files in this pull request and generated 4 comments.

File: Description
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Vault/Structs/VAULT_ITEM_WIN8.cs: Adds Vault Win8 struct used by Vault dumping code.
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Vault/Structs/VAULT_ITEM_WIN7.cs: Adds Vault Win7 struct used by Vault dumping code.
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Vault/Structs/VAULT_ITEM_ELEMENT.cs: Adds Vault element header struct for value parsing.
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Vault/Enums/VAULT_SCHEMA_ELEMENT_ID.cs: Adds Vault schema element ID enum.
winPEAS/winPEASexe/winPEAS/KnownFileCreds/Vault/Enums/VAULT_ELEMENT_TYPE.cs: Adds Vault element type enum.
winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/PortScanner.cs: Caps port-scan concurrency and routes open-port output through Beaprint.
winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkScanner.cs: Fixes auto-mode branch fallthrough and caps per-host scanning concurrency.
winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetPinger.cs: Fixes HostsAlive race by using ConcurrentBag and routes output through Beaprint.
winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs: Wires network scan into the structured NetworkInfo.PrintInfo() pipeline.
winPEAS/winPEASexe/winPEAS/Checks/Checks.cs: Normalizes -network/-ports parsing and removes detached scan invocation from RunChecks().
winPEAS/winPEASexe/Directory.Build.targets: Adds non-Windows MSBuild shim to skip satellite resource generation/copy.
linPEAS/tests/test_builder.py: Adds regression tests ensuring -z is parsed and documented in built linPEAS script.
linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh: Adds -z threads flag parsing/help and fixes THREADS fallback validation.
Comments suppressed due to low confidence (1)

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs:403

  • Network scan is now only executed as part of the NetworkInfo system check. If a user selects a subset of checks (e.g. systeminfo) while also passing -network=..., networkinfo won’t run and the scan will be skipped (previously the scan ran whenever IsNetworkScan was true). Consider ensuring the scan runs whenever Checks.IsNetworkScan is set (e.g., force-select networkinfo, add a dedicated networkscan system check, or restore a separate scan execution path that still goes through CheckRunner).
        private static void RunChecks(bool isAllChecks, bool wait)
        {
            for (int i = 0; i < _systemChecks.Count; i++)
            {
                var systemCheck = _systemChecks[i];



Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 15 changed files in this pull request and generated 6 comments.




Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 16 changed files in this pull request and generated 4 comments.



@carlospolop carlospolop merged commit c9055a7 into peass-ng:master Mar 7, 2026
0 of 3 checks passed
@giveen giveen deleted the windows-network-scan branch March 7, 2026 14:02
3 participants