Windows Privilege Escalation Scripts & Techniques
Privilege escalation is an important process part of post exploitation in a penetration test that allow an attacker to obtain a higher level of permissions on a system or network.
Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation.
An attacker can enter a system with unprivileged access and must take advantage of a system weakness to obtain local administrator or SYSTEM privileges. There are a few scripts in the under which makes it easy to do privilege escalation:
This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
Windows-Exploit-Suggester - This tool compares a targets patch levels against the Microsoft vulnerability database in…github.com
SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as…github.com
JAWS — Just Another Windows (Enum) Script
JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so ‘should’ run on every Windows version since Windows 7.
Windows-privesc-check is standalone executable that runs on Windows systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systemsgithub.com
PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.github.com
Windows Privesc Check (WPC-PS)
After trying to fix the code of the original Windows Privesc Check tool and crying rivers of blood I decided to look for a more appropriate tool for the task. This is an experiment to implement similar functionality in Powershell, that is available by default in every Windows installation since Windows 7/Server 2008 R2.
PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag will also generate a COMPUTER.username.html version of the report.
Metasploit Windows Gather Applied Patches
This module will attempt to enumerate which patches are applied to a windows system based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering
Metasploit Local Exploit Suggester Module
This module suggests local meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter. It’s important to note that not all local exploits will be fired. Exploits are chosen based on these conditions: session type, platform, architecture, and required default options.
BeRoot(s) is a post exploitation tool to check common Windows misconfigurations to find a way to escalate our privilege.
Windows batch script that finds misconfiguration issues which can lead to privilege escalation. Script uses accesschk.exe from Sysinternals. This executable is mandatory. Few checks also use Listdlls.exe and pipelist.exe from Sysinternals. Those executables are optional.
Privesc - Windows batch script that finds misconfiguration issues which can lead to privilege escalation.github.com
Exploit Database (EDB)
The Exploit Database (EDB) is a CVE compliant archive of exploits and vulnerable software. A great resource for penetration testers, vulnerability researchers, and security addicts alike. exploit-db will help you to find out windows local exploit by searching through google or using tools like searchsploit.
By searching in google :
site:exploit-db.com privilege escalation windows 7
Common Windows Privilege Escalation Vectors
- Stored Credentials
- Windows Kernel Exploit
- DLL Injection
- Unattended Answer File
- Insecure File/Folder Permissions
- Insecure Service Permissions
- DLL Hijacking
- Group Policy Preferences
- Unquoted Service Path
- Always Install Elevated
- Token Manipulation
- Insecure Registry Permissions
- Autologon User Credential
- User Account Control (UAC) Bypass
- Insecure Named Pipes Permissions