github/PEASS-ng
1
Fork 0
mirror of https://github.com/carlospolop/PEASS-ng synced 2024-11-27 14:13:38 +01:00
Code Releases Activity
1faa20fd60
PEASS-ng/winPEAS/winPEASexe
History
carlospolop b467269914 Telegram group: https://t.me/peass
2020-01-17 19:16:05 -05:00
..
images More stable winPEAS & linpeasv2.2.9 2020-01-17 19:00:00 -05:00
packages More stable winPEAS & linpeasv2.2.9 2020-01-17 19:00:00 -05:00
winPEAS More stable winPEAS & linpeasv2.2.9 2020-01-17 19:00:00 -05:00
README.md Telegram group: https://t.me/peass 2020-01-17 19:16:05 -05:00
winPEAS.sln More stable winPEAS & linpeasv2.2.9 2020-01-17 19:00:00 -05:00

README.md

Windows Privilege Escalation Awesome Script (.exe)

WinPEAS is a script that searh for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Check also the Local Windows Privilege Escalation checklist from book.hacktricks.xyz

youtube

Quick Start

Download the latest version from here or compile it yourself.

winpeas.exe cmd searchfast #cmd commands and avoid sleepig (noisy - CTFs)
winpeas.exe #Will execute all checks except the ones that use a CMD
winpeas.exe cmd #All checks
winpeas.exe cmd fast #All except the one that search for files
winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed
winpeas.exe notcolor #Do not color the output

Basic information

The goal of this project is to search for possible Privilege Escalation Paths in Windows environments.

It should take only a few seconds to execute almost all the checks and some minutes during the last check searching in the whole main drive for known files that could contain passwords (the time depened on the number of files in your drive). Get rid of that time consuming check using the parameter fast.

By default, the progam sleeps 150ms before start searching files in each directory. This is made to consume less resources (stealthier). You can avoid this sleep using searchfast parameter.

The ouput will be colored using ansi colors. If you are executing winpeas.exe from a Windows console, you need to set a registry value to see the colors:

REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

Below you have some indications about what does each color means exacty, but keep in mind that Red is for something interesting (from a pentester perspective) and Green is something well configured (from a defender perspective).

The tool is based in SeatBelt.

Help

Colors

Checks

Details

  • System Information

    • Basic System info information
    • Use Watson to search for vulnerabilities
    • PS, Audit, WEF and LAPS Settings
    • Environment Variables
    • Internet Settings
    • Current drives information
    • AV?
    • UAC configuration

  • Users Information

    • Users information
    • Current token privileges
    • Clipboard text
    • Current logged users
    • RDP sessions
    • Ever logged users
    • Autologin credentials
    • Home folders
    • Password policies

  • Processes Information

    • Interesting processes (non Microsoft)

  • Services Information

    • Interesting services (non Microsoft) information
    • Writable service registry binpath
    • PATH Dll Hijacking

  • Applications Information

    • Current Active Window
    • Installed software
    • AutoRuns
    • Scheduled tasks

  • Network Information

    • Current net shares
    • hosts file
    • Network Interfaces
    • Listening ports
    • Firewall rules
    • DNS Cache (limit 70)

  • Windows Credentials

    • Windows Vault
    • Credential Manager
    • Saved RDP connections
    • Recently run commands
    • DPAPI Masterkeys
    • DPAPI Credential files
    • Remote Desktop Connection Manager credentials
    • Kerberos Tickets
    • Wifi
    • AppCmd.exe
    • SSClient.exe
    • AlwaysInstallElevated
    • WSUS

  • Browser Information

    • Firefox DBs
    • Credentials in firefox history
    • Chrome DBs
    • Credentials in chrome history
    • Current IE tabs
    • Credentials in IE history
    • IE Favorites

  • Interesting Files and registry

    • Putty sessions
    • Putty SSH host keys
    • SSH Keys inside registry
    • Cloud credentials
    • Possible registries with credentials
    • Possible credentials files in users homes
    • Possible password files inside the Recycle bin
    • Possible files containing credentials (this take some minutes)
    • User documents (limit 100)

Let's improve PEASS together

If you want to add something and have any cool idea related to this project, please let me know it in the telegram group https://t.me/peass or using github issues and we will update the master version.

Please, if this tool has been useful for you consider to donate

paypal

Looking for a useful Privilege Escalation Course?

Contact me and ask about the Privilege Escalation Course I am preparing for attackers and defenders (100% technical).

TODO

  • Add more checks
  • Mantain updated Watson
  • List wifi networks without using CMD
  • List credentials inside the Credential Manager without using CMD

If you want to help with any of this, you can do it using github issues or you can submit a pull request.

If you find any issue, please report it using github issues.

WinPEAS is being updated every time I find something that could be useful to escalate privileges.

Advisory

All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

License

MIT License

By Polop(TM)