mirror of https://github.com/carlospolop/PEASS-ng synced 2024-11-27 14:13:38 +01:00
PEASS-ng/winPEAS/winPEASbat
2020-02-24 00:07:46 +00:00

Windows Privilege Escalation Awesome Script (.bat)

WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Check also the Local Windows Privilege Escalation checklist from book.hacktricks.xyz

WinPEAS.bat is a batch script made for Windows systems that don't support WinPEAS.exe (which requires .NET 4).

Unfortunately this script does not support colors, so you will need to know what you are looking for in each test and also how to read the icacls output (see below).

Windows PE using CMD (.bat)

If you want to search files and the registry for content that could contain passwords, set the long variable at the beginning of the script to yes.

The script will use accesschk.exe if it is available (with that name), but it is not necessary: the script also uses wmic and icacls.

Some of the tests in this script were extracted from here and from here

Main checks

  • Systeminfo (OS version and patches, for Windows suggester)
  • Common known exploits (2K, XP, 2K3, 2K8, Vista, 7)
  • Audit Settings
  • WEF Settings
  • LAPS installed?
  • LSA protection?
  • Credential Guard?
  • WDigest?
  • Number of cached credentials
  • UAC Settings
  • AV?
  • PS Settings
  • Mounted disks
  • SCCM installed?
  • Remote Desktop Credentials Manager?
  • WSUS Settings
  • Processes list
  • Interesting file permissions of binaries being executed
  • Interesting file permissions of binaries run at startup
  • AlwaysInstallElevated?
  • Network info (see below)
  • Users info (see below)
  • Current user privileges
  • Service binary permissions
  • Check for permissions to modify any service registry key
  • Unquoted Service paths
  • DLL Hijacking in PATH
  • Windows Vault
  • DPAPI Master Keys
  • AppCmd.exe?
  • Check for unattended files
  • Check for SAM & SYSTEM backups
  • Check for cached GPP Passwords
  • Check for McAfee SiteList.xml files
  • Check for Cloud credentials
  • Search registry keys known to contain passwords and keys (Winlogon...)
  • Search files known to contain passwords (can take some minutes)
  • If long is set, search files for passwords inside
  • If long is set, search the registry for passwords inside

More enumeration

  • Date & Time
  • Env
  • Installed Software
  • Running Processes
  • Current Shares
  • Network Interfaces
  • Used Ports
  • Firewall
  • ARP
  • Routes
  • Hosts
  • Cached DNS
  • Info about current user (PRIVILEGES)
  • List groups (info about administrators)
  • Current logon users

Understanding icacls permissions

Icacls is the program used to check the rights that groups and users have on a file or folder.

Icacls is the main binary used here to check permissions.

Its output is not intuitive, so if you are not familiar with the command, continue reading. Take into account that on XP you need administrator rights to use icacls (for this OS it is highly recommended to upload Sysinternals accesschk.exe to enumerate rights).

Interesting permissions

D - Delete access
F - Full access (Edit_Permissions+Create+Delete+Read+Write)
N - No access
M - Modify access (Create+Delete+Read+Write)
RX - Read and eXecute access
R - Read-only access
W - Write-only access

We will focus on F (full), M (modify) and W (write).

Use of Icacls by WinPEAS

When checking the rights of a file or folder, the script searches for the strings (F), (M) or (W) together with the string ":" (so that the path of the file being checked appears in the matched output).

It also checks that the found right (F, M or W) can be exploited by the current user.

A typical output where you don't have any nice access is:

C:\Windows\Explorer.EXE NT SERVICE\TrustedInstaller:(F)

An output where you have some interesting privilege will be like:

C:\Users\john\Desktop\desktop.ini NT AUTHORITY\SYSTEM:(I)(F)
                                MYDOMAIN\john:(I)(F)

Here you can see that the privileges of the user NT AUTHORITY\SYSTEM appear in the output because they are on the same line as the path of the file. However, on the next line you can see that our user (john) has full privileges on that file.

This is the kind of output that you have to look for when using the winPEAS.bat script.
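As an added example (not part of WinPEAS.bat itself), the Python below applies the rule from the last two sections to icacls output: it pairs every indented continuation line with the path on the entry's first line, splits that first line into path and trustee (multi-word authorities such as NT AUTHORITY are handled explicitly), and reports only F, M or W grants to the current user or one of its groups, skipping DENY entries. The identities set and the sample output are constructed assumptions; the same logic lets a defender audit a host for binaries writable by non-administrators.

```python
import re

# Rights WinPEAS treats as interesting: full, modify and write.
INTERESTING = {"F", "M", "W"}
# Authorities with a space in the name: needed to find where the path ends on a first line.
SPACED = ("NT AUTHORITY\\", "NT SERVICE\\", "APPLICATION PACKAGE AUTHORITY\\")

# Constructed sample (not from a real host): path and first ACE share a line, later ACEs are indented.
SAMPLE_ICACLS = """\
C:\\Windows\\Explorer.EXE NT SERVICE\\TrustedInstaller:(F)
                         BUILTIN\\Users:(RX)
C:\\Users\\john\\Desktop\\desktop.ini NT AUTHORITY\\SYSTEM:(I)(F)
                                MYDOMAIN\\john:(I)(F)
C:\\Tools\\agent.exe BUILTIN\\Administrators:(F)
                    BUILTIN\\Users:(I)(M)
C:\\Tools\\config.ini Everyone:(DENY)(W)
                      BUILTIN\\Users:(R)
"""

FLAGS_RE = re.compile(r":((?:\([^)]*\))+)\s*$")  # the trailing ":(I)(F)" of an ACE

def parse_icacls(text):
    """Map each path to a list of (trustee, set_of_flags) pairs."""
    entries, path = {}, None
    for raw in text.splitlines():
        m = FLAGS_RE.search(raw)
        if not m:
            continue
        head = raw[: m.start()]
        flags = set(re.findall(r"\(([^)]*)\)", m.group(1)))   # "(I)(F)" -> {"I", "F"}
        if raw[0].isspace():                 # continuation line: trustee only
            who = head.strip()
        else:                                # first line: "<path> <trustee>"
            cut = max(head.rfind(" " + a) for a in SPACED)
            if cut == -1:
                cut = head.rfind(" ")
            path, who = head[:cut], head[cut + 1:]
        if path is not None:
            entries.setdefault(path, []).append((who, flags))
    return entries

def interesting_acls(text, identities):
    """(path, trustee, right) for every F/M/W grant to the user or one of its groups."""
    wanted = {i.lower() for i in identities}
    hits = []
    for path, aces in parse_icacls(text).items():
        for who, flags in aces:
            if who.lower() in wanted and "DENY" not in flags:
                hits.extend((path, who, r) for r in sorted(flags & INTERESTING))
    return hits
```

Feed it the output of `icacls <path>` for the binaries you care about and the identities printed by `whoami /groups`; only the desktop.ini and agent.exe entries of the sample are reported.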

More info about icacls here

Let's improve PEASS together

If you want to add something or have any cool idea related to this project, please let me know in the Telegram group https://t.me/peass or via GitHub issues and we will update the master version.

Please, if this tool has been useful to you, consider donating.

paypal

Looking for a useful Privilege Escalation Course?

Contact me and ask about the Privilege Escalation Course I am preparing for attackers and defenders (100% technical).

Advisory

All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

License

MIT License

By Polop(TM)