Finding PE Vulns

Though some of the fundamentals of choosing the right privilege escalation (PE) method were explained on the introductory page, there are a few useful scripts and executables that can help identify such vulnerabilities quickly. Here is a short list of such tools.

WinPeas

LinPeas (and its Windows counterpart WinPeas) is one of the most popular privilege escalation enumeration scripts available. Running the script colour-codes its findings, from the most likely privilege escalation vectors down to the least likely or not exploitable ones.

Sherlock Script

PowerShell script to find missing software patches that correspond to local privilege escalation vulnerabilities.

The script has a number of functions, each checking for a different vulnerability. You can either call a specific function or run all of them to find any of the susceptible vulnerabilities. Adding the line "Find-AllVulns" to the bottom of the PowerShell script and then executing it lists all vulnerabilities.

Powersploit - Powerup

Similar to Sherlock, this is another PowerShell script that can be used to find privilege escalation vectors that rely on misconfigurations.

PowerUp has also been ported to a C# executable named SharpUp, available through the following link:

PrivescCheck

Yet another PowerShell script that looks for misconfigurations in a Windows system that could be exploited to escalate privileges.

Windows Exploit Suggester

This tool directly compares the patch level of the system's software with the Microsoft Vulnerability Database to detect missing patches. It requires the output of the 'systeminfo' command, which it compares against the Microsoft Security Bulletin database.

Just Another Windows Script (JAWS)

Yet another PowerShell script that identifies potential privilege escalation vectors on Windows.

Rasta Watson

Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.

PowerUp Script

The PowerUp script can be used to identify modifiable service binaries on a Windows system. On Kali Linux it is available at the following location:

/usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1

The script can be downloaded to the Windows system, and the following function can then be used to identify modifiable service binaries:

Get-ModifiableServiceFile

PowerUp also has a function that abuses this vulnerability by adding a default user named "john" with the password "Password123!" and adding it to the local Administrators group. It can also restart the service if sufficient permissions are available.

Install-ServiceBinary -Name 'xyz'
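For the defensive side of the same check, the following PowerShell audit is an added example (it is not PowerUp's code, nor part of any tool listed on this page). It enumerates every installed service, resolves the executable from the service's PathName, and reports those whose binary is writable by a broad principal, which is the condition Get-ModifiableServiceFile flags. The set of "broad" SIDs in $BroadSids and the rights mask in $WriteMask are assumptions chosen for this example; adjust them to local policy.

```powershell
# Added example (not PowerUp's code): audit Windows service binaries for write
# access granted to broad principals. Run from an elevated PowerShell session.

# Assumption: these SIDs are treated as "broad"; extend the list for local policy.
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Assumption: any of these rights lets a user replace or rewrite the binary.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; return only the executable.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Test-BroadWriteAccess {
    param([string]$Path)
    # Returns the first broad principal with write-class rights on $Path, or $null.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable (orphaned) identities are skipped
        if (($BroadSids -contains $sid) -and (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }
    try { $who = Test-BroadWriteAccess $bin } catch { continue }
    if ($who) {
        [pscustomobject]@{
            Service    = $svc.Name
            RunsAs     = $svc.StartName
            Binary     = $bin
            WritableBy = $who
        }
    }
}

# Each row is a service whose executable can be rewritten by a broad group;
# the RunsAs column shows which account would execute the replaced binary.
$findings | Format-Table -AutoSize
```

Services that run as LocalSystem with a binary writable by Users or Authenticated Users are the ones to fix first; tightening the file ACL (or moving the binary under Program Files with inherited permissions) removes the condition. Unquoted service paths containing spaces are a separate weakness and are not covered by this check.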
