Tools ⚙️

Theory

On this page, we'll look at some automated tools we can use to enumerate privilege escalation vectors. These tools can be very useful because of their efficiency, speed and complete coverage. However, using such tools can significantly reduce our OpSec as it can be a very noisy process.

Practice

winPEAS (Windows Privilege Escalation Awesome Scripts) is a powerful and widely used privilege escalation tool to identify security weaknesses and privilege escalation vectors within Windows environments.

# Executables
.\winPEASx64.exe
.\winPEASx86.exe 

# Powershell
Import-Module .\winPEAS.ps1
Start-ACLCheck

PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

Import-Module .\PowerUp.ps1
Invoke-AllChecks

JAWS is a PowerShell script designed to quickly identify potential privilege escalation vectors on Windows systems.

.\jaws-enum.ps1 -OutputFileName Jaws-Enum.txt

Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

.\Seatbelt.exe -group=all

Compiled binaries can be found here.

Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.

.\WatsonNet3.5AnyCPU.exe

Precompiled binaries can be found here.

Sherlock is a PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

Import-Module .\Sherlock.ps1
Find-AllVulns

Sherlock has been deprecated and replaced by Watson, but can still be relevant.

Last updated 7 months ago