Created
August 6, 2017 21:44
Script to enumerate basic system info and search common privilege escalation vectors as seen here: http://www.fuzzysecurity.com/tutorials/16.html
#!/usr/bin/env python
###############################################################################################################
## [Details]:
## This script is intended to be executed locally on a Windows box to enumerate basic system info and
## search for common privilege escalation vectors as seen here: http://www.fuzzysecurity.com/tutorials/16.html
## All credit to fuzzysecurity and the author of the awesome linuxprivchecker, from which all the code was borrowed :)
##-------------------------------------------------------------------------------------------------------------
## [Title]: winprivchecker.py -- a Windows Privilege Escalation Check Script
## [Org Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
## [Org Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
##-------------------------------------------------------------------------------------------------------------
## [Warning]:
## This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates,
## I did not write it to be efficient and in some cases you may find the functions do not produce the desired
## results. Every check shells out to cmd.exe with hard-coded commands; it writes nothing to disk unless
## writeResults() is wired up, but its console output can contain credentials (see the password searches).
##-------------------------------------------------------------------------------------------------------------
## [Modification, Distribution, and Attribution]:
## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
## worth anything anyway :)
###############################################################################################################
# conditional import for older versions of python not compatible with subprocess | |
try: | |
import subprocess as sub | |
compatmode = 0 # newer version of python, no need for compatibility mode | |
except ImportError: | |
import os # older version of python, need to use os instead | |
compatmode = 1 | |
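# Title / formatting.  print() with a single argument behaves the same on
# Python 2 and 3, so the banner no longer ties the script to Python 2.
bigline = "================================================================================================="
smlline = "-------------------------------------------------------------------------------------------------"
print(bigline)
print("WIN PRIVILEGE ESCALATION CHECKER")
print(bigline)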
# loop through dictionary, execute the commands, store the results, return updated dict | |
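def execCmd(cmdDict):
    """Run every command in cmdDict and store each one's stdout lines.

    cmdDict maps an arbitrary key to a dict holding at least "cmd" (an argv
    list).  For each entry the command is executed and entry["results"] is
    set to its stdout split on "\\n" (any placeholder list under "results" is
    overwritten).  cmdDict is updated in place and also returned.

    The commands run through cmd.exe (shell=True) on purpose: several of the
    hard-coded commands are cmd builtins (dir, type, echo, set) or rely on
    %VAR% expansion and wildcard arguments.  Only ever pass hard-coded
    command lists here - a command assembled from untrusted input would be a
    shell command injection.

    subprocess has been in the standard library since Python 2.4, so the
    original os.popen fallback was dropped.
    """
    for item in cmdDict:
        cmdDict[item]["results"] = _runCmd(cmdDict[item]["cmd"])
    return cmdDict


def _runCmd(cmd):
    """Run one argv list through the shell; return stdout as a list of lines.

    stderr is read (to avoid a full-pipe deadlock) but discarded, so a
    command that fails - e.g. `type` on a file that does not exist - simply
    yields an empty result rather than an error message.  There is no
    timeout: a slow command such as a recursive `reg query` blocks until it
    finishes.
    """
    import locale  # only needed for the Python 3 bytes -> str decode below

    proc = sub.Popen(cmd, stdout=sub.PIPE, stderr=sub.PIPE, shell=True)
    out, _err = proc.communicate()
    # Python 3 returns bytes; Python 2 returns str and skips this branch.
    # NOTE(review): cmd.exe emits the OEM code page, which may differ from the
    # locale's preferred encoding - "replace" keeps a stray byte from crashing
    # the whole enumeration run.
    if not isinstance(out, str):
        out = out.decode(locale.getpreferredencoding(False) or "utf-8", "replace")
    return out.split("\n")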
# print results for each previously executed command, no return value | |
def printResults(cmdDict): | |
for item in cmdDict: | |
msg = cmdDict[item]["msg"] | |
results = cmdDict[item]["results"] | |
print "[+] " + msg | |
for result in results: | |
if result.strip() != "": | |
print " " + result.strip() | |
return | |
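def writeResults(msg, results, path="privcheckout.txt"):
    """Append msg and the non-blank lines of results to path.

    path defaults to "privcheckout.txt" in the current directory, as before;
    it is now a parameter so callers can choose where the output lands.  The
    header line carries len(results)-1 (clamped at 0), presumably because
    execCmd's split on "\\n" leaves a trailing empty element.  The original
    wrote everything on one line; each record now ends with a newline and the
    file is closed via a context manager even if a write fails.

    NOTE(review): nothing in this script calls writeResults.  If you wire it
    up, remember that the output can contain credentials picked up by the
    findstr/reg "password" searches and that the file is created with default
    permissions - treat it as sensitive and remove it after the assessment.
    """
    with open(path, "a") as f:
        f.write("[+] " + str(max(len(results) - 1, 0)) + " " + msg + "\n")
        for result in results:
            result = result.strip()
            if result:
                f.write("    " + result + "\n")
    return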
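# Basic system info.  systeminfo gives the OS version/build and the installed
# hotfix list - the starting point for the missing-patch checks in the
# referenced tutorial.
print("[*] GETTING BASIC SYSTEM INFO...\n")
# Shared placeholder for every "results" value below; execCmd replaces it
# per entry with the command's real output, so sharing one list is harmless.
results = []
sysInfo = {
    "OS": {"cmd": ["systeminfo"], "msg": "Operating System", "results": results},
    "HOSTNAME": {"cmd": ["hostname"], "msg": "Hostname", "results": results},
}
sysInfo = execCmd(sysInfo)
printResults(sysInfo)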
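# Networking info.  netstat -ano lists listening ports with owning PIDs;
# services bound only to 127.0.0.1 are candidates for port forwarding.
# NOTE(review): the `netsh firewall` context is deprecated on Windows Vista /
# Server 2008 and later in favour of `netsh advfirewall`, so the two firewall
# entries may print a deprecation notice or nothing on newer hosts.
print("[*] GETTING NETWORKING INFO...\n")
netInfo = {
    "NETINFO": {"cmd": ["ipconfig", "/all"], "msg": "Interfaces", "results": results},
    "ROUTE": {"cmd": ["route", "print"], "msg": "Route", "results": results},
    "ARP": {"cmd": ["arp", "-A"], "msg": "ARP", "results": results},
    "NETSTAT": {"cmd": ["netstat", "-ano"], "msg": "Netstat", "results": results},
    "FW_STATE": {"cmd": ["netsh", "firewall", "show", "state"], "msg": "firewall state", "results": results},
    "FW_CONF": {"cmd": ["netsh", "firewall", "show", "config"], "msg": "firewall config", "results": results},
}
netInfo = execCmd(netInfo)
printResults(netInfo)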
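# File system info
print("[*] GETTING FILESYSTEM INFO...\n")
# Scheduled tasks (the Windows analogue of cron).  The verbose listing shows
# the "Run As User" and "Task To Run" columns - look for tasks that run as a
# privileged account whose executable or script path is writable by you.
cronInfo = {
    "CRON": {"cmd": ["schtasks", "/query", "/fo", "LIST", "/v"], "msg": "Scheduled tasks", "results": results},
}
cronInfo = execCmd(cronInfo)
printResults(cronInfo)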
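# User and environment info.  `set` dumps the whole environment, which can
# itself leak credentials (tokens, connection strings) - review it.
# NOTE(review): `whoami /priv` and `whoami /groups` are the usual next step
# (e.g. SeImpersonatePrivilege, local admin group membership); they are not
# run here.
print("\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n")
userInfo = {
    "WHOAMI": {"cmd": ["whoami"], "msg": "Current User", "results": results},
    # %username% is expanded by cmd.exe - this entry depends on shell=True in execCmd.
    "ID": {"cmd": ["echo", "%username%"], "msg": "Current User ID", "results": results},
    "ALLUSERS": {"cmd": ["net", "users"], "msg": "All users", "results": results},
    "ENV": {"cmd": ["set"], "msg": "Environment", "results": results},
}
userInfo = execCmd(userInfo)
printResults(userInfo)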
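# File / directory contents that commonly hold credentials.
# - `dir /s` and `findstr /s` recurse from the CURRENT directory, so launch
#   the script from the drive root (e.g. C:\) for full coverage.
# - In cmd.exe `=` is a token delimiter, so "*pass* == *cred* == *vnc* ==
#   *.config*" is four patterns for one dir invocation (as in the tutorial).
# - The two `reg query ... /s` walks scan an entire hive and can take a long
#   time; execCmd has no timeout.
# Anything printed here may be a real password - do not leave the console
# output or a log of it on the host.
print("[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n")
pwdFiles = {
    "LOGPWDS": {"cmd": ["dir", "/s", "*pass*", "==", "*cred*", "==", "*vnc*", "==", "*.config*"], "msg": "Config Files", "results": results},
    "CONFPWDS": {"cmd": ["findstr", "/s", "/i", "password", "*.xml", "*.ini", "*.txt"], "msg": "Config files containing keyword 'password'", "results": results},
    "HKLM": {"cmd": ["reg", "query", "HKLM", "/f", "password", "/t", "REG_SZ", "/s"], "msg": "password in reg", "results": results},
    "HKCU": {"cmd": ["reg", "query", "HKCU", "/f", "password", "/t", "REG_SZ", "/s"], "msg": "password in reg", "results": results},
}
pwdFiles = execCmd(pwdFiles)
printResults(pwdFiles)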
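# Processes, services and drivers.  tasklist /SVC maps service names to the
# hosting process; net start lists running services; DRIVERQUERY lists
# loaded kernel drivers (compare versions against known vulnerable drivers).
# NOTE(review): service binary paths and permissions (unquoted paths, weak
# service ACLs) are not enumerated here - see the accesschk notes below.
print("[*] ENUMERATING PROCESSES AND APPLICATIONS...\n")
getAppProc = {
    "PROCS": {"cmd": ["tasklist", "/SVC"], "msg": "Current processes", "results": results},
    "SERV": {"cmd": ["net", "start"], "msg": "Started Services", "results": results},
    "DRV": {"cmd": ["DRIVERQUERY"], "msg": "Drivers", "results": results},
}
getAppProc = execCmd(getAppProc)
printResults(getAppProc)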
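# Leftover sysprep / unattended-install answer files; these may contain a
# local administrator password in clear text or base64.
# Paths are raw strings: "\Unattend" in a normal Python 3 string literal is
# an invalid \U escape and a SyntaxError (Python 2 silently kept the
# backslash).  %WINDIR% is expanded by cmd.exe, so this depends on
# shell=True in execCmd.
# NOTE(review): other common locations (e.g. %WINDIR%\Panther\Unattend.xml,
# %WINDIR%\System32\sysprep\) are not checked here.
massRoll = {
    "sysprepi": {"cmd": ["type", r"c:\sysprep.inf"], "msg": "sysprep", "results": results},
    "sysprepx": {"cmd": ["type", r"c:\sysprep\sysprep.xml"], "msg": "sysprep", "results": results},
    "Unattended1": {"cmd": ["type", r"%WINDIR%\Panther\Unattend\Unattended.xml"], "msg": "Unattended", "results": results},
    "Unattended2": {"cmd": ["type", r"%WINDIR%\Panther\Unattended.xml"], "msg": "Unattended", "results": results},
}
massRoll = execCmd(massRoll)
printResults(massRoll)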
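# AlwaysInstallElevated: when this policy is enabled, .msi packages install
# with SYSTEM privileges.  The vector is only usable when the value is 1 in
# BOTH the HKLM and HKCU keys - a hit in one hive alone is not enough.
# Raw strings avoid Python 3's invalid-escape warnings for the backslashes.
instEv = {
    "HKLM": {"cmd": ["reg", "query", r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated"], "msg": "AlwaysInstallElevated", "results": results},
    "HKCU": {"cmd": ["reg", "query", r"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated"], "msg": "AlwaysInstallElevated", "results": results},
}
instEv = execCmd(instEv)
printResults(instEv)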
# Manual follow-ups that need accesschk.exe (Sysinternals) copied to the host;
# they are not run by this script.
#
# Weak service permissions:
#accesschk.exe -uwcqv "Authenticated Users" *
# When executing any of the Sysinternals tools for the first time the user is presented with a GUI
# pop-up to accept the EULA. That is a problem on a box you do not have a desktop on, but the
# /accepteula flag accepts it from the command line:
#accesschk.exe /accepteula ... ... ...
# Find all weak folder permissions per drive:
#accesschk.exe -uwdqs Users c:\
#accesschk.exe -uwdqs "Authenticated Users" c:\
# Find all weak file permissions per drive:
#accesschk.exe -uwqs Users c:\*.*
#accesschk.exe -uwqs "Authenticated Users" c:\*.*
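# Closing banner; print() with one argument works on Python 2 and 3 alike.
print("Finished")
print(bigline)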