@User65k
Created August 6, 2017 21:44
Script to enumerate basic system info and search common privilege escalation vectors as seen here: http://www.fuzzysecurity.com/tutorials/16.html
#!/usr/bin/env python
###############################################################################################################
## [Details]:
## This script is intended to be executed locally on a Windows box to enumerate basic system info and
## search for common privilege escalation vectors as seen here: http://www.fuzzysecurity.com/tutorials/16.html
## All Credit to fuzzysecurity and the author of the awesome linuxprivchecker where I borrowed all the code :)
##-------------------------------------------------------------------------------------------------------------
## [Title]: winprivchecker.py -- a Windows Privilege Escalation Check Script
## [Org Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
## [Org Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
##-------------------------------------------------------------------------------------------------------------
## [Warning]:
## This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates,
## I did not write it to be efficient and in some cases you may find the functions may not produce the desired
## results.
##-------------------------------------------------------------------------------------------------------------
## [Modification, Distribution, and Attribution]:
## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
## worth anything anyway :)
###############################################################################################################
# conditional import for older versions of python not compatible with subprocess
try:
import subprocess as sub
compatmode = 0 # newer version of python, no need for compatibility mode
except ImportError:
import os # older version of python, need to use os instead
compatmode = 1
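# Title / formatting: rules drawn around the banner and after each section.
bigline = "================================================================================================="
smlline = "-------------------------------------------------------------------------------------------------"

# Single-argument print() behaves identically under Python 2 and 3, unlike the
# bare print statement; print("") produces the blank separator line.
print(bigline)
print("WIN PRIVILEGE ESCALATION CHECKER")
print(bigline)
print("")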
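def execCmd(cmdDict):
    """Run every command in *cmdDict* and store its stdout lines in place.

    Args:
        cmdDict: mapping of label -> {"cmd": [word, ...], "msg": str,
            "results": list}. Each "cmd" list is handed to the system shell.

    Returns:
        The same dict object, mutated so that each entry's "results" is the
        list of stdout lines (split on "\\n"; a trailing empty string is
        common when the output ends with a newline).

    ``shell=True`` is required because several commands in this script are
    cmd.exe built-ins (``dir``, ``type``, ``set``, ``echo``) and rely on
    ``%VAR%`` expansion. That is only acceptable because every "cmd" in this
    script is a hard-coded literal -- never route user-controlled strings
    through this function. stderr is captured and discarded, so a command
    that fails (for example a missing file) simply yields no visible lines.
    """
    for item in cmdDict:
        cmd = cmdDict[item]["cmd"]
        if compatmode == 0:
            # universal_newlines=True gives text output on both Python 2 and 3
            # (communicate() returns bytes on Python 3 otherwise) and folds
            # "\r\n" into "\n", so split() never leaves a stray "\r".
            proc = sub.Popen(cmd, stdout=sub.PIPE, stderr=sub.PIPE,
                             shell=True, universal_newlines=True)
            out, _err = proc.communicate()
            results = out.split('\n')
        else:
            # Legacy fallback for interpreters without the subprocess module.
            echo_stdout = os.popen(' '.join(cmd), 'r')
            try:
                results = echo_stdout.read().split('\n')
            finally:
                echo_stdout.close()  # the original never closed this handle
        cmdDict[item]["results"] = results
    return cmdDict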
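def printResults(cmdDict):
    """Print the stored output of every command in *cmdDict*.

    Args:
        cmdDict: the dict returned by ``execCmd`` -- each entry carries a
            human-readable "msg" and a "results" list of output lines.

    Each entry is printed as a ``[+] <msg>`` header, then every non-blank
    line indented by one space, then one blank separator line. Returns None.
    """
    for item in cmdDict:
        print("[+] " + cmdDict[item]["msg"])
        for result in cmdDict[item]["results"]:
            stripped = result.strip()
            if stripped:  # skips blank lines and the empty tail left by split()
                print(" " + stripped)
        print("")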
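def writeResults(msg, results, path="privcheckout.txt"):
    """Append one command's output to a plain-text report file.

    Args:
        msg: human-readable label for the command (the same "msg" that
            ``printResults`` shows).
        results: list of output lines as stored by ``execCmd``.
        path: file to append to; defaults to ``privcheckout.txt`` in the
            current working directory.

    Writes a ``[+] <count> <msg>`` header followed by each non-blank line,
    indented by one space, one line each. ``count`` is the number of lines
    actually written, so an empty *results* list reports 0.
    """
    lines = [result.strip() for result in results if result.strip()]
    # `with` closes the file even when a write raises; the handle was
    # previously left open on error.
    with open(path, "a") as f:
        f.write("[+] " + str(len(lines)) + " " + msg + "\n")
        for line in lines:
            f.write(" " + line + "\n")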
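# Basic system info
print("[*] GETTING BASIC SYSTEM INFO...\n")
# Placeholder shared by every command table below; execCmd() replaces each
# entry's "results" with that command's own output list, so sharing one list
# object here is harmless.
results = []
sysInfo = {
    "OS": {"cmd": ["systeminfo"], "msg": "Operating System", "results": results},
    "HOSTNAME": {"cmd": ["hostname"], "msg": "Hostname", "results": results},
}
sysInfo = execCmd(sysInfo)
printResults(sysInfo)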
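# Networking info: interfaces, routing, ARP cache, listeners and firewall state.
print("[*] GETTING NETWORKING INFO...\n")
netInfo = {
    "NETINFO": {"cmd": ["ipconfig", "/all"], "msg": "Interfaces", "results": results},
    "ROUTE": {"cmd": ["route", "print"], "msg": "Route", "results": results},
    "ARP": {"cmd": ["arp", "-A"], "msg": "ARP", "results": results},
    "NETSTAT": {"cmd": ["netstat", "-ano"], "msg": "Netstat", "results": results},
    "FW_STATE": {"cmd": ["netsh", "firewall", "show", "state"], "msg": "firewall state", "results": results},
    "FW_CONF": {"cmd": ["netsh", "firewall", "show", "config"], "msg": "firewall config", "results": results},
}
netInfo = execCmd(netInfo)
printResults(netInfo)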
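# File system info
print("[*] GETTING FILESYSTEM INFO...\n")
# Scheduled tasks (the Windows counterpart of cron jobs), verbose list format.
cronInfo = {
    "CRON": {"cmd": ["schtasks", "/query", "/fo", "LIST", "/v"], "msg": "Scheduled tasks", "results": results},
}
cronInfo = execCmd(cronInfo)
printResults(cronInfo)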
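# User and environment info. "echo %username%" and "set" are cmd.exe built-ins,
# which is why execCmd() runs everything through the shell.
print("\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n")
userInfo = {
    "WHOAMI": {"cmd": ["whoami"], "msg": "Current User", "results": results},
    "ID": {"cmd": ["echo", "%username%"], "msg": "Current User ID", "results": results},
    "ALLUSERS": {"cmd": ["net", "users"], "msg": "All users", "results": results},
    "ENV": {"cmd": ["set"], "msg": "Environment", "results": results},
}
userInfo = execCmd(userInfo)
printResults(userInfo)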
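# File/directory contents: credential material left in files or the registry.
# Anything surfaced here is a clean-up item for the system owner.
print("[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n")
pwdFiles = {
    "LOGPWDS": {"cmd": ["dir", "/s", "*pass*", "==", "*cred*", "==", "*vnc*", "==", "*.config*"], "msg": "Config Files", "results": results},
    "CONFPWDS": {"cmd": ["findstr", "/s", "/i", "password", "*.xml", "*.ini", "*.txt"], "msg": "Config files containing keyword 'password'", "results": results},
    "HKLM": {"cmd": ["reg", "query", "HKLM", "/f", "password", "/t", "REG_SZ", "/s"], "msg": "password in reg", "results": results},
    "HKCU": {"cmd": ["reg", "query", "HKCU", "/f", "password", "/t", "REG_SZ", "/s"], "msg": "password in reg", "results": results},
}
pwdFiles = execCmd(pwdFiles)
printResults(pwdFiles)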
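# Processes, services and drivers.
print("[*] ENUMERATING PROCESSES AND APPLICATIONS...\n")
getAppProc = {
    "PROCS": {"cmd": ["tasklist", "/SVC"], "msg": "Current processes", "results": results},
    "SERV": {"cmd": ["net", "start"], "msg": "Started Services", "results": results},
    "DRV": {"cmd": ["DRIVERQUERY"], "msg": "Drivers", "results": results},
}
getAppProc = execCmd(getAppProc)
printResults(getAppProc)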
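# Leftover deployment answer files (sysprep / unattend). Raw strings keep the
# Windows backslash paths literal: "\U" in the non-raw form is a Python 3
# SyntaxError and "\s" etc. are invalid escapes; under Python 2 the bytes are
# identical to the original literals.
massRoll = {
    "sysprepi": {"cmd": ["type", r"c:\sysprep.inf"], "msg": "sysprep", "results": results},
    "sysprepx": {"cmd": ["type", r"c:\sysprep\sysprep.xml"], "msg": "sysprep", "results": results},
    "Unattended1": {"cmd": ["type", r"%WINDIR%\Panther\Unattend\Unattended.xml"], "msg": "Unattended", "results": results},
    "Unattended2": {"cmd": ["type", r"%WINDIR%\Panther\Unattended.xml"], "msg": "Unattended", "results": results},
}
massRoll = execCmd(massRoll)
printResults(massRoll)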
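# AlwaysInstallElevated policy in both hives; a hardening item to review if the
# value is set. Raw strings keep the registry paths literal on Python 2 and 3.
instEv = {
    "HKLM": {"cmd": ["reg", "query", r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated"], "msg": "AlwaysInstallElevated", "results": results},
    "HKCU": {"cmd": ["reg", "query", r"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated"], "msg": "AlwaysInstallElevated", "results": results},
}
instEv = execCmd(instEv)
printResults(instEv)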
#accesschk.exe -uwcqv "Authenticated Users" *
# When executing any of the sysinternals tools for the first time the user will be presented with a GUI pop-up to accept the EULA. This is obviously a big problem, however we can add an extra command line flag to automatically accept the EULA.
#accesschk.exe /accepteula ... ... ...
# Find all weak folder permissions per drive.
#accesschk.exe -uwdqs Users c:\
#accesschk.exe -uwdqs "Authenticated Users" c:\
# Find all weak file permissions per drive.
#accesschk.exe -uwqs Users c:\*.*
#accesschk.exe -uwqs "Authenticated Users" c:\*.*
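# Closing banner; print("") gives the blank line on both Python 2 and 3.
print("")
print("Finished")
print(bigline)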