Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/itm4n/PrivescCheck
Privilege Escalation Enumeration Script for Windows
https://github.com/itm4n/PrivescCheck
pentest-tool pentesting privilege-escalation windows windows-privilege-escalation
Last synced: about 1 month ago
JSON representation
Privilege Escalation Enumeration Script for Windows
- Host: GitHub
- URL: https://github.com/itm4n/PrivescCheck
- Owner: itm4n
- License: bsd-3-clause
- Created: 2020-01-16T12:28:10.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2024-10-29T14:55:09.000Z (about 1 month ago)
- Last Synced: 2024-10-29T15:35:18.249Z (about 1 month ago)
- Topics: pentest-tool, pentesting, privilege-escalation, windows, windows-privilege-escalation
- Language: PowerShell
- Homepage:
- Size: 5.48 MB
- Stars: 2,948
- Watchers: 80
- Forks: 426
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - itm4n/PrivescCheck - Privilege Escalation Enumeration Script for Windows (PowerShell)
- jimsghstars - itm4n/PrivescCheck - Privilege Escalation Enumeration Script for Windows (PowerShell)
README
# PrivescCheck
This script aims to identify __Local Privilege Escalation__ (LPE) vulnerabilities that are usually due to Windows configuration issues, or bad practices. It can also gather useful information for some exploitation and post-exploitation tasks.
## Getting started
After downloading the [script](https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1) and copying it onto the target Windows machine, run it using one of the commands below.
> [!NOTE]
> You __don't__ need to clone the entire repository. The file `PrivescCheck.ps1` is a standalone PowerShell script that contains all the code required by `PrivescCheck` to run.> [!IMPORTANT]
> In the commands below, the first `.` (dot) is used for "dot sourcing" the script, so that the functions and cmdlets can be used in the __current scope__ (see PowerShell [dot sourcing feature](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_scripts#script-scope-and-dot-sourcing)).### Basic checks only
Quickly identify important issues, such as local privilege escalation vulnerabilities.
```bat
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
```### Extended checks + human-readable reports
Identify important issues, but also gather additional information, and save the results to report files that are easy to read.
```bat
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"
```### All checks + all reports
Perform extended and audit checks, and save the results to human-readable reports, but also machine-readable files, which can later be parsed for automated report generation.
```bat
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML,CSV,XML"
```## Check types
All the checks implemented in PrivescCheck have a __Type__. This value, and the flags specified on the command line, will determine if they are run, or not.
### Base
Checks of type `Base` will always be executed, unless the script is run as an administrator. They are mainly intended for identifying privilege escalation vulnerabilities, or other important issues.
### Extended
Checks of type `Extended` can only be executed if the option `-Extended` is specified on the command line. They are mainly intended for providing additional information that could be useful for exploit development, or post-exploitation.
### Audit
Checks of type `Audit` can only be executed if the option `-Audit` is specified on the command line. They are mainly intended for providing information that is relevant in the context of a configuration audit.
### Experimental
Checks of type `Experimental` can only be executed if the option `-Experimental` is specified on the command line. These are unstable checks that need further work. Use them with caution.
## Tips and tricks
### PowerShell execution policy
By default, the PowerShell [execution policy](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies) is set to `Restricted` on clients, and `RemoteSigned` on servers, when a new `powershell.exe` process is started. These policies block the execution of (unsigned) scripts, but they can be overriden within the current scope as follows.
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force
. .\PrivescCheck.ps1
```However, this trick does not work when the execution policy is enforced through a GPO. In this case, after starting a new PowerShell session, you can load the script as follows.
```powershell
Get-Content .\PrivescCheck.ps1 | Out-String | Invoke-Expression
```### PowerShell version 2
A common way to bypass [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) consists in starting PowerShell __version 2__ as it does not implement this protection. Therefore, a significant part of the development effort goes into maintaining this compatibility.
> [!NOTE]
> Although PowerShell version 2 is still enabled by default on recent versions of Windows, it cannot run without the .Net framework version 2.0, which requires a manual install.## Known issues
### Metasploit timeout
If you run this script within a Meterpreter session, you will likely get a "timeout" error. Metasploit has a "response timeout" value, which is set to 15 seconds by default, but this script takes a lot more time to run in most environments.
```console
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_import /local/path/to/PrivescCheck.ps1
[+] File successfully imported. No result was returned.
meterpreter > powershell_execute "Invoke-PrivescCheck"
[-] Error running command powershell_execute: Rex::TimeoutError Operation timed out.
```It is possible to set a different value thanks to the `-t` option of the `sessions` command ([documentation](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/)). In the following example, a timeout of 2 minutes is set for the session with ID `1`.
```console
msf6 exploit(multi/handler) > sessions -t 120 -i 1
[*] Starting interaction with 1...
meterpreter > powershell_execute "Invoke-PrivescCheck"
```