- updated README.md
This commit is contained in:
parent
6a99882f85
commit
74d4b2dfe9
@ -14,12 +14,13 @@ Check also the **Local Windows Privilege Escalation checklist** from **[book.hac
Download the **[latest obfuscated version from here](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe/winPEAS/bin/Obfuscated%20Releases)** or **compile it yourself** (read instructions for compilation).
```bash
winpeas.exe cmd searchall #cmd commands, search all filenames and avoid sleepig (noisy - CTFs)
winpeas.exe #Will execute all checks except the ones that use external Windows binaries
winpeas.exe cmd #All checks
winpeas.exe #run all checks (except for additional slower checks - LOLBAS and linpeas.sh in WSL) (noisy - CTFs)
winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed
winpeas.exe notcolor #Do not color the output
winpeas.exe cmd wait #cmd commands and wait between tests
winpeas.exe wait #wait for user input between tests
winpeas.exe debug #display additional debug information
winpeas.exe log #log output to out.txt instead of standard output
winpeas.exe -lolbas -linpeas=http://127.0.0.1/linpeas.sh #execute also additional LOLBAS search check and linpeas check (runs linpeas.sh in default WSL distribution) with custom linpeas.sh URL (if not provided, the default URL is: https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh)
```
## Basic information
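Review bot: the usage block mixes two option syntaxes without saying which is current: every other option is a bare word (`cmd`, `wait`, `log`, `searchall`), while the new line uses dash-prefixed `-lolbas -linpeas=...`; state whether both forms are accepted or normalise to one. In the same hunk, `sleepig` in the `searchall` comment should be `sleeping`, and the two `winpeas.exe` lines carrying different comments (one says external-binary checks are skipped, the other says everything except LOLBAS/linpeas runs) should be reconciled into a single description of the default run.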
@ -28,10 +29,7 @@ The goal of this project is to search for possible **Privilege Escalation Paths*
It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
By default, the progam **sleeps 100ms** before start searching files in each directory. This is made to consume less resources (**stealthier**). You can **avoid this sleep using `searchfast` parameter**.
The tool is based in **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
## Where are my COLORS?!?!?!
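Review bot: the paragraph on the 100ms per-directory sleep says it is skipped with the `searchfast` parameter, while the usage block above says `searchall` is the option that avoids sleeping; use the parameter name the binary actually accepts in both places. Typos in this hunk: `depened` should be `depends`, `lasts checks` should be `last checks`, `this could will add` should be `this will add`, and `progam` should be `program`.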
@ -78,16 +76,26 @@ Once you have installed and activated it you need to:
- **System Information**
- [x] Basic System info information
- [x] Use Watson to search for vulnerabilities
- [x] Enumerate Microsoft updates
- [x] PS, Audit, WEF and LAPS Settings
- [x] LSA protection?
- [x] Credential Guard?
- [x] WDigest?
- [x] LSA protection
- [x] Credential Guard
- [x] WDigest
- [x] Number of cached cred
- [x] Environment Variables
- [x] Internet Settings
- [x] Current drives information
- [x] AV? whitelisted defender paths?
- [x] AV
- [x] Windows Defender
- [x] UAC configuration
- [x] NTLM Settings
- [x] Local Group Policy
- [x] Applocker Configuration & bypass suggestions
- [x] Printers
- [x] Named Pipes
- [x] AMSI Providers
- [x] SysMon
- [x] .NET Versions
- **Users Information**
- [x] Users information
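Review bot: the System Information entries added here (Local Group Policy, Applocker, Printers, Named Pipes, AMSI Providers, SysMon, .NET Versions) are listed without the keyword that selects the section on the command line, even though the usage block documents running a subset with `winpeas.exe systeminfo userinfo`; naming the selector next to each section header (presumably `systeminfo` for this one) would let readers map the checklist to the options.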
@ -99,12 +107,15 @@ Once you have installed and activated it you need to:
- [x] Autologin credentials
- [x] Home folders
- [x] Password policies
- [x] Local User details
- [x] Logon Sessions
- **Processes Information**
- [x] Interesting processes (non Microsoft)
- **Services Information**
- [x] Interesting services (non Microsoft) information
- [x] Modifiable services
- [x] Writable service registry binpath
- [x] PATH Dll Hijacking
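Review bot: `PATH Dll Hijacking` under Services Information gives no hint of what is inspected; a few words on which paths are tested and for what permission would help, and `DLL` is the usual capitalisation. `Interesting services (non Microsoft) information` reads awkwardly; `Interesting (non-Microsoft) services` would match the Processes entry above it.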
@ -113,19 +124,22 @@ Once you have installed and activated it you need to:
- [x] Installed software
- [x] AutoRuns
- [x] Scheduled tasks
- [x] Device drivers
- **Network Information**
- [x] Current net shares
- [x] Mapped drives (WMI)
- [x] hosts file
- [x] Network Interfaces
- [x] Listening ports
- [x] Firewall rules
- [x] DNS Cache (limit 70)
- [x] Internet Settings
- **Windows Credentials**
- [x] Windows Vault
- [x] Credential Manager
- [x] Saved RDP connections
- [x] Saved RDP settings
- [x] Recently run commands
- [x] Default PS transcripts files
- [x] DPAPI Masterkeys
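Review bot: `Internet Settings` now appears twice in the checklist, once under System Information in an earlier hunk and again here under Network Information; keep it in one section. `hosts file` is the only lower-case entry in the Network list and should follow the capitalisation of its neighbours.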
@ -135,6 +149,8 @@ Once you have installed and activated it you need to:
- [x] Wifi
- [x] AppCmd.exe
- [x] SSClient.exe
- [x] SCCM
- [x] Security Package Credentials
- [x] AlwaysInstallElevated
- [x] WSUS
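Review bot: `Wifi` is ticked as a done check, but the TODO section in this same commit still says wifi networks are listed via CMD, and the usage block says a plain `winpeas.exe` run skips checks that use external Windows binaries; mark the checks that only run with the `cmd` argument so readers do not expect them in the default output. Please also confirm `SSClient.exe` is the intended binary name, given that the neighbouring entry is `SCCM`.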
@ -146,21 +162,39 @@ Once you have installed and activated it you need to:
- [x] Current IE tabs
- [x] Credentials in IE history
- [x] IE Favorites
- [x] Extracting saved passwords for: Firefox, Chrome, Opera, Brave
- **Interesting Files and registry**
- [x] Putty sessions
- [x] Putty SSH host keys
- [x] SuperPutty info
- [x] Office365 endpoints synced by OneDrive
- [x] SSH Keys inside registry
- [x] Cloud credentials
- [x] Check for unattended files
- [x] Check for SAM & SYSTEM backups
- [x] Check for cached GPP Passwords
- [x] Check for McAffe SiteList.xml files
- [x] Check for and extract creds from McAffe SiteList.xml files
- [x] Possible registries with credentials
- [x] Possible credentials files in users homes
- [x] Possible password files inside the Recycle bin
- [x] Possible files containing credentials (this take some minutes)
- [x] User documents (limit 100)
- [x] Oracle SQL Developer config files check
- [x] Slack files search
- [x] LOLBAS search
- [x] Outlook downloads
- [x] Machine and user certificate files
- [x] Office most recent documents
- [x] Hidden files and folders
- [x] Executable files in non-default folders with write permissions
- [x] WSL check + run linpeas.sh in WSL default distribution
- **Events Information**
- [x] Logon + Explicit Logon Events
- [x] Process Creation Events
- [x] PowerShell Events
- [x] Power On/Off Events
</details>
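Review bot: spelling and grammar in the Interesting Files list: `McAffe` should be `McAfee` (twice), `this take some minutes` should be `this takes some minutes`, and `Putty` is written `PuTTY` by its authors. The `WSL check + run linpeas.sh in WSL default distribution` entry should also say that the script is downloaded at run time from the `-linpeas` URL (or the default raw.githubusercontent.com URL in the usage block), since a network fetch and execution is not something a reader expects from a checklist item.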
@ -170,11 +204,8 @@ If you want to **add something** and have **any cool idea** related to this proj
## TODO
- Add more checks
- Mantain updated Watson (last JAN 2020)
- List wifi networks without using CMD
- List credentials inside the Credential Manager without using CMD
- Mantain updated Watson (last JAN 2021)
If you want to help with any of this, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)** or you can submit a pull request.
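Review bot: `Mantain` should be `Maintain` in the Watson TODO item. The item only moves the date from JAN 2020 to JAN 2021; stating the Watson version or commit the build tracks would be more useful than a month, which goes stale as soon as it is written.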
@ -190,4 +221,4 @@ All the scripts/binaries of the PEAS Suite should be used for authorized penetra
MIT License
By Polop<sup>(TM)</sup>
By Polop<sup>(TM)</sup>, makikvues (makikvues2[at]gmail[dot].com)