| .. | ||
| .vs/winPEAS/v16 | ||
| images | ||
| packages | ||
| winPEAS | ||
| privilege-escalation-awesome-script-suite-master.zip | ||
| README.md | ||
| winPEAS.sln | ||
Windows Privilege Escalation Awsome Script (.exe)
WinPEAS is a script that searh for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
Check also the Local Windows Privilege Escalation checklist from book.hacktricks.xyz
Quick Start
Download the latest version from here or compile it yourself.
winpeas.exe ansii #ANSII color for linux consoles (reverse shell)
winpeas.exe #Will execute all checks except the ones that execute MD commands
winpeas.exe cmd #All checks
winpeas.exe cmd fast #All except the one that search for files
winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed
Basic information
The goal of this project is to search for possible Privilege Escalation Paths in Windows environments.
It should take only a few seconds to execute almost all the checks and some minutes searching in the whole main drive for known files that could contain passwords (the time depened on the number of files in your drive). Get rif of that time consuming check using the parameter fast.
The ouput will be colored. Below you have some indications about what does each color means exacty, but keep in mind that Red is for something interesting (from a pentester perspective) and Green is something good (from a defender perspective).
The tool is heavily based in SeatBelt.
IMPORTANT TO NOTICE: By default WinPEAS will use colord for Windows terminals (without ANSII characters). If execute winpeas.exe from a reverse shell without any option no color will be printed. To see color in a linux terminal you need to use the ansii parameter.
Help
Colors
Checks
Details
-
System Information
- Basic System info information
- Use Watson to search for vulnerabilities
- PS, Audit, WEF and LAPS Settings
- Environment Variables
- Internet Settings
- Current drives information
- AV?
- UAC configuration
-
Users Information
- Users information
- Current token privileges
- Clipboard text
- Current logged users
- RDP sessions
- Ever logged users
- Autologin credentials
- Home folders
- Password policies
-
Processes Information
- Interesting processes (non Microsoft)
-
Services Information
- Interesting services (non Microsoft) information
- Writable service registry
- PATH Dll Hijacking
-
Applications Information
- Current Active Window
- Installed software
- AutoRuns
- Scheduled tasks
-
Network Information
- Current net shares
- hosts file
- Network Interfaces
- Listening ports
- Firewall rules
- DNS Cache (limit 70)
-
Windows Credentials
- Windows Vault
- Credential Manager
- Saved RDO connections
- Recently run commands
- DPAPI Masterkeys
- DPAPI Credential files
- Remote Desktop Connection Manager credentials
- Kerberos Tickets
- Wifi
- AppCmd.exe
- SSClient.exe
- AlwaysInstallElevated
- WSUS
-
Browser Information
- Firefox DBs
- Credentials in firefox history
- Chrome DBs
- Credentials in chrome history
- Current IE tabs
- Credentials in IE history
- IE Favorites
-
Interesting Files and registry
- Putty sessions
- Putty SSH host keys
- Cloud credentials
- Possible registries with credentials
- Possible credentials files in users homes
- Possible password files inside the Recycle bin
- Possible files containing credentials (this take some minutes)
- User documents (limit 100)
Do not fork it!!
If you want to add something and have any cool idea related to this project, please let me know it using the github issues and we will update the master version.
TODO
- Add more checks
- Mantain updated Watson
- List wifi networks without using CMD
- List credentials inside the Credential Manager without using CMD
If you want to help with any of this, you can do it using github issues or you can submit a pull request.
If you find any issue, please report it using github issues.
WinPEAS is being updated every time I find something that could be useful to escalate privileges.
License
MIT License
By Polop(TM)