-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathWindows-PrivEscalation.ps1
92 lines (80 loc) · 6.82 KB
/
Windows-PrivEscalation.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
# Usage
# run script directly from powershell for quick standard checks
#
# For quick standard checks directly from CMD:
# powershell -nologo -executionpolicy bypass -file WindowsEnum.ps1
#
# To run extensive file searches use extended parameter (it can take a long time):
# PS C:\> .\WindowsEnum.ps1 extended
# From CMD:
# powershell -nologo -executionpolicy bypass -file WindowsEnum.ps1 extended
param($extended)
$lines="`n------------------------------------------`n"
function whost($a) {
Write-Host
Write-Host -ForegroundColor Green $lines
Write-Host -ForegroundColor Green " "$a
Write-Host -ForegroundColor Green $lines
}
$standard_commands = [ordered]@{
'Basic System Information' = 'Start-Process "systeminfo" -NoNewWindow -Wait';
'Environment Variables' = 'Get-ChildItem Env: | ft Key,Value';
'Network Information' = 'Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address';
'DNS Servers' = 'Get-DnsClientServerAddress -AddressFamily IPv4 | ft';
'ARP cache' = 'Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State';
'Routing Table' = 'Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex';
'Network Connections' = 'Start-Process "netstat" -ArgumentList "-ano" -NoNewWindow -Wait | ft';
'Connected Drives' = 'Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft';
'Firewall Config' = 'Start-Process "netsh" -ArgumentList "firewall show config" -NoNewWindow -Wait | ft';
'Current User' = 'Write-Host $env:UserDomain\$env:UserName';
'User Privileges' = 'start-process "whoami" -ArgumentList "/priv" -NoNewWindow -Wait | ft';
'Local Users' = 'Get-LocalUser | ft Name,Enabled,LastLogon';
'Logged in Users' = 'Start-Process "qwinsta" -NoNewWindow -Wait | ft';
'Credential Manager' = 'start-process "cmdkey" -ArgumentList "/list" -NoNewWindow -Wait | ft'
'User Autologon Registry Items' = 'Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" | select "Default*" | ft';
'Local Groups' = 'Get-LocalGroup | ft Name';
'Local Administrators' = 'Get-LocalGroupMember Administrators | ft Name, PrincipalSource';
'User Directories' = 'Get-ChildItem C:\Users | ft Name';
'Searching for SAM backup files' = 'Test-Path %SYSTEMROOT%\repair\SAM ; Test-Path %SYSTEMROOT%\system32\config\regback\SAM';
'Running Processes' = 'gwmi -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize';
'Installed Software Directories' = 'Get-ChildItem "C:\Program Files", "C:\Program Files (x86)" | ft Parent,Name,LastWriteTime';
'Software in Registry' = 'Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name';
'Folders with Everyone Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "Everyone"} } catch {}} | ft';
'Folders with BUILTIN\User Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "BUILTIN\Users"} } catch {}} | ft';
'Checking registry for AlwaysInstallElevated' = 'Test-Path -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" | ft';
'Unquoted Service Paths' = 'gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike ''"*''} | select PathName, DisplayName, Name | ft';
'Scheduled Tasks' = 'Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State';
'Tasks Folder' = 'Get-ChildItem C:\Windows\Tasks | ft';
'Startup Commands' = 'Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl';
}
$extended_commands = [ordered]@{
'Searching for Unattend and Sysprep files' = 'Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")} | Out-File C:\temp\unattendfiles.txt';
'Searching for web.config files' = 'Get-Childitem –Path C:\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue | Out-File C:\temp\webconfigfiles.txt';
'Searching for other interesting files' = 'Get-Childitem –Path C:\ -Include *password*,*cred*,*vnc* -File -Recurse -ErrorAction SilentlyContinue | Out-File C:\temp\otherfiles.txt';
'Searching for various config files' = 'Get-Childitem –Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction SilentlyContinue | Out-File C:\temp\configfiles.txt'
'Searching HKLM for passwords' = 'reg query HKLM /f password /t REG_SZ /s | Out-File C:\temp\hklmpasswords.txt';
'Searching HKCU for passwords' = 'reg query HKCU /f password /t REG_SZ /s | Out-File C:\temp\hkcupasswords.txt';
'Searching for files with passwords' = 'Get-ChildItem c:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.PSPath -notlike "*C:\temp*" -and $_.PSParentPath -notlike "*Reference Assemblies*" -and $_.PSParentPath -notlike "*Windows Kits*"}| Select-String -Pattern "password" | Out-File C:\temp\password.txt';
}
function RunCommands($commands) {
ForEach ($command in $commands.GetEnumerator()) {
whost $command.Name
Invoke-Expression $command.Value
}
}
RunCommands($standard_commands)
if ($extended) {
if ($extended.ToLower() -eq 'extended') {
$result = Test-Path C:\temp
if ($result -eq $False) {
New-Item C:\temp -type directory
}
whost "Results writing to C:\temp\
This may take a while..."
RunCommands($extended_commands)
whost "Script Finished! Check your files in C:\temp\"
}
}
else {
whost "Script finished!"
}