A Script to Help Automate Windows Enumeration for Privilege Escalation

Often when I want to learn a skill, I’ll think up a project for myself that forces me to improve that skill. Recently I wanted to improve my Windows post exploitation and privilege escalation so I decided to work on a script to enumerate Windows systems to look for low hanging fruit that can be used to escalate privileges.

The definitive guide to Windows priv esc is http://www.fuzzysecurity.com/tutorials/16.html and a good deal of my commands come from that post or resources mentioned in the post. If you’re working on your Windows privilege escalation, you really should spend some time on that page.

I decided to use a batch file instead of PowerShell since batch should run anywhere and is easy for others to understand and modify. The output of the script is saved to three different text files. The script will be a work in progress, but I wanted to post a copy to try to help others automate the process.

First the script gathers basic enumeration information such as:

  • Hostname
  • Whoami
  • Username
  • net user info
  • syseminfo
  • mounted drives
  • path
  • tasklist /SVC

The script checks to see if .msi files are set to always install with elevated privlidges as well as for the presence of backup copies of the SAM for those juicy, juicy password hashes.

If accesschk.exe from sysinternals is present, the script uses it to check for services that can be modified by unprivileged users.

After a quick check for sysprep files which may contain creds, network information is gathered including

  • Ipconfig /all
  • Net use
  • Net share
  • Arp –a
  • Route print
  • Netstat –nao
  • Netsh firewall show state
  • Netsh firewall show config
  • Netsh wlan export profile key=clear (shows wifi networks and passwords that the system has connected to previously)

No privlidge escalation script would be complete without looking at scheduled tasks so we run

  • Schtasks /query /fo /LIST /v
  • Net start
  • driverquery

The script checks for any mention of “password” in the registry and then changes directories to c:\ . The reason for this change is it is getting ready to search the entire file system for files which may have credentials in them.

The results of the scans so far are saved to output.txt and a c:\temp directory is created for output of the next two text files of information.

The script checks for any file that contains “pass”, “cred”, “vnc” or “.config” in the file name. It then checks for a large number of .xml configuration files which may have creds including unattended install files.

The final file that the script creates is a tree list of all the files on the c:\ drive and the script ends by outputting any services which aren’t properly quotes and may be exploitable to the screen.

I recently had a chance to run this script and it GREATLY sped up the process of looking for low hanging fruit on a Windows system and helped me spot a password in the registry.

As I make modifications to the script I’ll post the updates here but you can download a copy of the script at: https://github.com/azmatt/windowsEnum