itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License
2.98k stars 432 forks source link
pentest-tool pentesting privilege-escalation windows windows-privilege-escalation

PrivescCheck

This script aims to identify Local Privilege Escalation (LPE) vulnerabilities that are usually due to Windows configuration issues, or bad practices. It can also gather useful information for some exploitation and post-exploitation tasks.

Getting started

After downloading the script and copying it onto the target Windows machine, run it using one of the commands below.

[!NOTE] You don't need to clone the entire repository. The file PrivescCheck.ps1 is a standalone PowerShell script that contains all the code required by PrivescCheck to run.

[!IMPORTANT] In the commands below, the first . (dot) is used for "dot sourcing" the script, so that the functions and cmdlets can be used in the current scope (see PowerShell dot sourcing feature).

Basic checks only

Quickly identify important issues, such as local privilege escalation vulnerabilities.

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Extended checks + human-readable reports

Identify important issues, but also gather additional information, and save the results to report files that are easy to read.

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"

All checks + all reports

Perform extended and audit checks, and save the results to human-readable reports, but also machine-readable files, which can later be parsed for automated report generation.

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML,CSV,XML"

Check types

All the checks implemented in PrivescCheck have a Type. This value, and the flags specified on the command line, will determine if they are run, or not.

Base

Checks of type Base will always be executed, unless the script is run as an administrator. They are mainly intended for identifying privilege escalation vulnerabilities, or other important issues.

Extended

Checks of type Extended can only be executed if the option -Extended is specified on the command line. They are mainly intended for providing additional information that could be useful for exploit development, or post-exploitation.

Audit

Checks of type Audit can only be executed if the option -Audit is specified on the command line. They are mainly intended for providing information that is relevant in the context of a configuration audit.

Experimental

Checks of type Experimental can only be executed if the option -Experimental is specified on the command line. These are unstable checks that need further work. Use them with caution.

Tips and tricks

PowerShell execution policy

By default, the PowerShell execution policy is set to Restricted on clients, and RemoteSigned on servers, when a new powershell.exe process is started. These policies block the execution of (unsigned) scripts, but they can be overriden within the current scope as follows.

Set-ExecutionPolicy Bypass -Scope Process -Force
. .\PrivescCheck.ps1

However, this trick does not work when the execution policy is enforced through a GPO. In this case, after starting a new PowerShell session, you can load the script as follows.

Get-Content .\PrivescCheck.ps1 | Out-String | Invoke-Expression

PowerShell version 2

A common way to bypass Constrained Language Mode consists in starting PowerShell version 2 as it does not implement this protection. Therefore, a significant part of the development effort goes into maintaining this compatibility.

[!NOTE] Although PowerShell version 2 is still enabled by default on recent versions of Windows, it cannot run without the .Net framework version 2.0, which requires a manual install.

Known issues

Metasploit timeout

If you run this script within a Meterpreter session, you will likely get a "timeout" error. Metasploit has a "response timeout" value, which is set to 15 seconds by default, but this script takes a lot more time to run in most environments.

meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_import /local/path/to/PrivescCheck.ps1
[+] File successfully imported. No result was returned.
meterpreter > powershell_execute "Invoke-PrivescCheck"
[-] Error running command powershell_execute: Rex::TimeoutError Operation timed out.

It is possible to set a different value thanks to the -t option of the sessions command (documentation). In the following example, a timeout of 2 minutes is set for the session with ID 1.

msf6 exploit(multi/handler) > sessions -t 120 -i 1
[*] Starting interaction with 1...
meterpreter > powershell_execute "Invoke-PrivescCheck"