├── LICENSE ├── README.md └── jaws-enum.ps1 /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 James Hall 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # JAWS - Just Another Windows (Enum) Script 2 | 3 | JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7. 
4 | 5 | ## Usage: 6 | 7 | 8 | **Run from within CMD shell and write out to file.** 9 | ``` 10 | CMD C:\temp> powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt 11 | ``` 12 | **Run from within CMD shell and write out to screen.** 13 | ``` 14 | CMD C:\temp> powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 15 | ``` 16 | **Run from within PS Shell and write out to file.** 17 | ``` 18 | PS C:\temp> .\jaws-enum.ps1 -OutputFileName Jaws-Enum.txt 19 | ``` 20 | **Note:** the report can contain plaintext credentials (the AutoAdminLogon `DefaultPassword`, `cmdkey` entries, Windows Setup answer files), so treat the output file as sensitive and remove it from the target when you are done. 21 | ## Current Features 22 | - Network Information (interfaces, arp, netstat) 23 | - Firewall Status and Rules 24 | - Running Processes 25 | - Files and Folders with Full Control or Modify Access 26 | - Mapped Drives 27 | - Potentially Interesting Files 28 | - Unquoted Service Paths 29 | - Recent Documents 30 | - System Install Files 31 | - AlwaysInstallElevated Registry Key Check 32 | - Stored Credentials 33 | - Installed Applications 34 | - Potentially Vulnerable Services 35 | - MuiCache Files 36 | - Scheduled Tasks 37 | 38 | ## Known Issues 39 | 40 | - Output for firewall rules can sometimes be clipped. 41 | - When running from within a shell the script doesn't always tell you it's finished. 42 | - When running within some PowerShell reverse shells the running menu isn't shown. 43 | 44 | 45 | 46 | ## To Do 47 | - Add full directory listing with user defined depth 48 | - Read SAM file permissions 49 | - Improve output 50 | -------------------------------------------------------------------------------- /jaws-enum.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Windows enumeration script 4 | .DESCRIPTION 5 | This script is designed to be used in a penetration test or CTF 6 | environment. It will enumerate useful information from the host 7 | for privilege escalation. 8 | .EXAMPLE 9 | PS > .\jaws-enum.ps1 10 | will write results out to screen. 
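.EXAMPLE
    PS > .\jaws-enum.ps1 -OutputFileName Jaws-Enum.txt
    Writes out results to Jaws-Enum.txt in current directory.
.NOTES
    The report can contain plaintext credentials (AutoAdminLogon DefaultPassword,
    cmdkey entries, Windows Setup answer files). Treat the output file as
    sensitive and remove it from the target when finished.
    Written for PowerShell 2.0: Get-WmiObject and New-Object -ComObject are
    used on purpose instead of the CIM cmdlets (PowerShell 3.0+).
.LINK
    https://github.com/411Hall/JAWS
#>
Param(
    # Optional path of the report file; an empty string prints to the console.
    [String]$OutputFilename = ""
)

function JAWS-ENUM {
    # Builds the whole report in $output and finally writes it to
    # $OutputFilename (the script parameter, visible here through PowerShell's
    # dynamic scoping) or to the console. Progress lines go to the console as
    # each group of checks starts.
    Write-Output "`nRunning J.A.W.S. Enumeration"
    $sep = "-----------------------------------------------------------`r`n"
    $output = ""
    $output += "############################################################`r`n"
    $output += "## J.A.W.S. (Just Another Windows Enum Script)            ##`r`n"
    $output += "##                                                        ##`r`n"
    $output += "## https://github.com/411Hall/JAWS                        ##`r`n"
    $output += "##                                                        ##`r`n"
    $output += "############################################################`r`n"
    $output += "`r`n"

    # ---- Host summary ------------------------------------------------------
    $win_version = Get-WmiObject -Class Win32_OperatingSystem
    # The original used "Caption -join Version"; -join treats its right-hand
    # operand as the delimiter, so the version number was never printed.
    $output += "Windows Version: " + $win_version.Caption + " " + $win_version.Version + "`r`n"
    $output += "Architecture: " + $env:PROCESSOR_ARCHITECTURE + "`r`n"
    $output += "Hostname: " + $env:COMPUTERNAME + "`r`n"
    $output += "Current User: " + $env:USERDOMAIN + "\" + $env:USERNAME + "`r`n"
    $output += "Current Time\Date: " + (Get-Date) + "`r`n"
    $output += "`r`n"

    # ---- Local users and their group memberships ---------------------------
    Write-Output " - Gathering User Information"
    $output += $sep + " Users`r`n" + $sep
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
    $adsi.Children | Where-Object { $_.SchemaClassName -eq 'user' } | ForEach-Object {
        # Groups() yields raw COM objects; the Name property has to be read
        # through reflection.
        $groups = $_.Groups() | ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
        $output += "----------`r`n"
        $output += "Username: " + $_.Name + "`r`n"
        $output += "Groups: " + ($groups -join ", ") + "`r`n"
    }
    $output += "`r`n"

    # ---- Network -----------------------------------------------------------
    $output += $sep + " Network Information`r`n" + $sep
    $output += (ipconfig | Out-String) + "`r`n"
    $output += $sep + " Arp`r`n" + $sep
    $output += (arp -a | Out-String) + "`r`n`r`n"
    $output += $sep + " NetStat`r`n" + $sep
    $output += (netstat -ano | Out-String) + "`r`n`r`n"

    # ---- Firewall ----------------------------------------------------------
    $output += $sep + " Firewall Status`r`n" + $sep + "`r`n"
    # HNetCfg.FwPolicy2 supersedes the legacy FwMgr object and exposes every
    # profile (1 = Domain, 2 = Private, 4 = Public); CurrentProfileTypes is a
    # bitmask of the profiles in use right now.
    $fwPolicy = New-Object -ComObject HNetCfg.FwPolicy2
    $profileNames = @{ 1 = "Domain"; 2 = "Private"; 4 = "Public" }
    foreach ($p in 1, 2, 4) {
        if ($fwPolicy.FirewallEnabled($p)) { $state = "Enabled" } else { $state = "Disabled" }
        if ($fwPolicy.CurrentProfileTypes -band $p) { $active = " (active)" } else { $active = "" }
        $output += ("{0} profile: Firewall {1}{2}`r`n" -f $profileNames[$p], $state, $active)
    }
    $output += "`r`n"
    $output += $sep + " FireWall Rules`r`n" + $sep
    Function Get-FireWallRule {
        # Returns the live INetFwPolicy2 rule set; every filter parameter is
        # optional and applied only when supplied.
        Param ($Name, $Direction, $Enabled, $Protocol, $FwProfile, $Action, $Grouping)
        $rules = (New-Object -ComObject HNetCfg.FwPolicy2).Rules
        If ($Name)      { $rules = $rules | Where-Object { $_.Name -like $Name } }
        If ($Direction) { $rules = $rules | Where-Object { $_.Direction -eq $Direction } }
        If ($Enabled)   { $rules = $rules | Where-Object { $_.Enabled -eq $Enabled } }
        If ($Protocol)  { $rules = $rules | Where-Object { $_.Protocol -eq $Protocol } }
        If ($FwProfile) { $rules = $rules | Where-Object { $_.Profiles -band $FwProfile } }
        If ($Action)    { $rules = $rules | Where-Object { $_.Action -eq $Action } }
        If ($Grouping)  { $rules = $rules | Where-Object { $_.Grouping -like $Grouping } }
        $rules
    }
    # -Width stops Out-String truncating long application paths.
    $output += (Get-FireWallRule -Enabled $true | Sort-Object Direction, ApplicationName, Name |
        Format-Table -Property Name, LocalPorts, ApplicationName -AutoSize | Out-String -Width 4096)

    # ---- Hosts file --------------------------------------------------------
    $output += $sep + " Hosts File Content`r`n" + $sep + "`r`n"
    $output += (Get-Content "$env:windir\System32\drivers\etc\hosts" -EA SilentlyContinue | Out-String) + "`r`n`r`n"

    # ---- Processes, scheduled tasks, services ------------------------------
    Write-Output " - Gathering Processes, Services and Scheduled Tasks"
    $output += $sep + " Processes`r`n" + $sep
    $output += (Get-WmiObject Win32_Process |
        Select-Object Name, ProcessID, @{n='Owner'; e={$_.GetOwner().User}}, CommandLine |
        Sort-Object Name | Format-Table -Wrap -AutoSize | Out-String -Width 4096) + "`r`n"

    $output += $sep + " Scheduled Tasks`r`n" + $sep
    $output += "Current System Time: " + (Get-Date) + "`r`n"
    # "/v" repeats the CSV header before each task list; drop those rows.
    # NOTE(review): the column names are localised, so on a non-English host
    # the selected fields will come back empty.
    $output += (schtasks /query /FO CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne "TaskName" } |
        Select-Object "TaskName", "Run As User", "Task to Run" | Format-List | Out-String) + "`r`n"

    $output += $sep + " Services`r`n" + $sep
    $output += (Get-Service | Select-Object Name, DisplayName, Status | Sort-Object Status |
        Format-Table -Property * -AutoSize | Out-String -Width 4096) + "`r`n"

    # ---- Installed software and patches ------------------------------------
    Write-Output " - Gathering Installed Software"
    $output += "`r`n" + $sep + " Installed Programs`r`n" + $sep
    # Read the Uninstall keys instead of Win32_Product: enumerating that WMI
    # class makes the MSI engine verify (and possibly repair) every installed
    # package, which is slow and writes MsiInstaller events to the Application
    # log - undesirable on an engagement.
    $uninstallKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"
    )
    $output += (Get-ItemProperty $uninstallKeys -EA SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher | Sort-Object DisplayName |
        Format-Table -HideTableHeaders -AutoSize | Out-String -Width 4096) + "`r`n"

    $output += $sep + " Installed Patches`r`n" + $sep
    $output += (Get-WmiObject -Class Win32_QuickFixEngineering -Namespace "root\cimv2" |
        Select-Object HotFixID, InstalledOn | Format-Table -AutoSize | Out-String) + "`r`n"

    $output += $sep + " Program Folders`r`n" + $sep
    # Use the environment variables rather than hard-coded C:\ paths so a
    # non-standard system drive is handled; the (x86) variable is absent on
    # 32-bit Windows.
    foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($pf) {
            $output += "`r`n$pf`r`n" + ("-" * $pf.Length) + "`r`n"
            $output += (Get-ChildItem $pf -EA SilentlyContinue | Select-Object Name |
                Format-Table -HideTableHeaders -AutoSize | Out-String)
        }
    }
    $output += "`r`n"

    # ---- File system permissions -------------------------------------------
    Write-Output " - Gathering File System Information"
    $output += $sep + " Files with Full Control and Modify Access`r`n" + $sep
    # Well-known principals are filtered out to cut noise; what remains are
    # explicit grants to named users or custom groups. The drive is walked one
    # top-level entry at a time so a single access-denied subtree does not
    # abort the whole sweep. (The original list had ".*inf", a typo for "*.inf".)
    $interestingExt = @("*.ps1", "*.bat", "*.com", "*.vbs", "*.txt", "*.html", "*.conf", "*.rdp", "*.inf", "*.ini")
    $drive = $env:SystemDrive + "\"
    foreach ($entry in (Get-ChildItem $drive -EA SilentlyContinue)) {
        $output += (Get-ChildItem $entry.FullName -Include $interestingExt -Recurse -EA SilentlyContinue |
            Get-Acl -EA SilentlyContinue | Select-Object Path -ExpandProperty Access |
            Where-Object { $_.IdentityReference -notmatch "BUILTIN|NT AUTHORITY|EVERYONE|CREATOR OWNER|NT SERVICE" } |
            Where-Object { $_.FileSystemRights -match "FullControl|Modify" } |
            Format-Table @{Label=""; Expression={Convert-Path $_.Path}} -HideTableHeaders -AutoSize |
            Out-String -Width 4096)
    }

    $output += $sep + " Folders with Full Control and Modify Access`r`n" + $sep
    # Identity and rights are printed alongside the path (the original selected
    # them but only displayed the path), so a reviewer can see who holds the grant.
    foreach ($entry in (Get-ChildItem $drive -EA SilentlyContinue)) {
        $output += (Get-ChildItem -Recurse $entry.FullName -EA SilentlyContinue | Where-Object { $_.PSIsContainer } |
            Get-Acl -EA SilentlyContinue | Select-Object Path -ExpandProperty Access |
            Where-Object { $_.IdentityReference -notmatch "BUILTIN|NT AUTHORITY|CREATOR OWNER|NT SERVICE" } |
            Where-Object { $_.FileSystemRights -match "FullControl|Modify" } |
            Format-Table @{Label="Path"; Expression={Convert-Path $_.Path}}, IdentityReference, FileSystemRights -AutoSize |
            Out-String -Width 4096)
    }
    $output += "`r`n"

    # ---- Drives ------------------------------------------------------------
    $output += $sep + " Mapped Drives`r`n" + $sep
    # ProviderName carries the UNC path of a network drive (DriveType 4).
    $output += (Get-WmiObject -Class Win32_LogicalDisk |
        Select-Object DeviceID, DriveType, VolumeName, ProviderName |
        Format-Table -HideTableHeaders -AutoSize | Out-String -Width 4096)

    # ---- Unquoted service paths --------------------------------------------
    $output += $sep + " Unquoted Service Paths`r`n" + $sep
    # A service path is only exploitable when it is unquoted AND the part up to
    # the executable contains a space (the service controller then tries each
    # prefix as a binary). The wmic one-liner this replaces also listed
    # space-free paths and depends on wmic.exe, which is deprecated.
    $winDirPattern = "(?i)^\s*" + [regex]::Escape($env:windir) + "\\"
    $output += (Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq "Auto" -and $_.PathName -and $_.PathName -notmatch '^\s*"' -and $_.PathName -notmatch $winDirPattern } |
        Where-Object { ($_.PathName -match '(?i)^(.*?\.exe)') -and ($matches[1] -match '\s') } |
        Select-Object Name, DisplayName, StartMode, PathName | Format-List | Out-String -Width 4096) + "`r`n"

    # ---- User files --------------------------------------------------------
    $output += $sep + " Recent Documents`r`n" + $sep
    $output += (Get-ChildItem "$env:APPDATA\Microsoft\Windows\Recent" -EA SilentlyContinue |
        Select-Object Name | Format-Table -HideTableHeaders | Out-String) + "`r`n"

    $output += $sep + " Potentially Interesting Files in Users Directory `r`n" + $sep
    # The original pattern list contained "*.vnc.*.ini", a typo that silently
    # dropped both *.vnc and *.ini.
    $userFilePatterns = @("*.zip", "*.rar", "*.7z", "*.gz", "*.conf", "*.config", "*.rdp", "*.kdbx", "*.crt", "*.pem",
                          "*.pfx", "*.ppk", "*.txt", "*.xml", "*.vnc", "*.ini", "*.vbs", "*.bat", "*.ps1", "*.cmd")
    $usersDir = Join-Path $env:SystemDrive "Users"
    $output += (Get-ChildItem $usersDir -Recurse -Include $userFilePatterns -EA SilentlyContinue |
        ForEach-Object { $_.FullName } | Out-String) + "`r`n"

    $output += $sep + " 10 Last Modified Files in $usersDir`r`n" + $sep
    $output += (Get-ChildItem $usersDir -Recurse -EA SilentlyContinue | Sort-Object LastWriteTime |
        Select-Object -Last 10 | ForEach-Object { $_.FullName } | Out-String) + "`r`n"

    $output += $sep + " MUICache Files`r`n" + $sep
    # MuiCache value names are the full paths of executables the user has run;
    # keep only value names that look like a path and list each once.
    Get-ChildItem "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\" -EA SilentlyContinue | ForEach-Object {
        $paths = $_.Property | Where-Object { $_ -match '^[A-Za-z]:\\' } | Sort-Object -Unique
        if ($paths) { $output += ($paths -join "`r`n") + "`r`n" }
    }
    $output += "`r`n`r`n"

    # ---- Simple privilege-escalation checks --------------------------------
    Write-Output " - Looking for Simple Priv Esc Methods"
    $output += $sep + " System Files with Passwords`r`n" + $sep
    # Windows Setup answer files are named unattend.xml / autounattend.xml; the
    # original list only had the misspelt "unattended.*" forms, which never
    # match the real files. Both spellings are kept. Select-String with an
    # empty pattern dumps the whole file, prefixed with path and line number.
    $answerFiles = @("unattend.xml", "unattended.xml", "autounattend.xml", "autounattended.xml", "sysprep.xml",
                     "unattend.inf", "unattended.inf", "autounattend.inf", "autounattended.inf", "sysprep.inf",
                     "unattend.txt", "unattended.txt", "autounattend.txt", "autounattended.txt", "sysprep.txt")
    $output += (Get-ChildItem $drive -Recurse -Include $answerFiles -EA SilentlyContinue |
        Select-String -Pattern "" | Out-String -Width 4096) + "`r`n"

    $output += $sep + " AlwaysInstallElevated Registry Key`r`n" + $sep
    # MSI packages run as SYSTEM only when the value is 1 in BOTH hives; each
    # hive is reported separately so a half-configured host is still visible.
    # -EA SilentlyContinue: the key or the value is usually absent.
    $aieEnabled = @{}
    foreach ($hive in "HKLM", "HKCU") {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -EA SilentlyContinue).AlwaysInstallElevated
        $aieEnabled[$hive] = ($value -eq 1)
        if ($value -eq 1) { $output += "AlwaysInstallElevated = 1 in $hive`r`n" }
    }
    if ($aieEnabled["HKLM"] -and $aieEnabled["HKCU"]) {
        $output += "AlwaysInstallElevated enabled on this host! (set in both HKLM and HKCU)`r`n"
    }
    $output += "`r`n"

    $output += $sep + " Stored Credentials`r`n" + $sep
    $output += (cmdkey /list | Out-String) + "`r`n"

    $output += $sep + " Checking for AutoAdminLogon `r`n" + $sep
    # One Get-ItemProperty call reads every Winlogon value; DefaultPassword is
    # frequently absent even when autologon is on, which used to raise an error.
    $winlogon = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -EA SilentlyContinue
    if ($winlogon -and $winlogon.AutoAdminLogon -eq 1) {
        $output += "The default username is " + $winlogon.DefaultUserName + " `r`n"
        if ($winlogon.DefaultPassword) {
            $output += "The default password is " + $winlogon.DefaultPassword + " `r`n"
        } else {
            # NOTE(review): tools such as Autologon keep the password as an LSA
            # secret instead of this value; that needs SYSTEM to read - confirm.
            $output += "DefaultPassword value not present (may be stored as an LSA secret instead)`r`n"
        }
        $output += "The default domainname is " + $winlogon.DefaultDomainName + " `r`n"
    }
    $output += "`r`n"

    # ---- Deliver the report ------------------------------------------------
    if ($OutputFilename.Length -gt 0) {
        # Resolve against the PowerShell location rather than the process CWD,
        # which differ after Set-Location. The file holds credentials in clear
        # text - remove it from the target when done.
        $resolved = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputFilename)
        $output | Out-File -FilePath $resolved -Encoding utf8
        Write-Output " - Done. Report written to $resolved"
    } else {
        # Best effort: hosts without a console (some reverse shells) cannot clear.
        try { Clear-Host } catch { }
        Write-Output $output
        Write-Output " - Done."
    }
}

if ($OutputFilename.Length -gt 0) {
    # Fail fast on an unwritable destination before the slow enumeration runs.
    # The enumeration itself is kept outside the try so an unrelated error is
    # not misreported as a file-permission problem.
    $canWrite = $true
    Try {
        $resolved = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputFilename)
        [IO.File]::OpenWrite($resolved).Close()
    }
    Catch {
        Write-Warning "`nUnable to write to output file $OutputFilename, Check path and permissions"
        $canWrite = $false
    }
    if ($canWrite) { JAWS-ENUM }
}
else {
    JAWS-ENUM
}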