├── README.md
└── windowsEnum.bat
/README.md:
# windowsEnum
Batch file to help automate Windows enumeration for privilege escalation

An explanation of the file and a walkthrough of what it does can be found at:

http://digitalforensicstips.com/2016/09/a-script-to-help-automate-windows-enumeration-for-privilege-escalation/

/windowsEnum.bat:
REM Windows Enumeration Batch Script v20160910
REM @matt0177
REM HUGE thanks to @FuzzySec and @GradiusX
REM For information on Windows privilege escalation, be sure to read https://www.fuzzysecurity.com/tutorials/16.html


@echo off
REM Overview of where the results go:
REM  - every section up to "Switching to the c:\ directory" is appended to
REM    output.txt in the directory the script is started from;
REM  - output.txt is then copied to c:\temp, the script changes to the root of
REM    the current drive, and the dir /s scans are written to
REM    c:\temp\dir_output.txt and c:\temp\output_of_tree.txt;
REM  - the final wmic/findstr check prints to the console only.
REM Section titles are written with echo; "echo." appends an empty line.
REM cmd does not stop when a command fails, so a missing tool or file only
REM produces an error on the console and the script carries on.
echo ##################Hostname > output.txt
hostname >> output.txt
echo. >> output.txt

echo ##################whoami >> output.txt
whoami >> output.txt
echo. >> output.txt

REM In a .bat file %% is a literal percent sign: the title line shows the text
REM %USERNAME% while the following line expands the variable.
echo ##################echo %%USERNAME%% >> output.txt
echo %USERNAME% >> output.txt
echo. >> output.txt

echo ##################net users >> output.txt
net users >> output.txt
echo. >> output.txt

echo ##################net user %%USERNAME%% >> output.txt
net user %USERNAME% >> output.txt
echo. >> output.txt

echo ################## systeminfo >> output.txt
systeminfo >> output.txt
echo. >> output.txt

echo ################## fsutil fsinfo drives >> output.txt
echo ################## (shows mounted drives) >> output.txt
fsutil fsinfo drives >> output.txt
echo. >> output.txt

echo ################## path >> output.txt
echo %PATH% >> output.txt
echo. >> output.txt

echo ################## tasklist /SVC >> output.txt
tasklist /SVC >> output.txt
echo. >> output.txt

REM Reads the AlwaysInstallElevated policy value from both the machine (HKLM)
REM and the user (HKCU) hive; reg query reports an error if a key is absent.
echo ################## Checking if .msi files are always installed with elevated privlidges>> output.txt
echo ################## NOTE: Both values below must be 1 >> output.txt
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated /v AlwaysInstallElevated >> output.txt
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated /v AlwaysInstallElevated >> output.txt
echo. >> output.txt

echo #### Checking for backup SAM files >> output.txt

REM NOTE(review): the escaping on the two dir lines is the reverse of the echo
REM lines above them - %% is a literal percent in a .bat, so dir receives the
REM literal text %SYSTEMROOT%\...\SAM rather than the expanded path.
echo #### dir %SYSTEMROOT%\repair\SAM >> output.txt
dir %%SYSTEMROOT%%\repair\SAM >> output.txt

echo #### dir %SYSTEMROOT%\system32\config\regback\SAM >> output.txt
dir %%SYSTEMROOT%%\system32\config\regback\SAM >> output.txt
echo. >> output.txt

REM accesschk.exe is a Sysinternals tool, not part of Windows; it is resolved
REM from the current directory or PATH. If it is not found these three lines
REM produce only a "not recognized" message on the console and nothing in
REM output.txt.
echo #### Checking for vulnerable services that can be modified by unprivlidged users >> output.txt
echo #### USES AccessChk from sysinternals >> output.txt
echo #### Reference: http://toshellandback.com/2015/11/24/ms-priv-esc/ and http://www.fuzzysecurity.com/tutorials/16.html>> output.txt
accesschk.exe -uwcqv "Authenticated Users" * /accepteula >> output.txt
accesschk.exe -uwcqv "Users" * /accepteula >> output.txt
accesschk.exe -uwcqv "Everyone" * /accepteula >> output.txt
echo. >> output.txt

echo ##################################################### >> output.txt
echo ################## Checking for possible creds >> output.txt
echo ##################################################### >> output.txt

REM type prints the whole file into output.txt when it exists.
echo ################## type c:\sysprep.inf >> output.txt
type c:\sysprep.inf >> output.txt
echo. >> output.txt

echo ################## type c:\sysprep\sysprep.xml>> output.txt
type c:\sysprep\sysprep.xml >> output.txt
echo. >> output.txt

echo ##################################################### >> output.txt
echo ################## Network Information >> output.txt
echo ##################################################### >> output.txt

echo ################## ipconfig /all >> output.txt
ipconfig /all >> output.txt
echo. >> output.txt

echo ################## net use (view current connetions) >> output.txt
net use >> output.txt
echo. >> output.txt

echo ################## net share (view shares) >> output.txt
net share >> output.txt
echo. >> output.txt

echo ################## arp -a >> output.txt
arp -a >> output.txt
echo. >> output.txt

echo ################## route print>> output.txt
route print >> output.txt
echo. >> output.txt

echo ################## netstat -nao >> output.txt
netstat -nao >> output.txt
echo. >> output.txt

echo ################## netsh firewall show state >> output.txt
netsh firewall show state >> output.txt
echo. >> output.txt

echo ################## netsh firewall show config >> output.txt
netsh firewall show config >> output.txt
echo. >> output.txt

REM netsh writes the exported profiles as XML files into the current directory
REM (with key=clear the network key is included in clear text). The files
REM matching wi-fi*.xml are appended to output.txt and then deleted, so the
REM only remaining copy of that material is inside output.txt.
echo ################## netsh wlan export profile key=clear >> output.txt
echo ################## Shows wireless network information>> output.txt
netsh wlan export profile key=clear
type wi-fi*.xml >> output.txt
del wi-fi*.xml
echo. >> output.txt

echo ##################################################### >> output.txt
echo ################## Scheduled Tasks >> output.txt
echo ##################################################### >> output.txt

echo ################## schtasks /query /fo LIST /v >> output.txt
schtasks /query /fo LIST /v >> output.txt
echo. >> output.txt

echo ################## net start >> output.txt
net start >> output.txt
echo. >> output.txt

echo ################## DRIVERQUERY >> output.txt
DRIVERQUERY >> output.txt
echo. >> output.txt

echo ##################################################### >> output.txt
echo ################## Any mentions of "password" in the registry >> output.txt
echo ##################################################### >> output.txt

REM Recursive (/s) search of HKLM for REG_SZ entries matching "password".
reg query HKLM /f password /t REG_SZ /s >> output.txt

echo. >> output.txt

echo ##################################################### >> output.txt
echo ################## Switching to the c:\ directory and making a c:\temp directory for dir scans >> output.txt
echo ##################################################### >> output.txt
REM The next two echo lines are not redirected and go to the console.
REM If c:\temp already exists mkdir prints an error and the copy still runs.
REM cd\ changes to the root of the current drive, so every dir /s below walks
REM that whole drive.
echo Switching to C:\ !!!!!!!!!!!
echo Remember to grab all files
mkdir c:\temp
copy output.txt c:\temp\output.txt
cd\


REM Single > here: dir_output.txt is created (or truncated); later lines append.
echo ################## Checking for files with pass, cred, vnc or .config in the name > c:\temp\dir_output.txt

echo ################## dir /s *pass* ####################################################### >> c:\temp\dir_output.txt
dir /s *pass* >>c:\temp\dir_output.txt

echo ################## dir /s *cred* ####################################################### >> c:\temp\dir_output.txt
dir /s *cred* >>c:\temp\dir_output.txt

echo ################## dir /s *vnc* ####################################################### >> c:\temp\dir_output.txt
dir /s *vnc* >>c:\temp\dir_output.txt

echo ################## dir /s *.config ##################################################### >> c:\temp\dir_output.txt
dir /s *.config >>c:\temp\dir_output.txt

echo. >> c:\temp\dir_output.txt

REM Group Policy Preference files and web.config, located by name only; the
REM files themselves are not read.
echo ################## Checking for files with possible creds >> c:\temp\dir_output.txt
echo ################## Reference: http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html >> c:\temp\dir_output.txt

echo ################## dir /s groups.xml >> c:\temp\dir_output.txt
dir /s groups.xml >>c:\temp\dir_output.txt

echo ################## dir /s ScheduledTasks.xml >> c:\temp\dir_output.txt
dir /s ScheduledTasks.xml >>c:\temp\dir_output.txt

echo ################## dir /s printers.xml >> c:\temp\dir_output.txt
dir /s printers.xml >>c:\temp\dir_output.txt

echo ################## dir /s drives.xml >> c:\temp\dir_output.txt
dir /s drives.xml >>c:\temp\dir_output.txt

echo ################## dir /s DataSources.xml >> c:\temp\dir_output.txt
dir /s DataSources.xml >>c:\temp\dir_output.txt

echo ################## dir /s web.config >> c:\temp\dir_output.txt
dir /s web.config >>c:\temp\dir_output.txt

echo. >> c:\temp\dir_output.txt

echo ################## Checking for unattended install files >> c:\temp\dir_output.txt

echo ################## dir /s unattended.xml >> c:\temp\dir_output.txt
dir /s unattended.xml >>c:\temp\dir_output.txt

echo ################## dir /s unattend.xml >> c:\temp\dir_output.txt
dir /s unattend.xml >>c:\temp\dir_output.txt

echo ################## dir /s unattend.txt >> c:\temp\dir_output.txt
dir /s unattend.txt >>c:\temp\dir_output.txt

echo ################## dir /s autounattend.xml >> c:\temp\dir_output.txt
dir /s autounattend.xml >>c:\temp\dir_output.txt

echo ################## dir /s sysprep.inf >> c:\temp\dir_output.txt
dir /s sysprep.inf >>c:\temp\dir_output.txt

echo ################## dir /s sysprep.xml >> c:\temp\dir_output.txt
dir /s sysprep.xml >>c:\temp\dir_output.txt

REM The tree listing goes to its own file; the single > overwrites any
REM existing output_of_tree.txt.
echo ################## Creating a tree of the c:\ drive >> c:\temp\dir_output.txt
echo ################## Ouput to "output_of_tree.txt file" >> c:\temp\dir_output.txt

tree C:\ /f /a > c:\temp\output_of_tree.txt

echo #####################################################
echo ################## Checks which don't output to a file!!!!
echo #####################################################

REM Console only. wmic lists every service; the findstr chain keeps lines
REM containing "auto" (start mode), then drops lines whose path is under
REM c:\windows\ and lines that contain a double quote. What is left are
REM auto-start services whose image path is not quoted.
echo ################## Checking for services which arn't properly quoted
echo ################## Reference http://toshellandback.com/2015/11/24/ms-priv-esc/
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """