Better, up-to-date alternative: https://github.com/itm4n/PrivescCheck
After trying to fix the code of the original Windows Privesc Check tool and crying rivers of blood, I decided to look for a more appropriate tool for the task. This is an experiment to implement similar functionality in PowerShell, which is available by default in every Windows installation since Windows 7/Server 2008 R2.
This is my first PowerShell project, but I still hope that my code will be better than the monolithic Python/PyInstaller/ASCII-only predecessor. Pull requests and issue reports are welcome, of course.
- Check insecure permissions on:
  - Service binaries
  - Directories in %PATH%
  - Files under %SYSTEMROOT%
  - Service-related registry keys
I only list the most important things here:
- Checks for DLL hijacking (will need PowerShell PETools)
- Checks for Group Policy Preferences
- Checks for Unattended.xml
- Checks for unquoted service binary paths
- Checks for registry key linking
- Checks for Autorun and Startup scripts
- Password policy checks
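As an added example of the permission and path checks listed above (this is not code from this project), the following PowerShell script enumerates services through Win32_Service, flags service binaries or their directories that are writable by Everyone, Authenticated Users or BUILTIN\Users, reports unquoted image paths that contain spaces, and lists %PATH% directories writable by the same principals. The function names, the `$LowPrivSids` list and the `$WriteMask` rights mask are my own choices; it assumes Windows PowerShell 3.0 or later on Windows.

```powershell
# Added example, not part of this project: audit service binaries, their
# directories and %PATH% entries for write access by low-privileged principals,
# and flag unquoted service paths. Assumes Windows PowerShell 3.0+ on Windows.

# Well-known SIDs of principals that should never be able to modify a service
# binary or its directory: Everyone, Authenticated Users, BUILTIN\Users.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Rights that allow replacing, retargeting or re-permissioning a file or
# directory (WriteData/AppendData on a directory mean "create file/subdir").
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    # Extract the executable from an ImagePath such as
    #   "C:\Program Files\Vendor\svc.exe" -arg   or   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: treat everything up to the first ".exe" as the intended binary.
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Test-LowPrivWritable {
    # True if any Allow ACE grants a low-privileged principal rights from
    # $WriteMask. Deny ACEs are ignored, which is a deliberate simplification.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if (($LowPrivSids -contains $sid) -and ((([int]$ace.FileSystemRights) -band $WriteMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Find-WeakServiceBinaries {
    # One result object per service with an unquoted path, a writable binary
    # or a writable binary directory.
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $image = $svc.PathName
        if (-not $image) { continue }
        $bin = Get-ServiceBinaryPath $image
        if (-not $bin) { continue }
        $bin = [Environment]::ExpandEnvironmentVariables($bin)
        $unquoted = (-not $image.Trim().StartsWith('"')) -and ($bin -match '\s')
        $binWritable = Test-LowPrivWritable $bin
        $dirWritable = $false
        try {
            $dir = [System.IO.Path]::GetDirectoryName($bin)
            if ($dir) { $dirWritable = Test-LowPrivWritable $dir }
        } catch { }
        if ($unquoted -or $binWritable -or $dirWritable) {
            [PSCustomObject]@{
                Service        = $svc.Name
                RunsAs         = $svc.StartName
                Binary         = $bin
                UnquotedPath   = $unquoted
                BinaryWritable = $binWritable
                DirWritable    = $dirWritable
            }
        }
    }
}

function Find-WeakPathDirectories {
    # Every existing directory in the current %PATH% that a low-privileged
    # principal can write to.
    foreach ($dir in ($env:Path -split ';' | Where-Object { $_ })) {
        $d = [Environment]::ExpandEnvironmentVariables($dir.Trim())
        if ((Test-Path -LiteralPath $d) -and (Test-LowPrivWritable $d)) { $d }
    }
}

Find-WeakServiceBinaries | Format-Table -AutoSize
Find-WeakPathDirectories
```

The RunsAs column matters for triage: a writable binary of a service running as LocalSystem is a far more serious finding than one running under a dedicated low-privileged account. Because Deny ACEs and inherited-only entries are not evaluated, review each reported path with `icacls` before treating it as confirmed.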
Similar functionality is implemented by the following tools:
- Windows Privesc Check
  - No Unicode support (attempt to fix this)
  - Awful code base
- Windows Privesc Check 2.0
  - Code is still very hard to maintain
  - Still painful to use on non-English systems
- PowerUp
  - Smart PowerShell cmdlets
  - Offensive approach
  - Checks only the privileges of the executing user
Thanks to:
- @andrew_kabai for pointing me to PowerUp
- @Carlos_Perez for his fine tutorials: http://www.darkoperator.com/powershellbasics/