Windows

Automated Enumeration

• windows-privesc-check

• waston

• sherlock

• powerSpliot/privesc/powerUp

• windows-Exploit0Suggester

• JAWS

• WinPEAS

• LinPEAS & linEnum

Windows Privilege Escalation

Code	Technique	Mitre
WPE-01	Stored Credentials	NA
WPE-02	Windows Kernel	NA
WPE-03	DLL Injection	NA
WPE-04	Weak Service Permissions	NA
WPE-05	DLL Hijacking	NA
WPE-06	Hot Potato	NA
WPE-07	Group Policy Preferences	NA
WPE-08	Unquoted Service Path	NA
WPE-09	Always Install Elevated	NA
WPE-10	Token Manipulation	NA
WPE-11	Secondary Logon Handle	NA
WPE-12	Insecure Registry Permissions	NA
WPE-13	Intel SYSRET	NA
WPE-14	Print Spooler	NA
WPE-15	HiveNightmare	NA
WPE-16	Resource Based Constrained Delegation	NA

Discovery of Missing Patches

The discovery of missing patches can be identified easily either through manual methods or automatic. Manually this can be done easily be executing the following command which will enumerate all the installed patches.

wmic qfe get Caption,Description,HotFixID,InstalledOn
	
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" /C:"KB4018483"

Metasploit

post/windows/gather/enum_patches

Metasploit – Patches Enumeration

PowerShell

There is also a PowerShell script which target to identify patches that can lead to privilege escalation. This script is called Sherlock and it will check a system for the following:

• MS10-015 : User Mode to Ring (KiTrap0D)

• MS10-092 : Task Scheduler

• MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow

• MS13-081 : TrackPopupMenuEx Win32k NULL Page

• MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference

• MS15-051 : ClientCopyImage Win32k

• MS15-078 : Font Driver Buffer Overflow

• MS16-016 : ‘mrxdav.sys’ WebDAV

• MS16-032 : Secondary Logon Handle

• CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc

Privilege Escalation Table

The following table has been compiled to assist in the process of privilege escalation due to lack of sufficient patching.

Operating System	Description	Security Bulletin	KB	Exploit
Windows Server 2016	Windows Kernel Mode Drivers	MS16-135	3199135	Exploit Github
Windows Server 2008 ,7,8,10 Windows Server 2012	Secondary Logon Handle	MS16-032	3143141	GitHub ExploitDB Metasploit
Windows Server 2008, Vista, 7	WebDAV	MS16-016	3136041	Github
Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012	Windows Kernel Mode Drivers	MS15-051	3057191	GitHub ExploitDB Metasploit
Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8	Win32k.sys	MS14-058	3000061	GitHub ExploitDB Metasploit
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012	AFD Driver	MS14-040	2975684	Python EXE ExploitDB Github
Windows XP, Windows Server 2003	Windows Kernel	MS14-002	2914368	Metasploit
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012	Kernel Mode Driver	MS13-005	2778930	Metasploit ExploitDB GitHub
Windows Server 2008, 7	Task Scheduler	MS10-092	2305420	Metasploit ExploitDB
Windows Server 2003, Windows Server 2008, 7, XP	KiTrap0D	MS10-015	977165	Exploit ExploitDB GitHub Metasploit
Windows Server 2003, XP	NDProxy	MS14-002	2914368	Exploit ExploitDB ExploitDB Github
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012	Kernel Driver	MS15-061	3057839	Github
Windows Server 2003, XP	AFD.sys	MS11-080	2592799	EXE Metasploit ExploitDB
Windows Server 2003, XP	NDISTAPI	MS11-062	2566454	ExploitDB
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012	RPC	MS15-076	3067505	Github
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012	Hot Potato	MS16-075	3164038	GitHub PowerShell HotPotato
Windows Server 2003, Windows Server 2008, 7, XP	Kernel Driver	MS15-010	3036220	GitHub ExploitDB
Windows Server 2003, Windows Server 2008, 7, XP	AFD.sys	MS11-046	2503665	EXE ExploitDB