Windows
Automated Enumeration
windows-privesc-check
Watson
sherlock
PowerSploit/Privesc/PowerUp
Windows-Exploit-Suggester
JAWS
WinPEAS
LinPEAS & LinEnum
Windows Privilege Escalation
Code | Technique | MITRE |
---|---|---|
WPE-01 | | |
WPE-02 | | |
WPE-03 | | |
WPE-04 | | |
WPE-05 | | |
WPE-06 | | |
WPE-07 | | |
WPE-08 | | |
WPE-09 | | |
WPE-10 | | |
WPE-11 | | |
WPE-12 | | |
WPE-13 | | |
WPE-14 | | |
WPE-15 | | |
WPE-16 | | |
Discovery of Missing Patches
Missing patches can be identified either manually or with automated tools. Manually, this is done by executing the following command, which enumerates all installed patches; the installed KB numbers are then compared against the bulletins known to fix privilege escalation flaws.
Metasploit
PowerShell
There is also a PowerShell script that aims to identify missing patches that can lead to privilege escalation. This script is called Sherlock, and it checks a system for the following:
MS10-015 : User Mode to Ring (KiTrap0D)
MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : ‘mrxdav.sys’ WebDAV
MS16-032 : Secondary Logon Handle
CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc
Privilege Escalation Table
The following table has been compiled to assist with privilege escalation through missing patches. The numbers given are the KB article numbers of the fixes; the absence of a KB from the installed hotfix list is only an indicator, since later cumulative updates and rollups supersede these KBs without listing them.
Operating System | Description | Security Bulletin | KB | Exploit |
---|---|---|---|---|
Windows Server 2016 | Windows Kernel Mode Drivers | | 3199135 | |
Windows Server 2008, 7, 8, 10, Windows Server 2012 | Secondary Logon Handle | | 3143141 | |
Windows Server 2008, Vista, 7 | WebDAV | | 3136041 | |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Windows Kernel Mode Drivers | | 3057191 | |
Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8 | Win32k.sys | | 3000061 | |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | AFD Driver | | 2975684 | |
Windows XP, Windows Server 2003 | Windows Kernel | | 2914368 | |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Kernel Mode Driver | | 2778930 | |
Windows Server 2008, 7 | Task Scheduler | | 2305420 | |
Windows Server 2003, Windows Server 2008, 7, XP | KiTrap0D | | 977165 | |
Windows Server 2003, XP | NDProxy | | 2914368 | |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Kernel Driver | | 3057839 | |
Windows Server 2003, XP | AFD.sys | | 2592799 | |
Windows Server 2003, XP | NDISTAPI | | 2566454 | |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | RPC | | 3067505 | |
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Hot Potato | | 3164038 | |
Windows Server 2003, Windows Server 2008, 7, XP | Kernel Driver | | 3036220 | |
Windows Server 2003, Windows Server 2008, 7, XP | AFD.sys | | 2503665 | |
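The following script is an added example for this page; it is not part of the page, of Sherlock, or of any of the tools listed above. It ties the manual patch enumeration described under "Discovery of Missing Patches" to the table: it collects the installed hotfixes with Get-HotFix (a wrapper over the Win32_QuickFixEngineering WMI class), reports every KB from the table that is absent, and records the OS build together with the version of the binaries those bulletins patch. The names `$PatchTable`, `Get-InstalledKB`, `Find-MissingKB` and `Get-TargetBinaryVersion` are this example's own. The file-version step only reports versions; it does not carry the per-bulletin fixed-version thresholds that Sherlock embeds, so use it as evidence to compare by hand or to feed into Sherlock's checks.

```powershell
# Added example, not from the original page or from Sherlock: cross-check the KB
# numbers of the table against the hotfixes this host reports, and collect the
# OS build and patched-binary versions. Runs as a standard user.

# KB numbers copied from the table above, keyed by the description used there.
$PatchTable = @{
    '3199135' = 'Windows Kernel Mode Drivers'
    '3143141' = 'Secondary Logon Handle'
    '3136041' = 'WebDAV'
    '3057191' = 'Windows Kernel Mode Drivers'
    '3000061' = 'Win32k.sys'
    '2975684' = 'AFD Driver'
    '2914368' = 'Windows Kernel / NDProxy'
    '2778930' = 'Kernel Mode Driver'
    '2305420' = 'Task Scheduler'
    '977165'  = 'KiTrap0D'
    '3057839' = 'Kernel Driver'
    '2592799' = 'AFD.sys'
    '2566454' = 'NDISTAPI'
    '3067505' = 'RPC'
    '3164038' = 'Hot Potato'
    '3036220' = 'Kernel Driver'
    '2503665' = 'AFD.sys'
}

function Get-InstalledKB {
    # Get-HotFix reads Win32_QuickFixEngineering, which lists updates installed
    # through the servicing stack only; a fix shipped inside a later cumulative
    # update or monthly rollup does not show up under its original KB number.
    Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' }
}

function Find-MissingKB {
    param([string[]]$Installed = (Get-InstalledKB))
    foreach ($kb in $PatchTable.Keys) {
        if ($Installed -notcontains $kb) {
            [pscustomobject]@{
                KB          = "KB$kb"
                Description = $PatchTable[$kb]
            }
        }
    }
}

function Get-TargetBinaryVersion {
    # Versions of the binaries the bulletins in the table patch. Comparing the
    # file version against the fixed version is what Sherlock does, and unlike
    # the KB list it is not fooled by rollups. Paths are relative to System32.
    $files = 'ntoskrnl.exe', 'win32k.sys', 'seclogon.dll',
             'drivers\afd.sys', 'drivers\mrxdav.sys', 'drivers\ndproxy.sys'
    foreach ($f in $files) {
        $path = Join-Path $env:SystemRoot "System32\$f"
        if (Test-Path $path) {
            [pscustomobject]@{
                File    = $f
                Version = (Get-Item $path).VersionInfo.ProductVersion
            }
        }
    }
}

# Report the build first: on Windows 10 and later, and on Windows 7/8.1 after the
# October 2016 move to monthly rollups, the table's KBs are superseded, so a
# "missing" KB there is expected and the build and file versions are the evidence.
[pscustomobject]@{
    Host     = $env:COMPUTERNAME
    Build    = [System.Environment]::OSVersion.Version.ToString()
    Hotfixes = @(Get-InstalledKB).Count
} | Format-List

Find-MissingKB | Sort-Object KB | Format-Table -AutoSize
Get-TargetBinaryVersion | Format-Table -AutoSize
```

Run it from a PowerShell prompt on the target. On a host that is still on a bulletin-era servicing model (Server 2003 through Windows 8.1 before the 2016 rollups, Server 2012 alike), every KB listed by Find-MissingKB maps directly to a row of the table and is worth testing; on a current build treat the output as a pointer to the file versions, which is what Sherlock and Watson ultimately compare.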