author: HarmJ0y <will@harmj0y.net>, 2016-12-14 11:53:29 -0500
committer: HarmJ0y <will@harmj0y.net>, 2016-12-14 11:53:29 -0500
commit: 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d (patch)
tree: 57e9cfbba515d074f9ca77438245f8dfe46b62aa /Privesc
parent: 5da1774219284bbe1539675e84f5c8b4370b386e (diff)
Added documentation for PowerUp
Diffstat (limited to 'Privesc')
-rw-r--r-- Privesc/PowerUp.ps1 | 190
-rw-r--r-- Privesc/Privesc.psd1 | 43
-rw-r--r-- Privesc/README.md | 22
3 files changed, 129 insertions, 126 deletions
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1 index 6fffef0..8ad9044 100644 --- a/Privesc/PowerUp.ps1 +++ b/Privesc/PowerUp.ps1 @@ -739,9 +739,9 @@ function Get-ModifiablePath { Parses a passed string containing multiple possible file/folder paths and returns the file paths where the current user has modification rights. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -935,9 +935,9 @@ function Get-TokenInformation { Helpers that returns token groups or privileges for a passed process/thread token. Used by Get-ProcessTokenGroup and Get-ProcessTokenPrivilege. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION @@ -1065,9 +1065,9 @@ function Get-ProcessTokenGroup { Returns all SIDs that the current token context is a part of, whether they are disabled or not. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect, Get-TokenInformation +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation .DESCRIPTION @@ -1197,9 +1197,9 @@ function Get-ProcessTokenPrivilege { Returns all privileges for the current (or specified) process ID. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect, Get-TokenInformation +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation .DESCRIPTION @@ -1354,9 +1354,9 @@ function Enable-Privilege { Enables a specific privilege for the current process. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION 
@@ -1451,9 +1451,9 @@ function Add-ServiceDacl { Adds a Dacl field to a service object returned by Get-Service. -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION @@ -1567,9 +1567,9 @@ function Set-ServiceBinaryPath { Sets the binary path for a service to a specified value. -Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION @@ -1688,9 +1688,9 @@ function Test-ServiceDaclPermission { Tests one or more passed services or service names against a given permission set, returning the service objects where the current user have the specified permissions. -Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: Add-ServiceDacl +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: Add-ServiceDacl .DESCRIPTION @@ -1868,9 +1868,9 @@ function Get-UnquotedService { Returns the name and binary path for services with unquoted paths that also have a space in the name. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission .DESCRIPTION 
@@ -1931,9 +1931,9 @@ function Get-ModifiableServiceFile { Enumerates all services and returns vulnerable service files. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Test-ServiceDaclPermission +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath .DESCRIPTION @@ -1989,9 +1989,9 @@ function Get-ModifiableService { Enumerates all services and returns services for which the current user can modify the binPath. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Test-ServiceDaclPermission +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail .DESCRIPTION @@ -2036,9 +2036,9 @@ function Get-ServiceDetail { Returns detailed information about a specified service by querying the WMI win32_service class for the specified service name. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -2109,9 +2109,9 @@ function Invoke-ServiceAbuse { Abuses a function the current user has configuration rights on in order to add a local administrator or execute a custom command. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath .DESCRIPTION @@ -2346,9 +2346,9 @@ function Write-ServiceBinary { Patches in the specified command to a pre-compiled C# service executable and writes the binary out to the specified ServicePath location. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION 
@@ -2529,9 +2529,9 @@ function Install-ServiceBinary { Replaces the service binary for the specified service with one that executes a specified command as SYSTEM. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary .DESCRIPTION @@ -2698,9 +2698,9 @@ function Restore-ServiceBinary { Restores a service binary backed up by Install-ServiceBinary. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ServiceDetail, Get-ModifiablePath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath .DESCRIPTION @@ -2793,9 +2793,9 @@ function Find-ProcessDLLHijack { Finds all DLL hijack locations for currently running processes. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -2948,9 +2948,9 @@ function Find-PathDLLHijack { Finds all directories in the system %PATH% that are modifiable by the current user. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ModifiablePath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath .DESCRIPTION @@ -3001,9 +3001,9 @@ function Write-HijackDll { Patches in the path to a specified .bat (containing the specified command) into a pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION 
@@ -3229,9 +3229,9 @@ function Get-RegistryAlwaysInstallElevated { Checks if any of the AlwaysInstallElevated registry keys are set. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3298,9 +3298,9 @@ function Get-RegistryAutoLogon { Finds any autologon credentials left in the registry. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3361,9 +3361,9 @@ function Get-ModifiableRegistryAutoRun { Returns any elevated system autoruns in which the current user can modify part of the path string. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath .DESCRIPTION @@ -3439,9 +3439,9 @@ function Get-ModifiableScheduledTaskFile { Returns scheduled tasks where the current user can modify any file in the associated task action string. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath .DESCRIPTION @@ -3518,9 +3518,9 @@ function Get-UnattendedInstallFile { Checks several locations for remaining unattended installation files, which may have deployment credentials. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .EXAMPLE 
@@ -3577,9 +3577,9 @@ function Get-WebConfig { This script will recover cleartext and encrypted connection strings from all web.config files on the system. Also, it will decrypt them if needed. -Author: Scott Sutherland, Antti Rantasaari -License: BSD 3-Clause -Required Dependencies: None +Author: Scott Sutherland, Antti Rantasaari +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3791,9 +3791,9 @@ function Get-ApplicationHost { Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system. -Author: Scott Sutherland -License: BSD 3-Clause -Required Dependencies: None +Author: Scott Sutherland +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3952,10 +3952,10 @@ function Get-SiteListPassword { Retrieves the plaintext passwords for found McAfee's SiteList.xml files. Based on Jerome Nokin (@funoverip)'s Python solution (in links). -Author: Jerome Nokin (@funoverip) -PowerShell Port: @harmj0y -License: BSD 3-Clause -Required Dependencies: None +Author: Jerome Nokin (@funoverip) +PowerShell Port: @harmj0y +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4153,9 +4153,9 @@ function Get-CachedGPPPassword { Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and left in cached files on the host. -Author: Chris Campbell (@obscuresec), local cache mods by @harmj0y -License: BSD 3-Clause -Required Dependencies: None +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4360,9 +4360,9 @@ function Write-UserAddMSI { Writes out a precompiled MSI installer that prompts for a user/group addition. This function can be used to abuse Get-RegistryAlwaysInstallElevated. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION 
@@ -4414,9 +4414,9 @@ function Invoke-WScriptUACBypass { Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe. -Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie -License: BSD 3-Clause -Required Dependencies: None +Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4650,9 +4650,9 @@ function Invoke-PrivescAudit { Executes all functions that check for various Windows privilege escalation opportunities. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4979,4 +4979,6 @@ $Advapi32 = $Types['advapi32'] $Kernel32 = $Types['kernel32'] $NTDll = $Types['ntdll'] +Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup +Set-Alias Get-UnquotedService Get-UnquotedService Set-Alias Invoke-AllChecks Invoke-PrivescAudit diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1 index fb66225..6d4e3bd 100644 --- a/Privesc/Privesc.psd1 +++ b/Privesc/Privesc.psd1 
@@ -23,37 +23,36 @@ PowerShellVersion = '2.0' # Functions to export from this module FunctionsToExport = @( - 'Add-ServiceDacl', - 'Enable-Privilege', - 'Find-PathDLLHijack', - 'Find-ProcessDLLHijack', - 'Get-ApplicationHost', - 'Get-CachedGPPPassword', 'Get-ModifiablePath', - 'Get-ModifiableRegistryAutoRun', - 'Get-ModifiableScheduledTaskFile', - 'Get-ModifiableService', - 'Get-ModifiableServiceFile', 'Get-ProcessTokenGroup', 'Get-ProcessTokenPrivilege', + 'Enable-Privilege', + 'Add-ServiceDacl', + 'Set-ServiceBinaryPath', + 'Test-ServiceDaclPermission', + 'Get-UnquotedService', + 'Get-ModifiableServiceFile', + 'Get-ModifiableService', + 'Get-ServiceDetail', + 'Invoke-ServiceAbuse', + 'Write-ServiceBinary', + 'Install-ServiceBinary', + 'Restore-ServiceBinary', + 'Find-ProcessDLLHijack', + 'Find-PathDLLHijack', + 'Write-HijackDll', 'Get-RegistryAlwaysInstallElevated', 'Get-RegistryAutoLogon', - 'Get-ServiceDetail', - 'Get-SiteListPassword', - 'Get-TokenInformation', - 'Get-UnquotedService', + 'Get-ModifiableRegistryAutoRun', + 'Get-ModifiableScheduledTaskFile', 'Get-UnattendedInstallFile', 'Get-WebConfig', - 'Install-ServiceBinary', - 'Invoke-ServiceAbuse', + 'Get-ApplicationHost', + 'Get-SiteListPassword', + 'Get-CachedGPPPassword', + 'Write-UserAddMSI', 'Invoke-WScriptUACBypass', 'Invoke-PrivescAudit', - 'Restore-ServiceBinary', - 'Set-ServiceBinaryPath', - 'Test-ServiceDaclPermission', - 'Write-UserAddMSI', - 'Write-HijackDll', - 'Write-ServiceBinary', 'Get-System' ) diff --git a/Privesc/README.md b/Privesc/README.md index d5b499c..ac161d8 100644 --- a/Privesc/README.md +++ b/Privesc/README.md 
@@ -27,13 +27,18 @@ Required Dependencies: None Optional Dependencies: None -### Service Enumeration: - Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name +### Token/Privilege Enumeration/Abuse: + Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not + Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID + Enable-Privilege - enables a specific privilege for the current process + +### Service Enumeration/Abuse: + Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set + Get-UnquotedService - returns services with unquoted paths that also have a space in the name Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config Get-ModifiableService - returns services the current user can modify Get-ServiceDetail - returns detailed information about a specified service - -### Service Abuse: + Set-ServiceBinaryPath - sets the binary path for a service to a specified value Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command @@ -45,7 +50,7 @@ Optional Dependencies: None Write-HijackDll - writes out a hijackable DLL ### Registry Checks: - Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set + Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set Get-RegistryAutoLogon - checks for Autologon credentials in the registry Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns 
@@ -59,9 +64,6 @@ Optional Dependencies: None ### Other Helpers/Meta-Functions: Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify - Get-CurrentUserTokenGroupSid - returns all SIDs that the current user is a part of, whether they are disabled or not - Add-ServiceDacl - adds a Dacl field to a service object returned by Get-Service - Set-ServiceBinPath - sets the binary path for a service to a specified value through Win32 API methods - Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set Write-UserAddMSI - write out a MSI installer that prompts for a user to be added - Invoke-AllChecks - runs all current escalation checks and returns a report + Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe + Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks) |
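Review bot: in the PowerUp.ps1 doc-block hunks from @@ -739 through @@ -4650 the removed and added Author/License/Required Dependencies lines are textually identical, so those hunks are whitespace-only changes; the substantive edits mixed in with them are the Required Dependencies corrections for Get-ModifiableServiceFile (adds Get-ModifiablePath), Get-ModifiableService (adds Get-ServiceDetail), Get-ModifiableRegistryAutoRun and Get-ModifiableScheduledTaskFile (None becomes Get-ModifiablePath). The commit message "Added documentation for PowerUp" does not mention either kind of change; listing the dependency fixes there, or splitting them from the whitespace cleanup, would make the history easier to audit. While these blocks are being touched, the Invoke-ServiceAbuse synopsis context line "Abuses a function the current user has configuration rights on" should read "service".

Review bot: the @@ -4153 hunk for Get-CachedGPPPassword is not whitespace-only: the author line drops "local cache mods by @harmj0y". If this commit is meant to be a formatting pass, keep the credit; if the attribution change is intentional, say so in the commit message.

Review bot: the second alias added in the @@ -4979 hunk, `+Set-Alias Get-UnquotedService Get-UnquotedService`, maps the function name to itself, so no backward-compatible name is provided and the alias shadows the function of the same name at command lookup. The README hunk shows the previous name was `Get-ServiceUnquoted`; the line should presumably be `Set-Alias Get-ServiceUnquoted Get-UnquotedService`, following the pattern of the `Get-CurrentUserTokenGroupSid` and `Invoke-AllChecks` aliases beside it.

Review bot: the FunctionsToExport hunk in Privesc.psd1 is mostly a reorder, but it also drops 'Get-TokenInformation', which the PowerUp.ps1 doc block describes as a helper used by Get-ProcessTokenGroup and Get-ProcessTokenPrivilege; if hiding it is intended, note it in the commit message, since it is the only export removed rather than moved. The three compatibility aliases added at the end of PowerUp.ps1 are not visible in this manifest hunk, so check that AliasesToExport covers them: a manifest that does not export them leaves `Invoke-AllChecks` and the other old names unresolvable when the module is imported through the manifest.

Review bot: the @@ -59 README hunk removes Add-ServiceDacl from the documented list, yet the manifest hunk still exports 'Add-ServiceDacl', leaving it exported but undocumented; either keep a line for it under "Service Enumeration/Abuse" next to Set-ServiceBinaryPath and Test-ServiceDaclPermission, or drop it from FunctionsToExport. Invoke-WScriptUACBypass is also added under "Other Helpers/Meta-Functions", which does not describe it; a separate heading would match the sectioning used for the Service, DLL and Registry checks in the @@ -27 and @@ -45 hunks.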