Scripts and Automation!
Scripts have been developed in order to ease our enumeration and information gathering. In my previous post, I detailed pre and post exploitation enumeration methods that are more oriented towards manual discovery. If you have not read through that post, I recommend you read and digest the information before moving on to scripts and programs.
Enumeration & Privilege Escalation Scripts
We’re going to focus mainly on the post-exploitation enumeration scripts for both Windows and Linux machines. These scripts automate several of the manual tasks detailed in my previous post. The main point of post-exploitation enumeration is to: 1. find methods of privilege escalation and 2. find accessible privileged information.
- LinEnum.sh: (LINUX) [Shell] This is a go-to shell script that automates several of the tedious checks that are necessary in order to properly enumerate a Linux system.
- Unix-privesc-check: (LINUX) [Shell] A Bash script hosted by PenTestMonkey; it is one of many different tools that should be in your arsenal to check for common privilege escalation techniques.
- Linux Exploit Suggester: (LINUX) [Perl] A Perl script that checks for common Linux vulnerabilities.
- Linux Local Enum: (LINUX) [Shell] Developed by High on Coffee, this is similar to the LinEnum script but has its differences. Use what you like!
- Linux Priv Checker: (LINUX) [Python] A Python script that does the same thing as the Linux scripts above, and it’s in Python!
- WindowsEnum: (WINDOWS) [Batch] A batch script that automates gathering common pieces of information such as hostname, system info, and more. The author has a good write-up of the tool here.
- Windows-privesc-check: (WINDOWS) [Python & .exe] Another PenTestMonkey tool: there’s a compiled .exe version as well as a Python version. This tool is a bit old, but if you are using it on Windows 7 and below (legacy tests), this tool may automate
- Sherlock.ps1: (WINDOWS) [PowerShell] A PowerShell script built by rasta-mouse (who, if you didn’t know, has built some amazing labs on Hack The Box) that looks for the following common Windows vulnerabilities:
  - MS10-015 : User Mode to Ring (KiTrap0D)
  - MS10-092 : Task Scheduler
  - MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  - MS13-081 : TrackPopupMenuEx Win32k NULL Page
  - MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  - MS15-051 : ClientCopyImage Win32k
  - MS15-078 : Font Driver Buffer Overflow
  - MS16-016 : ‘mrxdav.sys’ WebDAV
  - MS16-032 : Secondary Logon Handle
  - MS16-135 : Win32k Elevation of Privilege
  - CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc
- Windows Exploit Suggester: (WINDOWS) [Python] Automate the boring stuff, right? This tool is written in Python and is dedicated to finding MS vulnerabilities.
Now, some of you might be asking why I am going through the trouble of even posting most of these scripts and utilities since a lot of the functionality is available with Metasploit Modules. Well, you should be 100% capable of conducting pre-exploit enumeration, reverse shells, post-exploit enumeration, and privilege escalation without using Metasploit. Yes, it’s great to understand how to use such a versatile tool but you sure as hell do not learn as much! When you understand how the exploit works, you’re going to be able to pivot faster and think critically when the shit hits the fan because shit is going to hit the fan!