# Course #437: Mastering peass-ng for Windows Privilege Escalation
## Section 1: Introduction to peass-ng
### Overview
Welcome to the first section of our course on **peass-ng**, a powerful tool designed specifically for performing privilege escalation in Windows environments. In this section, we'll cover the installation and configuration of peass-ng on Kali Linux, followed by a step-by-step walkthrough of its usage in real-world scenarios. Before we begin, ensure you have a basic understanding of penetration testing concepts and a working Kali Linux environment.
### What is peass-ng?
peass-ng (PowerPrivilegeEscalation Awesome Scripts SUITE Next Generation) is a comprehensive suite of scripts designed to aid penetration testers in identifying potential privilege escalation vectors in Windows environments. It leverages various techniques, including the enumeration of misconfigurations, weak permissions, and vulnerable services, to help assess the security posture of Windows systems.
### Installation and Configuration on Kali Linux
To get started with peass-ng, you need to install it on your Kali Linux system. Follow these steps:
1. **Open Terminal**: Launch your terminal in Kali Linux.
2. **Update the System**: Ensure your system packages are up to date:

   ```bash
   sudo apt update && sudo apt upgrade -y
   ```
3. **Install Required Dependencies**: Install necessary tools and libraries:

   ```bash
   sudo apt install git wget -y
   ```
4. **Clone the peass-ng Repository**: Use Git to clone the repository:

   ```bash
   git clone https://github.com/carlospolop/PEASS-ng.git
   ```
5. **Navigate to the Directory**: Change into the `PEASS-ng` directory:

   ```bash
   cd PEASS-ng
   ```
6. **Make the Scripts Executable**: You may need to change permissions to make the scripts executable:

   ```bash
   chmod +x *.sh
   ```
7. **Configuration**: Although peass-ng is ready to use out of the box, you may want to configure certain parameters based on your needs. Open the configuration file located in the `peass-ng` directory:

   ```bash
   nano config/config.json
   ```

   In this file, you can define your preferences for how the tool operates, including output formats and verbosity levels.
8. **Install Additional Tools**: Depending on your target Windows environment, you may want to install additional tools that work alongside peass-ng. For example, you might need PowerShell, SMB client utilities, or others for comprehensive testing.
### Step-by-Step Usage and Real-World Use Cases
Now that you have installed peass-ng, let’s explore how to use it effectively.
#### 1. Basic Usage
peass-ng offers several scripts and executables. The basic usage of the tool can be initiated via the terminal. Here's how to run the privilege escalation scripts:
```bash
cd PEASS-ng/linpeas
./linpeas.sh
```
This command will execute the **linpeas** script, which is designed for Linux systems. For Windows, you would use the `winpeas` script:
```bash
cd PEASS-ng/winpeas
./winpeas.exe
```
#### 2. Understanding Output
After executing the script, you will receive a plethora of output detailing potential security issues. The script categorizes findings into areas such as:
- Users and Permissions
- Services and Tasks
- Scheduled Jobs
- Environment Variables
Each category will provide insights into potential privilege escalation vectors. For example, if you see a service running under a user account with weak permissions, this could be a potential escalation point.
#### 3. Real-World Use Case: User Enumeration
Let’s walk through a real-world use case where we will use **peass-ng** to enumerate users and identify privilege escalation paths.
1. **Target the Windows System**: Ensure you have the appropriate access to the target system. You can use tools like Metasploit to gain initial access if needed.
2. **Run winpeas**: Start by running winpeas on the target system:

   ```powershell
   .\winpeas.exe
   ```
3. **Analyze the Results**: Pay close attention to sections related to user accounts. Look for any accounts that have administrative privileges but may not have been intended to have such access.
4. **Service Misconfigurations**: Review the services running on the system. You may discover services that are running under a user account that should not have elevated privileges.
5. **Privilege Escalation**: If you identify a misconfigured service, you can use that information to attempt a privilege escalation exploit, potentially running a payload as an administrator.
#### 4. Example Code and Outputs
```powershell
# Run winpeas and save output to a file for analysis
.\winpeas.exe > winpeas_output.txt
```
### Detailed Technical Explanations
#### 1. User Enumeration
User enumeration is a critical first step in privilege escalation. By identifying users on the system, especially those with admin rights, you can target your efforts more effectively. The `winpeas` script automates this process, allowing you to focus on other aspects of your penetration test.
#### 2. Service Misconfigurations
Services that run under user accounts instead of system accounts are often vulnerable to privilege escalation attacks. By examining the services outputted from winpeas, you can identify:
- **Services running as Local System**: This is a high-level account and any misconfigurations here are critical.
- **Services with weak ACLs**: If you have write access to a service executable, you can replace it with a malicious payload.
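
The two conditions above can also be audited directly by the system owner, so that weak service ACLs are found and fixed before an assessment reports them. The following PowerShell is an added example, not part of PEASS-ng or the original course material; the list of broad groups (English names) and the write-rights mask are assumptions to adjust for your environment.

```powershell
# Added example (not from PEASS-ng): audit service binaries for weak file ACLs.
# Assumption: English group names; localized Windows builds use other names.
$broadGroups = 'Everyone', 'BUILTIN\Users',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

# Rights that let a principal alter or replace the file.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Generic rights can appear unmapped on an ACE: GENERIC_ALL | GENERIC_WRITE.
$genericWrite = 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted path first, then the shortest prefix that ends in .exe.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $binary = Get-ServiceBinaryPath -PathName $svc.PathName
    if (-not $binary -or -not (Test-Path -LiteralPath $binary)) { continue }

    # Skip binaries whose ACL the current account is not allowed to read.
    $acl = Get-Acl -LiteralPath $binary -ErrorAction SilentlyContinue
    if (-not $acl) { continue }

    foreach ($ace in $acl.Access) {
        $rights   = [int]$ace.FileSystemRights
        $canWrite = ($rights -band $writeMask) -or ($rights -band $genericWrite)
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $broadGroups -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName   # LocalSystem rows are the most critical
                Binary    = $binary
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed groups can modify a service binary. Each row is a file ACL to tighten so that only administrators and the service's own account can write to the executable.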
### External Reference Links
1. [peass-ng GitHub Repository](https://github.com/carlospolop/PEASS-ng)
2. [Windows Privilege Escalation Techniques](https://book.hacktricks.xyz/windows-hardening/windows-privilege-escalation)
3. [Ethical Hacking Resources](https://www.kali.org/docs/)
### Conclusion of Section 1
In this section, we introduced peass-ng, its installation, and usage for Windows privilege escalation. You've learned how to install peass-ng on Kali Linux, run its scripts, and interpret the results. Additionally, you've seen practical examples of how to apply this knowledge in real-world scenarios.
Ensure that you practice these techniques in a safe, legal environment, such as a lab setup. In the following sections, we will explore advanced usage, case studies, and additional tools that complement peass-ng.
—
Made by pablo guides