WinPwnage: A Python repository from jasonadsit

Installing
Importing and usage as module
Build into single executable
Scan for compatible methods
UAC-bypass techniques
Persistence techniques
Elevation techniques

Disclaimer

This tool is provided for educational and research purposes only. The authors of this project are no way responsible for any misuse of this tool.

Installing:

If you're running on python version 3.4 or higher then you don't have to install anything. If you're running Python 2.* or earlier versions of Python 3.4, please use the pip command below.

pip install -r requirements.txt

Building:

This build works on both Python 2 and Python 3 and puts the .exe file into the dist directory. Install pyinstaller using pip command:

pip install pyinstaller

And run the following command:

pyinstaller --onefile main.py

Scanning:

Compares build number against 'Fixed In' build numbers and displays the results.

main.py --scan uac
main.py --scan persist
main.py --scan elevate

Example results when scanning for possible UAC methods

 Id:    Type:           Compatible:     Description:
 ----   ------          -----------     -------------
 1      UAC bypass      No              UAC bypass using runas
 2      UAC bypass      Yes             UAC bypass using fodhelper.exe
 3      UAC bypass      Yes             UAC bypass using slui.exe
 4      UAC bypass      Yes             UAC bypass using silentcleanup scheduled task
 5      UAC bypass      No              UAC bypass using sdclt.exe (isolatedcommand)
 6      UAC bypass      No              UAC bypass using sdclt.exe (App Paths)
 7      UAC bypass      No              UAC bypass using perfmon.exe

UAC bypass techniques:

UAC bypass using runas
- Id: 1
- Method: Windows API, this only works if UAC is set to never notify
- Syntax: main.py --use uac --id 1 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: n/a
UAC bypass using fodhelper.exe
- Id: 2
- Method: Registry key (Class) manipulation
- Syntax: main.py --use uac --id 2 --payload c:\\windows\\system32\\cmd.exe
- Works from: 10240
- Fixed in: n/a
UAC bypass using slui.exe
- Id: 3
- Method: Registry key (Class) manipulation
- Syntax: main.py --use uac --id 3 --payload c:\\windows\\system32\\cmd.exe
- Works from: 9600
- Fixed in: n/a
UAC bypass using silentcleanup scheduled task
- Id: 4
- Method: Registry key (Environment) manipulation, this bypasses UAC's Always Notify.
- Syntax: main.py --use uac --id 4 --payload c:\\windows\\system32\\cmd.exe
- Works from: 9600
- Fixed in: n/a
UAC bypass using sdclt.exe (isolatedcommand)
- Id: 5
- Method: Registry key (Class) manipulation
- Syntax: main.py --use uac --id 5 --payload c:\\windows\\system32\\cmd.exe
- Works from: 10240
- Fixed in: 17025
UAC bypass using sdclt.exe (App Paths)
- Id: 6
- Method: Registry key (App Paths) manipulation
- Syntax: main.py --use uac --id 6 --payload c:\\windows\\system32\\cmd.exe
- Works from: 10240
- Fixed in: 16215
UAC bypass using perfmon.exe
- Id: 7
- Method: Registry key (Volatile Environment) manipulation
- Syntax: main.py --use uac --id 7 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: 16299
UAC bypass using eventvwr.exe
- Id: 8
- Method: Registry key (Class) manipulation
- Syntax: main.py --use uac --id 8 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: 15031
UAC bypass using compmgmtlauncher.exe
- Id: 9
- Method: Registry key (Class) manipulation
- Syntax: main.py --use uac --id 9 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: 15031
UAC bypass using computerdefaults.exe
- Id: 10
- Method: Registry key (Class) manipulation
- Syntax: main.py --use uac --id 10 --payload c:\\windows\\system32\\cmd.exe
- Works from: 10240
- Fixed in: n/a
UAC bypass using cliconfg.exe (DLL payload only)
- Id: 11
- Method: DLL hijack using makecab and wusa
- Syntax: main.py --use uac --id 11 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: 9800
UAC bypass using mcx2prov.exe (DLL payload only)
- Id: 12
- Method: DLL hijack using makecab and wusa
- Syntax: main.py --use uac --id 12 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: 10147
UAC bypass using migwiz.exe (DLL payload only)
- Id: 13
- Method: DLL hijack using makecab and wusa
- Syntax: main.py --use uac --id 13 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: 10147
UAC bypass using sysprep.exe (DLL payload only)
- Id: 14
- Method: DLL hijack using makecab and wusa
- Syntax: main.py --use uac --id 14 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: 9600
UAC bypass using token manipulation
- Id: 15
- Method: Token manipulation
- Syntax: main.py --use uac --id 15 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: 17686
UAC bypass using sdclt.exe (Folder)
- Id: 16
- Method: Registry key (Class) manipulation
- Syntax: main.py --use uac --id 16 --payload c:\\windows\\system32\\cmd.exe
- Works from: 14393
- Fixed in: n/a
UAC bypass using cmstp.exe
- Id: 17
- Method: Malicious ini file
- Syntax: main.py --use uac --id 16 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: n/a
UAC bypass using .NET Code Profiler (DLL payload only)
- Id: 18
- Method: Registry key (Class) manipulation and DLL hijack
- Syntax: main.py --use uac --id 18 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: n/a
UAC bypass using mocking trusted directories (DLL payload only)
- Id: 19
- Method: Mock SystemRoot directory and DLL hijack
- Syntax: main.py --use uac --id 19 --payload c:\\windows\\system32\\cmd.exe
- Works from: 7600
- Fixed in: n/a
UAC bypass using wsreset.exe
- Id: 20
- Method: Registry key (Class) manipulation
- Syntax: main.py --use uac --id 19 --payload c:\\windows\\system32\\cmd.exe
- Works from: 17134
- Fixed in: n/a
UAC bypass using slui.exe and changepk.exe
- Id: 21
- Method: Registry key (Class) manipulation
- Syntax: main.py --use uac --id 21 --payload c:\\windows\\system32\\cmd.exe
- Works from: 17763
- Fixed in: n/a

Persistence techniques:

Persistence using explorer.exe (DLL payload only)
- Id: 1
- Method: DLL hijack using makecab and wusa
- Syntax: main.py --use persist --id 1 --payload c:\\windows\\system32\\cmd.exe
- Requires: n/a
- Works from: 7600
- Fixed in: 9800
Persistence using mofcomp.exe (SYSTEM privileges)
- Id: 2
- Method: Malicious mof file using EventFilter EventConsumer and binding
- Syntax: main.py --use persist --id 2 --payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Persistence using schtasks.exe (SYSTEM privileges)
- Id: 3
- Method: Malicious scheduled task
- Syntax: main.py --use persist --id 3 --payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Persistence using image file execution option and magnifier.exe
- Id: 4
- Method: Image File Execution Options debugger and accessibility application
- Syntax: main.py --use persist --id 4 --payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Persistence using userinit key
- Id: 5
- Method: Registry key (UserInit) manipulation
- Syntax: main.py --use persist --id 5 --payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Persistence using HKCU run key
- Id: 6
- Method: Registry key (HKCU Run) manipulation
- Syntax: main.py --use persist --id 6 --payload c:\\windows\\system32\\cmd.exe
- Requires: n/a
- Works from: 7600
- Fixed in: n/a
Persistence using HKLM run key
- Id: 7
- Method: Registry key (HKLM Run) manipulation
- Syntax: main.py --use persist --id 7 --payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Persistence using wmic.exe (SYSTEM privileges)
- Id: 8
- Method: Malicious mof file using EventFilter EventConsumer and binding
- Syntax: main.py --use persist --id 8 --payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Persistence using startup files
- Id: 9
- Method: Malicious lnk file in startup directory
- Syntax: main.py --use persist --id 9 --payload c:\\windows\\system32\\cmd.exe
- Requires: n/a
- Works from: 7600
- Fixed in: n/a
Persistence using cortana windows app
- Id: 10
- Method: Registry key (Class) manipulation
- Syntax: main.py --use persist --id 10--payload c:\\windows\\system32\\cmd.exe
- Requires: n/a
- Works from: 14393
- Fixed in: n/a
Persistence using people windows app
- Id: 11
- Method: Registry key (Class) manipulation
- Syntax: main.py --use persist --id 11--payload c:\\windows\\system32\\cmd.exe
- Requires: n/a
- Works from: 14393
- Fixed in: n/a
Persistence using bitsadmin.exe
- Id: 12
- Method: Malicious bitsadmin job
- Syntax: main.py --use persist --id 12--payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Persistence using Windows Service (SYSTEM privileges)
- Id: 13
- Method: Malicious Windows Service
- Syntax: main.py --use persist --id 13--payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a

Elevation techniques:

Elevate from administrator to NT AUTHORITY SYSTEM using handle inheritance
- Id: 1
- Method: Handle inheritance
- Syntax: main.py --use elevate --id 1--payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Elevate from administrator to NT AUTHORITY SYSTEM using token impersonation
- Id: 2
- Method: Token impersonation
- Syntax: main.py --use elevate --id 2--payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Elevate from administrator to NT AUTHORITY SYSTEM using named pipe impersonation
- Id: 3
- Method: Named pipe impersonation
- Syntax: main.py --use elevate --id 3--payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Elevate from administrator to NT AUTHORITY SYSTEM using schtasks.exe (non interactive)
- Id: 4
- Method: Malicious scheduled task that gets deleted once used
- Syntax: main.py --use elevate --id 4--payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Elevate from administrator to NT AUTHORITY SYSTEM using wmic.exe (non interactive)
- Id: 5
- Method: Malicious mof file using EventFilter EventConsumer and binding that gets deleted once used
- Syntax: main.py --use elevate --id 5--payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Elevate from administrator to NT AUTHORITY SYSTEM using Windows Service (non interactive)
- Id: 6
- Method: Malicious Windows Service that gets deleted once used
- Syntax: main.py --use elevate --id 6--payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a
Elevate from administrator to NT AUTHORITY SYSTEM using mofcomp.exe (non interactive)
- Id: 7
- Method: Malicious mof file using EventFilter EventConsumer and binding that gets deleted once used
- Syntax: main.py --use elevate --id 7--payload c:\\windows\\system32\\cmd.exe
- Requires: Administrator rights
- Works from: 7600
- Fixed in: n/a

Importing:

Bypass UAC using uacMethod2

from winpwnage.functions.uac.uacMethod2 import uacMethod2
uacMethod2(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"])

Persist on system using persistMethod4

from winpwnage.functions.persist.persistMethod4 import persistMethod4
persistMethod4(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"])

Elevate from administrator to SYSTEM using elevateMethod1

from winpwnage.functions.persist.elevateMethod1 import elevateMethod1
elevateMethod1(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"])

jasonadsit/WinPwnage