# Tools

| Tool                                                                                                     | Description                                                                                                                                                                                                                                                                                                               |
| -------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Seatbelt](https://github.com/GhostPack/Seatbelt)                                                        | C# project for performing a wide variety of local privilege escalation checks                                                                                                                                                                                                                                             |
| [winPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) | WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. All of the checks are explained [here](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)                                                                                                          |
| [PowerUp](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1)      | PowerShell script for finding common Windows privilege escalation vectors that rely on misconfigurations. It can also be used to exploit some of the issues found                                                                                                                                                         |
| [SharpUp](https://github.com/GhostPack/SharpUp)                                                          | C# version of PowerUp                                                                                                                                                                                                                                                                                                     |
| [JAWS](https://github.com/411Hall/JAWS)                                                                  | PowerShell script for enumerating privilege escalation vectors written in PowerShell 2.0                                                                                                                                                                                                                                  |
| [SessionGopher](https://github.com/Arvanaghi/SessionGopher)                                              | SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information                                                                                                                         |
| [Watson](https://github.com/rasta-mouse/Watson)                                                          | Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.                                                                                                                                                                                                    |
| [LaZagne](https://github.com/AlessandroZ/LaZagne)                                                        | Tool used for retrieving passwords stored on a local machine from web browsers, chat tools, databases, Git, email, memory dumps, PHP, sysadmin tools, wireless network configurations, internal Windows password storage mechanisms, and more                                                                             |
| [Windows Exploit Suggester - Next Generation](https://github.com/bitsadmin/wesng)                        | WES-NG is a tool based on the output of Windows' `systeminfo` utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported                 |
| [Sysinternals Suite](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)         | We will use several tools from Sysinternals in our enumeration including [AccessChk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk), [PipeList](https://docs.microsoft.com/en-us/sysinternals/downloads/pipelist), and [PsService](https://docs.microsoft.com/en-us/sysinternals/downloads/psservice) |

## PowerUp

{% embed url="<https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1>" %}

{% embed url="<https://blog.harmj0y.net/powershell/powerup-a-usage-guide/>" %}

```
PS C:\Users\Peter> Import-Module .\PowerUp.ps1
PS C:\Users\Peter> Invoke-AllChecks
```

<figure><img src="/files/Wm6b6cI8UHUeneHYSiC9" alt=""><figcaption></figcaption></figure>

## SharpUp

{% embed url="<https://github.com/GhostPack/SharpUp>" %}

{% embed url="<https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe>" %}

```
SharpUp.exe audit
#-> Runs all vulnerability checks regardless of integrity level or group membership.

SharpUp.exe HijackablePaths
#-> Check only if there are modifiable paths in the user's %PATH% variable.

SharpUp.exe audit HijackablePaths
#-> Check only for modifiable paths in the user's %PATH% regardless of integrity level or group membership.
```

### ACEshark

{% embed url="<https://github.com/t3l3machus/ACEshark>" %}

<figure><img src="/files/5CaKoohXKMAZoK0exkDc" alt=""><figcaption></figcaption></figure>

## WinPEAS

{% embed url="<https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe/winPEAS/bin>" %}

## PrivescCheck

{% embed url="<https://github.com/itm4n/PrivescCheck>" %}
PrivescCheck
{% endembed %}

## PrivEsc

{% embed url="<https://github.com/enjoiz/Privesc>" %}

```
# Run all checks

Invoke-PrivEsc
```

## Carseat

Python implementation of Seatbelt

{% embed url="<https://github.com/0xthirteen/Carseat>" %}

## Windows-Exploit-Suggester

{% embed url="<https://github.com/AonCyberLabs/Windows-Exploit-Suggester>" %}

### WES-NG

{% embed url="<https://github.com/bitsadmin/wesng>" %}

## Watson - Exploit Suggester

{% embed url="<https://github.com/rasta-mouse/Watson>" %}

## BeRoot

{% embed url="<https://github.com/AlessandroZ/BeRoot>" %}
BeRoot
{% endembed %}

## Pre-compiled Tools

{% embed url="<https://github.com/r3motecontrol/Ghostpack-CompiledBinaries>" %}

### All Tools from CPTS pre-compiled

{% embed url="<https://mega.nz/folder/GY8DDBBB#PNRdpDHBsoc3wouWgytiiQ>" %}
Windows Privilege Escalation Tools (CPTS) - Mega
{% endembed %}

Also on my GitHub:

{% embed url="<https://github.com/0xSs0rZ/Windows_PrivEsc_Tools_precompiled>" %}


