A long time ago, I started writing a tool to look for local privilege escalation vectors on Windows systems – e.g. weak permissions on files, directories, service registy keys. I never quite got round to finishing it, but the project could still be useful to pentesters and auditors in its current part-finished state.
I’d suggest giving it a try next time you do a security audit with local administrator rights, or next time you get a non-admin logon to a Windows system during a pentest. It was designed to be useful for both.
Trunk contains the best all-round version. It checks some file, directory, registry and service permissions (among other things). Reports are in HTML.
The newer wpc-2.0 branch does a better job at auditing Windows services – but does little else. Reports are in text only.
You only need to download the .exe file. Full source code is available too, though. It’s written in Python, uses pywin32 and “compiled” with pyinstaller. You don’t need to download any dependencies (even python) unless you’re planning to build the .exe yourself.
Why 2 versions?
The code in “trunk” wasn’t object-oriented, making it harder to work with. I rewrote it to create the “wpc-2.0″ branch. Much better – but alas, not finished.
Can I see the source code?
Yes, it’s on google code along with the executables.
Will the program elevate privileges for me?
No. It gives you a report describing any potential vulnerabilities it finds, but doesn’t have any autopwn features. This is mostly to reduce the risk of my code accidentally breaking your client’s system