A long time ago, I started writing a tool to look for local privilege escalation vectors on Windows systems – e.g. weak permissions on files, directories, service registy keys.  I never quite got round to finishing it, but the project could still be useful to pentesters and auditors in its current part-finished state. I’d suggest giving it a […]

Exposing only part of C: over Terminal Services

Ken Johnson gives a useful tip on his blog about limiting access to your local drives when you make a Terminal Services connection.  This is not new, but it’s useful enough to be worth summarizing here. When I audit a system via Terminal Services, I usually map a drive to or from the system depending on […]

The Ultimate Unix Cheat Sheet

I just stumbled across Rosetta Stone for Unix, a brilliant page that lists how to do a large number of tasks in a variety of unix-like operating systems.  I wish I’d found this years ago. It should be very handy for pentesting or auditing those less familiar unix flavours. I’ll definitely taking a copy with […]

unix-privesc-check Update: v1.4

The next version of unix-privesc-check has just been released.  Download it here. This version checks the file permissions of SUID programs.  It should catch issue like the recent Ingres privesc where and SUID programs used a shared object file that could be modified by a non-root user.

unix-privesc-check Update: v1.3

I just updated unix-privesc-check.  Download it here. This release fixes a couple of minor bugs in the reporting of cron-related issues and some problem while running under /bin/sh (as opposed to /bin/bash).

exploit-suggester Update: v0.2

I just released an important update to exploit-suggester.  Download it here. It seems that “showrev -p” sometimes lists multiple revisions for the same patch.  This caused exploit-suggester to return false-positives.


Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2).  It tries to find misconfigurations that could allow local unprivilged users to escalate privileges to other users or to access local apps (e.g. databases). It is written as a single shell script so it can be […]