Windows Hacking Pack

Tools here for Windows Hacking Pack are from different sources. The repo is generally licensed with WTFPL, but some content may be not (eg. sysinternals). “pes” means “PE Scambled”. It’s useful sometimes.

Remote Exploits For Windows Hacking Pack

Windows 2000 / XP SP1
MS05-039 Microsoft Plug and Play Service Overflow, Works with SSDP too

Windows XP/NT (beofre SP2)
MS03-026  Microsoft RPC DCOM Interface Overflow (

Windows XP (SP2 and SP3) (can be used also for priv esc)
MS08-067 Remote Stack Overflow Vulnerability Exploit (srvscv)

Windows Windows 7 and Server 2008 R2 (x64) All Service Packs
MS17-010 aka "Eternal Blue"

Windows Server 2016 (DoS, may lead to exec)
"Fuzzing SMB" video, showing the crash:

Privilege Escalation

First, if you have meterpreter, it may be a good idea to try "getsystem".

Privilege escalation for Windows XP SP2 and before
This can exploit vulnerable services.
Example: srvcheck3.exe -m upnphost -H -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"

Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7
MS10-015 / CVE-2010-0232 /

Other ways of exploits listed
Windows XP/2003
MS11-080  → Local Privilege Escalation Exploit  Afd.sys

Windows Vista/7 
CVE: 2010-4398  Elevation of Privileges (UAC Bypass)

Windows 8.1 (and before)
MS14-058 → TrackPopupMenu Privilege Escalation

Windows 8.1 (and before)
MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"

Windows 10 (and before)
Hot Potato (nbns spoof + wpad + smb ntlm)

Windows 10 (and before)
Link/URL based exploitation of NetNTLM hashes. Eg. sending link file in email or dropping on file share.
Technique presented here:

Windows XP SP2 (and before)
srvcheck3.exe - upnp service or SSDPSRV service 

Windows XP/2003
MS11-080  → Local Privilege Escalation Exploit  Afd.sys

Windows Vista/7 
CVE: 2010-4398  Elevation of Privileges (UAC Bypass)

Windows 8.1 (and before)
MS14-058 → TrackPopupMenu Privilege Escalation

Windows 8.1 (and before)
MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"

Windows NT/2K/XP/2K3/Vista/2K8/7/8
KiTrap0D - EPATHOBJ Local Ring Exploit

Windows 10 (and before)
Hot Potato (nbns spoof + wpad + smb ntlm)

Windows XP (and after)
.lnk exploit for receiving NetNTLM hashes remotely.

Backup files if contain sam

Tools to get the SAM database if locked: pwdump, samdump, samdump2, Cain&Abel
Otherwise just copy.

Dump SAM through shadow volume
If it can be created the database could be copied from this.
Vista command: vssadmin create shadow
Server 2008 command: diskshadow

Windows Credentials Editor
WCE / Windows Credentials Editor can recover password hashes from LSASS -
WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions). 

Mimikatz dumping
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam

Cachedump aka In-memory attacks for SAM hashes / Cached Domain Credentials
fgdump.exe (contains pwdump and cachedump, can read from memory)

SAM dump (hive)
"A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."

Dump SAM, then spray hashes
keimpx (try hashes with different users, against domain accounts)

LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel

PassTheHash (before Windows 8.1)
pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 // cmd

PassTheTicket (Kerberos)
mimikatz can do it

Duplicate Access Tokens (if admin access token can be used, it's win)

Token "Kidnapping"
MS 09-12, Churrasco.bin shell.bin (runs shell.bin with nt system authority)

Other notablelo tools
psexec, smbshell, metasploit’s psexec, etc - It allows to visualize connections in an AD domain and find fast escalation ways.

To Be Added
- --> Stuff for dumping passwords
- openvpn
- evilgrade

Hashes (SHA256) and VirusTotal scans

8ee65368afcd98ea660f5161f9cbe0c4c08863018f28e5eb024d8db58b234333  AwesomerShell.tar
7487ec568b6e2547ef30957610e60df3089d916f043b02da1167959dd9e0c051  KiTrap0D.tar
96f17857f3eb28a7d93dad930bc099a3cb65a9a2afb37069bfd1ba5ec5964389  LICENSE.txt
b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e  ncat.exe
da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b  ncat_pes.exe
be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b  nc.exe
56580f1eebdccfbc5ce6d75690600225738ddbe8d991a417e56032869b0f43c7  nmap-7.12-setup-gui.exe
976c216119d5627afc9ad29fd4f72e38de3711d65419fda6482bc795e0ebf654  plink.exe
952aa0bfb7ea58669fb50b945a09e9e69cd178739c5d1281a45ecfc54cc7f92f  srvcheck3.exe
ca5214e14ed5e879dd000a8a13895c474c89248386e9d337dd43f105a70f4170  PEScrambler.exe
8e9bc40efd17a37a4ecf7ada7a3d739f343e207abe4e17f05a531baccc607336  windows-privesc-check.exe
ffe3808989bdfe986b17023e5d6583d49d644182e81234dc1db604e260ba76c9  fgdump.exe
950bbdde2cc92799675c138fd8dfb2b60f0c01759533bc1a6993559508bd131e  Responder.tar
54bd6cccf4c74604eb9956ce167a3ea94a06fabf4954e691d020023f8827c448  samdump2.exe
ece925f85dc15b816dacacbb92ad41045f0cc58c2e10c5d3b66723ae11cf65c8  wce_getlsasrvaddr.exe
c6333c684762ed4b4129c7f9f49c88c33384b66dfb1f100e459ec6f18526dff7  wce_v1_41beta_universal.exe
ecbac2a6c0bf8dbc7bed2370ed098cd43a56b0d69a0db1d5715751270711f1d6  wce_v1_42beta_x32.exe

5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976  sources/nc110.tgz
47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9  sources/rdp2tcp-0.1.tar.gz
33d109696d22b7e89f4eac6d07f4b4461551247ce2bfcbead09373ce39364f78  sources/
f706df25bb061a669b13ff76c121a8d72140406c7b0930bae5dcf713f9520a56  sources/3proxy-0.8.6.tar.gz
7e8cfbf10bcc91fa9b9a60d3335d4a52bd6d4b6ca888533dbdd2afc86bebb5cc  sources/3proxy-0.9-devel.tgz
dec12905822ea64676d0ec58b62c00631ef8ddde2c700ffe74bfcf9026f17d81  sources/fgdump-2.1.0.tar.bz2
352888e441be33ae6266cfac1a072d52cfaafd65cc33b07daa51600f1cd803ca  sources/impacket_0-9-15.tar
21faf49ae9ff08054214675f18d813bcf042798c325d68ae8b2417a119b439f4  sources/keimpx-0.3-dev.tar
16136256911c31f7c56eef415b11e14c13abe89cface46df78033456194eddfd  sources/
602659af30c565750fa01650e0a223d26355b5df98f2fbc30e3a6c593ed4e526  sources/samdump2-3.0.0.tar.bz2

SHA256: b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e

SHA256: da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b

SHA256: 5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976

SHA256: 47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9

Also Read Bad-PDF To Steal NTLM Hashes From Windows Machines