# Windows-Exploit-Suggester

Windows Exploit Suggester (WES-ng) parses the output of the Windows `systeminfo` command and matches the operating system version and installed hotfixes against a database of known Windows vulnerabilities, flagging those that have public exploits available.
## Installation

```bash
# Clone repository
git clone https://github.com/bitsadmin/wesng.git
cd wesng
# Install requirements
pip install -r requirements.txt
# Update vulnerability database (downloads definitions.zip into the working directory)
python wes.py --update
# Or download precompiled binary
wget https://github.com/bitsadmin/wesng/releases/download/v1/wes.exe
```
## Basic Usage

| Command | Description |
|---|---|
| `python wes.py systeminfo.txt` | Analyze systeminfo output and list matching vulnerabilities |
| `python wes.py -u` | Update the WES vulnerability definitions |
| `python wes.py --help` | Display help information |
| `python wes.py systeminfo.txt -e` | Show only vulnerabilities with a known public exploit |
| `python wes.py systeminfo.txt -s Critical` | Filter by severity (Critical, Important, Moderate, Low) |
| `python wes.py systeminfo.txt -i "Elevation of Privilege"` | Filter by impact type (e.g. Elevation of Privilege, Remote Code Execution) |
## Gathering System Information

### From Target Windows System

```powershell
# Get full system information (LIST format, the default, is what WES expects)
systeminfo > systeminfo.txt
# Same output with the format requested explicitly
systeminfo /fo list > systeminfo.txt
# Get only selected fields
systeminfo | find "OS Name"
systeminfo | find "System Boot Time"
systeminfo | find "Processor"
# Get installed hotfixes/patches (the output of 'wmic qfe list' can be passed to WES as its optional second argument)
wmic qfe list brief /format:table
Get-HotFix | Format-Table
```
### From Linux/Attacker Machine

```powershell
# If you have WinRM access (run from a Windows host with remoting enabled)
winrs -r:target systeminfo > systeminfo_target.txt
# Via psexec or other remote execution
psexec -i \\target cmd /c "systeminfo > C:\systeminfo.txt"
```
## Analyzing with WES

### Basic Analysis

```bash
# Analyze systeminfo.txt against the definitions database
python wes.py systeminfo.txt
# Filter by impact type (-i / --impact)
python wes.py systeminfo.txt -i "Elevation of Privilege"
# Export results to a CSV file (opens in Excel or any spreadsheet)
python wes.py systeminfo.txt -o results.csv
# Show only vulnerabilities that have a known public exploit
python wes.py systeminfo.txt -e
```
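The matching step WES performs (OS build and installed hotfixes checked against a definitions table, with a superseding KB counting as the fix being installed) as an added Python example; this is not WES-ng's own code. The `systeminfo` text, the definitions CSV and every CVE and KB identifier in it are constructed placeholders, the CSV columns and the supersedence handling are a simplified assumption rather than WES-ng's real definitions format, and the `extra_patches` and `severities` parameters stand in for the `-p` and `-s` options.

```python
"""Miniature version of the check WES-ng performs: parse `systeminfo` output,
pull out the OS name, build number and installed hotfixes, then match them
against a definitions table of (CVE, product, build, fixing KB, superseding KB,
severity, impact). Added example, not WES-ng's own code; the definitions rows,
CVE/KB identifiers and the systeminfo text are constructed sample data."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of `systeminfo` output in LIST format (what WES expects).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5000001
                           [02]: KB5000002
                           [03]: KB5000003
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed definitions table with placeholder CVE and KB ids (not real advisories).
SAMPLE_DEFINITIONS = """\
CVE,Product,Build,KB,SupersededBy,Severity,Impact
CVE-0000-0001,Windows 10,19042,KB5000001,,Important,Elevation of Privilege
CVE-0000-0002,Windows 10,19042,KB5000010,KB5000003,Critical,Remote Code Execution
CVE-0000-0003,Windows 10,19042,KB5000020,,Critical,Remote Code Execution
CVE-0000-0004,Windows 10,19041,KB5000030,,Moderate,Information Disclosure
CVE-0000-0005,Windows 10,19042,KB5000040,KB5000050,Important,Elevation of Privilege
"""


@dataclass
class HostInfo:
    os_name: str
    build: str
    hotfixes: set


def parse_systeminfo(text):
    """Extract OS name, build number and installed KBs from LIST-format systeminfo."""
    os_name, build, hotfixes = "", "", set()
    in_hotfixes = False
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            match = re.search(r"Build (\d+)", line)
            build = match.group(1) if match else ""
        elif line.startswith("Hotfix(s):"):
            in_hotfixes = True
        elif in_hotfixes:
            if not line.startswith(" "):  # next top-level field ends the hotfix list
                in_hotfixes = False
            else:
                hotfixes.update(re.findall(r"KB\d+", line))
    return HostInfo(os_name, build, hotfixes)


def load_definitions(csv_text):
    """Read the (constructed) definitions CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_patched(kb, installed, supersedes):
    """True if the fixing KB, or any later KB that supersedes it, is installed."""
    seen = set()
    while kb and kb not in seen:
        if kb in installed:
            return True
        seen.add(kb)
        kb = supersedes.get(kb, "")
    return False


def find_vulnerabilities(host, definitions, extra_patches=(), severities=None):
    """Return definition rows that apply to the host and are not patched.

    extra_patches mimics WES's -p/--patches (KBs known to be installed but
    absent from systeminfo); severities mimics -s/--severity."""
    installed = host.hotfixes | set(extra_patches)
    supersedes = {d["KB"]: d["SupersededBy"] for d in definitions if d["SupersededBy"]}
    wanted = {s.lower() for s in severities} if severities else None
    found = []
    for d in definitions:
        if d["Product"] not in host.os_name or d["Build"] != host.build:
            continue  # definition is for another product or build
        if wanted and d["Severity"].lower() not in wanted:
            continue
        if not is_patched(d["KB"], installed, supersedes):
            found.append(d)
    return found


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    for row in find_vulnerabilities(host, load_definitions(SAMPLE_DEFINITIONS)):
        print(f"{row['CVE']}  {row['Severity']:<10} {row['Impact']}  fix: {row['KB']}")
```

Run stand-alone, the sample host is reported as missing the fixes for CVE-0000-0003 and CVE-0000-0005: CVE-0000-0002 is dropped because its fixing KB is superseded by an installed one, and CVE-0000-0004 because it targets a different build. Supersedence is why a host with few hotfixes listed can still be fully patched, and why a raw "fixing KB not present" check over-reports.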
### Filtering Exploits

```bash
# Filter by severity (Critical, Important, Moderate, Low)
python wes.py systeminfo.txt -s Critical
# Filter by impact type (e.g. "Elevation of Privilege", "Remote Code Execution")
python wes.py systeminfo.txt -i "Elevation of Privilege"
# Look up a specific CVE (WES has no per-CVE filter; grep its record in the output)
python wes.py systeminfo.txt | grep -B1 -A7 "^CVE: CVE-2021-1732"
# Tell WES about an installed patch that systeminfo did not list
python wes.py systeminfo.txt -p KB5001635
# Hide vulnerabilities in products you are not interested in
python wes.py systeminfo.txt --hide "Internet Explorer" Edge Flash
```
## Database Management

### Updating Vulnerability Database

```bash
# Update WES definitions from GitHub (downloads definitions.zip)
python wes.py --update
# Show version information
python wes.py --version
# Force a clean re-download of the definitions
rm -f definitions.zip && python wes.py --update
# Use a definitions file from a custom location
python wes.py --definitions /path/to/definitions.zip systeminfo.txt
```
### Database Inspection

```bash
# definitions.zip holds the CVE database as CSV; list its contents
unzip -l definitions.zip
# Count entries (includes the CSV header line)
unzip -p definitions.zip | wc -l
# Search for a specific CVE in the database
unzip -p definitions.zip | grep CVE-2021-1732
# Extract the database to a file
unzip -p definitions.zip > definitions.csv
```
## Common Vulnerabilities and Exploits

### Privilege Escalation CVEs

- CVE-2021-1732 - Win32k Elevation of Privilege
  - Impact: HIGH - Local privilege escalation via CreateWindowEx
- CVE-2021-21224 - Win32k Elevation of Privilege
  - Impact: CRITICAL - Privilege escalation without user interaction
- CVE-2020-1054 - Win32k Privilege Escalation
  - Impact: HIGH - Exploitation via SetWindowLongPtr
- CVE-2019-1215 - Win32k Elevation of Privilege
  - Impact: CRITICAL - Local privilege escalation vector
- CVE-2019-1458 - Win32k Elevation of Privilege
  - Impact: CRITICAL - UAF vulnerability in Win32k subsystem

### Remote Code Execution CVEs

- CVE-2020-1472 - Zerologon (Netlogon RPC)
  - Impact: CRITICAL - Domain controller compromise via RPC
- CVE-2021-44228 - Log4Shell (if vulnerable application installed)
  - Impact: CRITICAL - Remote code execution via Java logging
- CVE-2022-26923 - Active Directory Kerberos Delegation
  - Impact: HIGH - Domain escalation via unconstrained delegation

### Information Disclosure

- CVE-2020-0787 - BITS Service RCE
  - Impact: HIGH - Privilege escalation via BITS
- CVE-2021-34527 - PrintNightmare (Print Spooler)
  - Impact: CRITICAL - Remote code execution on print servers
## Exploitation Workflow

### Step 1: Gather System Information

```bash
# On target Windows system
systeminfo > C:\systeminfo.txt
# Copy to attacker machine (requires OpenSSH on the Windows host)
# scp user@target:C:/systeminfo.txt .
```
### Step 2: Run WES Analysis

```bash
# Run initial analysis
python wes.py systeminfo.txt
# Example output (abridged; WES prints one multi-line record per finding,
# KB, date, product and exploit URL shown here as placeholders):
# [+] Found 23 vulnerabilities
#
# Date: <yyyymmdd>
# CVE: CVE-2021-1732
# KB: KB<number>
# Title: Win32k Elevation of Privilege Vulnerability
# Affected product: <product>
# Affected component: Windows
# Severity: Important
# Impact: Elevation of Privilege
# Exploit: <url>
```
### Step 3: Prioritize Exploits

```bash
# Filter by critical severity only
python wes.py systeminfo.txt -s Critical
# Filter for local privilege escalation findings
python wes.py systeminfo.txt -i "Elevation of Privilege"
# Show only findings that have a public exploit
python wes.py systeminfo.txt -e
```
### Step 4: Find and Download Exploit Code

```bash
# Search Exploit-DB for CVE
searchsploit "CVE-2021-1732"
# Copy the exploit locally (-m mirrors it into the current directory)
searchsploit -m 49999
# Search GitHub for PoC
# https://github.com/search?q=CVE-2021-1732
# Manual compilation and execution
# Download source code and compile with Visual Studio or mingw (cross-compiler on Linux)
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe
```
### Step 5: Verify Patch Level

```powershell
# Check if specific KB (patch) is installed
wmic qfe list | find "KB5001635"
# List all installed patches
Get-HotFix | Select HotFixID, Description, InstalledOn
```
## Output Interpretation

### High Priority Indicators

- [CRITICAL] CVE-2021-44228 - RCE in Log4j
  - Type: Remote Code Execution
  - Impact: Immediate system compromise
  - Requires: Application to use vulnerable Log4j version
- [CRITICAL] CVE-2020-1472 - Zerologon
  - Type: Domain Controller Compromise
  - Impact: Active Directory takeover
  - Requires: Network access to DC on port 389
- [HIGH] CVE-2021-1732 - Win32k Privilege Escalation
  - Type: Local Privilege Escalation
  - Impact: SYSTEM level access from user account
  - Requires: Local code execution capability
### Understanding WES Output

WES prints a summary line and then one block per finding, each block a set of `Key: Value` lines:

```
[+] Found 45 vulnerabilities

Date: <yyyymmdd>
CVE: <CVE-ID>
KB: <fixing KB>
Title: <vulnerability title>
Affected product: <OS or product edition>
Affected component: <component>
Severity: <Critical | Important | Moderate | Low>
Impact: <Elevation of Privilege | Remote Code Execution | ...>
Exploit: <URL of a public exploit, if one is known>
```

Severity levels (Microsoft's rating; filter with `-s`):
- Critical: Immediate system compromise possible
- Important: Significant security risk
- Moderate: Limited scope of impact
- Low: Minor security issue

Impact values (what a successful exploit yields; filter with `-i`):
- Elevation of Privilege: Requires local code execution, yields higher privileges
- Remote Code Execution: Exploitable over the network
- Information Disclosure, Denial of Service, Security Feature Bypass, Spoofing, Tampering: the remaining Microsoft impact categories
## Finding Exploit Code

### Trusted Sources

```bash
# Exploit-DB (part of Kali Linux)
searchsploit "CVE-2021-1732"
searchsploit -m 49999 # Copy the exploit locally
# GitHub repositories
# https://github.com/search?type=code&q=CVE-2021-1732
# Security advisory pages
# https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732
# Metasploit Framework
msfconsole
msf > search type:exploit CVE-2021-1732
msf > use exploit/windows/local/cve_2021_1732
```
## Automation and Integration

### Batch Processing Multiple Systems

```bash
#!/bin/bash
# Analyze systeminfo output collected from multiple hosts and aggregate results.
# Expects one file per host, gathered beforehand as systeminfo_<hostname>.txt
# (systeminfo itself only runs on the Windows host, not on the analysis machine).
while read -r target; do
    echo "[*] Analyzing $target..."
    python wes.py "systeminfo_${target}.txt" > "results_${target}.txt"
done < targets.txt
# Aggregate critical findings: in each record the CVE: line precedes the Severity: line
echo "[*] Critical Vulnerabilities:"
awk '/^CVE:/ {cve=$2} /^Severity: Critical/ {print FILENAME, cve}' results_*.txt | sort -u
```
### Integration with Metasploit

```bash
# Use WES to spot findings whose exploit link points at Metasploit
python wes.py systeminfo.txt | grep -i "metasploit"
# Automatically check Metasploit for each CVE found (CVE ids are the second field of the "CVE:" lines)
for cve in $(python wes.py systeminfo.txt | awk '/^CVE:/ {print $2}' | sort -u); do
    msfconsole -q -x "search $cve; exit"
done
```
### Export and Reporting

```bash
# Write the results to a CSV file
python wes.py systeminfo.txt -o report.csv
# Quick filter on the CSV: critical findings only
grep -i critical report.csv
# The CSV opens directly in Excel or any spreadsheet for reporting
```
## Best Practices

### Before Running Exploits

- Verify patch levels - Confirm the system is actually vulnerable
- Test in isolated environment - Try exploits on test systems first
- Backup configurations - Document the current system state
- Update WES database - Ensure you have the latest CVE information
- Cross-reference sources - Verify CVE details from multiple sources
### Documentation

```bash
# On the Windows host: collect system details and the installed patch list
systeminfo > systeminfo.txt
wmic qfe list > qfe.txt
# On the analysis machine: document findings for remediation in a dated audit file
# (WES lists the missing patches itself when given the qfe output as second argument)
audit="vulnerability_audit_$(date +%Y%m%d).txt"
python wes.py systeminfo.txt qfe.txt > "$audit"
# Append the raw system details and installed patches for the record
{ echo "=== systeminfo ==="; cat systeminfo.txt; echo "=== installed patches ==="; cat qfe.txt; } >> "$audit"
```
### Remediation Workflow

```bash
# After patching the system, collect systeminfo again and re-run WES
systeminfo > systeminfo_after_patch.txt
python wes.py systeminfo_after_patch.txt
# Compare vulnerability counts before/after (WES prints one "CVE:" line per finding)
echo "Before patch:"
python wes.py systeminfo.txt | grep -c "^CVE:"
echo "After patch:"
python wes.py systeminfo_after_patch.txt | grep -c "^CVE:"
```
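A before/after comparison that goes beyond the raw counts above, as an added Python example that is not part of WES-ng: it parses two WES text reports into per-CVE records and reports which CVEs were closed, which remain and which are new. It assumes WES's console layout (a summary line, then one block per finding separated by blank lines, each block made of `Key: Value` lines such as `CVE:` and `Severity:`); both reports and all CVE and KB identifiers in them are constructed samples.

```python
"""Diff two WES-ng text reports (before and after patching) to show which CVEs
were closed, which remain and which are new. Added example, not part of WES-ng.
Assumes WES's console output layout: a summary line, then one block per
finding separated by blank lines, each block a set of 'Key: Value' lines
(Date, CVE, KB, Title, ..., Severity, Impact, Exploit). Both reports below are
constructed samples with placeholder CVE and KB identifiers."""
import re
from collections import Counter

BEFORE_REPORT = """\
[+] Found 3 vulnerabilities

Date: 20200101
CVE: CVE-0000-0001
KB: KB5000010
Title: Constructed Elevation of Privilege Vulnerability
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20200101
CVE: CVE-0000-0002
KB: KB5000010
Title: Constructed Remote Code Execution Vulnerability
Severity: Critical
Impact: Remote Code Execution
Exploit: https://example.invalid/poc

Date: 20200201
CVE: CVE-0000-0003
KB: KB5000020
Title: Constructed Spooler Vulnerability
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

[-] Missing patches: 2
    - KB5000010: patches 2 vulnerabilities
    - KB5000020: patches 1 vulnerability
"""

# After installing KB5000010 only. CVE-0000-0004 shows up because the
# definitions were updated between the two runs, a common source of confusion.
AFTER_REPORT = """\
[+] Found 2 vulnerabilities

Date: 20200201
CVE: CVE-0000-0003
KB: KB5000020
Title: Constructed Spooler Vulnerability
Severity: Critical
Impact: Remote Code Execution
Exploit: n/a

Date: 20200301
CVE: CVE-0000-0004
KB: KB5000030
Title: Constructed Information Disclosure Vulnerability
Severity: Moderate
Impact: Information Disclosure
Exploit: n/a

[-] Missing patches: 2
    - KB5000020: patches 1 vulnerability
    - KB5000030: patches 1 vulnerability
"""

# A report field: a capitalised key, a colon and a value. Summary lines ("[+] ...")
# and the indented "- KB...: patches N" lines of the missing-patches section do not match.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*): (.*)$")


def parse_report(text):
    """Map CVE id -> dict of fields for every finding block in a WES report."""
    findings = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            match = FIELD.match(line)
            if match:
                record[match.group(1)] = match.group(2)
        if "CVE" in record:  # blocks without a CVE line are summary sections
            findings[record["CVE"]] = record
    return findings


def compare_reports(before_text, after_text):
    """Split the CVE sets of two reports into closed, remaining and new findings."""
    before, after = parse_report(before_text), parse_report(after_text)
    return {
        "closed": sorted(set(before) - set(after)),
        "remaining": sorted(set(before) & set(after)),
        "new": sorted(set(after) - set(before)),
    }


def severity_counts(report_text):
    """Count findings per severity, for a one-line before/after summary."""
    return Counter(r.get("Severity", "Unknown") for r in parse_report(report_text).values())


if __name__ == "__main__":
    print("before:", dict(severity_counts(BEFORE_REPORT)))
    print("after: ", dict(severity_counts(AFTER_REPORT)))
    for kind, cves in compare_reports(BEFORE_REPORT, AFTER_REPORT).items():
        print(f"{kind:>9}: {', '.join(cves) or '-'}")
```

The `new` bucket is the one to watch: a finding that appears only in the second run is either a regression or, more often, a definitions update between runs, so re-run the first report against the current definitions before treating it as a patch failure.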
## Related Tools

- Seatbelt: .NET enumeration tool for Windows privilege escalation
- winPEAS: Comprehensive Windows enumeration script
- PowerUp: PowerShell privilege escalation enumeration
- Metasploit: Exploit framework with Windows vulnerability modules
- Searchsploit: Offline Exploit-DB search utility
- WMIC: Windows Management Instrumentation Command-line
- Get-HotFix: PowerShell cmdlet for patch enumeration
## Complete Workflow Example

```bash
# Step 1: Setup
git clone https://github.com/bitsadmin/wesng.git
cd wesng
pip install -r requirements.txt
python wes.py --update
# Step 2: Gather system info from target
# (On target Windows system)
systeminfo > C:\temp\systeminfo.txt
# Step 3: Transfer to attacker machine
scp user@target:C:/temp/systeminfo.txt .
# Step 4: Analyze vulnerabilities
python wes.py systeminfo.txt
# Step 5: Filter critical vulnerabilities
python wes.py systeminfo.txt -s Critical > critical.txt
# Step 6: Search for exploits
searchsploit "CVE-2021-1732"
# Step 7: Copy and compile exploit (mingw cross-compiler produces a Windows binary)
searchsploit -m 49999
x86_64-w64-mingw32-gcc 49999.c -o exploit.exe
# Step 8: Transfer to target and execute
# (On the target, verify privilege escalation by comparing the account before and after)
whoami
.\exploit.exe
whoami
```
Last updated: March 2026