linWinPwn : A Bash Script That Automates A Number Of Active Directory Enumeration And Vulnerability Checks

linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script leverages and is dependent of a number of tools including: impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump.

Setup

Git clone the repository and make the script executable

git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh

Install requirements on Kali machines using the install.sh script

chmod +x install.sh
sudo ./install.sh

On non-Kali machines, run the install_nonkali.sh script instead

chmod +x install_nonkali.sh
sudo ./install_nonkali.sh

If you’re having DNS issues or time sync errors, run the configure.sh script with -d for DNS update and -n for NTP sync

WARNING: The script will update /etc/resolv.conf

chmod +x configure.sh
sudo ./configure.sh -t -d -n

Usage

Modules

The linWinPwn script contains 4 modules that can be used either separately or simultaneously.

Default (fastest): ad_enum,kerberos (Optional: run OPSEC safe checks only by using -O)

./linWinPwn.sh -d -u -p -t -o

User modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum

./linWinPwn.sh -M user -d -u -p -t -o

All modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum,pwd_dump

./linWinPwn.sh -M all -d -u -p -t -o

Module ad_enum: Active Directory Enumeration

./linWinPwn.sh -M ad_enum -d -u -p -t -o

Use cases

For each of the cases described, the linWinPwn script performs different checks as shown below.

Case 1: Unauthenticated

• Module ad_enum
  • rid bruteforce
  • user enumeration
  • ldapdomaindump anonymous enumeration
  • Check if ldap-signing is enforced, check for LDAP Relay
• Module kerberos
  • kerbrute user spray
  • ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
• Module scan_shares
  • SMB shares anonymous enumeration on identified servers
• Module vuln_checks
  • Enumeration for WebDav and Spooler services on identified servers
  • Check for zerologon, petitpotam, nopac weaknesses

./linWinPwn.sh -M user -t

Case 2: Standard Account (using password, NTLM hash or Kerberos ticket)

• DNS extraction using adidnsdump
• Module ad_enum
  • BloodHound data collection
  • ldapdomaindump enumeration
  • Delegation information extraction
  • GPP Passwords extraction
  • Extract ADCS information using certipy
  • Check if ldap-signing is enforced, check for LDAP Relay
  • Extraction of MachineAccountQuota of user, Password Policy and users’ descriptions containing “pass”
  • LAPS and gMSA dump
• Module kerberos
  • kerbrute user=pass enumeration
  • ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
  • Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
• Module scan_shares
  • SMB shares enumeration on all domain servers
• Module vuln_checks
  • Enumeration for WebDav and Spooler services on all domain servers
  • Check for zerologon, petitpotam, nopac weaknesses
• Module mssql_enum
  • Check mssql privilege escalation paths

./linWinPwn.sh -M user -d -u -p -t

Case 3: Administrator Account (using password, NTLM hash or Kerberos ticket)

• All of the “Standard User” checks
• Module pwd_dump
  • secretsdump on all domain servers or on provided list of servers with -S
  • lsassy on on all domain servers or on provided list of servers with -S

./linWinPwn.sh -M all -d -u -p -t -S