A versatile bash script designed for automating Active Directory enumeration and vulnerability assessment.
By leveraging a curated selection of tools and employing clever techniques like dynamic port forwarding, linWinPwn streamlines the process of gathering evidence in AD environments.
Whether you’re working against time constraints or aiming to minimize footprint, this article introduces you to the setup, modules, and parameters of linWinPwn, empowering you to conduct efficient and effective security assessments.
linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script uses a number of tools and serves as wrapper of them.
Tools include: impacket, bloodhound, netexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, and others.
linWinPwn is particularly useful when you have access to an Active Directory environment for a limited time only, and you wish to automate the enumeration process and collect evidence efficiently.
In addition, linWinPwn can replace the use of enumeration tools on Windows in the aim of reducing the number of created artifacts (e.g., PowerShell commands, Windows Events, created files on disk), and bypassing certain Anti-Virus or EDRs.
This can be achieved by performing remote dynamic port forwarding through the creation of an SSH tunnel from the Windows host (e.g., VDI machine or workstation or laptop) to a remote Linux machine (e.g., Pentest laptop or VPS), and running linWinPwn with proxychains.
On the Windows host, run using PowerShell:
ssh kali@<linux_machine> -R 1080 -NCqfOn the Linux machine, first update /etc/proxychains4.conf to include socks5 127.0.0.1 1080, then run:
proxychains ./linWinPwn.sh -t <Domain_Controller_IP>Git clone the repository and make the script executable
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.shInstall requirements using the install.sh script (using standard account)
chmod +x install.sh
./install.shThe linWinPwn script contains 6 modules that can be used either separately or simultaneously.
Default: interactive – Open interactive menu to run checks separately
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password> -H <hash[LM:NT]> -K <kerbticket[./krb5cc_ticket]> -A <AES_key> -o <output_dir>]For more information click here
ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…
Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…
SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…
PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…
HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…
What Are Bash Comments? Comments in Bash scripts, are notes in your code that the…