Cyber security

linWinPwn – Active Directory Vulnerability Scanner

A versatile bash script designed for automating Active Directory enumeration and vulnerability assessment.

By leveraging a curated selection of tools and employing clever techniques like dynamic port forwarding, linWinPwn streamlines the process of gathering evidence in AD environments.

Whether you’re working against time constraints or aiming to minimize footprint, this article introduces you to the setup, modules, and parameters of linWinPwn, empowering you to conduct efficient and effective security assessments.

Description

linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script uses a number of tools and serves as wrapper of them.

Tools include: impacket, bloodhound, netexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, and others.

linWinPwn is particularly useful when you have access to an Active Directory environment for a limited time only, and you wish to automate the enumeration process and collect evidence efficiently.

In addition, linWinPwn can replace the use of enumeration tools on Windows in the aim of reducing the number of created artifacts (e.g., PowerShell commands, Windows Events, created files on disk), and bypassing certain Anti-Virus or EDRs.

This can be achieved by performing remote dynamic port forwarding through the creation of an SSH tunnel from the Windows host (e.g., VDI machine or workstation or laptop) to a remote Linux machine (e.g., Pentest laptop or VPS), and running linWinPwn with proxychains.

On the Windows host, run using PowerShell:

ssh kali@<linux_machine> -R 1080 -NCqf

On the Linux machine, first update /etc/proxychains4.conf to include socks5 127.0.0.1 1080, then run:

proxychains ./linWinPwn.sh -t <Domain_Controller_IP>

Setup

Git clone the repository and make the script executable

git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh

Install requirements using the install.sh script (using standard account)

chmod +x install.sh
./install.sh

Usage

Modules

The linWinPwn script contains 6 modules that can be used either separately or simultaneously.

Default: interactive – Open interactive menu to run checks separately

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password> -H <hash[LM:NT]> -K <kerbticket[./krb5cc_ticket]> -A <AES_key> -o <output_dir>]

For more information click here

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtoolslinWinPwn
1 year ago

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

14 hours ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

14 hours ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

16 hours ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

19 hours ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

19 hours ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

2 days ago