linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script leverages and is dependent of a number of tools including: impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump.
Setup
Git clone the repository and make the script executable
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh
Install requirements on Kali machines using the install.sh script
chmod +x install.sh
sudo ./install.sh
On non-Kali machines, run the install_nonkali.sh script instead
chmod +x install_nonkali.sh
sudo ./install_nonkali.sh
If you’re having DNS issues or time sync errors, run the configure.sh script with -d for DNS update and -n for NTP sync
WARNING: The script will update /etc/resolv.conf
chmod +x configure.sh
sudo ./configure.sh -t -d -n
Usage
Modules
The linWinPwn script contains 4 modules that can be used either separately or simultaneously.
Default (fastest): ad_enum,kerberos (Optional: run OPSEC safe checks only by using -O)
./linWinPwn.sh -d -u -p -t -o
User modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum
./linWinPwn.sh -M user -d -u -p -t -o
All modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum,pwd_dump
./linWinPwn.sh -M all -d -u -p -t -o
Module ad_enum: Active Directory Enumeration
./linWinPwn.sh -M ad_enum -d -u -p -t -o
Use cases
For each of the cases described, the linWinPwn script performs different checks as shown below.
Case 1: Unauthenticated
- Module ad_enum
- rid bruteforce
- user enumeration
- ldapdomaindump anonymous enumeration
- Check if ldap-signing is enforced, check for LDAP Relay
- Module kerberos
- kerbrute user spray
- ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Module scan_shares
- SMB shares anonymous enumeration on identified servers
- Module vuln_checks
- Enumeration for WebDav and Spooler services on identified servers
- Check for zerologon, petitpotam, nopac weaknesses
./linWinPwn.sh -M user -t
Case 2: Standard Account (using password, NTLM hash or Kerberos ticket)
- DNS extraction using adidnsdump
- Module ad_enum
- BloodHound data collection
- ldapdomaindump enumeration
- Delegation information extraction
- GPP Passwords extraction
- Extract ADCS information using certipy
- Check if ldap-signing is enforced, check for LDAP Relay
- Extraction of MachineAccountQuota of user, Password Policy and users’ descriptions containing “pass”
- LAPS and gMSA dump
- Module kerberos
- kerbrute user=pass enumeration
- ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Module scan_shares
- SMB shares enumeration on all domain servers
- Module vuln_checks
- Enumeration for WebDav and Spooler services on all domain servers
- Check for zerologon, petitpotam, nopac weaknesses
- Module mssql_enum
- Check mssql privilege escalation paths
./linWinPwn.sh -M user -d -u -p -t
Case 3: Administrator Account (using password, NTLM hash or Kerberos ticket)
- All of the “Standard User” checks
- Module pwd_dump
- secretsdump on all domain servers or on provided list of servers with
-S - lsassy on on all domain servers or on provided list of servers with
-S
- secretsdump on all domain servers or on provided list of servers with
./linWinPwn.sh -M all -d -u -p -t -S
