(Created page with "Category:Tools = linWinPwn - Active Directory Vulnerability Scanner = == Description == linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script uses a number of tools and serves as wrapper of them. Tools include: impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, and others. linWinPwn is particularly useful when you have access to an Active...") |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[Category:Tools]] | [[Category:Tools]] | ||
== Description == | == Description == | ||
| Line 14: | Line 12: | ||
<pre>proxychains ./linWinPwn.sh -t <Domain_Controller_IP></pre> | <pre>proxychains ./linWinPwn.sh -t <Domain_Controller_IP></pre> | ||
== Setup == | == Setup == | ||
| Line 25: | Line 22: | ||
<syntaxhighlight lang="bash">chmod +x install.sh | <syntaxhighlight lang="bash">chmod +x install.sh | ||
./install.sh</syntaxhighlight> | ./install.sh</syntaxhighlight> | ||
== Usage == | |||
The linWinPwn script contains 6 modules that can be used either separately or simultaneously. | The linWinPwn script contains 6 modules that can be used either separately or simultaneously. | ||
| Line 61: | Line 57: | ||
<syntaxhighlight lang="bash">./linWinPwn.sh -t <Domain_Controller_IP> -M pwd_dump [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]</syntaxhighlight> | <syntaxhighlight lang="bash">./linWinPwn.sh -t <Domain_Controller_IP> -M pwd_dump [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]</syntaxhighlight> | ||
== Credits == | == Credits == | ||
Latest revision as of 16:19, 20 January 2023
Description
linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script uses a number of tools and serves as wrapper of them. Tools include: impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, and others.
linWinPwn is particularly useful when you have access to an Active Directory environment for a limited time only, and you wish to automate the enumeration process and collect evidence efficiently. In addition, linWinPwn can replace the use of enumeration tools on Windows in the aim of reducing the number of created artifacts (e.g., PowerShell commands, Windows Events, created files on disk), and bypassing certain Anti-Virus or EDRs. This can be achieved by performing remote dynamic port forwarding through the creation of an SSH tunnel from the Windows host (e.g., VDI machine or workstation or laptop) to a remote Linux machine (e.g., Pentest laptop or VPS), and running linWinPwn with proxychains.
On the Windows host, run using PowerShell:
ssh kali@<linux_machine> -R 1080 -NCqf
On the Linux machine, first update /etc/proxychains4.conf to include socks5 127.0.0.1 1080, then run:
proxychains ./linWinPwn.sh -t <Domain_Controller_IP>
Setup
Git clone the repository and make the script executable
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh
Install requirements using the install.sh script (using standard account)
chmod +x install.sh
./install.sh
Usage
The linWinPwn script contains 6 modules that can be used either separately or simultaneously.
Default: interactive - Open interactive menu to run checks separately
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]
Enable NTP sync - Run NTP sync with target DC before running the modules (parameter should be set at the end)
./linWinPwn.sh -t <Domain_Controller_IP> --ntp
User modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum
./linWinPwn.sh -t <Domain_Controller_IP> -M user [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]
All modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum,pwd_dump
./linWinPwn.sh -t <Domain_Controller_IP> -M all [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]
Module ad_enum: Active Directory Enumeration
./linWinPwn.sh -t <Domain_Controller_IP> -M ad_enum [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]
Module kerberos: Kerberos Based Attacks
./linWinPwn.sh -t <Domain_Controller_IP> -M kerberos [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]
Module scan_shares: Network Shares Scan
./linWinPwn.sh -t <Domain_Controller_IP> -M scan_shares [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]
Module vuln_checks: Vulnerability Checks
./linWinPwn.sh -t <Domain_Controller_IP> -M vuln_checks [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]
Module mssql_enum: MSSQL Enumeration
./linWinPwn.sh -t <Domain_Controller_IP> -M mssql_enum [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]
Module pwd_dump: Password Dump
./linWinPwn.sh -t <Domain_Controller_IP> -M pwd_dump [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]
Credits
- S3cur3Th1sSh1t - WinPwn
- SecureAuth - impacket
- byt3bl33d3r, mpgn and all contributors - crackmapexec
- Fox-IT - bloodhound-python
- dirkjanm - ldapdomaindump, adidnsdump
- zer1t0 - certi.py
- ly4k - Certipy
- ShawnDEvans - smbmap
- ropnop - windapsearch, kerbrute
- login-securite - DonPAPI
- layer8secure - SilentHound