WinPwn- Automation For Inner Home windows Penetration Testing
In lots of previous inside penetration exams, typically had issues with the prevailing Powershell Recon / Exploitation scripts resulting from lacking proxy help. For that reason I wrote my very own script with computerized proxy recognition and integration.
The script is generally based mostly on well-known massive different offensive safety Powershell tasks. I solely load them one after the opposite into RAM through IEX Downloadstring and partially automate the execution to avoid wasting time.
Sure it’s not a C# and it might be flagged by antivirus options. Home windows Defender for instance blocks a few of the identified scripts/features.
Totally different native recon modules, area recon modules, pivilege escalation and exploitation modules. Any solutions, suggestions and feedback are welcome!
Simply Import the Modules with “Import-Module .WinPwn_v0.7.ps1” or with iex (new-object internet.webclient).downloadstring(‘https://uncooked.githubusercontent.com/SecureThisShit/WinPwn/grasp/WinPwn_v0.7.ps1’)
Capabilities accessible after Import:
- WinPwn -> Guides the consumer by all features/Modules with easy questions.
- Inveigh -> Executes Inveigh in a brand new Console window (https://github.com/Kevin-Robertson/Inveigh), SMB-Relay assaults with Session administration afterwards
- sessionGopher -> Executes Sessiongopher and Asking for parameters (https://github.com/Arvanaghi/SessionGopher)
- Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz (https://github.com/PowerShellMafia/PowerSploit)
- localreconmodules -> Collects system Informations, Executes passhunt (https://github.com/Dionach/PassHunt), Executes Get-Computerdetails and Simply one other Home windows Privilege escalation script + Winspect (https://github.com/PowerShellMafia/PowerSploit, https://github.com/A-mIn3/WINspect, https://github.com/411Corridor/JAWS)
- JAWS –> Simply one other Home windows Privilege Escalation script will get executed
- domainreconmodules -> Totally different Powerview situal consciousness features get executed and the output saved on disk. In Addition a Userlist for DomainpasswordSpray will get saved on disk. An AD-Report is generated in CSV Recordsdata (or XLS if excel is put in) with ADRecon. (https://github.com/sense-of-security/ADRecon, https://github.com/PowerShellMafia/PowerSploit, https://github.com/dafthack/DomainPasswordSpray)
- Privescmodules -> Executes totally different privesc scripts in reminiscence (Sherlock https://github.com/rasta-mouse/Sherlock, PowerUp, GPP-Recordsdata, WCMDump)
- lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV) (https://github.com/AlessandroZ/LaZagne)
- latmov -> Searches for Programs with Admin-Entry within the area for lateral motion. Mass-Mimikatz can be utilized after for the discovered programs. Domainpassword-Spray for brand new Credentials may also be used right here.
- empirelauncher -> Launch powershell empire oneliner on distant Programs (https://github.com/EmpireProject/Empire)
- shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder from Powerview (Powersploit)
- groupsearch -> Get-DomainGPOUserLocalGroupMapping – discover Programs the place you’ve gotten Admin-access or RDP entry to through Group Coverage Mapping (Powerview / Powersploit)
- Kerberoasting -> Executes Invoke-Kerberoast in a brand new window and shops the hashes for later cracking
- isadmin -> Checks for native admin entry on the native system
- Sharphound -> Downloads Sharphound and collects Info for the Bloodhound DB
- adidnswildcard -> Create a Lively Listing-Built-in DNS Wildcard Document and run Inveigh for mass hash gathering. (https://weblog.netspi.com/exploiting-adidns/#wildcard)
- The “oBEJHzXyARrq.exe”-Executable is an obfuscated Model of jaredhaights PSAttack Instrument for Applocker/PS-Restriction Bypass (https://github.com/jaredhaight/PSAttack).
Todo:
- Get the scripts from my very own creds repository (https://github.com/SecureThisShit/Creds) to be unbiased from modifications within the authentic repositories.
- Proxy Choices through PAC-File will not be appropriately discovered within the second
- Obfuscate all Scripts for AV-Evasion
Disclaimer:
WinPwn is simply utilizing for academic objective solely
