Home Security Tools WinPwn- Automation For Inner Home windows Penetration Testing

WinPwn- Automation For Inner Home windows Penetration Testing

by ethhack

WinPwn- Automation For Inner Home windows Penetration Testing

In lots of previous inside penetration exams, typically had issues with the prevailing Powershell Recon / Exploitation scripts resulting from lacking proxy help. For that reason I wrote my very own script with computerized proxy recognition and integration.

The script is generally based mostly on well-known massive different offensive safety Powershell tasks. I solely load them one after the opposite into RAM through IEX Downloadstring and partially automate the execution to avoid wasting time.

Sure it’s not a C# and it might be flagged by antivirus options. Home windows Defender for instance blocks a few of the identified scripts/features.

Totally different native recon modules, area recon modules, pivilege escalation and exploitation modules. Any solutions, suggestions and feedback are welcome!

Simply Import the Modules with “Import-Module .WinPwn_v0.7.ps1” or with iex (new-object internet.webclient).downloadstring(‘https://uncooked.githubusercontent.com/SecureThisShit/WinPwn/grasp/WinPwn_v0.7.ps1’)

Capabilities accessible after Import:

  • WinPwn -> Guides the consumer by all features/Modules with easy questions.
  • Inveigh -> Executes Inveigh in a brand new Console window (https://github.com/Kevin-Robertson/Inveigh), SMB-Relay assaults with Session administration afterwards
  • sessionGopher -> Executes Sessiongopher and Asking for parameters (https://github.com/Arvanaghi/SessionGopher)
  • Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz (https://github.com/PowerShellMafia/PowerSploit)
  • localreconmodules -> Collects system Informations, Executes passhunt (https://github.com/Dionach/PassHunt), Executes Get-Computerdetails and Simply one other Home windows Privilege escalation script + Winspect (https://github.com/PowerShellMafia/PowerSploit, https://github.com/A-mIn3/WINspect, https://github.com/411Corridor/JAWS)
  • JAWS –> Simply one other Home windows Privilege Escalation script will get executed
  • domainreconmodules -> Totally different Powerview situal consciousness features get executed and the output saved on disk. In Addition a Userlist for DomainpasswordSpray will get saved on disk. An AD-Report is generated in CSV Recordsdata (or XLS if excel is put in) with ADRecon. (https://github.com/sense-of-security/ADRecon, https://github.com/PowerShellMafia/PowerSploit, https://github.com/dafthack/DomainPasswordSpray)
  • Privescmodules -> Executes totally different privesc scripts in reminiscence (Sherlock https://github.com/rasta-mouse/Sherlock, PowerUp, GPP-Recordsdata, WCMDump)
  • lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV) (https://github.com/AlessandroZ/LaZagne)
  • latmov -> Searches for Programs with Admin-Entry within the area for lateral motion. Mass-Mimikatz can be utilized after for the discovered programs. Domainpassword-Spray for brand new Credentials may also be used right here.
  • empirelauncher -> Launch powershell empire oneliner on distant Programs (https://github.com/EmpireProject/Empire)
  • shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder from Powerview (Powersploit)
  • groupsearch -> Get-DomainGPOUserLocalGroupMapping – discover Programs the place you’ve gotten Admin-access or RDP entry to through Group Coverage Mapping (Powerview / Powersploit)
  • Kerberoasting -> Executes Invoke-Kerberoast in a brand new window and shops the hashes for later cracking
  • isadmin -> Checks for native admin entry on the native system
  • Sharphound -> Downloads Sharphound and collects Info for the Bloodhound DB
  • adidnswildcard -> Create a Lively Listing-Built-in DNS Wildcard Document and run Inveigh for mass hash gathering. (https://weblog.netspi.com/exploiting-adidns/#wildcard)
  • The “oBEJHzXyARrq.exe”-Executable is an obfuscated Model of jaredhaights PSAttack Instrument for Applocker/PS-Restriction Bypass (https://github.com/jaredhaight/PSAttack).


  • Get the scripts from my very own creds repository (https://github.com/SecureThisShit/Creds) to be unbiased from modifications within the authentic repositories.
  • Proxy Choices through PAC-File will not be appropriately discovered within the second
  • Obfuscate all Scripts for AV-Evasion


WinPwn is simply utilizing for academic objective solely

Download WinPwn

Source link

Related Articles

Leave a Comment