linWinPwn: Swiss-Army knife for Active Directory Pentesting using Linux

linWinPwn

linWinPwn is a bash script that wraps many Active Directory tools for enumeration (LDAP, RPC, ADCS, MSSQL, Kerberos), vulnerability checks (noPac, ZeroLogon, MS17-010, MS14-068), object modifications (password change, adding a user to a group, RBCD, Shadow Credentials) and password dumping (secretsdump, lsassy, nanodump, DonPAPI). The script streamlines the use of a large number of tools: impacket, bloodhound, netexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, bloodyAD, DonPAPI and many others.

Install

git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh
chmod +x install.sh
./install.sh

Use

Mode

The linWinPwn script can be executed in interactive mode (default), or automated mode (enumeration only).

1. Interactive Mode (Default) – Open the interactive menu to run checks separately

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password> -H <hash[LM:NT]> -K <kerbticket[./krb5cc_ticket]> -A <AES_key> -C <cert[./cert.pfx]> -o <output_dir>]

2. Automated Mode – Using the --auto parameter, run enumeration tools (no exploitation, modifications or password dumping)

When using the automated mode, different checks are performed based on the authentication method.

  • Unauthenticated (no credentials provided)
    • Anonymous enumeration using netexec, enum4linux-ng, ldapdomaindump, ldeep
    • RID bruteforce using netexec
    • kerbrute user spray
    • Pre2k authentication check on a collected list of computers
    • ASREPRoast using a collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
    • Blind Kerberoast
    • CVE-2022-33679 exploit
    • Check for insecure DNS updates for AS-REQ abuse using krbjack
    • SMB shares anonymous enumeration on identified servers
    • Enumeration for WebDav, dfscoerce, shadowcoerce, and Spooler services on identified servers
    • Check for ms17-010, zerologon, petitpotam, nopac, smb-signing, ntlmv1, runasppl weaknesses

    ./linWinPwn.sh -t <Domain_Controller_IP> --auto [-o <output_dir>]

  • Authenticated (using password, NTLM hash, Kerberos ticket, AES key or pfx certificate)
    • DNS extraction using adidnsdump
    • BloodHound data collection
    • Enumeration using netexec, enum4linux-ng, ldapdomaindump, bloodyAD, sccmhunter, rdwatool, GPOwned
    • Generate wordlist for password cracking
    • netexec find accounts with user=pass
    • Pre2k authentication check on domain computers
    • Extract ADCS information using certipy and certi.py
    • kerbrute find accounts with user=pass
    • ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
    • Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
    • Targeted Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
    • SMB shares enumeration on all domain servers using smbmap, FindUncommonShares and cme's spider_plus
    • Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on all domain servers (using cme, Coercer and RPC Dump)
    • Check for ms17-010, ms14-068, zerologon, petitpotam, nopac, smb-signing, ntlmv1, runasppl, certifried weaknesses
    • Check mssql privilege escalation paths
    • Check mssql relay possibilities

    proxychains ./linWinPwn.sh -t <Domain_Controller_IP> -d <AD_domain> -u <AD_user> [-p <AD_password> -H <hash[LM:NT]> -K <kerbticket[./krb5cc_ticket]> -A <AES_key> -C <cert[./cert.pfx]>] [-o <output_dir>] --auto
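The automated mode above runs several Kerberos checks back to back (kerbrute user spray, ASREPRoast, Kerberoast), and each of them leaves a characteristic pattern in the domain controller's Security log. The following is an added example, not part of linWinPwn or its documentation, showing the detection logic a blue team would run over those events: event IDs 4768/4769/4771 and the Status, PreAuthType and TicketEncryptionType fields are the real Windows field names, but the sample records, IP addresses, account names and thresholds are constructed for the demonstration.

```python
"""Detect the Kerberos activity an automated linWinPwn run produces
(user spray, ASREPRoast, Kerberoast) from Windows Security events.
Sample records below are constructed; field names mirror the event XML."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # etype 23: roasting tools request it because it cracks fastest
SPRAY_STATUSES = {"0x6", "0x18"}  # 0x6 = unknown principal (4768), 0x18 = bad pre-auth (4771)

# Constructed sample: one noisy source (10.10.14.7) and one benign source (10.10.20.5).
SAMPLE_EVENTS = [
    # kerbrute-style enumeration: 12 unknown principals from one source inside 12 seconds
    *[{"EventID": 4768, "TimeCreated": f"2024-05-01T10:00:{i:02d}", "TargetUserName": f"guess{i}",
       "IpAddress": "::ffff:10.10.14.7", "Status": "0x6", "PreAuthType": "-",
       "TicketEncryptionType": "0xffffffff"} for i in range(12)],
    # ASREPRoast: TGT issued with no pre-authentication and an RC4-encrypted ticket
    {"EventID": 4768, "TimeCreated": "2024-05-01T10:05:00", "TargetUserName": "svc_backup",
     "IpAddress": "::ffff:10.10.14.7", "Status": "0x0", "PreAuthType": "0",
     "TicketEncryptionType": RC4_HMAC},
    # Kerberoast: RC4 service tickets for several SPN-bearing user accounts in quick succession
    *[{"EventID": 4769, "TimeCreated": f"2024-05-01T10:06:{i:02d}", "TargetUserName": "jdoe",
       "IpAddress": "::ffff:10.10.14.7", "Status": "0x0", "ServiceName": svc,
       "TicketEncryptionType": RC4_HMAC} for i, svc in enumerate(["svc_sql", "svc_web", "svc_ftp"])],
    # Benign: AES service ticket for a computer account from another host
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:06:30", "TargetUserName": "jdoe",
     "IpAddress": "::ffff:10.10.20.5", "Status": "0x0", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def _bursts(events, key_field, threshold, window):
    """Sources that touch >= threshold distinct key_field values within any sliding window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["IpAddress"]].append(ev)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            seen = {e[key_field] for e in evs[i:] if _ts(e) - _ts(start) <= window}
            if len(seen) >= threshold:
                hits.append({"source": src, "distinct": len(seen)})
                break  # one finding per source is enough
    return hits


def detect_user_spray(events, threshold=10, window=timedelta(minutes=5)):
    """Many distinct usernames failing AS-REQ from one source: kerbrute-style enumeration/spray."""
    failures = [e for e in events
                if e.get("EventID") in (4768, 4771) and e.get("Status") in SPRAY_STATUSES]
    return [dict(rule="kerberos_user_spray", **h)
            for h in _bursts(failures, "TargetUserName", threshold, window)]


def detect_asreproast(events):
    """TGT granted without pre-auth and encrypted with RC4: the hash is now offline-crackable."""
    return [{"rule": "asreproast", "source": e["IpAddress"], "account": e["TargetUserName"]}
            for e in events
            if e.get("EventID") == 4768 and e.get("Status") == "0x0"
            and e.get("PreAuthType") == "0" and e.get("TicketEncryptionType") == RC4_HMAC]


def detect_kerberoast(events, threshold=3, window=timedelta(minutes=5)):
    """RC4 service tickets for several user (non-$) SPN accounts from one source in a short window."""
    svc = [e for e in events
           if e.get("EventID") == 4769 and e.get("TicketEncryptionType") == RC4_HMAC
           and not e["ServiceName"].endswith("$") and e["ServiceName"] != "krbtgt"]
    return [dict(rule="kerberoast", **h) for h in _bursts(svc, "ServiceName", threshold, window)]


def run_detections(events=SAMPLE_EVENTS):
    return {"user_spray": detect_user_spray(events),
            "asreproast": detect_asreproast(events),
            "kerberoast": detect_kerberoast(events)}


if __name__ == "__main__":
    for rule, findings in run_detections().items():
        print(rule, findings)
```

The thresholds are deliberately conservative; in production the RC4 indicators matter most, since accounts that still accept etype 23 (or have pre-authentication disabled) are exactly the ones the roasting steps above can turn into crackable hashes, so the fix is to enforce AES on service accounts and re-enable pre-auth rather than only to alert.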

Tutorial

Copyright (c) 2021 lefayjey