linWinPwn: Swiss-Army knife for Active Directory Pentesting using Linux
linWinPwn
linWinPwn is a bash script that wraps many Active Directory tools for enumeration (LDAP, RPC, ADCS, MSSQL, Kerberos), vulnerability checks (noPac, ZeroLogon, MS17-010, MS14-068), object modifications (password change, add user to the group, RBCD, Shadow Credentials) and password dumping (secretsdump, lsassy, nanodump, DonPAPI). The script streamlines the use of a large number of tools: impacket, bloodhound, netexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, bloodyAD, DonPAPI and many others.
Install
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh
chmod +x install.sh
./install.sh
Use
Mode
The linWinPwn script can be executed in interactive mode (default), or automated mode (enumeration only).
1. Interactive Mode (Default) – Open the interactive menu to run checks separately
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password> -H <hash[LM:NT]> -K <kerbticket[./krb5cc_ticket]> -A <AES_key> -C <cert[./cert.pfx]> -o <output_dir>]
2. Automated Mode – Using the --auto parameter, run enumeration tools (no exploitation, modifications or password dumping)
When using the automated mode, different checks are performed based on the authentication method.
- Unauthenticated (no credentials provided)
  - Anonymous enumeration using netexec, enum4linux-ng, ldapdomaindump, ldeep
  - RID bruteforce using netexec
  - kerbrute user spray
  - Pre2k authentication check on a collected list of computers
  - ASREPRoast using a collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
  - Blind Kerberoast
  - CVE-2022-33679 exploit
  - Check for DNS unsecure updates for AS-REQ abuse using krbjack
  - SMB shares anonymous enumeration on identified servers
  - Enumeration for WebDav, dfscoerce, shadowcoerce, and Spooler services on identified servers
  - Check for ms17-010, zerologon, petitpotam, nopac, smb-signing, ntlmv1, runasppl weaknesses
- Authenticated (using password, NTLM hash, Kerberos ticket, AES key or pfx Certificate)
  - DNS extraction using adidnsdump
  - BloodHound data collection
  - Enumeration using netexec, enum4linux-ng, ldapdomaindump, bloodyAD, sccmhunter, rdwatool, GPOwned
  - Generate wordlist for password cracking
  - netexec find accounts with user=pass
  - Pre2k authentication check on domain computers
  - Extract ADCS information using certipy and certi.py
  - kerbrute find accounts with user=pass
  - ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
  - Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
  - Targeted Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
  - SMB shares enumeration on all domain servers using smbmap, FindUncommonShares and cme’s spider_plus
  - Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on all domain servers (using cme, Coercer and RPC Dump)
  - Check for ms17-010, ms14-068, zerologon, petitpotam, nopac, smb-signing, ntlmv1, runasppl, certifried weaknesses
  - Check mssql privilege escalation paths
  - Check mssql relay possibilities
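The usage line above accepts six kinds of credential material (-u/-p, -H, -K, -A, -C), and automated mode picks its check set from whichever is supplied. The following is an added example, not linWinPwn's own code: it shows one way to derive the authentication method from those flags and to validate the material (hash and AES key format, readable ticket or certificate file) before any tool is called. The precedence order and the validation rules are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from linWinPwn): credential selection and validation
# for the flags -u -p -H -K -A -C. Precedence (assumed here): Kerberos
# ticket, then certificate, then AES key, then NTLM hash, then password.

# auth_method USER PASS HASH TICKET AESKEY CERT -> prints the method name
auth_method() {
    user="$1"; pass="$2"; hash="$3"; ticket="$4"; aeskey="$5"; cert="$6"
    if   [ -n "$ticket" ]; then echo kerberos
    elif [ -n "$cert" ];   then echo certificate
    elif [ -n "$aeskey" ]; then echo aes
    elif [ -n "$hash" ];   then echo hash
    elif [ -n "$user" ] && [ -n "$pass" ]; then echo password
    else echo unauthenticated
    fi
}

# NT hash alone (32 hex) or LM:NT (32 hex, colon, 32 hex), as in <hash[LM:NT]>
valid_ntlm_hash() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{32}:)?[0-9a-fA-F]{32}$'
}

# Kerberos AES key: 128-bit (32 hex) or 256-bit (64 hex) key string
valid_aes_key() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})$'
}

# validate_credentials METHOD USER PASS HASH TICKET AESKEY CERT -> 0 if usable
validate_credentials() {
    method="$1"; user="$2"; hash="$4"; ticket="$5"; aeskey="$6"; cert="$7"
    case "$method" in
        unauthenticated) return 0 ;;                        # nothing to check
        password)    [ -n "$user" ] ;;
        hash)        [ -n "$user" ] && valid_ntlm_hash "$hash" ;;
        aes)         [ -n "$user" ] && valid_aes_key "$aeskey" ;;
        kerberos)    [ -r "$ticket" ] ;;                    # ccache must be readable
        certificate) [ -r "$cert" ] ;;                      # .pfx must be readable
        *)           return 1 ;;
    esac
}
```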
Tutorial
Copyright (c) 2021 lefayjey