linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script leverages and is dependent of a number of tools including: impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, and others.
Git clone the repository and make the script executable
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh
Install requirements on Kali machines using the install.sh
script
chmod +x install.sh
sudo ./install.sh
On non-Kali machines, run the install_nonkali.sh
script instead
chmod +x install_nonkali.sh
sudo ./install_nonkali.sh
If you're having DNS issues or time sync errors, run the configure.sh
script with -d
for DNS update and -n
for NTP sync
WARNING: The script will update /etc/resolv.conf
chmod +x configure.sh
sudo ./configure.sh -t <DC_IP> -d -n
The linWinPwn script contains 6 modules that can be used either separately or simultaneously.
Default: interactive - Open interactive menu to run checks separately
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]
User modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M user
All modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum,pwd_dump
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M all
Module ad_enum: Active Directory Enumeration
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M ad_enum
Module kerberos: Kerberos Based Attacks
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M kerberos
Module scan_shares: Network Shares Scan
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M scan_shares
Module vuln_checks: Vulnerability Checks
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M vuln_checks
Module mssql_enum: MSSQL Enumeration
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M mssql_enum
Module pwd_dump: Password Dump
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M pwd_dump
- HackTheBox Forest
- TryHackme AttacktiveDirectory
For each of the cases described, the linWinPwn script performs different checks as shown below.
Case 1: Unauthenticated
- Module ad_enum
- rid bruteforce
- user enumeration
- ldapdomaindump anonymous enumeration
- Check if ldap-signing is enforced, check for LDAP Relay
- Module kerberos
- kerbrute user spray
- ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Module scan_shares
- SMB shares anonymous enumeration on identified servers
- Module vuln_checks
- Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on identified servers
- Check for ms17-010, zerologon, petitpotam, nopac, ntlmv1, runasppl weaknesses
./linWinPwn.sh -t <Domain_Controller_IP_or_Target_Domain> -M user
Case 2: Standard Account (using password, NTLM hash or Kerberos ticket)
- DNS extraction using adidnsdump
- Module ad_enum
- BloodHound data collection
- ldapdomaindump enumeration
- Delegation information extraction
- GPP Passwords extraction
- Extract ADCS information using certipy
- Check if ldap-signing is enforced, check for LDAP Relay
- Extraction of MachineAccountQuota of user, Password Policy and users' descriptions containing "pass"
- Module kerberos
- kerbrute user=pass enumeration
- ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Module scan_shares
- SMB shares enumeration on all domain servers
- KeePass files and processes discovery on all domain servers
- Module vuln_checks
- Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on all domain servers
- Check for ms17-010, zerologon, petitpotam, nopac, ntlmv1, runasppl weaknesses
- Module mssql_enum
- Check mssql privilege escalation paths
./linWinPwn.sh -t <Domain_Controller_IP_or_Target_Domain> -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -M user
Case 3: Administrator Account (using password, NTLM hash or Kerberos ticket)
- All of the "Standard User" checks
- Module pwd_dump
- LAPS and gMSA dump
- secretsdump on all domain servers
- lsassy on on all domain servers
./linWinPwn.sh -t <Domain_Controller_IP_or_Target_Domain> -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -M all
- Add more enumeration and exploitation tools...
- S3cur3Th1sSh1t - WinPwn
- SecureAuth - impacket
- byt3bl33d3r, mpgn, Porchetta Industries - crackmapexec
- Fox-IT - bloodhound-python
- dirkjanm - ldapdomaindump, adidnsdump
- Hackndo - lsassy
- zer1t0 - certi.py
- ly4k - Certipy
- micahvandeusen - gMSADumper
- ShawnDEvans - smbmap
- ropnop - windapsearch, kerbrute
Usage of linWinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.