Offensive Security Tool: linWinPwn

by | Nov 25, 2022 | Tools

Post Views: 2,706

Premium Content

Patreon
Subscribe to Patreon to watch this episode.

Reading Time: 4 Minutes

linWinPwn

linWinPwn is a bash script written by lefayjey that automates several Active Directory Enumeration and Vulnerability checks. The script uses several tools such as: impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, and others. Red Teams find this tool particularly useful when you have access to an Active Directory environment for a limited time only and wish to automate the enumeration process and efficiently collect evidence. In addition, linWinPwn can replace the use of enumeration tools on Windows to reduce the number of created artifacts and bypass certain Anti-Virus or EDRs. This can be achieved by performing remote dynamic port forwarding through the creation of an SSH tunnel from the Windows host (e.g., VDI machine or workstation or laptop) to a remote Linux machine (e.g., Pentest laptop or VPS), and running linWinPwn with proxychains.

On the Windows host, run using PowerShell:

ssh kali@<linux_machine> -R 1080 -NCqf

proxychains ./linWinPwn.sh -t <Domain_Controller_IP>

See Also: So you want to be a hacker?
Complete Offensive Security and Ethical Hacking Course

 

Setup

Git clone the repository and make the script executable

git clone https://github.com/lefayjey/linWinPwn

cd linWinPwn; chmod +x linWinPwn.sh

Install requirements on Kali machines using the install.sh script

chmod +x install.sh

sudo ./install.sh

On non-Kali machines, run the install_nonkali.sh script instead

chmod +x install_nonkali.sh

sudo ./install_nonkali.sh

If you’re having DNS issues or time sync errors, run the configure.sh script with -d for DNS update and -n for NTP sync

chmod +x configure.sh

sudo ./configure.sh -t -d -n

Trending: Offensive Security Tool: Mangle

Trending: Recon Tool: Maigret

 

Usage

Modules

The linWinPwn script contains 6 modules that can be used either separately or simultaneously.

Default: interactive – Open interactive menu to run checks separately

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]

User modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M user

All modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum,pwd_dump

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M all

Module ad_enum: Active Directory Enumeration

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M ad_enum

Module kerberos: Kerberos Based Attacks

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M kerberos

Module scan_shares: Network Shares Scan

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M scan_shares

Module vuln_checks: Vulnerability Checks

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M vuln_checks

Module mssql_enum: MSSQL Enumeration

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M mssql_enum

Module pwd_dump: Password Dump

./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] -M pwd_dump
 

Trending: Exploit XSS Injections in a one-line powerful Technique

 

Demos

  • HackTheBox Forest

Interactive Mode:

 

Automated Mode:

 

  • TryHackme AttacktiveDirectory

Use cases

For each of the cases described, the linWinPwn script performs different checks as shown below.

Case 1: Unauthenticated

  • Module ad_enum
    • rid bruteforce
    • user enumeration
    • ldapdomaindump anonymous enumeration
    • Check if ldap-signing is enforced, check for LDAP Relay
  • Module kerberos
    • kerbrute user spray
    • ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
    • Blind Kerberoast
    • CVE-2022-33679 exploit
  • Module scan_shares
    • SMB shares anonymous enumeration on identified servers
  • Module vuln_checks
    • Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on identified servers
    • Check for ms17-010, zerologon, petitpotam, nopac, smb-sigining, ntlmv1, runasppl weaknesses

 

./linWinPwn.sh -t <Domain_Controller_IP_or_Target_Domain> -M user

Case 2: Standard Account (using password, NTLM hash or Kerberos ticket)

  • DNS extraction using adidnsdump
  • Module ad_enum
    • BloodHound data collection
    • ldapdomaindump enumeration
    • crackmapexec user=pass enumeration
    • Delegation information extraction
    • GPP Passwords extraction
    • Extract ADCS information using certipy
    • Check if ldap-signing is enforced, check for LDAP Relay
    • Extraction of MachineAccountQuota of user, Password Policy and users’ descriptions containing “pass”
  • Module kerberos
    • kerbrute user=pass enumeration
    • ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
    • Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
  • Module scan_shares
    • SMB shares enumeration on all domain servers
    • KeePass files and processes discovery on all domain servers
  • Module vuln_checks
    • Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on all domain servers
    • Check for ms17-010, zerologon, petitpotam, nopac, smb-sigining, ntlmv1, runasppl weaknesses
  • Module mssql_enum
    • Check mssql privilege escalation paths

 

./linWinPwn.sh -t <Domain_Controller_IP_or_Target_Domain> -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -M user

Case 3: Administrator Account (using password, NTLM hash or Kerberos ticket)

  • All of the “Standard User” checks
  • Module pwd_dump
    • LAPS and gMSA dump
    • secretsdump on all domain servers
    • Dump lsass on all domain servers using: procdump, lsassy, nanodump, handlekatz, masky
    • Extract backup keys using DonPAPI

 

./linWinPwn.sh -t <Domain_Controller_IP_or_Target_Domain> -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -M all
 

 

 

Disclaimer: 

Usage of linWinPwn for attacking targets without prior mutual consent is illegal. It’s the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

 

 

Clone the repo from here: GitHub Link

See Also: Hacking Stories: Albert Gonzalez and the ‘Get Rich or Die Trying’ Crew who stole 130 million credit card numbers

Merch

Recent Tools

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This