linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script leverages and is dependent of a number of tools including: impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump.

Setup

Git clone the repository and make the script executable

git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh

Install requirements on Kali machines using the install.sh script

chmod +x install.sh
sudo ./install.sh

On non-Kali machines, run the install_nonkali.sh script instead

chmod +x install_nonkali.sh
sudo ./install_nonkali.sh

If you’re having DNS issues or time sync errors, run the configure.sh script with -d for DNS update and -n for NTP sync

WARNING: The script will update /etc/resolv.conf

chmod +x configure.sh
sudo ./configure.sh -t -d -n

Usage

Modules

The linWinPwn script contains 4 modules that can be used either separately or simultaneously.

Default (fastest): ad_enum,kerberos (Optional: run OPSEC safe checks only by using -O)

./linWinPwn.sh -d -u -p -t -o

User modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum

./linWinPwn.sh -M user -d -u -p -t -o

All modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum,pwd_dump

./linWinPwn.sh -M all -d -u -p -t -o

Module ad_enum: Active Directory Enumeration

./linWinPwn.sh -M ad_enum -d -u -p -t -o

Use cases

For each of the cases described, the linWinPwn script performs different checks as shown below.

Case 1: Unauthenticated

  • Module ad_enum
    • rid bruteforce
    • user enumeration
    • ldapdomaindump anonymous enumeration
    • Check if ldap-signing is enforced, check for LDAP Relay
  • Module kerberos
    • kerbrute user spray
    • ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
  • Module scan_shares
    • SMB shares anonymous enumeration on identified servers
  • Module vuln_checks
    • Enumeration for WebDav and Spooler services on identified servers
    • Check for zerologon, petitpotam, nopac weaknesses

./linWinPwn.sh -M user -t

Case 2: Standard Account (using password, NTLM hash or Kerberos ticket)

  • DNS extraction using adidnsdump
  • Module ad_enum
    • BloodHound data collection
    • ldapdomaindump enumeration
    • Delegation information extraction
    • GPP Passwords extraction
    • Extract ADCS information using certipy
    • Check if ldap-signing is enforced, check for LDAP Relay
    • Extraction of MachineAccountQuota of user, Password Policy and users’ descriptions containing “pass”
    • LAPS and gMSA dump
  • Module kerberos
    • kerbrute user=pass enumeration
    • ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
    • Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
  • Module scan_shares
    • SMB shares enumeration on all domain servers
  • Module vuln_checks
    • Enumeration for WebDav and Spooler services on all domain servers
    • Check for zerologon, petitpotam, nopac weaknesses
  • Module mssql_enum
    • Check mssql privilege escalation paths

./linWinPwn.sh -M user -d -u -p -t

Case 3: Administrator Account (using password, NTLM hash or Kerberos ticket)

  • All of the “Standard User” checks
  • Module pwd_dump
    • secretsdump on all domain servers or on provided list of servers with -S
    • lsassy on on all domain servers or on provided list of servers with -S

./linWinPwn.sh -M all -d -u -p -t -S

Share:

administrator

ahmedaljanahy Creative Designer @al.janahy Founder of @inkhost I hope to stay passionate in what I doing

Leave a Reply

Your email address will not be published. Required fields are marked *