WinPwn: Automation for internal Windows Penetration Testing


Automation for internal Windows Penetration Testing.

1) Automatic Proxy Detection
2) Elevated or unelevated Detection
3) Forensic Mode oder Pentest Mode
a. Forensik -> Loki + PSRECON + Todo: Threathunting functions
b. Pentest -> Internal Windows Domain System
i. Inveigh NBNS/SMB/HTTPS Spoofing
ii. Local Reconing -> Hostenum, SessionGopher, FileSearch, PSRecon
iii. Domain Reconing -> GetExploitableSystems, Powerview functions, ACL-Analysis, ADRecon
1) Todo: Grouper for Group Policy overview
iv. Privilege Escalation -> Powersploit (Allchecks), GPP-Passwords, MS-Exploit Search (Sherlock), WCMDump, JAWS
v. Lazagne Password recovery
vi. Exploitation -> Kerberoasting, Mimikittenz, Mimikatz with Admin-rights
vii. LateralMovement -> FindLocalAdminAccess
1) Invoke-MassMimikatz || Powershell Empire Remote Launcher Execution over WMI
2) DomainPasswordspray

viii. Share Enumeration
ix. FindGPOLocation –> Search for user/group rights
x. Find-Fruit

Just Import the Modules with “Import-Module .\WinPwn_v0.4.ps1” or with iex (new-object net.webclient).downloadstring(‘’)

Functions available after Import:

  1. isadmin -> Checks for local admin access

  2. Inveigh -> Executes Inveigh in a new Console window

  3. sessionGopher -> Executes Sessiongopher in memory

  4. Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz after with admin rights (PowerSploit)

  5. localreconmodules -> Executes different Get-Computerdetails and Just another Windows Privilege escalation script + Winspect (PowerSploitWINspectJAWS)

  6. JAWS -> Just another Windows Privilege Escalation script gets executed

  7. domainreconmodules -> Different Powerview situal awareness functions get executed and the output stored on disk. In Addition, a Userlist for DomainpasswordSpray gets stored on disk. An AD-Report is generated as CSV Files (or XLS if excel is installed) with ADRecon. (PowerSploitDomainPasswordSpray)

  8. Privescmodules -> Executes different privesc scripts in memory (Sherlock, PowerUp, GPP-Files, WCMDump)

  9. lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV)

  10. latmov -> Searches for Systems with Admin-Access in the domain for lateral movement. Mass-Mimikatz can be used after for the found systems. Domainpassword-Spray for new Credentials can also be done here.

  11. empirelauncher -> Launch powershell empire oneliner for remote Systems

  12. shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder from Powerview (Powersploit)

  13. groupsearch -> FindGPOLocation (Powerview / Powersploit)

  14. Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking

  15. WinPwn -> Guides the user through all functions/Modules with simple questions.

The “oBEJHzXyARrq.exe”-Executable is an obfuscated Version of jaredhaights PSAttack Tool for Applocker/PS-Restriction Bypass.


Legal disclaimer:

Usage of WinPwn for attacking targets without prior mutual consent is illegal. It’s the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

Author: @securethisshit