linWinPwn is a bash script that automates a number of Active Directory enumeration and vulnerability checks. The script depends on a number of tools, including impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute and adidnsdump.
Setup
Git clone the repository and make the script executable
cd linWinPwn; chmod +x linWinPwn.sh
Install Linux and Python packages
sudo apt install python3 python3-dev python3-pip python3-venv nmap smbmap john libsasl2-dev libldap2-dev ntpdate -y
sudo pip install -r requirements.txt
wget -q "https://raw.githubusercontent.com/micahvandeusen/gMSADumper/main/gMSADumper.py" -O ./Scripts/gMSADumper.py
wget -q "https://raw.githubusercontent.com/zyn3rgy/LdapRelayScan/main/LdapRelayScan.py" -O ./Scripts/LdapRelayScan.py
wget -q "https://raw.githubusercontent.com/ropnop/windapsearch/master/windapsearch.py" -O ./Scripts/windapsearch.py
On non-Kali machines, uncomment the lines under #Non-Kali variables and run the following commands
mkdir -p wordlists && wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz -O ./wordlists/rockyou.txt.tar.gz && gunzip ./wordlists/rockyou.txt.tar.gz && tar xf ./wordlists/rockyou.txt.tar -C ./wordlists/ && chmod 644 ./wordlists/rockyou.txt && rm ./wordlists/rockyou.txt.tar && wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/cirt-default-usernames.txt -O ./wordlists/cirt-default-usernames.txt
If you're having DNS issues, run the update_dns script.
WARNING: The script will update /etc/resolv.conf, so make sure to back it up before running the script.
sudo ./update_dns.sh <DC_IP>
Usage
Modules
The linWinPwn script contains 4 modules that can be used either separately or simultaneously.
Default (fastest): ad_enum,kerberos with OPSEC safe checks using -O
User modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum
All modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum,pwd_dump
Module ad_enum: Active Directory Enumeration
Module kerberos: Kerberos Based Attacks
Module scan_shares: Network Shares Scan
Module vuln_checks: Vulnerability Checks
Module mssql_enum: MSSQL Enumeration
Module pwd_dump: Password Dump
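For defenders, the checks the kerberos module runs (kerbrute user enumeration, ASREPRoasting and Kerberoasting, per the use cases on this page) show up in domain controller Security events 4768 and 4769. The following is an added example, not part of linWinPwn: the events are constructed samples, and the `ev` and `detect` helpers, the thresholds and the field subset are assumptions for illustration.

```python
from collections import defaultdict

def ev(event_id, ip, status, **fields):
    """Build one constructed event using Windows Security log field names."""
    return {"EventID": event_id, "IpAddress": ip, "Status": status, **fields}

# Constructed sample data (not real logs). 4768 = TGT request, 4769 = service ticket.
SAMPLE_EVENTS = [
    ev(4768, "10.0.0.50", "0x6", TargetUserName="admin", PreAuthType="-"),
    ev(4768, "10.0.0.50", "0x6", TargetUserName="backup", PreAuthType="-"),
    ev(4768, "10.0.0.50", "0x6", TargetUserName="test", PreAuthType="-"),
    ev(4768, "10.0.0.7", "0x0", TargetUserName="alice", PreAuthType="2"),
    ev(4768, "10.0.0.50", "0x0", TargetUserName="svc_legacy", PreAuthType="0"),
    ev(4769, "10.0.0.50", "0x0", ServiceName="svc_sql", TicketEncryptionType="0x17"),
    ev(4769, "10.0.0.50", "0x0", ServiceName="svc_web", TicketEncryptionType="0x17"),
    ev(4769, "10.0.0.50", "0x0", ServiceName="svc_backup", TicketEncryptionType="0x17"),
    ev(4769, "10.0.0.7", "0x0", ServiceName="FILESRV$", TicketEncryptionType="0x12"),
]

def detect(events, enum_threshold=3, roast_threshold=3):
    """Return (finding, source_ip, detail) tuples. Thresholds are assumed values."""
    unknown_users = defaultdict(set)   # source -> usernames the KDC did not know
    rc4_services = defaultdict(set)    # source -> user services requested with RC4
    findings = []
    for e in events:
        src = e["IpAddress"]
        if e["EventID"] == 4768:
            if e["Status"] == "0x6":   # KDC_ERR_C_PRINCIPAL_UNKNOWN
                unknown_users[src].add(e["TargetUserName"].lower())
            elif e["Status"] == "0x0" and e["PreAuthType"] == "0":
                # TGT issued without pre-authentication: AS-REP roastable account
                findings.append(("asrep_roast_candidate", src, e["TargetUserName"]))
        elif e["EventID"] == 4769 and e["Status"] == "0x0":
            svc = e["ServiceName"]
            # 0x17 = RC4-HMAC; skip machine accounts and krbtgt
            if (e["TicketEncryptionType"] == "0x17"
                    and not svc.endswith("$") and svc.lower() != "krbtgt"):
                rc4_services[src].add(svc)
    for src, names in unknown_users.items():
        if len(names) >= enum_threshold:
            findings.append(("user_enumeration", src, len(names)))
    for src, svcs in rc4_services.items():
        if len(svcs) >= roast_threshold:
            findings.append(("kerberoast_candidate", src, len(svcs)))
    return findings
```

Accounts flagged as `asrep_roast_candidate` should have Kerberos pre-authentication re-enabled, and services that still receive RC4 tickets are candidates for AES-only encryption types and long random passwords.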
Demos
HackTheBox Forest
TryHackme AttacktiveDirectory
Use cases
For each of the cases described, the linWinPwn script performs different checks as shown below.
Case 1: Unauthenticated
Module ad_enum
  rid bruteforce user enumeration
  ldapdomaindump anonymous enumeration
  Check if ldap-signing is enforced, check for LDAP Relay
Module kerberos
  kerbrute user spray
  ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
Module scan_shares
  SMB shares anonymous enumeration on identified servers
Module vuln_checks
  Enumeration for WebDav and Spooler services on identified servers
  Check for zerologon, petitpotam, nopac weaknesses
Case 2: Standard Account (using password, NTLM hash or Kerberos ticket)
DNS extraction using adidnsdump
Module ad_enum
  BloodHound data collection
  ldapdomaindump enumeration
  Delegation information extraction
  GPP Passwords extraction
  Extract ADCS information using certipy
  Check if ldap-signing is enforced, check for LDAP Relay
  Extraction of MachineAccountQuota of user, Password Policy and users' descriptions containing "pass"
  LAPS and gMSA dump
Module kerberos
  kerbrute user=pass enumeration
  ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
  Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
Module scan_shares
  SMB shares enumeration on all domain servers
Module vuln_checks
  Enumeration for WebDav and Spooler services on all domain servers
  Check for zerologon, petitpotam, nopac weaknesses
Module mssql_enum
  Check mssql privilege escalation paths
Case 3: Administrator Account (using password, NTLM hash or Kerberos ticket)
All of the "Standard User" checks
Module pwd_dump
  secretsdump on all domain servers or on a provided list of servers with -S
  lsassy on all domain servers or on a provided list of servers with -S
To Do
Improve kerberos authentication support
Credits
S3cur3Th1sSh1t - WinPwn
SecureAuth - impacket
byt3bl33d3r, mpgn, Porchetta Industries - crackmapexec
Fox-IT - bloodhound-python
dirkjanm - ldapdomaindump, adidnsdump
Hackndo - lsassy
TarlogicSecurity - kerbrute
zer1t0 - certi.py
ly4k - Certipy
micahvandeusen - gMSADumper
n00py - LAPSDumper
zyn3rgy - LdapRelayScan
ShawnDEvans - smbmap
ropnop - windapsearch
Legal Disclaimer
Usage of linWinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.