linWinPwn – Automate Active Directory Enumeration and Exploitation

Admin
lilwinpwn

linWinPwn is a bash script that automates a number of Active Directory Enumeration and Exploitation steps. The script leverages and is dependent of a number of tools including: impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump.

Setup

Git clone the repository and run the setup script

git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x setup.sh; chmod +x linWinPwn.sh
sudo ./setup.sh

Usage

Modules

The linWinPwn script contains 4 modules that can be used either separately or simultaneously.

Default (fastest): ad_enum,kerberos with OPSEC safe checks using -O

./linWinPwn.sh -O -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP> -o <output_dir>

User modules: ad_enum,kerberos,scan_servers

./linWinPwn.sh -M user -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP> -o <output_dir>

All modules: ad_enum,kerberos,scan_servers,pwd_dump

./linWinPwn.sh -M all -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP> -o <output_dir>

Module ad_enum: Active Directory Enumeration

./linWinPwn.sh -M ad_enum -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP_or_Target_Domain> -o <output_dir>

Module kerberos: Kerberos Based Attacks

./linWinPwn.sh -M kerberos -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP_or_Target_Domain> -o <output_dir>

Module scan_servers: SMB Shares and RPC Enumeration

./linWinPwn.sh -M scan_servers -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]>  -t <Domain_Controller_IP_or_Target_Domain> -o <output_dir>

Module pwd_dump: Password Dump

./linWinPwn.sh -M pwd_dump -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]>  -t <Domain_Controller_IP_or_Target_Domain> -S <domain_servers_list> -o <output_dir>

Demos

  • HackTheBox Forest
asciicast
  • TryHackme AttacktiveDirectory
asciicast

Use cases

For each of the cases described, the linWinPwn script performs different checks as shown below.

Case 1: Unauthenticated

  • Module ad_enum
    • rid bruteforce
    • user enumeration
    • ldapdomaindump anonymous enumeration
    • Enumeration for WebDav and Spooler services on DC
    • Check for zerologon, petitpotam, nopac weaknesses
    • Check if ldap-signing is enforced, check for LDAP Relay
  • Module kerberos
    • kerbrute user spray
    • ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
  • Module scan_servers
    • SMB shares anonymous enumeration on identified servers
    • Enumeration for WebDav and Spooler services on identified servers
./linWinPwn.sh -M user -t <Domain_Controller_IP_or_Target_Domain>

Case 2: Standard Account (using password, NTLM hash or Kerberos ticket)

  • DNS extraction using adidnsdump
  • Module ad_enum
    • BloodHound data collection
    • ldapdomaindump enumeration
    • Delegation information extraction
    • GPP Passwords extraction
    • Enumeration for WebDav and Spooler services on DCs
    • Check for zerologon, petitpotam, nopac weaknesses
    • Extract ADCS information using certipy
    • Check if ldap-signing is enforced, check for LDAP Relay
    • Check mssql privilege escalation paths
    • Extraction of MachineAccountQuota of user, Password Policy and users’ descriptions containing “pass”
    • LAPS and gMSA dump
  • Module kerberos
    • kerbrute user=pass enumeration
    • ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
    • Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
  • Module scan_servers
    • SMB shares enumeration on all domain servers
    • Enumeration for WebDav and Spooler services on all domain servers
./linWinPwn.sh -M user -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP_or_Target_Domain>

Case 3: Administrator Account (using password, NTLM hash or Kerberos ticket)

  • All of the “Standard User” checks
  • Module pwd_dump
    • secretsdump on all domain servers or on provided list of servers with -S
    • lsassy on on all domain servers or on provided list of servers with -S
./linWinPwn.sh -M all -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ti

Download: https://github.com/lefayjey/linWinPwn

Please follow and like us:
error
fb-share-icon
Tweet
fb-share-icon

Leave a Reply

Your email address will not be published. Required fields are marked *