
linWinPwn - A Bash Script That Automates A Number Of Active Directory Enumeration And Vulnerability Checks

April 18, 2022

linWinPwn is a bash script that automates a number of Active Directory enumeration and vulnerability checks. The script wraps, and depends on, a number of tools including: impacket, bloodhound, crackmapexec, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump.

Setup

Git clone the repository and make the script executable

git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh

Install Linux and Python packages

sudo apt update
sudo apt install python3 python3-dev python3-pip python3-venv nmap smbmap john libsasl2-dev libldap2-dev ntpdate -y
sudo pip install -r requirements.txt
wget -q "https://raw.githubusercontent.com/micahvandeusen/gMSADumper/main/gMSADumper.py" -O ./Scripts/gMSADumper.py
wget -q "https://raw.githubusercontent.com/zyn3rgy/LdapRelayScan/main/LdapRelayScan.py" -O ./Scripts/LdapRelayScan.py
wget -q "https://raw.githubusercontent.com/ropnop/windapsearch/master/windapsearch.py" -O ./Scripts/windapsearch.py
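The three wget commands above fetch the helper scripts straight from each project's main branch, so what ends up in ./Scripts is whatever that branch contains at download time. The following added example (not part of linWinPwn or of the helper projects) downloads each script and writes it into place only if its SHA-256 digest matches a value recorded from a copy you have reviewed; the URLs are the ones from the setup steps, while the digests in PINNED_SCRIPTS are placeholders to be replaced with your own.

```python
# Added example, not part of linWinPwn: install the helper scripts only when
# their SHA-256 digest matches a value recorded from a reviewed copy, instead
# of trusting whatever is on the main branch at download time.
import hashlib
import os
import urllib.error
import urllib.request

# Placeholder digests (assumption): replace each with the output of
# `sha256sum <file>` taken on a copy of the script you have reviewed.
PINNED_SCRIPTS = {
    "./Scripts/gMSADumper.py": (
        "https://raw.githubusercontent.com/micahvandeusen/gMSADumper/main/gMSADumper.py",
        "<SHA256_OF_REVIEWED_gMSADumper.py>"),
    "./Scripts/LdapRelayScan.py": (
        "https://raw.githubusercontent.com/zyn3rgy/LdapRelayScan/main/LdapRelayScan.py",
        "<SHA256_OF_REVIEWED_LdapRelayScan.py>"),
    "./Scripts/windapsearch.py": (
        "https://raw.githubusercontent.com/ropnop/windapsearch/master/windapsearch.py",
        "<SHA256_OF_REVIEWED_windapsearch.py>"),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """True when data hashes to expected_hex (case and whitespace tolerant)."""
    return sha256_hex(data) == expected_hex.strip().lower()


def fetch_pinned(url: str, dest: str, expected_hex: str, timeout: int = 30) -> bool:
    """Download url and write it to dest only if the body matches the pinned digest."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read()
    if not verify_sha256(body, expected_hex):
        return False               # leave any previously installed copy untouched
    os.makedirs(os.path.dirname(dest) or ".", exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(body)
    return True


def install_all(pins=PINNED_SCRIPTS):
    """Return {dest: True | False | 'error: ...'} for every pinned script."""
    results = {}
    for dest, (url, digest) in pins.items():
        try:
            results[dest] = fetch_pinned(url, dest, digest)
        except (urllib.error.URLError, OSError) as exc:
            results[dest] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for dest, outcome in install_all().items():
        print(f"{dest}: {'installed' if outcome is True else outcome}")
```

A mismatch returns False rather than raising, so a script whose upstream has changed is simply not installed and the run reports it; update the pinned digest only after reviewing the new revision.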

On non-Kali machines, uncomment the lines under #Non-Kali variables and run the following commands

sudo pip install impacket crackmapexec
mkdir -p wordlists
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz -O ./wordlists/rockyou.txt.tar.gz
gunzip ./wordlists/rockyou.txt.tar.gz
tar xf ./wordlists/rockyou.txt.tar -C ./wordlists/
chmod 644 ./wordlists/rockyou.txt
rm ./wordlists/rockyou.txt.tar
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/cirt-default-usernames.txt -O ./wordlists/cirt-default-usernames.txt

If you're having DNS issues, run the update_dns script. WARNING: the script overwrites /etc/resolv.conf, so back that file up before running it.

chmod +x update_dns.sh
sudo ./update_dns.sh <DC_IP>

Usage

Modules

The linWinPwn script contains 4 modules that can be used either separately or simultaneously.

Default (fastest): ad_enum,kerberos with OPSEC safe checks using -O

./linWinPwn.sh -O -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP> -o <output_dir>

User modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum

./linWinPwn.sh -M user -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP> -o <output_dir>

All modules: ad_enum,kerberos,scan_shares,vuln_checks,mssql_enum,pwd_dump

./linWinPwn.sh -M all -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP> -o <output_dir>

Module ad_enum: Active Directory Enumeration

./linWinPwn.sh -M ad_enum -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP_or_Target_Domain> -o <output_dir>

Module kerberos: Kerberos Based Attacks

./linWinPwn.sh -M kerberos -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP_or_Target_Domain> -o <output_dir>

Module scan_shares: Network Shares Scan

./linWinPwn.sh -M scan_shares -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]>  -t <Domain_Controller_IP_or_Target_Domain> -o <output_dir>

Module vuln_checks: Vulnerability Checks

./linWinPwn.sh -M vuln_checks -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]>  -t <Domain_Controller_IP_or_Target_Domain> -o <output_dir>

Module mssql_enum: MSSQL Enumeration

./linWinPwn.sh -M mssql_enum -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]>  -t <Domain_Controller_IP_or_Target_Domain> -o <output_dir>

Module pwd_dump: Password Dump

./linWinPwn.sh -M pwd_dump -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]>  -t <Domain_Controller_IP_or_Target_Domain> -S <domain_servers_list> -o <output_dir>

Demos

  • HackTheBox Forest


  • TryHackme AttacktiveDirectory


Use cases

For each of the cases described, the linWinPwn script performs different checks as shown below.

Case 1: Unauthenticated

  • Module ad_enum
    • rid bruteforce
    • user enumeration
    • ldapdomaindump anonymous enumeration
    • Check if ldap-signing is enforced, check for LDAP Relay
  • Module kerberos
    • kerbrute user spray
    • ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
  • Module scan_shares
    • SMB shares anonymous enumeration on identified servers
  • Module vuln_checks
    • Enumeration for WebDav and Spooler services on identified servers
    • Check for zerologon, petitpotam, nopac weaknesses
./linWinPwn.sh -M user -t <Domain_Controller_IP_or_Target_Domain>

Case 2: Standard Account (using password, NTLM hash or Kerberos ticket)

  • DNS extraction using adidnsdump
  • Module ad_enum
    • BloodHound data collection
    • ldapdomaindump enumeration
    • Delegation information extraction
    • GPP Passwords extraction
    • Extract ADCS information using certipy
    • Check if ldap-signing is enforced, check for LDAP Relay
    • Extraction of MachineAccountQuota of user, Password Policy and users' descriptions containing "pass"
    • LAPS and gMSA dump
  • Module kerberos
    • kerbrute user=pass enumeration
    • ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
    • Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
  • Module scan_shares
    • SMB shares enumeration on all domain servers
  • Module vuln_checks
    • Enumeration for WebDav and Spooler services on all domain servers
    • Check for zerologon, petitpotam, nopac weaknesses
  • Module mssql_enum
./linWinPwn.sh -M user -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP_or_Target_Domain>

Case 3: Administrator Account (using password, NTLM hash or Kerberos ticket)

  • All of the "Standard User" checks
  • Module pwd_dump
    • secretsdump on all domain servers or on provided list of servers with -S
    • lsassy on all domain servers or on provided list of servers with -S
./linWinPwn.sh -M all -d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -t <Domain_Controller_IP_or_Target_Domain> -S <domain_servers_list>
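The Case 2 checks above (ASREPRoasting, Kerberoasting, delegation information, and user descriptions containing "pass") all come down to attribute values on the user objects themselves, so a defender can find the same accounts from an LDAP export before an assessment does. The following added example is not part of linWinPwn: it audits a list of user records for those four conditions. The record layout (one dict per object carrying sAMAccountName, userAccountControl, servicePrincipalName and description) and the sample accounts are constructed for the example; the userAccountControl flag values are the documented ones.

```python
# Added example, not part of linWinPwn: audit an export of domain user objects
# for the conditions the ad_enum and kerberos modules look for, so they can be
# remediated first. Record layout is an assumption: one dict per object with
# the LDAP attribute names used below.
import re

# userAccountControl flag values, as documented by Microsoft.
UAC_ACCOUNTDISABLE = 0x0002
UAC_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
UAC_DONT_REQ_PREAUTH = 0x400000        # AS-REP roastable when set

PASS_IN_DESCRIPTION = re.compile(r"pass", re.IGNORECASE)

# Constructed sample records (no real domain data).
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "description": "Backup service, pass is in the vault"},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x410200,
     "servicePrincipalName": [], "description": ""},
    {"sAMAccountName": "olduser", "userAccountControl": 0x400202,
     "servicePrincipalName": [], "description": "left the company"},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x81000,
     "servicePrincipalName": ["HOST/ws01.corp.example"], "description": ""},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"], "description": "KDC"},
]


def audit_user(user):
    """Return the list of findings for one account, in a fixed order."""
    findings = []
    name = user["sAMAccountName"]
    # int() also accepts the decimal-string form some exporters produce.
    uac = int(user.get("userAccountControl") or 0)
    if uac & UAC_ACCOUNTDISABLE:
        return findings            # disabled accounts cannot be roasted; review separately
    is_computer = name.endswith("$")
    spns = user.get("servicePrincipalName") or []
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("asrep_roastable")
    # Computer accounts have long random passwords; krbtgt is disabled anyway.
    if spns and not is_computer and name.lower() != "krbtgt":
        findings.append("kerberoastable")
    if uac & UAC_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained_delegation")
    if PASS_IN_DESCRIPTION.search(user.get("description") or ""):
        findings.append("description_mentions_pass")
    return findings


def audit_users(users):
    """Map sAMAccountName -> findings, omitting accounts with none."""
    report = {}
    for user in users:
        found = audit_user(user)
        if found:
            report[user["sAMAccountName"]] = found
    return report


if __name__ == "__main__":
    for account, found in audit_users(SAMPLE_USERS).items():
        print(f"{account}: {', '.join(found)}")
```

Each finding maps to a direct fix: clear the "Do not require Kerberos preauthentication" flag, move SPN-bearing service accounts to group-managed service accounts or long random passwords, review unconstrained delegation on anything that is not a domain controller, and remove credentials from description fields.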

To Do

Improve kerberos authentication support

Credits

Legal Disclaimer

Usage of linWinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

Copyright © 2025 Linchakin | Powered by Blogger