WinPwn: Automation for internal Windows Pentest / AD-Security
In many past internal penetration tests I often had problems with the existing PowerShell recon / exploitation scripts due to missing proxy support. I also often ran the same scripts one after another to gather information about the current system and/or the domain. To automate as many internal penetration test processes as possible (reconnaissance as well as exploitation), and to solve the proxy problem, I wrote my own script with automatic proxy recognition and integration. The script is mostly based on other well-known, large offensive-security PowerShell projects.
Any suggestions, feedback, pull requests and comments are welcome!
MS15-077 – (XP/Vista/Win7/Win8/2000/2003/2008/2012) x86 only!
MS16-032 – (2008/7/8/10/2012)!
MS16-135 – (WS2k16 only)!
CVE-2018-8120 – May 2018, Windows 7 SP1 / 2008 SP2 / 2008 R2 SP1!
CVE-2019-0841 – April 2019!
CVE-2019-1069 – Polarbear Hardlink, Credentials needed – June 2019!
CVE-2019-1129/1130 – Race condition, multiple cores needed – July 2019!
CVE-2019-1215 – September 2019 – x64 only!
CVE-2020-0638 – February 2020 – x64 only!
CVE-2020-0796 – SMBGhost
CVE-2020-0787 – March 2020 – all Windows versions
UAC Magic, based on James Forshaw's three-part post on UAC
UAC Bypass cmstp technique, by Oddvar Moe
DiskCleanup UAC Bypass, by James Forshaw
DccwBypassUAC technique, by Ernesto Fernandez and Thomas Vanhoutte
Pop System Shell using CreateProcess
Pop System Shell using NamedPipe Impersonation
Pop System Shell using Token Manipulation
Bind System Shell using UsoClient DLL load or CreateProcess
Shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder (Powerview / Powersploit)
Domainshares -> Snaffler or Passhunt search over all domain systems
Groupsearch -> Get-DomainGPOUserLocalGroupMapping – find systems where you have admin or RDP access via Group Policy mapping (Powerview / Powersploit)
Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
PowerSQL -> SQL Server discovery, check access with the current user, audit for default credentials + UNC path injection attacks
Sharphound -> Bloodhound 3.0 Report
Adidnsmenu -> Create Active Directory-Integrated DNS Nodes or remove them
MS17-10 -> Scan active Windows servers in the domain, or all systems, for the MS17-10 (Eternalblue) vulnerability
Sharpcradle -> Load C# files from a remote web server into RAM
DomainPassSpray -> DomainPasswordSpray attacks, one password tried against all domain users
Bluekeep -> Bluekeep Scanner for domain systems
Without parameters, most of the functions can only be used from an interactive shell. So I decided to add the parameters -noninteractive and -consoleoutput to make the script usable from an asynchronous C2 framework such as Empire, Covenant, Cobalt Strike or others. They can be used as follows:
-noninteractive -> No prompts for the functions, so that they run with predefined or user-defined parameters