Monday 1 April 2019

WinPwn- Automation For Internal Windows Penetration Testing

WinPwn- Automation For Internal Windows Penetration Testing

In many past internal penetration tests, often had problems with the existing Powershell Recon / Exploitation scripts due to missing proxy support. For this reason I wrote my own script with automatic proxy recognition and integration.

The script is mostly based on well-known large other offensive security Powershell projects. I only load them one after the other into RAM via IEX Downloadstring and partially automate the execution to save time.

Yes it is not a C# and it may be flagged by antivirus solutions. Windows Defender for example blocks some of the known scripts/functions.

Different local recon modules, domain recon modules, pivilege escalation and exploitation modules. Any suggestions, feedback and comments are welcome!

Just Import the Modules with "Import-Module .\WinPwn_v0.7.ps1" or with iex (new-object net.webclient).downloadstring('')

Functions available after Import:

  • WinPwn -> Guides the user through all functions/Modules with simple questions.
  • Inveigh -> Executes Inveigh in a new Console window (, SMB-Relay attacks with Session management afterwards
  • sessionGopher -> Executes Sessiongopher and Asking for parameters (
  • Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz (
  • localreconmodules -> Collects system Informations, Executes passhunt (, Executes Get-Computerdetails and Just another Windows Privilege escalation script + Winspect (,,
  • JAWS -> Just another Windows Privilege Escalation script gets executed
  • domainreconmodules -> Different Powerview situal awareness functions get executed and the output stored on disk. In Addition a Userlist for DomainpasswordSpray gets stored on disk. An AD-Report is generated in CSV Files (or XLS if excel is installed) with ADRecon. (,,
  • Privescmodules -> Executes different privesc scripts in memory (Sherlock, PowerUp, GPP-Files, WCMDump)
  • lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV) (
  • latmov -> Searches for Systems with Admin-Access in the domain for lateral movement. Mass-Mimikatz can be used after for the found systems. Domainpassword-Spray for new Credentials can also be used here.
  • empirelauncher -> Launch powershell empire oneliner on remote Systems (
  • shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder from Powerview (Powersploit)
  • groupsearch -> Get-DomainGPOUserLocalGroupMapping - find Systems where you have Admin-access or RDP access to via Group Policy Mapping (Powerview / Powersploit)
  • Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
  • isadmin -> Checks for local admin access on the local system
  • Sharphound -> Downloads Sharphound and collects Information for the Bloodhound DB
  • adidnswildcard -> Create a Active Directory-Integrated DNS Wildcard Record and run Inveigh for mass hash gathering. (
  • The "oBEJHzXyARrq.exe"-Executable is an obfuscated Version of jaredhaights PSAttack Tool for Applocker/PS-Restriction Bypass (


  • Get the scripts from my own creds repository ( to be independent from changes in the original repositories.
  • Proxy Options via PAC-File are not correctly found in the moment
  • Obfuscate all Scripts for AV-Evasion


WinPwn is only using for educational purpose only

Download WinPwn


Post a Comment

Note: only a member of this blog may post a comment.

Toggle Footer