lefayjey/linWinPwn
GitHub: lefayjey/linWinPwn
linWinPwn is a Bash script framework that integrates dozens of Active Directory penetration-testing tools, automating the whole workflow from enumeration and vulnerability checks to credential acquisition.
Stars: 2157 | Forks: 301
# linWinPwn - Swiss-Army knife for Active Directory Pentesting using Linux
## Description
linWinPwn is a bash script that wraps a number of Active Directory tools for enumeration (LDAP, RPC, ADCS, MSSQL, Kerberos, SCCM), vulnerability checks (noPac, ZeroLogon, MS17-010, MS14-068), object modifications (password change, add user to group, RBCD, Shadow Credentials) and password dumping (secretsdump, lsassy, nanodump, DonPAPI). The script streamlines the use of a large number of tools: impacket, bloodhound, netexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, certipy, silenthound, bloodyAD, DonPAPI and many others.
## Installation instructions
Clone the repository with Git and install the dependencies using the `install.sh` script
```
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn
chmod +x install.sh
./install.sh
```
Alternatively, use the pre-built Docker image from Docker Hub
```
docker pull lefayjey/linwinpwn:latest
# add linWinPwn_docker to PATH
echo -e "docker run --rm --init -it --net=host -v \$(pwd):/opt/lwp-output lefayjey/linwinpwn:latest \$@" | sudo tee "/usr/local/sbin/linWinPwn_docker"
sudo chmod 755 /usr/local/sbin/linWinPwn_docker
# run linWinPwn_docker (output goes to the host's current directory)
linWinPwn_docker -t
linWinPwn_docker -t -d -u -p --auto
```
Or build it from source
```
docker build -t linwinpwn .
docker run --rm --init -it --net=host -v $(pwd):/opt/lwp-output linwinpwn -t
```
## Usage
### Modes
The linWinPwn script can be executed in interactive mode (default) or automatic mode (enumeration only).
**1. Interactive Mode (default)** - Opens an interactive menu to run checks individually
```
linWinPwn -t [-d -u -p -H -K -A -C -o ]
```
**2. Automatic Mode** - Using the `--auto` argument, runs the enumeration tools only (no exploitation, modification or password dumping)
In automatic mode, different checks are performed depending on the authentication method.
- Unauthenticated (no credentials provided)
  - Anonymous enumeration using netexec, enum4linux-ng, ldapdomaindump, ldeep
  - RID brute force using netexec
  - kerbrute user spray
  - Pre2k authentication check on the collected list of computers
  - ASREPRoast using the collected list of users (and hash cracking using john-the-ripper and the rockyou wordlist)
  - Blind Kerberoast
  - CVE-2022-33679 exploit
  - Check for DNS unsecure updates for AS-REQ abuse using krbjack
  - SMB shares anonymous enumeration on identified servers
  - Enumeration of WebDav, dfscoerce, shadowcoerce and Spooler services on identified servers
  - Check for ms17-010, zerologon, petitpotam, nopac, smb-signing, ntlmv1, runasppl vulnerabilities
```
linWinPwn -t --auto [-o ]
```
- Authenticated (using password, NTLM hash, Kerberos ticket, AES key or pfx certificate)
  - DNS extraction using netexec
  - BloodHound data collection
  - Enumeration using netexec, enum4linux-ng, ldapdomaindump, bloodyAD, sccmhunter, rdwatool, GPOParser
  - Generation of a wordlist for password cracking
  - netexec search for accounts with username=password
  - Pre2k authentication check on domain computers
  - Extraction of ADCS information using certipy and certi.py
  - kerbrute search for accounts with username=password
  - ASREPRoasting (and hash cracking using john-the-ripper and the rockyou wordlist)
  - Kerberoasting (and hash cracking using john-the-ripper and the rockyou wordlist)
  - Targeted Kerberoasting (and hash cracking using john-the-ripper and the rockyou wordlist)
  - SMB shares enumeration on all domain servers using smbmap, FindUncommonShares and cme's spider_plus
  - Enumeration of WebDav, dfscoerce, shadowcoerce and Spooler services on all domain servers (using cme, Coercer and RPC Dump)
  - Check for ms17-010, ms14-068, zerologon, petitpotam, nopac, smb-signing, ntlmv1, runasppl, certifried, ldapnightmare, badsuccessor vulnerabilities
  - Check for mssql privilege escalation paths
  - Check for mssql relay possibilities
```
linWinPwn -t -d -u [-p -H -K -A -C ] [-o ] --auto
```
### Parameters
**Auto config** - Run NTP sync with the target DC and add entries to /etc/hosts before running the modules
```
linWinPwn -t --auto-config
```
**LDAPS** - Use LDAPS instead of LDAP (port 636)
```
linWinPwn -t --ldaps
```
**Force Kerberos authentication** - Force the use of Kerberos authentication instead of NTLM (when possible)
```
linWinPwn -t --force-kerb
```
**Verbose mode** - Enable all verbose and debug output
```
linWinPwn -t --verbose
```
**Interface** - Choose the attacker's network interface
```
linWinPwn -t -I tun0
linWinPwn -t --interface eth0
```
**Targets** - Choose the targets to scan (DC, All, IP=IP_or_hostname, File=./path_to_file)
```
linWinPwn -t --targets All
linWinPwn -t --targets DC
linWinPwn -t -T IP=192.168.0.1
linWinPwn -t -T File=./list_servers.txt
```
**Custom wordlists** - Choose custom user and password wordlists
```
linWinPwn -t -U /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
linWinPwn -t -P /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt
```
### Tunneling
linWinPwn is particularly useful when you only have limited-time access to an Active Directory environment and want to be more efficient in the enumeration process and in evidence collection.
In addition, linWinPwn can serve as an alternative to running enumeration tools on Windows, with the aim of reducing the traces left behind (e.g. PowerShell commands, Windows events, files created on disk) and of bypassing certain antivirus or EDR products. This can be achieved by creating an SSH tunnel with remote dynamic port forwarding from a Windows host (e.g. a VDI machine, workstation or laptop) to a remote Linux machine (e.g. a pentest laptop or VPS), and then running linWinPwn through proxychains.
On the Windows host, run using PowerShell:
```
ssh.exe kali@ -R 1080 -NCqf
```
On the Linux machine, first update `/etc/proxychains4.conf` to include `socks5 127.0.0.1 1080`, then run:
```
linWinPwn_proxychains -t -d -u [-p -H -K -A -C ] [-o ] [--auto]
```
### Optional MCP server (Web UI / API)
This project includes `lwp_mcp_server.py`, a Python-based server that provides an interactive Web UI (via any MCP-compatible client) and an API to browse and execute linWinPwn commands.
#### Installation
The server requires Python3 and the official MCP SDK.
```
# install the required Python libraries
cd /opt/lwp-scripts
python3 -m venv mcp-env
source ./mcp-env/bin/activate
pip3 install mcp.server
```
#### Running the server
You must make sure that linWinPwn.sh is available. By default, the server looks for it in the same directory.
```
# Run the server
/opt/lwp-scripts/mcp-env/bin/python3 lwp_mcp_server.py
```
The server can be configured through environment variables:
- LWP_PATH: path to the linWinPwn.sh script (default: ./linWinPwn.sh).
- LWP_OUTPUT: path where all command logs are stored (default: ./lwp_output).
- MCP_HOST: host address the server binds to (default: 127.0.0.1).
- MCP_PORT: port the server listens on (default: 8000).
Example using custom paths:
```
export LWP_PATH="/opt/linWinPwn/linWinPwn.sh"
export LWP_OUTPUT="/tmp"
export MCP_HOST="0.0.0.0"
export MCP_PORT="8000"
/opt/lwp-scripts/mcp-env/bin/python3 lwp_mcp_server.py
```
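As an added illustration (not code from the linWinPwn project), the resolver below applies the same variable names and defaults and adds the checks an operator would want before starting a server that executes linWinPwn commands: a valid port, an existing script path, and a warning whenever MCP_HOST is anything other than loopback, since the example above deliberately binds to 0.0.0.0. The names `resolve_settings` and `McpSettings` are assumptions.

```python
"""Resolve and sanity-check lwp_mcp_server.py-style settings from the environment.

Added illustration, not code from the linWinPwn project: it reuses only the
documented variable names and defaults; function and field names are assumptions.
"""
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Callable, List, Mapping, Optional

# Defaults as documented for lwp_mcp_server.py
DEFAULTS = {
    "LWP_PATH": "./linWinPwn.sh",
    "LWP_OUTPUT": "./lwp_output",
    "MCP_HOST": "127.0.0.1",
    "MCP_PORT": "8000",
}


@dataclass
class McpSettings:
    lwp_path: str
    lwp_output: str
    host: str
    port: int
    warnings: List[str] = field(default_factory=list)


def resolve_settings(env: Optional[Mapping[str, str]] = None,
                     script_exists: Callable[[str], bool] = os.path.isfile) -> McpSettings:
    """Merge environment overrides with the defaults and validate them.

    `script_exists` is injectable so the path check can be exercised without a
    real linWinPwn.sh on disk. Malformed values raise ValueError; legal but
    risky values are reported in `warnings`.
    """
    env = os.environ if env is None else env
    raw = {key: env.get(key, default) for key, default in DEFAULTS.items()}
    warnings: List[str] = []

    # MCP_PORT must be a TCP port number.
    try:
        port = int(raw["MCP_PORT"])
    except ValueError:
        raise ValueError(f"MCP_PORT is not an integer: {raw['MCP_PORT']!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"MCP_PORT out of range: {port}")

    # MCP_HOST must be an IP literal. Anything other than loopback (the documented
    # default) exposes the command-execution endpoint to every host that can reach
    # that interface, so it is flagged rather than silently accepted.
    try:
        host_ip = ipaddress.ip_address(raw["MCP_HOST"])
    except ValueError:
        raise ValueError(f"MCP_HOST is not an IP address: {raw['MCP_HOST']!r}")
    if not host_ip.is_loopback:
        warnings.append(f"MCP_HOST={raw['MCP_HOST']} listens beyond loopback; any MCP "
                        "client that reaches this port can run linWinPwn commands.")

    # The server looks for linWinPwn.sh at LWP_PATH; report an absent script early.
    if not script_exists(raw["LWP_PATH"]):
        warnings.append(f"LWP_PATH={raw['LWP_PATH']} does not exist; nothing to execute.")

    return McpSettings(raw["LWP_PATH"], raw["LWP_OUTPUT"], raw["MCP_HOST"], port, warnings)


if __name__ == "__main__":
    settings = resolve_settings()
    for warning in settings.warnings:
        print("WARNING:", warning)
    print(settings)
```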
#### Usage
Once the server is running, you can connect to it with any MCP client, such as the official web interface, by pointing it at the server address (e.g. http://127.0.0.1:8000/mcp).
The interface allows you to:
- List and search all available run_command entries.
- View the default script variables.
- Execute commands remotely, providing custom environment variables.
- View command output, logs and artifacts in real time.
#### Client configuration examples
Below are configuration examples for integrating the linwinpwn-http MCP server into clients that use the shared MCP server configuration format (e.g. the settings used by Gemini/Google AI clients or by some dedicated desktop tools).
The snippet should be added directly to the client's settings file (e.g. `.gemini/settings.json` or `.vscode/mcp.json`).
The configuration instructs the client to connect to your running server via Streamable HTTP.
Configuration snippet for `.gemini/settings.json`:
```
{
  "mcpServers": {
    "linwinpwn": {
      "httpUrl": "http://127.0.0.1:8000/mcp",
      "timeout": 600000,
      "trust": false
    }
  }
}
```
Configuration snippet for `.vscode/mcp.json`:
```
{
  "servers": {
    "linwinpwn": {
      "type": "http",
      "url": "http://127.0.0.1:8000/mcp"
    }
  }
}
```
### Currently supported authentication methods
| Tool | Null session | Password | NTLM hash | Kerberos ticket | AES key | Certificate |
|-------------------------|--------------|----------|-----------|-----------------|---------|-------------|
| `netexec` | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| `Impacket` | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `bloodhound-python` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `ldapdomaindump` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `enum4linux-ng` | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| `bloodyAD` | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ |
| `SilentHound` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `ldeep` | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
| `windapsearch` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `LDAPWordlistHarvester` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `LDAPConsole` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `pyLDAPmonitor` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `sccmhunter` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `ldapper` | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `Adalanche` | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| `GPOwned` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `ACED` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `breads` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `godap` | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| `adcheck` | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `certi.py` | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| `Certipy` | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| `certsync` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `pre2k` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `orpheus` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `smbmap` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `FindUncommonShares` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `smbclient-ng` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `manspider` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `coercer` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `privexchange` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `RunFinger.py` | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `mssqlrelay` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `targetedKerberoast` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `pygpoabuse` | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| `DonPAPI` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `hekatomb` | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `ExtractBitlockerKeys` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `evilwinrm` | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| `mssqlpwner` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `SoaPy` | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `SCCMSecrets` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `Soaphound` | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `gpoParser` | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `spearspray` | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| `GroupPolicyBackdoor` | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| `NetworkHound` | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ |
| `ShareHound` | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `DACLSearch` | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `ScriptScout` | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| `relayking` | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| `ADWS Domain Dump` | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| `PyADRecon` | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ |
| `PyADRecon-ADWS` | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ |
| `ADPulse` | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
#### LDAP Channel Binding support
ldap3: netexec, ldapdomaindump (NTLM), Certipy, pre2k, bloodhound, ldeep, GroupPolicyBackdoor, relayking
msldap: bloodyAD
#### LDAP custom port support
netexec, ldapdomaindump, ldeep, windapsearch, godap, pre2k, ldapnomnom
### Interactive mode menus
Main menu
```
1) Run DNS Enumeration using netexec
2) Active Directory Enumeration Menu
3) ADCS Enumeration Menu
4) SCCM Enumeration Menu
5) GPO Enumeration Menu
6) Brute Force Attacks Menu
7) Kerberos Attacks Menu
8) SMB shares Enumeration Menu
9) Vulnerability Checks Menu
10) MSSQL Enumeration Menu
11) Password Dump Menu
12) AD Objects or Attributes Modification Menu
13) Command Execution Menu
14) Network Scan Menu
A) Authentication Menu
C) Configuration Menu
exit) Exit
```
AD enumeration menu
```
1) BloodHound Enumeration using all collection methods (Noisy!)
2) BloodHound Enumeration using DCOnly
1ce) BloodHoundCE Enumeration using all collection methods (Noisy!)
2ce) BloodHoundCE Enumeration using DCOnly
3) ldapdomaindump LDAP Enumeration
4) enum4linux-ng LDAP-MS-RPC Enumeration
5) MS-RPC Users Enumeration using netexec
6) Password policy Enumeration using netexec
7) LDAP Users Enumeration using netexec
8) LDAP Enumeration using netexec (passnotreq, userdesc, maq, subnets, passpol)
9) Delegation Enumeration using findDelegation and netexec
10) bloodyAD All Enumeration
11) bloodyAD write rights Enumeration
12) bloodyAD write rights Enumeration (details)
13) bloodyAD query DNS server
14) bloodyAD enumerate object
15) SilentHound LDAP Enumeration
16) ldeep LDAP Enumeration
17) windapsearch LDAP Enumeration
18) LDAP Wordlist Harvester
19) LDAP Enumeration using LDAPPER
20) Adalanche Enumeration
21) Enumeration of RDWA servers
22) Open p0dalirius' LDAP Console
23) Open p0dalirius' LDAP Monitor
24) Open garrettfoster13's ACED console
25) Open LDAPPER custom options
26) Run godap console
27) Run ADCheck enumerations
28) Run soapy enumerations
29) Soaphound Enumeration using all collection methods (Noisy!)
30) Soaphound Enumeration using ADWSOnly
31) Run DACLSearch dump and cli
32) ADWS Domain Dump Enumeration
33) PyADRecon LDAP Enumeration
34) PyADRecon ADWS Enumeration
35) Run ADPulse Checks
```
ADCS menu
```
1) ADCS Enumeration using netexec
2) certi.py ADCS Enumeration
3) Certipy ADCS Enumeration
4) Certifried check
5) Certipy LDAP shell via Schannel (using Certificate Authentication)
6) Certipy extract CA and forge Golden Certificate (requires admin rights on PKI server)
7) Dump LSASS using masky
8) Dump NTDS using certsync
```
SCCM menu
```
1) SCCM Enumeration using netexec
2) SCCM Enumeration using sccmhunter
3) SCCM NAA credentials dump using sccmhunter
4) SCCM Policies/NAA credentials dump using SCCMSecrets
```
GPO menu
```
1) GPP Enumeration using netexec
2) GPO Enumeration using GPOwned
3) GPOParser Enumeration
4) GroupPolicyBackdoor Enumeration
```
Brute force menu
```
1) RID Brute Force (Null session) using netexec
2) User Enumeration using kerbrute (Null session)
3) User=Pass check using kerbrute (Noisy!)
4) User=Pass check using netexec (Noisy!)
5) Identify Pre-Created Computer Accounts using netexec (Noisy!)
6) Pre2k computers authentication check (Noisy!)
7) User Enumeration using ldapnomnom (Null session)
8) Password spraying using kerbrute (Noisy!)
9) Password spraying using netexec - ldap (Noisy!)
10) Timeroast attack against NTP
11) MSSQL RID Brute Force (Null session) using netexec
12) Open SpearSpray console
```
Kerberos attacks menu
```
1) AS REP Roasting Attack using GetNPUsers
2) Kerberoast Attack using GetUserSPNs
3) Cracking AS REP Roast hashes using john the ripper
4) Cracking Kerberoast hashes using john the ripper
5) NoPac check using netexec (only on DC)
6) MS14-068 check (only on DC)
7) CVE-2022-33679 exploit / AS-REP with RC4 session key (Null session)
8) AP-REQ hijack with DNS unsecure updates abuse using krbjack
9) Run custom Kerberoast attack using Orpheus
10) Request TGS for current user (requires: authenticated)
11) Generate Golden Ticket (requires: hash of krbtgt or DCSync rights)
12) Generate Silver Ticket (requires: hash of SPN service account or DCSync rights)
13) Request ticket for another user using S4U2self (OPSEC alternative to Silver Ticket) (requires: authenticated session of SPN service account, for example 'svc')
14) Generate Diamond Ticket (requires: hash of krbtgt or DCSync rights)
15) Generate Sapphire Ticket (requires: hash of krbtgt or DCSync rights)
16) Privilege escalation from Child Domain to Parent Domain using raiseChild (requires: DA rights on child domain)
17) Request impersonated ticket using Constrained Delegation rights (requires: authenticated session of account allowed for delegation, for example 'gmsa')
18) Request impersonated ticket using Resource-Based Constrained Delegation rights (requires: authenticated session of SPN account allowed for RBCD)
19) Request TGS impersonated ticket using dMSA to exploit BadSuccessor (requires: authenticated session of account with BadSuccessor privileges)
```
SMB shares menu
```
1) SMB shares Scan using smbmap
2) SMB shares Enumeration using netexec
3) SMB shares Spidering using netexec
4) SMB shares Scan using FindUncommonShares
5) List all servers and run SMB shares Scan using FindUncommonShares
6) SMB shares Scan using manspider
7) SMB shares Scan using ShareHound
8) SMB shares Scan using ShareHound (on all subnets)"
9) Open smbclient.py console on target
10) Open p0dalirius's smbclientng console on target
11) Search for LogonScript misconfigurations using ScriptScout
12) Mount SMB share (requires sudo)
```
Vulnerability checks menu
```
1) zerologon check using netexec (only on DC)
2) MS17-010 check using netexec
3) Print Spooler and Printnightmare checks using netexec
4) WebDAV check using netexec
5) coerce check using netexec
6) Run coerce attack using netexec
7) SMB signing check using netexec
8) ntlmv1, smbghost and remove-mic checks using netexec
9) RPC Dump and check for interesting protocols
10) Coercer RPC scan
11) PushSubscription abuse using PrivExchange
12) RunFinger scan
13) Run LDAPNightmare check
14) Run sessions enumeration using netexec (reg-sessions)
15) Check for unusual sessions
16) Check for BadSuccessor vuln using netexec and impacket
17) RelayKing coerce scan
```
MSSQL enumeration menu
```
1) MSSQL Enumeration using netexec
2) MSSQL Relay check
3) Open mssqlclient.py console on target
4) Open mssqlpwner in interactive mode
5) Enumeration Domain objects using RID bruteforce
```
Password dump menu
```
1) LAPS Dump using netexec
2) gMSA Dump using netexec
3) DCSync using secretsdump (only on DC)
4) Dump SAM and LSA using secretsdump
5) Dump SAM and SYSTEM using reg
6) Dump NTDS using netexec
7) Dump SAM and LSA secrets using netexec
8) Dump LSA secrets using netexec
9) Dump SAM and LSA secrets using netexec without touching disk (regdump)
10) Dump LSASS using lsassy
11) Dump LSASS using handlekatz
12) Dump LSASS using procdump
13) Dump LSASS using nanodump
14) Dump dpapi secrets using netexec
15) Dump secrets using DonPAPI
16) Dump secrets using DonPAPI (Disable Remote Ops operations)
17) Dump secrets using hekatomb (only on DC)
18) Search for juicy information using netexec
19) Dump Veeam credentials (only from Veeam server)
20) Dump Msol password (only from Azure AD-Connect server)
21) Extract Bitlocker Keys
22) Dump SAM and LSA secrets using winrm with netexec
```
Modification menu
```
1) Change user or computer password (Requires: ForceChangePassword)
2) Add user to group (Requires: AddMember on group)
3) Remove user from group (Requires: AddMember on group)
4) Add new computer (Requires: MAQ > 0)
4ou) Add new computer to a custom OU location (Requires: MAQ > 0 and GenericWrite on OU)
5) Add new DNS entry (Requires: Modification of DNS)
6) Remove DNS entry (Requires: Modification of DNS)
7) Enable account (Requires: GenericWrite)
8) Disable account (Requires: GenericWrite)
9) Change Owner of target (Requires: WriteOwner permission)
10) Add GenericAll rights on target (Requires: Owner of object)
11) Delete user or computer (Requires: GenericWrite)
12) Restore deleted user or computer (Requires: GenericWrite on OU of deleted object)
13) Targeted Kerberoast Attack (Noisy!) (Requires: WriteSPN)
14) Perform RBCD attack (Requires: AllowedToAct on computer)
15) Perform RBCD attack on SPN-less user (Requires: AllowedToAct on computer & MAQ=0)
16) Perform ShadowCredentials attack (Requires: AddKeyCredentialLink)
17) Remove added ShadowCredentials (Requires: AddKeyCredentialLink)
18) Abuse GPO to execute command (Requires: GenericWrite on GPO)
19) Add Unconstrained Delegation rights - uac: TRUSTED_FOR_DELEGATION (Requires: SeEnableDelegationPrivilege rights)
20) Add CIFS and HTTP SPNs entries to computer with Unconstrained Deleg rights - ServicePrincipalName & msDS-AdditionalDnsHostName (Requires: Owner of computer)
21) Add userPrincipalName to perform Kerberos impersonation of another user (Targeting Linux machines) (Requires: GenericWrite on user)
22) Modify userPrincipalName to perform Certificate impersonation (ESC10) (Requires: GenericWrite on user)
23) Add Constrained Delegation rights - uac: TRUSTED_TO_AUTH_FOR_DELEGATION (Requires: SeEnableDelegationPrivilege rights)
24) Add HOST and LDAP SPN entries of DC to computer with Constrained Deleg rights - msDS-AllowedToDelegateTo (Requires: Owner of computer)
25) Add dMSA to exploit BadSuccessor on Server 2025 (Requires: GenericWrite on OU)
26) Remove dMSA to clean after exploiting BadSuccessor (Requires: GenericWrite on OU)
```
Command execution menu
```
1) Open CMD console using smbexec on target
2) Open CMD console using wmiexec on target
3) Open CMD console using psexec on target
4) Open PowerShell console using evil-winrm on target
```
Network scan menu
```
1) Identify hosts with accessible SMB port using netexec
2) Identify hosts with accessible RDP port using netexec
3) Identify hosts with accessible WinRM port using netexec
4) Identify hosts with accessible SSH port using netexec
5) Identify hosts with accessible FTP port using netexec
6) Identify hosts with accessible VNC port using netexec
7) Identify hosts with accessible MSSQL port using netexec
8) Basic scan of domain machines using NetworkHound
9) Full scan of domain and Shadow IT machines using NetworkHound
```
Authentication menu
```
1) Generate NTLM hash of current user - Pass the hash
2) Crack NTLM hash of current user
3) Generate AES Key using aesKrbKeyGen
4) Generate TGT for current user (requires: password, NTLM hash or AES key) - Pass the key/Overpass the hash
5) Request certificate (requires: authentication)
6) Extract NTLM hash from Certificate using PKINIT (requires: pfx certificate)
```
Configuration menu
```
1) Check installation of tools and dependencies
2) Synchronize time with Domain Controller (requires root)
3) Add Domain Controller's IP and Domain to /etc/hosts (requires root)
4) Update resolv.conf to define Domain Controller as DNS server (requires root)
5) Update krb5.conf to define realm and KDC for Kerberos (requires root)
6) Download default username and password wordlists (non-kali machines)
7) Change users wordlist file
8) Change passwords wordlist file
9) Change attacker's IP
10) Switch between LDAP (port 389) and LDAPS (port 636)
11) Show session information
```
## Demos
- HackTheBox Forest
Interactive mode:
[asciinema recording](https://asciinema.org/a/499893)
Automatic mode:
[asciinema recording](https://asciinema.org/a/464904)
- TryHackMe AttacktiveDirectory
[asciinema recording](https://asciinema.org/a/464901)
## TODO
- Add more enumeration and exploitation tools...
## Credits
- Inspiration: [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t) - WinPwn
- Tools:
  - [fortra](https://github.com/fortra) - impacket
  - [NeffIsBack, Marshall-Hallenbeck, zblurx, mpgn, byt3bl33d3r and all contributors](https://github.com/Pennyw0rth/NetExec) - crackmapexec/netexec
  - [Fox-IT](https://github.com/fox-it) - bloodhound-python
  - [dirkjanm](https://github.com/dirkjanm/) - ldapdomaindump, privexchange
  - [zer1t0](https://github.com/zer1t0) - certi.py
  - [ly4k](https://github.com/ly4k) - Certipy
  - [ShawnDEvans](https://github.com/ShawnDEvans) - smbmap
  - [ropnop](https://github.com/ropnop) - windapsearch, kerbrute
  - [login-securite](https://github.com/login-securite) - DonPAPI
  - [Processus-Thief](https://github.com/Processus-Thief) - HEKATOMB
  - [layer8secure](https://github.com/layer8secure) - SilentHound
  - [ShutdownRepo](https://github.com/ShutdownRepo) - TargetedKerberoast
  - [franc-pentest](https://github.com/franc-pentest) - ldeep
  - [garrettfoster13](https://github.com/garrettfoster13/) - pre2k, aced, sccmhunter
  - [zblurx](https://github.com/zblurx/) - certsync
  - [p0dalirius](https://github.com/p0dalirius) - Coercer, FindUncommonShares, ExtractBitlockerKeys, LDAPWordlistHarvester, ldapconsole, pyLDAPmonitor, RDWAtool, smbclient-ng, FindUnusualSessions, ShareHound
  - [blacklanternsecurity](https://github.com/blacklanternsecurity/) - MANSPIDER
  - [CravateRouge](https://github.com/CravateRouge) - bloodyAD
  - [shellster](https://github.com/shellster) - LDAPPER
  - [TrustedSec](https://github.com/trustedsec) - orpheus
  - [lkarlslund](https://github.com/lkarlslund) - Adalanche
  - [X-C3LL](https://github.com/X-C3LL) - GPOwned
  - [Hackndo](https://github.com/Hackndo) - pyGPOAbuse
  - [CompassSecurity](https://github.com/CompassSecurity) - mssqlrelay
  - [lgandx](https://github.com/lgandx) - Responder
  - [CobblePot59](https://github.com/CobblePot59) - ADcheck
  - [lkarlslund](https://github.com/lkarlslund) - ldapnomnom
  - [Macmod](https://github.com/Macmod) - godap
  - [ScorpionesLabs](https://github.com/ScorpionesLabs) - MSSqlPwner
  - [barcrange](https://github.com/barcrange) - CVE-2024-49113-Checker
  - [logangoins](https://github.com/logangoins/) - SoaPy
  - [synacktiv](https://github.com/synacktiv/) - SCCMSecrets, gpoParser, GroupPolicyBackdoor
  - [j4s0nmo0n](https://github.com/j4s0nmo0n/) - Soaphound
  - [sikumy](https://github.com/sikumy/) - spearspray
  - [MorDavid](https://github.com/MorDavid/) - NetworkHound
  - [cogiceo](https://github.com/cogiceo/) - DACLSearch
  - [MarcoZufferli](https://github.com/MarcoZufferli) - ScriptScout
  - [depthsecurity](https://github.com/depthsecurity) - relayking
  - [mverschu](https://github.com/mverschu) - ADWS Domain Dump
  - [l4rm4nd](https://github.com/l4rm4nd) - PyADRecon, PyADRecon-ADWS
  - [dievus](https://github.com/dievus) - ADPulse
- References:
  - https://orange-cyberdefense.github.io/ocd-mindmaps/
  - https://github.com/swisskyrepo/PayloadsAllTheThings
  - https://book.hacktricks.xyz/
  - https://adsecurity.org/
  - https://casvancooten.com/
  - https://www.thehacker.recipes/
  - https://www.ired.team/
  - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
  - https://hideandsec.sh/
## Developer guide
### Tool integrator
`lwp_tool_integrator.py` automates the integration of new tools. It patches `linWinPwn.sh`, `install.sh` and `README.md` in a single step:
- Adds the tool variable definition and wrapper function
- Patches `authenticate()` with the appropriate flags
- Adds the tool to the interactive menus
- Updates `install.sh` for automatic installation
- Adds the credit and the authentication table row to `README.md`
Usage:
```
python3 lwp_tool_integrator.py
```
See `lwp_tool_template.json` for a configuration example.
## Legal Disclaimer
Usage of linWinPwn to attack targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. The developers assume no liability and are not responsible for any misuse or damage caused by this program. For educational purposes only.