LinWinPwn
linWinPwn is a bash script that streamlines the use of a number of Active Directory tools
Install / Use
linWinPwn - Swiss-Army knife for Active Directory Pentesting using Linux
Description
linWinPwn is a bash script that wraps a number of Active Directory tools for enumeration (LDAP, RPC, ADCS, MSSQL, Kerberos, SCCM), vulnerability checks (noPac, ZeroLogon, MS17-010, MS14-068), object modifications (password change, add user to group, RBCD, Shadow Credentials) and password dumping (secretsdump, lsassy, nanodump, DonPAPI). The script streamlines the use of a large number of tools: impacket, bloodhound, netexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, certipy, silenthound, bloodyAD, DonPAPI and many others.
Setup
Git clone the repository and install requirements using the install.sh script
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn
chmod +x install.sh
./install.sh
Alternatively, use the pre-built Docker image from Docker Hub
docker pull lefayjey/linwinpwn:latest
# Add linWinPwn_docker to PATH (the wrapper quotes "$@" so arguments containing spaces, e.g. passwords, reach the container intact)
echo -e "#!/bin/bash\ndocker run --rm --init -it --net=host -v \"\$(pwd)\":/opt/lwp-output lefayjey/linwinpwn:latest \"\$@\"" | sudo tee "/usr/local/sbin/linWinPwn_docker"
sudo chmod 755 /usr/local/sbin/linWinPwn_docker
# Run linWinPwn_docker (output to host's current directory)
linWinPwn_docker -t <DC_IP>
linWinPwn_docker -t <DC_IP> -d <domain> -u <user> -p <password> --auto
Or build from source
docker build -t linwinpwn .
docker run --rm --init -it --net=host -v $(pwd):/opt/lwp-output linwinpwn -t <DC_IP>
Usage
Mode
The linWinPwn script can be executed in interactive mode (default), or in automated mode (enumeration only).
1. Interactive Mode (Default) - Open interactive menu to run checks separately
linWinPwn -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password> -H <hash[LM:NT]> -K <kerbticket[./krb5cc_ticket]> -A <AES_key> -C <cert[./cert.pfx]> -o <output_dir>]
2. Automated Mode - Using the --auto parameter, run enumeration tools (no exploitation, modifications or password dumping)
When using the automated mode, different checks are performed based on the authentication method.
- Unauthenticated (no credentials provided)
- Anonymous enumeration using netexec, enum4linux-ng, ldapdomaindump, ldeep
- RID bruteforce using netexec
- kerbrute user spray
- Pre2k authentication check on collected list of computers
- ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Blind Kerberoast
- CVE-2022-33679 exploit
- Check for insecure DNS updates (AS-REQ abuse) using krbjack
- SMB shares anonymous enumeration on identified servers
- Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on identified servers
- Check for ms17-010, zerologon, petitpotam, nopac, smb-signing, ntlmv1 and runasppl weaknesses
linWinPwn -t <Domain_Controller_IP> --auto [-o <output_dir>]
- Authenticated (using password, NTLM hash, Kerberos ticket, AES key or pfx Certificate)
- DNS extraction using netexec
- BloodHound data collection
- Enumeration using netexec, enum4linux-ng, ldapdomaindump, bloodyAD, sccmhunter, rdwatool, GPOParser
- Generate wordlist for password cracking
- netexec find accounts with user=pass
- Pre2k authentication check on domain computers
- Extract ADCS information using certipy and certi.py
- kerbrute find accounts with user=pass
- ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Targeted Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- SMB shares enumeration on all domain servers using smbmap, FindUncommonShares and cme's spider_plus
- Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on all domain servers (using cme, Coercer and RPC Dump)
- Check for ms17-010, ms14-068, zerologon, petitpotam, nopac, smb-signing, ntlmv1, runasppl, certifried, ldapnightmare and badsuccessor weaknesses
- Check mssql privilege escalation paths
- Check mssql relay possibilities
linWinPwn -t <Domain_Controller_IP> -d <AD_domain> -u <AD_user> [-p <AD_password> -H <hash[LM:NT]> -K <kerbticket[./krb5cc_ticket]> -A <AES_key> -C <cert[./cert.pfx]>] [-o <output_dir>] --auto
Parameters
Auto config - Run NTP sync with target DC and add entry to /etc/hosts before running the modules
linWinPwn -t <Domain_Controller_IP> --auto-config
LDAPS - Use LDAPS instead of LDAP (port 636)
linWinPwn -t <Domain_Controller_IP> --ldaps
Force Kerberos Auth - Force using Kerberos authentication instead of NTLM (when possible)
linWinPwn -t <Domain_Controller_IP> --force-kerb
Verbose - Enable all verbose and debug outputs
linWinPwn -t <Domain_Controller_IP> --verbose
Interface - Choose attacker's network interface
linWinPwn -t <Domain_Controller_IP> -I tun0
linWinPwn -t <Domain_Controller_IP> --interface eth0
Targets - Choose targets to be scanned (DC, All, IP=IP_or_hostname, File=./path_to_file)
linWinPwn -t <Domain_Controller_IP> --targets All
linWinPwn -t <Domain_Controller_IP> --targets DC
linWinPwn -t <Domain_Controller_IP> -T IP=192.168.0.1
linWinPwn -t <Domain_Controller_IP> -T File=./list_servers.txt
Custom wordlists - Choose custom user and password wordlists
linWinPwn -t <Domain_Controller_IP> -U /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
linWinPwn -t <Domain_Controller_IP> -P /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt
Tunneling
linWinPwn can be particularly useful when you have access to an Active Directory environment for a limited time only and want to be efficient in the enumeration process and in the collection of evidence. It can also replace the use of enumeration tools on Windows, with the aim of reducing the number of artifacts created on the host (e.g., PowerShell commands, Windows Events, files written to disk) and of bypassing certain Anti-Virus or EDR products. This is achieved by performing remote dynamic port forwarding: an SSH tunnel is created from the Windows host (e.g., a VDI machine, workstation or laptop) to a remote Linux machine (e.g., a pentest laptop or VPS), and linWinPwn is run on the Linux machine through proxychains.
On the Windows host, run using PowerShell:
ssh.exe kali@<linux_machine> -R 1080 -NCqf
On the Linux machine (`-R 1080` with no destination asks the remote sshd to open a SOCKS proxy on port 1080, which requires OpenSSH 7.6 or later), first update /etc/proxychains4.conf to include socks5 127.0.0.1 1080, then run:
linWinPwn_proxychains -t <Domain_Controller_IP> -d <AD_domain> -u <AD_user> [-p <AD_password> -H <hash[LM:NT]> -K <kerbticket[./krb5cc_ticket]> -A <AES_key> -C <cert[./cert.pfx]>] [-o <output_dir>] [--auto]
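Before starting a long enumeration run through the tunnel, it is worth confirming that the SOCKS5 listener opened by `ssh -R 1080` is up and can actually reach the domain controller on the ports the tooling needs. The following script is an added example and not part of linWinPwn: it speaks SOCKS5 (RFC 1928) directly, the same way proxychains does, so it does not depend on proxychains being installed. The proxy address, the DC address and the port list in `main` are assumptions to adjust; `check_dc` and `socks_connect` are names chosen for this example.

```python
# Added example (not part of linWinPwn): pre-flight check for the reverse SOCKS
# tunnel before running linWinPwn_proxychains. It speaks SOCKS5 (RFC 1928)
# directly, as proxychains does, so it works without proxychains installed.
# Proxy address, DC address and the port list in main are assumptions.
import socket
import struct
from typing import Dict, Tuple

SOCKS_VERSION = 0x05
NO_AUTH = 0x00               # the only method an `ssh -R` SOCKS listener offers
NO_ACCEPTABLE_METHODS = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """Version identifier / method selection message offering only no-auth."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request. A dotted quad is sent as ATYP 1; anything else is sent
    as a domain name (ATYP 3) so the SSH server on the Windows side resolves it,
    which is what you want when internal DNS only works from that host."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(head: bytes) -> Tuple[int, str]:
    """Decode the fixed 4-byte reply header (VER, REP, RSV, ATYP)."""
    if len(head) < 4 or head[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % head[:4])
    code = head[1]
    return code, REPLY_TEXT.get(code, "unknown reply 0x%02x" % code)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks_connect(proxy: Tuple[str, int], target: Tuple[str, int],
                  timeout: float = 5.0) -> Tuple[int, str]:
    """Ask the proxy to connect to target; reply code 0 means the port is
    reachable from the Windows host that established the tunnel."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method == NO_ACCEPTABLE_METHODS:
            raise ConnectionError("proxy rejected the no-auth method")
        s.sendall(build_connect(*target))
        head = _recv_exact(s, 4)
        code, text = parse_reply(head)
        try:  # consume BND.ADDR/BND.PORT; some servers close early on failure
            if head[3] == ATYP_IPV4:
                _recv_exact(s, 4 + 2)
            elif head[3] == ATYP_DOMAIN:
                _recv_exact(s, _recv_exact(s, 1)[0] + 2)
            elif head[3] == ATYP_IPV6:
                _recv_exact(s, 16 + 2)
        except OSError:
            pass
        return code, text


def check_dc(proxy: Tuple[str, int], dc: str,
             ports: Tuple[int, ...] = (88, 389, 445)) -> Dict[int, str]:
    """Probe the Kerberos, LDAP and SMB ports linWinPwn needs, via the proxy."""
    results = {}
    for port in ports:
        try:
            results[port] = socks_connect(proxy, (dc, port))[1]
        except (OSError, ValueError) as exc:
            results[port] = "error: %s" % exc
    return results


if __name__ == "__main__":
    # Assumed values: the ssh -R 1080 listener and a DC address to adjust.
    for port, status in check_dc(("127.0.0.1", 1080), "192.168.0.1").items():
        print("tcp/%d: %s" % (port, status))
```

A "connection refused" on tcp/1080 itself means the `ssh -R` session is not up; a SOCKS reply other than "succeeded" for a DC port means the tunnel works but the Windows host cannot reach that port, which is worth knowing before blaming the tooling.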
Optional MCP Server (Web UI / API)
This project includes lwp_mcp_server.py, a Python-based server that provides an interactive web UI (via any MCP-compatible client) and an API to browse and execute linWinPwn commands.
Installation
The server requires Python3 and the official MCP SDK (published on PyPI as mcp).
# Install the required Python library in a virtualenv
cd /opt/lwp-scripts
python3 -m venv mcp-env
source ./mcp-env/bin/activate
pip3 install mcp
Running the Server
You must have linWinPwn.sh available. The server will look for it in the same directory by default.
#Run the server
/opt/lwp-scripts/mcp-env/bin/python3 lwp_mcp_server.py
The server can be configured with environment variables:
- LWP_PATH: Path to your linWinPwn.sh script (Default: ./linWinPwn.sh).
- LWP_OUTPUT: Path to store all command logs (Default: ./lwp_output).
- MCP_HOST: Host address for the server (Default: 127.0.0.1).
- MCP_PORT: Port for the server (Default: 8000).
Example with custom paths (MCP_HOST=0.0.0.0 accepts connections from any host that can reach the port, and the server executes linWinPwn commands with no authentication described here, so keep the loopback default or restrict the port with a firewall or an authenticating reverse proxy):
export LWP_PATH="/opt/linWinPwn/linWinPwn.sh"
export LWP_OUTPUT="/tmp"
export MCP_HOST="0.0.0.0"
export MCP_PORT="8000"
/opt/lwp-scripts/mcp-env/bin/python3 lwp_mcp_server.py
Usage
Once the server is running, you can connect to it using any MCP client, such as the official web interface, by pointing it to the server's address (e.g., http://127.0.0.1:8000/mcp).
This interface allows you to:
- List and search all available run_command entries.
- View default script variables.
- Execute commands remotely, providing custom environment variables.
- View command output, logs, and artifacts in real-time.
Client Configuration Example:
The following are example configurations for clients that use the shared MCP server configuration format (such as the Gemini CLI or VS Code). Each snippet is added to the client's settings file and instructs the client to connect to your running server via Streamable HTTP.
Configuration Snippet
Gemini CLI (.gemini/settings.json); "trust": false leaves the confirmation prompt before each tool call enabled, which matters here because every tool call runs a linWinPwn command:
{
  "mcpServers": {
    "linwinpwn": {
      "httpUrl": "http://127.0.0.1:8000/mcp",
      "timeout": 600000,
      "trust": false
    }
  }
}
VS Code (.vscode/mcp.json):
{
  "servers": {
    "linwinpwn": {
      "type": "http",
      "url": "http://127.0.0.1:8000/mcp"
    }
  }
}
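Besides an interactive client, the endpoint can be driven from a script. The following is an added example and not part of linWinPwn: a minimal client built on the official MCP Python SDK (`mcp` on PyPI, with `mcp.ClientSession` and `mcp.client.streamable_http.streamablehttp_client`) that derives the endpoint from the same MCP_HOST/MCP_PORT variables the server reads, refuses to proceed when the server is bound beyond loopback unless that was deliberate, then opens a Streamable HTTP session and lists the tools the server reports. It assumes nothing about the tool names; the LWP_ALLOW_REMOTE variable and the function names are inventions of this example.

```python
# Added example (not part of linWinPwn): a minimal client for lwp_mcp_server.py
# using the official MCP Python SDK. It derives the endpoint from the same
# MCP_HOST/MCP_PORT variables the server reads, stops when the server is bound
# beyond loopback (it executes commands, and the page documents no
# authentication in front of it), then lists the tools over Streamable HTTP.
# LWP_ALLOW_REMOTE is an assumed variable name used only by this script.
import asyncio
import ipaddress
import os
from typing import List


def endpoint_url(host: str, port: int, path: str = "/mcp") -> str:
    """URL the MCP client connects to; IPv6 literals need brackets."""
    try:
        if ipaddress.ip_address(host).version == 6:
            host = "[%s]" % host
    except ValueError:
        pass  # a hostname, use it as-is
    return "http://%s:%d%s" % (host, port, path)


def bind_is_exposed(host: str) -> bool:
    """True when MCP_HOST would accept connections from other machines
    (0.0.0.0, ::, or a LAN/VPN address); only loopback counts as local."""
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # any other hostname resolves to a routable address


async def list_tools(url: str) -> List[str]:
    """Open an MCP session over Streamable HTTP and return the tool names."""
    # Imported here so the checks above work even without the SDK installed.
    from mcp import ClientSession
    from mcp.client.streamable_http import streamablehttp_client
    async with streamablehttp_client(url) as (read, write, _get_session_id):
        async with ClientSession(read, write) as session:
            await session.initialize()
            result = await session.list_tools()
            return [tool.name for tool in result.tools]


def main() -> None:
    host = os.environ.get("MCP_HOST", "127.0.0.1")
    port = int(os.environ.get("MCP_PORT", "8000"))
    if bind_is_exposed(host) and os.environ.get("LWP_ALLOW_REMOTE") != "1":
        raise SystemExit("MCP_HOST=%s exposes command execution to the network; "
                         "set LWP_ALLOW_REMOTE=1 if that is intended" % host)
    # A server bound to the wildcard address is reached locally via loopback.
    connect_host = "127.0.0.1" if host in ("0.0.0.0", "::") else host
    for name in asyncio.run(list_tools(endpoint_url(connect_host, port))):
        print(name)


if __name__ == "__main__":
    main()
```

Run it in the same virtualenv as the server, with the same MCP_HOST/MCP_PORT exported; the bind check is the programmatic counterpart of the "trust": false setting in the client configuration above.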
Current supported authentications
| Tool | Null Session | Password | NTLM Hash | Kerberos Ticket | AES Key | Certificate |
|-------------------|--------------|----------|-----------|-----------------|---------|-------------|
| netexec | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Impacket | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| bloodhound-python | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| ldapdomaindump | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
