explaingit

s3cur3th1ssh1t/winpwn

Analysis updated 2026-07-03

Stars · 3,664 Language · PowerShell Audience · ops/devops Complexity · 4/5 Setup · moderate

TLDR

A PowerShell toolkit that automates common Windows and Active Directory penetration testing tasks (reconnaissance, privilege escalation, and credential dumping) in a single menu-driven script with automatic proxy detection.

Mindmap

mindmap
  root((repo))
    What it does
      Pentest automation
      Menu-driven interface
      Proxy auto-detection
    Capabilities
      Domain reconnaissance
      Privilege escalation
      Credential dumping
      UAC bypasses
    C2 Integration
      Cobalt Strike
      Covenant
      Non-interactive mode
    Tech Stack
      PowerShell
      Mimikatz
      BloodHound


What do people build with it?

USE CASE 1

Run automated local and Active Directory reconnaissance on a Windows network during an authorized penetration test.

USE CASE 2

Dump credentials from memory using Mimikatz without dropping a file to disk on the target host.

USE CASE 3

Check a Windows domain for privilege escalation paths and known CVEs across OS versions from XP through Server 2019.

USE CASE 4

Run the toolkit non-interactively through a Cobalt Strike or Covenant command-and-control framework.

What is it built with?

PowerShell, Mimikatz, BloodHound, Cobalt Strike

How does it compare?

                   s3cur3th1ssh1t/winpwn   0xsyr0/oscp   mantvydasb/redteaming-tactics-and-techniques
Stars              3,664                   3,728         4,590
Language           PowerShell              PowerShell    PowerShell
Setup difficulty   moderate                easy          hard
Complexity         4/5                     1/5           4/5
Audience           ops/devops              ops/devops    developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires bypassing Windows Defender AMSI on most modern Windows systems before the script can be imported; the README covers this.

In plain English

WinPwn is a PowerShell script that automates common tasks used during internal penetration tests of Windows environments and Active Directory networks. The author built it after repeatedly running the same individual security scripts one after another during engagements and wanting a single tool that also handled proxy detection automatically, since many corporate networks require a proxy to reach the internet.

The script wraps a large number of well-known offensive security tools and techniques into menu-driven functions. The main categories are:

- local reconnaissance: collecting installed software, network configuration, and group memberships, and searching for passwords stored in the registry or file system;
- domain reconnaissance: mapping out an Active Directory environment, finding misconfigurations, generating BloodHound reports, and checking for known vulnerabilities across domain systems;
- privilege escalation: checking for weak permissions and for kernel exploits tied to specific CVEs across Windows versions from XP through Server 2019;
- credential dumping: running Mimikatz in memory to extract passwords and hashes, dumping browser credentials, and extracting saved Wi-Fi passwords;
- User Account Control bypasses.

The tool can run interactively, with menus for selecting options, or with the -noninteractive and -consoleoutput flags so that it works from a command-and-control framework such as Cobalt Strike or Covenant without requiring user interaction. An offline version bundles the most important scripts and executables for environments with no internet access. It is imported by running a single PowerShell command. The README notes that Windows Defender's AMSI (a script scanning system) may block the import and provides guidance on using published bypass techniques to work around that. The tool is intended for use by professional penetration testers and security researchers against systems they are authorized to test.

Copy-paste prompts

Prompt 1
I'm doing an authorized pentest on a Windows Active Directory environment. Show me how to import WinPwn and run the domain reconnaissance module step by step.
Prompt 2
How do I use WinPwn's -noninteractive and -consoleoutput flags to run it through a Cobalt Strike beacon without user interaction?
Prompt 3
Walk me through WinPwn's privilege escalation checks for a Windows 10 host: what does it look for, and in what order?
Prompt 4
What is AMSI and how do I bypass it on an authorized test system to load WinPwn in a restricted PowerShell session?
Prompt 5
Which WinPwn modules would I use to enumerate weak ACLs and misconfigured services on a domain-joined Windows host?

Frequently asked questions

What is winpwn?

A PowerShell toolkit that automates common Windows and Active Directory penetration testing tasks (reconnaissance, privilege escalation, and credential dumping) in a single menu-driven script with automatic proxy detection.

What language is winpwn written in?

Mainly PowerShell. The stack also includes Mimikatz and BloodHound.

How hard is winpwn to set up?

Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.

Who is winpwn for?

Mainly ops and devops teams.

Verify against the repo before relying on details.