
@moscowchill
Created September 8, 2025 08:36
linWinPwn cheatsheet for use with arsenal and linWinPwn.sh

linWinPwn

#platform/linux #target/remote #cat/AD #tag/enum

linWinPwn - Anonymous enumeration (null session)

./linWinPwn.sh -t <dc_ip>

linWinPwn - Automatic enumeration with credentials

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --auto

linWinPwn - NTLM hash authentication

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -H <lm_hash:nt_hash> --auto

linWinPwn - Kerberos ticket authentication

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -K <path_to_krb5cc_ticket> --auto

linWinPwn - AES Key authentication (Kerberos)

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -A <aes_key> --auto

linWinPwn - Certificate authentication (PFX)

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -C <path_to_cert.pfx> --cert-pass <cert_password> --auto

linWinPwn - Auto config with NTP sync and hosts entry

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --auto --auto-config

linWinPwn - LDAPS enumeration (port 636)

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --ldaps --auto

linWinPwn - Force Kerberos authentication

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --force-kerb --auto

linWinPwn - Target all domain servers

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> -T All --auto

linWinPwn - Target specific server

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> -T IP=<target_ip> --auto

linWinPwn - Target servers from file

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> -T File=<targets_file> --auto

linWinPwn - Custom interface specification

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> -I <interface> --auto

linWinPwn - Custom wordlists for brute force

./linWinPwn.sh -t <dc_ip> -d <domain> -U <user_wordlist> -P <password_wordlist> --auto

linWinPwn - Verbose output for debugging

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --verbose --auto

linWinPwn - Custom output directory

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> -o <output_dir> --auto

linWinPwn - Through proxychains (SSH tunnel from Windows)

proxychains ./linWinPwn_proxychains -t <dc_ip> -d <domain> -u <username> -p <password> --auto

linWinPwn - LDAP with custom port

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --ldap-port <port> --auto

linWinPwn - LDAP with channel binding/signing

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --ldap-bind-sign --auto

linWinPwn - Custom DNS server

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --dns-ip <dns_server> --auto

linWinPwn - Use TCP for DNS queries

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --dns-tcp --auto

linWinPwn - Use IP addresses instead of hostnames

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --use-ip --auto

linWinPwn - Specify DC domain manually

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --dc-domain <dc_domain> --auto
# linWinPwn

#platform/linux #target/remote #cat/AD #tag/enum

## linWinPwn - Anonymous enumeration (null session)

./linWinPwn.sh -t <dc_ip>


## linWinPwn - Automatic enumeration with credentials

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --auto


## linWinPwn - NTLM hash authentication

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -H <lm_hash:nt_hash> --auto


## linWinPwn - Kerberos ticket authentication

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -K <path_to_krb5cc_ticket> --auto


## linWinPwn - AES Key authentication (Kerberos)

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -A <aes_key> --auto


## linWinPwn - Certificate authentication (PFX)

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -C <path_to_cert.pfx> --cert-pass <cert_password> --auto


## linWinPwn - Auto config with NTP sync and hosts entry

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --auto --auto-config


## linWinPwn - LDAPS enumeration (port 636)

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --ldaps --auto


## linWinPwn - Force Kerberos authentication

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --force-kerb --auto


## linWinPwn - Target all domain servers

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> -T All --auto


## linWinPwn - Target specific server

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> -T IP=<target_ip> --auto


## linWinPwn - Target servers from file

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> -T File=<targets_file> --auto


## linWinPwn - Custom interface specification

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> -I <interface> --auto


## linWinPwn - Custom wordlists for brute force

./linWinPwn.sh -t <dc_ip> -d <domain> -U <user_wordlist> -P <password_wordlist> --auto


## linWinPwn - Verbose output for debugging

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --verbose --auto


## linWinPwn - Custom output directory

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> -o <output_dir> --auto


## linWinPwn - Through proxychains (SSH tunnel from Windows)

proxychains ./linWinPwn_proxychains -t <dc_ip> -d <domain> -u <username> -p <password> --auto


## linWinPwn - LDAP with custom port

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --ldap-port <port> --auto


## linWinPwn - LDAP with channel binding/signing

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --ldap-bind-sign --auto


## linWinPwn - Custom DNS server

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --dns-ip <dns_server> --auto


## linWinPwn - Use TCP for DNS queries

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --dns-tcp --auto


## linWinPwn - Use IP addresses instead of hostnames

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --use-ip --auto


## linWinPwn - Specify DC domain manually

./linWinPwn.sh -t <dc_ip> -d <domain> -u <username> -p <password> --dc-domain <dc_domain> --auto
