Domain User Spraying and Brute Forcing Domain Default Passwords, Avoiding Lockout

Looks interesting:

A while ago, Dave Hoelzer did a nice video on how to use Windows PowerShell to hack domain user accounts. Basically, Dave leveraged PowerShell commands which any domain user can execute on a domain and receive either a positive or negative response based on the legitimacy of the username and password combination. This got me thinking. Since I’m not typically handed, or able to spawn, a PowerShell right from the get-go, what else could I use to accomplish the same goal? The answer is attempting to connect to the IPC$ share of a domain controller. Using the following command, you can spray a huge list of domain users with a small number of passwords (to avoid lockout) and try to catch someone using something simple.

@FOR /F %n in (names.txt) DO @FOR /F %p in (passwords.txt) DO @net use \\DC01\IPC$ /user:mydomain\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DC01\IPC$ > NUL

WARNING: Make sure the number of passwords in your file is less than that of the account lockout policy.

And the other obligatory warning – make sure you have approval from Corporate before trying this.

via PaulDotCom: Archives.
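
From the defender's side, the loop above stays under each account's lockout counter, so it has to be caught by counting distinct accounts per source instead. The following is an added example, not part of the quoted post: it scans failed network logons (Security event 4625, logon type 3) for one source failing against many accounts inside a sliding window. The event tuples, IP addresses, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, event_id, logon_type, source_ip, account).
# 4625 = failed logon, 4624 = successful logon; type 3 = network logon (SMB/IPC$).
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_EVENTS = (
    # One host tries 2 passwords against 6 accounts: below any lockout threshold.
    [(f"2024-01-10T09:0{p}:{i:02d}", 4625, 3, "10.0.0.50", u)
     for p in range(2) for i, u in enumerate(USERS)]
    # One user mistyping their own password: many failures, a single account.
    + [(f"2024-01-10T09:05:{i:02d}", 4625, 3, "10.0.0.77", "bob") for i in range(4)]
    # A success, which is not a failure event and must be ignored.
    + [("2024-01-10T09:06:00", 4624, 3, "10.0.0.50", "alice")]
)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted accounts} for sources whose failed network
    logons cover at least min_accounts distinct accounts within one window."""
    by_source = defaultdict(list)
    for ts, event_id, logon_type, src, account in events:
        if event_id == 4625 and logon_type == 3:
            by_source[src].append((datetime.fromisoformat(ts), account.lower()))

    flagged = {}
    for src, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans <= `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            # Keep the widest set of accounts seen in any single window.
            if len(accounts) >= min_accounts and len(accounts) > len(flagged.get(src, [])):
                flagged[src] = sorted(accounts)
    return flagged


if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(accounts)} accounts {accounts}")
```

The repeated failures on a single account from 10.0.0.77 are left to the lockout policy; only the breadth of accounts touched by 10.0.0.50 triggers this check.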
