Brute Forcing Accounts that have logged onto an AD joined computer

This is for educational purposes only. Only test on equipment your own. This also requires admin rights to work.

Maybe this has been done before. However, I haven’t seen it or don’t remember seeing it, so I thought I’d share what I’m researching. Essentially this technique allows me brute force any password on my AD joined computer providing a couple conditions are met. First, I must be an administrator on the machine. Also, there must already be a process running as the username I want to brute force on the machine.

From some previous research I was doing I learned that when using UAC, you can login even when the account is locked out and connected to the network and you can use that to guess passwords. However, that is manual and painful. I thought I would see what was going on. I ran Wireshark while the account was disabled. When I enter a bad password, it calls out to check authentication. When I entered the correct password, I didn’t see any authentication traffic. That was interesting and I figured it was looking at its local hash if the account is locked out.

When I turned off my domain controller I could brute force locally all I wanted without the “The account is disabled and may not be logged into”

NOTE: The account that is being brute forced must have a process running on the machine for this to work!! In this case, i’m running notepad for the two accounts I’m brute forcing.

Next, I thought how this could be useful on a remote machine. I echoed my logon server and decided to try to point my login server and my domain to local host (YOU NEED ADMIN RIGHTS TO DO THIS). The file to edit is C:\WINDOWS\System32\drivers\etc\hosts

I’m just updating my logon server to point to 127.0.0.1 and that seems to do the trick

After I did that, I started brute forcing the passwords for my local accounts without any issues manually.

Also, this can all be automated (after you modify your hosts file).

Don’t laugh at my batch file, I don’t write it much but this worked for me (I had some issues with powershell locking after a couple of attempts, I didn’t have time to investigate). I’m using a password file in the local directory to loop through. Also, this is just a proof of concept for one hard coded user. I would write the whole process but I’m really supposed to be studying 😊

Here is the code:

@echo off
for /F "tokens=*" %%A in (10-million-password-list-top-10000.txt) do ( 
 call net use \\127.0.0.1 %%A /user:Helpdesk@rebeladmin.net  && (
   @echo on
   echo Found Password %%A  >> WIN.txt
   @echo off
 ) 
)

I confirmed this works from a remote machine as well. If performing this technique remotely I imagine I’d have to perform a UAC bypass to modify the HOSTS file.

If you enjoyed this feel free to follow me on twitter at @_markmo_ (yes, with the underscores, I didn’t come up with a good handle)