Mark Mo
Apr 12, 2019

Brute Forcing Admin Passwords with UAC

This is for educational purposes only. If you don’t own it, don’t pwn it.

While doing some research, I found a way to brute force the passwords of AD users who are administrators on a machine using UAC. This only works for Administrators on the machine you are testing on and only with UAC. I’m never sure if someone has already identified this issue as I’m still pretty new to security.

First, find the admins on the machine. The only interesting ones are going to be domain members who likely have access on other machines/systems as well. Obviously you would want to use LAPS and limit the admins on a machine but this is a demo and I live dangerously in my LAB. 😊

For this demo I’m going to try to guess the password of the “REBELADMIN\HelpDesk” account. I’ll intentionally enter a bad password 3 times and the account will get locked out. You can see this is a domain account I’m guessing the password for.

If I try this again, I’ll see a message that says, “The referenced account is locked and may not be logged into” LIES !!! 😊

We see the referenced account is currently locked out. From a command line, if I type the real password, I still get the locked-out message, and an attacker doing this would not know if they entered the correct password. From the command line this is properly protected. By the way, that is the real password.

I can see the account is locked out.

I’ll run the command from the GUI.

I’ll enter the real password.

You can guess as many times as you want. However, when you enter a real password, it lets you through. This allows an attacker to brute force the admin user’s password. It launched the command as my rebeladmin\helpdesk administrator.

One thing I find interesting is even if you enter hundreds of password attempts, the bad password count and last bad password attempt don’t change. That seems wrong to me.
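To check both points on a lab machine (which domain accounts sit in the local Administrators group, and whether their lockout counters move), the following PowerShell is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module is installed and that the PDC emulator is reachable; it queries the PDC emulator because badPwdCount is not replicated between domain controllers.

```powershell
# Added example (not from the original post): list domain accounts in the
# local Administrators group and show their AD lockout counters.
# Assumption: RSAT ActiveDirectory module is installed on this host.
Import-Module ActiveDirectory

# badPwdCount is tracked per domain controller and is not replicated, so ask
# the PDC emulator, which has the most complete view of failed attempts.
$pdc = (Get-ADDomain).PDCEmulator

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so this works
# regardless of the OS display language.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' }

$report = foreach ($m in $members) {
    if ($m.ObjectClass -ne 'User') {
        # A domain group grants local admin to every member; review it separately.
        [pscustomobject]@{
            Account = $m.Name; Type = $m.ObjectClass; LockedOut = $null
            BadLogonCount = $null; LastBadPasswordAttempt = $null
        }
        continue
    }
    try {
        $u = Get-ADUser -Identity $m.SID.Value -Server $pdc `
            -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt
        [pscustomobject]@{
            Account                = $m.Name
            Type                   = 'User'
            LockedOut              = $u.LockedOut
            BadLogonCount          = $u.BadLogonCount
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        }
    } catch {
        # Accounts from another domain or forest are not resolvable on this PDC.
        Write-Warning "Could not query $($m.Name): $($_.Exception.Message)"
    }
}

# Run before and after a test and compare the counter columns.
$report | Sort-Object Account | Format-Table -AutoSize
```

Every domain user or group this reports is an account whose password is exposed to guessing on that machine, which is the case for LAPS and for keeping the local Administrators group small.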

The utility of this is limited because I must manually type in the password attempts. Also, it is noisy, and it locks out the user I am trying to guess a password for. Still, it allows me to guess other users’ passwords and is another option. I submitted this as a bug to Microsoft and they said it was not a security weakness. I still think it should be fixed. I want to spend some time on this to see if I can automate the process but my research time is limited to weekends. It seems weird that UAC (a security control) allows me to keep guessing a user’s password that is stopped by other authentication methods.

Feel free to follow me on Twitter @_markmo_ (yes, with the underscores). I share what I learn.
