A while ago, Dave Hoelzer did a nice video on how to use Windows PowerShell to hack domain user accounts. Basically, Dave leveraged PowerShell commands which any domain user can execute on a domain and receive either a positive and negative response based on the legitimacy of the username and password combination. This got me thinking. Since I’m not typically handed, or able to spawn, a PowerShell right from the get go, what else could I use to accomplish the same goal? The answer is attempting to connect to the IPC$ share of a domain controller. Using the following command, you can spray a huge list of domain users with a small number of passwords (to avoid lockout) and try to catch someone using something simple.
@FOR /F %n in (names.txt) DO @FOR /F %p in (passwords.txt) DO @net use \\DC01 /user:mydomain\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DC01\IPC$ > NUL
WARNING: Make sure the number of passwords in your file is less then that of the account lockout policy. Below is a small list that Carnal0wnage and Mubix reference in their recent DerbyCon talk. This list, along with the technique used above, gets you in just about anywhere.

HINT: For a list of all the users in a domain, conduct SID enumeration against null sessions with NBTEnum or Cain. While not always enabled, I rarely find null sessions disabled. If it is disabled, use typical info gathering techniques from open sources.
Here’s another use for this technique. Brute forcing the domain default password by targeting Active, never logged in accounts. You get this information for each user when you enumerate the domain with Cain / NBTEnum as mentioned above. Essentially what you have is a long list of users, all with the same default password, since they have never logged in with their accounts. Normally, I wouldn’t think this a viable vector of attack, but I recently encountered a situation where a domain had over 1000 Active, never logged in accounts, all with the same default password. No joke. What you would do is attempt several passwords (lockout – 1) from a list against each user. In the situation I encountered, the lockout was 3 and there were ~1000 Active user accounts that had never logged in. That’s 1000 * (3 – 1) = 2000 attempts I could have made at guessing the default user password without fear of locking out any accounts! Really wish I would have done that now…
If you’re looking for a single command which does this, look for it in a future episode of the Command Line Kung Fu blog.

About the author

Leave a Reply