Winfo cifs
11/21/2023

However, even if we do lock an account out, it likely won't raise any red flags since it will auto-reset in 10 minutes! There are so many issues with that password policy, it's mind blowing.

In addition to that juicy information, if you're lucky enough to get a list of user accounts from winfo, you can begin to tailor a brute force attack based on your discovered insider information. The way I like to do this is to use the smb_login module against a domain controller, or some other file server with port 445 open. When you're configuring the module, try to pick a single password that you think will have the best chance of working. The module I configured below will try the following combinations: username as the password, blank password, and the word "password." That's a total of three tries for each user in our enumerated list, which is less than the 5 that will lock out the account. If you wanted to squeeze one more password in, just create a text file with 2 passwords in it, set the PASS_FILE option, and remove your SMBPass option instead. I picked "password" because their password policy above was so bad, it just seemed like it had to work. Running the module in my situation against 2000 user accounts yielded 12 valid sets of credentials.

But what the hell can we do with these accounts if they're just basic low-level user accounts that may or may not have access to anything? First place I look is the NETLOGON share on the domain controller. Since you have a valid domain account, you'll automatically have access to the NETLOGON share. In my case, I looked through all their logon scripts that are stored in this location and found a few that sounded "interesting." Opening them up revealed hard-coded domain credentials in the scripts. They were even nice enough to make this account a Domain Admin.

Why do admins do this? As a former admin, I know exactly why. When you try to remove administrative privileges from all your employee computers as a best practice, you'll run into situations where you want to install a printer or software, or make changes to their systems that require admin access. You can either touch every machine manually, or script it with credentials that have the rights to make the changes you want. Often these scripts will get left up there and forgotten forever.
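As an added example (not from the original post), here is defender-side detection logic for the pattern described above: each account sees only two or three failures, below the lockout threshold of 5, and any lockout resets after 10 minutes, so lockout alerts never fire, yet one source fails against many distinct accounts in a short window. It runs over constructed, simplified failed-logon records (assumed format: timestamp, Windows event ID, account, source IP); the thresholds and field layout are assumptions.

```python
# Added example, not code from the original post. Flags a source that fails
# logons against many distinct accounts inside one window while keeping every
# account under the lockout threshold (the spray pattern the post describes).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp,event_id,account,source_ip
# 4625 = failed logon, 4624 = successful logon (Windows Security log IDs).
SAMPLE_LOG = """\
2023-11-21T09:00:01,4625,alice,10.0.0.50
2023-11-21T09:00:02,4625,bob,10.0.0.50
2023-11-21T09:00:02,4625,carol,10.0.0.50
2023-11-21T09:00:03,4625,dave,10.0.0.50
2023-11-21T09:00:03,4625,erin,10.0.0.50
2023-11-21T09:00:04,4624,frank,10.0.0.50
2023-11-21T09:00:05,4625,alice,10.0.0.50
2023-11-21T09:00:05,4625,bob,10.0.0.50
2023-11-21T09:03:00,4625,alice,10.0.0.77
2023-11-21T09:03:10,4625,alice,10.0.0.77
"""

def parse(text):
    """Turn the constructed CSV-style lines into (time, event_id, account, source) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), user.lower(), src))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=5):
    """Return {source_ip: sorted distinct accounts} for each source whose failed
    logons touch at least `min_accounts` accounts within `window` while no single
    account reaches `max_per_account` failures, i.e. a spray tuned to stay under
    the lockout threshold (5 here, matching the policy in the post)."""
    by_src = defaultdict(list)
    for ts, eid, user, src in events:
        if eid == 4625:                      # failed logons only
            by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):   # slide a window over each start
            in_win = [u for t, u in fails[i:] if t - start <= window]
            per_account = defaultdict(int)
            for u in in_win:
                per_account[u] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) < max_per_account:
                hits[src] = sorted(per_account)
                break
    return hits

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))   # only 10.0.0.50 is flagged
```

The single-account failures from 10.0.0.77 are ignored, which is the point: alerting on distinct accounts per source catches what a per-account lockout counter cannot.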