Saturday, May 28, 2016

Metasploit: Find Usernames Used As Passwords

In an internal pen test, there are cases where you have pulled a list of domain usernames but are still looking to get the password for one of these accounts. One possible technique for accomplishing this would be to use Metasploit to identify any passwords which are the same as the username. Below are steps to use the Metasploit console (msfconsole) to perform this particular type of password attack. And here's a pretty picture of a test box performing such an attack on itself, just as an example:

Example attack


1. Put your list of usernames into a text file with one username per line, and place the file in the Metasploit directory.

2. Open the Metasploit console and run: use auxiliary/scanner/smb/smb_login

3. Pick one domain workstation to test against and set it in MSF (Metasploit): set RHOSTS <ip-address>

4. Tell MSF the domain name: set SMBDomain <domain>

5. Tell MSF the name of the file containing the usernames: set USER_FILE <filename>

6. Tell MSF to use the username as the password: set USER_AS_PASS true

7. For some reason MSF doesn't like to run USER_AS_PASS unless you explicitly specify another password or password list, as well. If you don't do this, it will run the exploit but not actually test the username as the password. Just pick a random weak password to also test for perhaps, like this: set SMBPass password123

8. If you know the password policy will allow three login failures without causing a lockout, consider also testing for blank passwords: set BLANK_PASSWORDS true

9. Then run the exploit with: run

One of the things I like about this method, is that it's not as loud as a full brute force. As long as you keep below the lockout policy, you may be able to stay under the radar completely, while still testing every single domain user. When the test is complete, you can see what kind of creds you got with this command: creds

To export the creds as a file, you can use: creds -o <filename.txt>

To get help with the creds command, use: creds -h

To list all possible options for the attack, use: show options

After getting a domain user's creds, the next step will often be to authenticate with these creds to various computers and run mimikatz. If you run mimikatz on enough workstations, you're bound to eventually find one that will yield domain admin creds, resulting in red team happiness.