xfreed0m / rdpassspray Goto Github PK

Python3 tool to perform password spraying using RDP

License: GNU General Public License v3.0

Python 100.00%

pentesting pentest-tool passwordspraying password-spray rdp stealth

rdpassspray's Introduction

RDPassSpray

RDPassSpary is a python tool to perform password spray attack in a Microsoft domain environment. ALWAYS VERIFY THE LOCKOUT POLICY TO PREVENT LOCKING USERS.

How to use it

First, install the needed dependencies:

pip3 install -r requirements.txt

Second, make sure you have xfreerdp:

apt-get install python-apt
apt-get install xfreerdp

Last, run the tool with the needed flags:

python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]

Options to consider

-p\-P
- single password/hash or file with passwords/hashes (one each line)
-t\-T
- single target or file with targets (one each line)
-u\-U
- single username or file with usernames (one each line)
--pth
- specify this if the supplied passwords are to be treated as hashes for Pass-The-Hash
-n
- list of hostname to use when authenticating (more details below)
-o
- output file name (csv)
-s
- throttling time (in seconds) between attempts
-r
- random throttling time between attempts (based on user input for min and max values)

Advantages for this technique

Failed authentication attempts will produce event ID 4625 ("An account failed to log on") BUT:

the event won't have the source ip of the attacking machine:
The event will record the hostname provided to the tool:

Tested OS

Currently was test on Kali Rolling against Windows Server 2012 Domain Controller I didn't had a full logged environment for deeper testing, if you have one, please let me know how it looks on other systems.

Sample

Credit

This tools is based on the POC made by @dafthack - https://github.com/dafthack/RDPSpray

Issues, bugs and other code-issues

Yeah, I know, this code isn't the best. I'm fine with it as I'm not a developer and this is part of my learning process. If there is an option to do some of it better, please, let me know.

Not how many, but where.

rdpassspray's People

Contributors

Stargazers

Watchers

Forkers

codegrande star-bob raystyle awesome-security idkwim gnebbia gdraperi aklmtst attackgithub dust321 shantanu561993 tuangeek c002 sandromelobrazil planetminguez 3453-315h davidalphafox johndoex1 vysecurity dannymas a-min3 qsdj h1d3r mxylr quikilr dipsec a7t0fwa7 cephurs hacker-steroids lolici123 fragsh3ll yutiansut m00zh33 modulexcite peterfarouk01 stjordanis imulmul anton19780301 haojunchuan mmillerxyz w1ck3dth1ngs mlynchcogent xxxxxyyyy smartree thebarristersway zhaoshiling1017 red-infosec lochv y11en nostuffatall mmg1 jr69ss d3thman polling-repo-continua marciopocebon leomatias hollow667 mrmc-mc ecksy zha0 rajivraj slooppe cpt-jack-a-castle nosorry hartl3y94 mohinparamasivam hasanmilli277 medsys08 smitea936-gmail-com noeljohansen kustomservices aymanshraia hmedes443 nda01 nda02 nda1213 nda04 hama86s pedrosbel medfire21 5l1v3r1 rezhamuhamad abdousammodi ilamohamed7 marcxtn samtingdocom2 lcoako14 harto2021 netflixiloveit korbegy ussaas crazyrider1 satriyacrew fqrifi waheed8 hgahhja56465 botaknewbie00 kokihassan med2358 abdellahbouhamed

rdpassspray's Issues

Failed to establish connection, check target RDP availability.

Something is not working ok.
Running on Kali 5:

# python3 RDPassSpray.py -u admin -p admin -t 127.0.0.1 -d domain 
[19-08-2019 16:57] - Total number of users to test: 1
[19-08-2019 16:57] - Total number of password to test: 1
[19-08-2019 16:57] - Total number of attempts: 1
[19-08-2019 16:57] - [*] Started running at: 19-08-2019 16:57:55
[19-08-2019 16:57] - [-] Failed to establish connection, check target RDP availability.
[19-08-2019 16:57] - [*] Resetting to the original hostname

# xfreerdp /v:127.0.0.1 +auth-only /d:domain /u:admin /p:admin /cert-ignore
[16:57:13:794] [1880:1881] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[16:57:13:794] [1880:1881] [INFO][com.freerdp.client.x11] - Authentication only. Don't connect to X.
[16:57:14:104] [1880:1881] [WARN][com.freerdp.core.nego] - Error: SSL_NOT_ALLOWED_BY_SERVER
[16:57:14:405] [1880:1881] [WARN][com.freerdp.core.nego] - Error: SSL_NOT_ALLOWED_BY_SERVER
[16:57:16:796] [1880:1881] [ERROR][com.freerdp.core] - Authentication only, exit status 0
[16:57:16:796] [1880:1881] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 0

failed to open display: :0

I'm surprised that I'm the first one to post this:
I call with sudo RDPassSpray.py ... or sudo su; ./RDPassSpray.py...
This part

                        subprocess.call(
                            "hostnamectl set-hostname '%s'" % hostnames_stripped[
                                attempts_hostname_counter],
                            shell=True)

leads for me to:

[ERROR][com.freerdp.client.x11] - failed to open display: :0\n[09:05:38:106] [93227:93227] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.\n' b''

I can comment it out and it works or change it to sudo hostnamectl... both works.

It's probably b.c. I dont have a list of hostnames to choose from? It looks like it iterates over the chars of my default hostname. e.g. kali -> k, a, l, i

reduce report file?

Good afternoon.
When I spray, a large report file is formed (I have more than 500k users). Is it possible to write only a successful input to an SCV file?

Add check for RDP service is running

I had my Windows 7 with RDP turn off then I ran your script, it still showed this for all dictionary entries
[+] Seems like the creds are valid, but no RDP permissions:
You should add a check for whether RDP port is opened before continue to bruteforce

Doesnt ouput target

Hey mate, real quick when I run the tool in my lab it says "Cred successful (maybe even Admin access!): USER :: PASS " but it doesnt tell me what machines it is. I added a basic

+ '@' + target to each code print statement to make it easier for myself when using it.

I just think its a really good tool and something simple like the above would be a real QoL improvement

Installing xfreerdp

I am having issues installing xfreerdp on my kali vm are there any dependencies for or repos needed for it?

Script breaks if user's password has a <space>

An error occurs when using the script to password spray user accounts that have (spaces) in their passwords. I checked the script but couldn't identify why this happened. I noticed the strip() function is called only for a password_list.txt, not for single password. However the python script breaks with submitting the following:

python RDPassSpray.py -u 'validuser' -p 'Valid pass with a space' -t -d

nothing at me

                                                                                                         
┌──(root㉿k)-[/home/kali/Desktop/RDPassSpray]
└─# python3 RDPassSpray.py -u administrator -p /home/kali/Desktop/least_500 -d PremoHost -t 192.168.16.15
[25-05-2023 02:11] - Total number of users to test: 1
[25-05-2023 02:11] - Total number of password to test: 1
[25-05-2023 02:11] - Total number of attempts: 1
[25-05-2023 02:11] - [*] Started running at: 25-05-2023 02:11:42
[25-05-2023 02:11] - [*] Overall compromised accounts: 0
[25-05-2023 02:11] - [*] Finished running at: 25-05-2023 02:11:45

┌──(root㉿k)-[/home/kali/Desktop/RDPassSpray]

```
┌──(root㉿k)-[/home/kali/Desktop/RDPassSpray]
└─# python3 RDPassSpray.py -u administrator -p /usr/share/wordlists/rockyou.txt  -d PremoHost -t 192.168.16.15
[25-05-2023 02:10] - Total number of users to test: 1
[25-05-2023 02:10] - Total number of password to test: 1
[25-05-2023 02:10] - Total number of attempts: 1
[25-05-2023 02:10] - [*] Started running at: 25-05-2023 02:10:39
[25-05-2023 02:10] - [*] Overall compromised accounts: 0
[25-05-2023 02:10] - [*] Finished running at: 25-05-2023 02:10:43
                                                                                                         
┌──(root㉿k)-[/home/kali/Desktop/RDPassSpray]
└─# cd ..   
```