Bruteforce Windows Logon (PoC)
Weakness Description
Microsoft Windows suffers from a serious lack of protection in its authentication mechanism, which could lead to privilege escalation.
Indeed, in a default installation of Windows (all versions), the account lockout policy is disabled and the authentication APIs do not limit the number of attempts per second, which allows medium to fast brute-force attacks.
Using our PoC, and depending on the number of cores available on the target system, you could test from a few thousand to tens of thousands of passwords per second.
Since these authentication APIs can be called by any Windows account, even a Guest user could use the PoC to recover / crack the password of any local user and escalate privileges.
Mitigation
It is not certain that Microsoft will patch this problem. The best solution would be to enable an account lockout policy by default in all Microsoft Windows installations, with a finely tuned threshold, and to limit the number of authentication API calls per second.
Disable Guest Account
If it is not absolutely necessary, disable the Guest account. By default, the Guest account is not activated.
Implement Lockout Policy
By default, the lockout policy is not activated. If you have access to the "Local Security Policy" application, you can enable account lockout easily.
Enable Account Lockout Policy
Open the "Local Security Policy" manager using the secpol.msc command. Then browse to Security Settings > Account Policies > Account Lockout Policy. Finally, double-click the Account lockout threshold item and set the Account will lock out after spin edit to the desired value (from 1 to 999).
secpol.msc management console. You can access the security settings through gpedit.msc under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Policy > Account Lockout Policy.
Use complex password
This is the most important thing to take into consideration and the best way to mitigate this problem.
Using a complex password prevents brute-force attacks from succeeding. Follow guidelines on how to create a strong password.
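An offline check of the three mitigations above, as an added example that is not part of the original article or the PoC project: it parses the [System Access] section of a policy export produced by secedit /export /cfg and reports the settings this page warns about. The sample export is constructed, and the max_threshold and min_length baselines are assumptions of this example.

```python
import configparser

# Constructed sample of a `secedit /export /cfg <file>` policy export.
# Real exports are UTF-16 encoded; decode the file before passing its text in.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
EnableAdminAccount = 1
EnableGuestAccount = 1
[Version]
signature="$CHICAGO$"
"""

def audit_account_policy(export_text, max_threshold=10, min_length=12):
    """Return (setting, message) findings; max_threshold and min_length are
    assumed baselines for this example, not values recommended by the page."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    delimiters=("=",))
    cfg.optionxform = str  # secedit keys are mixed case; keep them as written
    cfg.read_string(export_text)
    if not cfg.has_section("System Access"):
        raise ValueError("export has no [System Access] section")
    access = cfg["System Access"]

    def num(key):
        # A missing key is treated as 0 (assumption: setting not configured).
        return int(access.get(key, "0").strip())

    findings = []
    threshold = num("LockoutBadCount")
    if threshold == 0:
        findings.append(("LockoutBadCount", "account lockout is disabled"))
    elif threshold > max_threshold:
        findings.append(("LockoutBadCount", f"threshold {threshold} exceeds {max_threshold}"))
    if num("EnableGuestAccount") == 1:
        findings.append(("EnableGuestAccount", "Guest account is enabled"))
    if num("EnableAdminAccount") == 1:
        findings.append(("EnableAdminAccount", "built-in Administrator is enabled (see Scenario N°2)"))
    if num("PasswordComplexity") == 0:
        findings.append(("PasswordComplexity", "complexity requirement is off"))
    if num("MinimumPasswordLength") < min_length:
        findings.append(("MinimumPasswordLength", f"below {min_length} characters"))
    return findings

if __name__ == "__main__":
    for setting, message in audit_account_policy(SAMPLE_EXPORT):
        print(f"{setting}: {message}")
```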
PoC Source Code (32bit and 64bit)
The full proof-of-concept code is available on GitHub: https://github.com/DarkCoderSc/win-brute-logon
git clone https://github.com/DarkCoderSc/win-brute-logon.git
It was built with Delphi 10.3 Rio (no additional libraries or dependencies are required).
Usage
-u : Target username (Required).
-w : Wordlist file (Required).
-d : Specify domain name (Default : %USERDOMAIN% environment variable).
-v : Enable verbosity.
Example: WinBruteLogon.exe -u "Jean-Pierre LESUEUR" -w "c:\tmp\test.txt" -v
Result
Scenario N°1
Let's imagine a hacker with an existing reverse shell on a remote Windows machine as a low-privileged user (the Guest account in our example, but it could be another user).
Fortunately for him, the account lockout policy is not enabled, and the target user HackMe might have been lazy and chosen a password present in a wordlist.
From his Netcat session, and using WinBruteLogon, the hacker could easily find the password of the target account HackMe and escalate his privileges using another tool (in our case, RunAsAttached.exe). Still from his Netcat session, he would now be logged in as user HackMe and could continue toward his desired objectives.
You can find both applications on our GitHub page:
WinBruteLogon : https://github.com/DarkCoderSc/win-brute-logon
RunAsAttached : https://github.com/DarkCoderSc/run-as-attached-local
Scenario in Video
Scenario N°2
In this scenario, the account lockout policy is enabled and configured to lock an account after 10 failed attempts. We are likely protected against a brute-force attack using WinBruteLogon.exe.
But what if the Administrator account is used and enabled?
The Administrator account is not subject to the account lockout policy. If a hacker gets in as a low-privileged user and the Administrator account password is weak or present in a dictionary, the hacker could still brute-force the account and escalate his privileges.
Scenario in Video
Conclusion in three points
- Be sure to use complex passwords for all your users and ensure that the account lockout policy is enabled.
- Be careful while testing this attack; it will surely be very noisy.
- Be sure to have all required authorizations.
Written the Nov. 23, 2020, 10:22 a.m. by Jean-Pierre LESUEUR
Updated: 1 month, 3 weeks ago.