Bruteforce Windows Logon (PoC)

Weakness Description

Microsoft Windows suffers from a serious lack of protection in its authentication mechanism, which could lead to privilege escalation.

Indeed, in a default installation of Windows (all versions), the account lockout policy is disabled and the authentication APIs do not limit the number of attempts per second, which allows medium to fast brute-force attacks.

Using our PoC, and depending on the number of cores available on the target system, you could test from a few thousand to dozens of thousands of passwords per second.

Since these authentication APIs can be called by any Windows account, even a Guest user could use the PoC to recover the password of any local user and escalate their privileges.


It is not certain that Microsoft will patch this problem. The best solution would be to enable the account lockout policy by default in all Microsoft Windows installations, with a fine-tuned threshold, and to limit the number of authentication API calls per second.

Disable Guest Account

Unless it is absolutely necessary, disable the Guest account. By default, the Guest account is not activated.

Implement Lockout Policy

By default, the account lockout policy is not activated. If you have access to the "Local Security Policy" application, you can enable account lockout easily.

Enable Account Lockout Policy

Open the "Local Security Policy" manager using the secpol.msc command.

Then browse to Security Settings > Account Policies > Account Lockout Policy.

Finally, double-click the "Account lockout threshold" item and set the "Account will lock out after" spin edit to the desired value (from 1 to 999).
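
The settings from the steps above can also be checked from a script. This PowerShell function is an added example, not part of the original article or the PoC; it exports the local policy with secedit and reports the lockout threshold and the state of the Guest and built-in Administrator accounts. The function name and the default limit of 10 are assumptions.

```powershell
# Added example, not from the original article. Run from an elevated prompt:
# secedit needs administrator rights to export the local security policy.
function Get-LogonHardeningReport {
    param(
        # Assumption: flag thresholds looser than 10 failed attempts.
        [int]$MaxThreshold = 10
    )
    # Export the local security policy to a temporary INF file.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    $policy = @{}
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        # Collect "Key = Value" pairs. The [System Access] keys used below
        # are not localized, unlike the text printed by "net accounts".
        foreach ($line in Get-Content -Path $cfg -ErrorAction SilentlyContinue) {
            if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
                $policy[$Matches[1]] = $Matches[2]
            }
        }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
    if (-not $policy.ContainsKey('LockoutBadCount')) {
        throw 'Policy export failed or is incomplete (prompt not elevated?).'
    }
    $threshold = [int]$policy['LockoutBadCount']   # 0 = never lock out
    $findings = @()
    if ($threshold -eq 0) {
        $findings += 'Lockout threshold is 0: accounts are never locked.'
    }
    elseif ($threshold -gt $MaxThreshold) {
        $findings += "Lockout threshold ($threshold) is above $MaxThreshold."
    }
    if ($policy['EnableGuestAccount'] -eq '1') {
        $findings += 'Guest account is enabled.'
    }
    if ($policy['EnableAdminAccount'] -eq '1') {
        $findings += 'Built-in Administrator is enabled (see Scenario 2).'
    }
    [pscustomobject]@{
        LockoutThreshold = $threshold
        GuestEnabled     = ($policy['EnableGuestAccount'] -eq '1')
        AdminEnabled     = ($policy['EnableAdminAccount'] -eq '1')
        Findings         = $findings
    }
}

Get-LogonHardeningReport | Format-List
```

On a machine without the secpol.msc snap-in, the threshold can be set from an elevated prompt with `net accounts /lockoutthreshold:10`.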

Use a complex password

This is the most important thing to take into consideration and the best way to mitigate this problem.

Using a complex password will prevent brute-force attacks from succeeding. Follow guidelines on how to create a strong password.

PoC Source Code (32bit and 64bit)

The full Proof of Concept code is available on GitHub:

git clone

It was built with Delphi 10.3 Rio. No additional libraries or dependencies are required.


Example: WinBruteLogon.exe -u "Jean-Pierre LESUEUR" -w "c:\tmp\test.txt" -v


Scenario N°1

Let's imagine a hacker who has an existing reverse shell to a remote Windows machine as a low-privileged user (the Guest account in our example, but it could be another user).

Fortunately for him, the account lockout policy is not enabled, and the target user HackMe might have been lazy and chosen a password present in a wordlist.

From his Netcat session and using WinBruteLogon, the hacker could easily find the password of the target account HackMe and escalate his privileges using another tool (in our case, RunAsAttached.exe). Still from his Netcat session, he would now be logged in as user HackMe and could continue toward his desired objectives.

You can find both applications on our GitHub page:

Scenario N°2

In this scenario the account lockout policy is enabled and configured to lock an account after 10 failed attempts. We are likely protected against brute-force attacks using WinBruteLogon.exe.

But what if the Administrator account is used and enabled?

The Administrator account is not subject to the account lockout policy. If a hacker gets in as a low-privileged user and the Administrator account password is weak or present in a dictionary, the hacker could still brute-force the account and escalate his privileges.

Conclusion in three points

Written on Nov. 23, 2020, 10:22 a.m. by Jean-Pierre LESUEUR

Updated: 1 month, 3 weeks ago.