When password guessing is successful, it is usually because people like to use easy-to-remember words and phrases. A diligent penetration tester or attacker will look for subtle clues throughout the enumeration process to key in on probable words or phrases the account holder might have used for a password. What do you know about this individual? What are his hobbies? If the account holder is not known to you, focus on accounts that:
- Have not had a password change for a long time
- Are weakly protected service accounts
- Are poorly controlled shared accounts
- Indicate the user has never logged in
- Have information in the comment field that might be used to compromise password security
If you can identify such an account, the net use command can be issued from the command line to attempt the connection:
Net use * \\target_IP\share * /u:name
You'll be prompted for a password to complete the authentication:
C:\>net use * \\192.188.13.10\c$ * /u:jack
Type the password for \\172.20.10.79\c$:
The command completed successfully.
It's not always that easy, so you might have to try multiple times or even consider looping the process. Automated password guessing can be performed by constructing a simple loop in the NT/2000/XP shell, based on the standard NET USE syntax. The steps are as follows:
- Create a simple credentials file, one password and username per line in the order the command below expects (%i is the password, %j the username).
- Pipe this file into a FOR command as follows (the /F option is spelled "tokens", and there is no space after /u:):
C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j
Note
Make sure that you identify whether there is an account lockout policy. Otherwise, you might inadvertently cause a denial of service (DoS) by locking out all the users.
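The loop above leaves a distinctive footprint on the target: a burst of failed logons from one source, spread across several accounts, sometimes ending in a lockout (the DoS the note warns about) or in a success. The following detector is an added example written from the defender's side and is not part of the original text or of any tool it names. The log lines are a constructed, simplified rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon); real exports differ in layout, so parse_line would need adapting. The NTSTATUS values 0xC000006A (wrong password) and 0xC0000234 (account locked out) are real codes carried in 4625 events.

```python
"""Flag password-guessing bursts in (constructed) Windows Security log lines.

Added example, not from the original text. The line format is a
simplified, constructed rendering of Event ID 4625/4624 exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKED_OUT = "0xC0000234"   # NTSTATUS: account locked out
BAD_PASSWORD = "0xC000006A"  # NTSTATUS: wrong password

# Constructed sample: 10.0.0.5 walks several accounts in seconds (a FOR-loop
# style guess), locks out jack, then gets in as svc_backup; 10.0.0.9 is a
# user who mistyped a password twice and then logged in normally.
SAMPLE_LOG = """\
2024-03-01T09:00:01 4625 user=jack src=10.0.0.5 status=0xC000006A
2024-03-01T09:00:02 4625 user=jack src=10.0.0.5 status=0xC000006A
2024-03-01T09:00:03 4625 user=svc_backup src=10.0.0.5 status=0xC000006A
2024-03-01T09:00:04 4625 user=guest src=10.0.0.5 status=0xC000006A
2024-03-01T09:00:05 4625 user=admin src=10.0.0.5 status=0xC000006A
2024-03-01T09:00:06 4625 user=jack src=10.0.0.5 status=0xC0000234
2024-03-01T09:00:07 4624 user=svc_backup src=10.0.0.5 status=0x0
2024-03-01T09:10:00 4625 user=alice src=10.0.0.9 status=0xC000006A
2024-03-01T09:10:20 4625 user=alice src=10.0.0.9 status=0xC000006A
2024-03-01T09:10:40 4624 user=alice src=10.0.0.9 status=0x0
"""


def parse_line(line):
    """Parse one constructed log line into a dict with time, event_id and key=value fields."""
    ts, event_id, *fields = line.split()
    rec = {"time": datetime.fromisoformat(ts), "event_id": int(event_id)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect_guessing(log_text, window=timedelta(minutes=5),
                    fail_threshold=3, user_threshold=3):
    """Return {source_ip: finding} for sources whose failed logons look like guessing.

    A source is flagged when it produces fail_threshold or more 4625 events
    inside `window`, or tries user_threshold or more distinct accounts. The
    finding records the accounts tried, any account that hit the lockout
    status, and any 4624 success from the same source after the failures.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["event_id"] == 4625]
        if not fails:
            continue
        # Sliding window: largest number of failures that fit inside `window`.
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        users = sorted({e["user"] for e in fails})
        if best < fail_threshold and len(users) < user_threshold:
            continue
        last_fail = fails[-1]["time"]
        findings[src] = {
            "failures_in_window": best,
            "accounts_tried": users,
            "locked_out": sorted({e["user"] for e in fails if e["status"] == LOCKED_OUT}),
            "success_after_failures": [e["user"] for e in evs
                                       if e["event_id"] == 4624 and e["time"] >= last_fail],
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_guessing(SAMPLE_LOG).items():
        print(src, finding)
```

The two thresholds are deliberately separate: a lockout policy caps failures per account, so a guesser who knows it spreads the attempts across many accounts instead, which the distinct-user count still catches. Alice's two typos followed by a normal logon stay below both thresholds.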
If the manual password guessing process does not work for you, there are always tools. Several tools are explored next.
Automated Password Guessing
NetBIOS Auditing Tool (NAT) is a command-line automated password guessing tool. Build a valid list of users from the tools discussed during enumeration and save the usernames to a text file. Then create a second list of potential passwords. Feed both of these into NAT, as follows:
nat [-o filename] [-u userlist] [-p passlist]
NAT will attempt to authenticate each name with each password. If it succeeds, it halts at that point; remove that name and start again to find any additional matches. You can grab a copy of NAT at ftp://ftp.technotronic.com/microsoft/nat10bin.zip.
Legion automates the password guessing in NetBIOS sessions. Legion is a GUI tool that will scan multiple Class C IP address ranges for Windows shares and also offers a manual dictionary attack tool. It can be downloaded from www.elhacker.net/hacking.htm.
Tip
If you are not sure of the lockout policy, target the guest account first; you are notified when you reach the lockout threshold.