ActiveBreach

Tool Release: CredHunter

When conducting internal assessments or simulated attacks, you may want the ability to quickly identify weak credentials in an environment. We faced this problem often enough that we wrote a simple PowerShell script to solve it, which we named CredHunter. We decided to release the script to help others who have the same problem.

The script leverages methods borrowed from the excellent PowerView and Nishang projects, which deserve most of the credit. Be aware that this script is not opsec safe: every guess is a real authentication attempt, so it will generate logon events on the target system and domain and can lock accounts if the domain lockout policy is strict. Some of the tasks you can use CredHunter to perform are outlined below.

1) Find all domain users whose password is the same as their username:
[code="bash"]PS C:\Users\jamie\Desktop> Invoke-CredHunter -Verbose
[*] WARNING: This module is not opsec safe! Be wary of locking accounts
[*] Do you want to continue?: Y
VERBOSE: Get-DomainSearcher search string: LDAP://DC=lannister,DC=house
Brute Forcing Active Directory lannister.house
VERBOSE: Checking Administrator : Administrator
VERBOSE: Checking Guest : Guest
VERBOSE: Checking krbtgt : krbtgt
VERBOSE: Checking jamie : jamie
VERBOSE: Checking tywin : tywin
VERBOSE: Checking tyrion : tyrion
VERBOSE: Checking cersei : cersei
VERBOSE: Checking kevan : kevan
PS C:\Users\jamie\Desktop>
[/code]

2) Find weak passwords on the subset of domain accounts whose username matches a wildcard:
[code="bash"]PS C:\Users\jamie\Desktop> Invoke-CredHunter -Verbose -UserName "*admin*"
[*] WARNING: This module is not opsec safe! Be wary of locking accounts
[*] Do you want to continue?: Y
VERBOSE: Get-DomainSearcher search string: LDAP://DC=lannister,DC=house
Brute Forcing Active Directory lannister.house
VERBOSE: Checking Administrator : Administrator
PS C:\Users\jamie\Desktop>
[/code]

3) Find weak passwords on accounts with the LDAP AdminCount=1 flag set:
[code="bash"]PS C:\Users\jamie\Desktop> Invoke-CredHunter -Verbose -AdminCount
[*] WARNING: This module is not opsec safe! Be wary of locking accounts
[*] Do you want to continue?: Y
VERBOSE: Get-DomainSearcher search string: LDAP://DC=lannister,DC=house
VERBOSE: Checking for adminCount=1
Brute Forcing Active Directory lannister.house
VERBOSE: Checking Administrator : Administrator
VERBOSE: Checking krbtgt : krbtgt
PS C:\Users\jamie\Desktop>
[/code]

4) Supply a custom list of candidate passwords on the command line (each is tried against every account, after the username-as-password check):
[code="bash"]PS C:\Users\jamie\Desktop> Invoke-CredHunter -Verbose -CustomPasswords password,letmein,secret
[*] WARNING: This module is not opsec safe! Be wary of locking accounts
[*] Do you want to continue?: Y
VERBOSE: Get-DomainSearcher search string: LDAP://DC=lannister,DC=house
Brute Forcing Active Directory lannister.house
VERBOSE: Checking Administrator : Administrator
VERBOSE: Checking Administrator : password
VERBOSE: Checking Administrator : letmein
VERBOSE: Checking Administrator : secret
VERBOSE: Checking Guest : Guest
VERBOSE: Checking Guest : password
VERBOSE: Checking Guest : letmein
VERBOSE: Checking Guest : secret
VERBOSE: Checking krbtgt : krbtgt
VERBOSE: Checking krbtgt : password
VERBOSE: Checking krbtgt : letmein
VERBOSE: Checking krbtgt : secret
VERBOSE: Checking jamie : jamie
VERBOSE: Checking jamie : password
VERBOSE: Checking jamie : letmein
VERBOSE: Checking jamie : secret
VERBOSE: Checking tywin : tywin
VERBOSE: Checking tywin : password
Match found! tywin : password
VERBOSE: Checking tywin : letmein
VERBOSE: Checking tywin : secret
VERBOSE: Checking tyrion : tyrion
VERBOSE: Checking tyrion : password
VERBOSE: Checking tyrion : letmein
VERBOSE: Checking tyrion : secret
VERBOSE: Checking cersei : cersei
VERBOSE: Checking cersei : password
VERBOSE: Checking cersei : letmein
VERBOSE: Checking cersei : secret
VERBOSE: Checking kevan : kevan
VERBOSE: Checking kevan : password
VERBOSE: Checking kevan : letmein
VERBOSE: Checking kevan : secret
PS C:\Users\jamie\Desktop>
[/code]

If you want to run this script from a non-interactive command-line implant such as Cobalt Strike's Beacon, use the -DontPrompt flag to skip the confirmation prompt.
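Because every check CredHunter performs is a real logon attempt, a run like the ones above leaves a distinctive footprint in the domain's Security log: one source host producing failed logons against many distinct accounts within seconds, with only a few attempts per account. As an added example (not part of CredHunter or this post), the Python below runs a simple spray detector over constructed 4625-style records; the flattened record format, the host and account names, and the 5-account/5-minute thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events (Windows Security event ID 4625),
# flattened to one record per line: timestamp, source workstation, target
# account, NTSTATUS. 0xC000006A = wrong password, 0xC0000234 = account locked.
SAMPLE_EVENTS = """\
2020-05-01T09:00:01 WS-JAMIE tywin 0xC000006A
2020-05-01T09:00:01 WS-JAMIE tyrion 0xC000006A
2020-05-01T09:00:02 WS-JAMIE cersei 0xC000006A
2020-05-01T09:00:02 WS-JAMIE kevan 0xC000006A
2020-05-01T09:00:03 WS-JAMIE jamie 0xC000006A
2020-05-01T09:00:03 WS-JAMIE Guest 0xC000006A
2020-05-01T09:30:00 WS-ARYA arya 0xC000006A
2020-05-01T09:30:05 WS-ARYA arya 0xC000006A
2020-05-01T09:30:09 WS-ARYA arya 0xC0000234
"""

def parse_events(text):
    """Parse the flattened records into (time, source, target, status) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, target, status = line.split()
        events.append((datetime.fromisoformat(ts), source, target, status))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source: distinct_accounts} for sources that fail logons against
    at least min_accounts distinct accounts inside one sliding window. A user
    repeatedly mistyping their own password (one account) is not flagged."""
    by_source = defaultdict(list)
    for ts, source, target, status in sorted(events):
        by_source[source].append((ts, target))
    alerts = {}
    for source, attempts in by_source.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            targets = {t for _, t in attempts[start:end + 1]}
            if len(targets) >= min_accounts:
                alerts[source] = max(len(targets), alerts.get(source, 0))
    return alerts

if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_EVENTS)))
```

In a real deployment the same logic applies to 4771 (Kerberos pre-authentication failure) and 4776 (NTLM validation) events, which is where the domain controllers record these attempts.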

You can download CredHunter from the MDSec GitHub.

Written by Dominic Chell


Copyright 2020 MDSec