
I've forgotten my password to my home server.

It's a new Windows 2012R2 VM, I didn't change the maximum password age requirements in Group Policy DC (even tho I know I should have) until it was too late, and now I've forgotten what I changed it to.

However, I know lots of credentials I could try.

Is there a tool or script out there that can run through a list of possible credentials one at a time sent to the VM to be authenticated? Almost like a brute force, but with a much smaller list, like 20-30 login pairs total (possibly capable of interpreting wildcards like ? or *) on Kali linux or PowerShell, or even something else if it exists?

Very much appreciated!

IT Bear
  • Can you attempt to log in remotely, or only locally? – schroeder Nov 10 '15 at 17:50
  • Man, that story sounds REEEAALL fishy... – DarkLighting Nov 10 '15 at 17:52
  • @DarkLighting I highly doubt SE adopted a technology that let you smell questions? – Ulkoma Nov 10 '15 at 17:57
  • @schroeder Actually, I can attempt to login remotely, but the error I get might be related to NLA authentication, not credentials. I'll have to double check when I get home, I'm sure my VPN is messed up. I can get access to "local" login prompt thru vSphere Client console but that does not allow me to share clipboard between client and remote like Windows Remote Desktop does, so I can't copy and paste. Scripts that send commands thru host keyboard would work tho. – IT Bear Nov 10 '15 at 18:12
  • If you're talking about an Admin account, I'd go for a script that tests accessibility to `\\SEVERNAME\C$` with each set of credentials. Wouldn't take long to whip that up in PowerShell. Might do one later. That said, beware you may run up against Account Lockout policies that reject your logins even if you're using the right password just because you've failed too many times too quickly. Depending on how far down the list you need to go, and the Account Lockout policy in effect, your brute force check could take hours. – Iszi Nov 10 '15 at 18:18
  • @Iszi is the administrator C$ share set up on Server 2012R2 by default? Thank you, this is exactly what I'm looking for! Also, any idea what a good wait time between login attempts to prevent that timeout would be to start with? I'll start whipping up some Powershell and post a script if I get good results. Thank you! – IT Bear Nov 10 '15 at 18:22
  • @Iszi if [this is true at all,](http://myblog4fun.com/archive/2013/03/22/cannot-connect-to-default-administrative-share-c-on-windows-2008-r2.aspx) that might not work for me. I never set up that administrative share different from its defaults, plus I always saw it as a security risk. I might be able to get a remote Powershell prompt up tho, I remember setting that up. – IT Bear Nov 10 '15 at 18:38
  • Boot it to an appropriate Linux Live CD and reset the Administrator password. – TessellatingHeckler Nov 10 '15 at 18:39
  • @TessellatingHeckler Is there any particular image you would recommend? I've had mixed success with those, but only tried [this one](http://pogostick.net/~pnh/ntpasswd/) – IT Bear Nov 10 '15 at 18:52
  • That's the one I was thinking of, and I have used it before - although not recently. It's more reliable to blank the password than to try and set a new password. I assume that's using `chntpw` behind the scenes - and there were [problems with some versions](http://askubuntu.com/questions/162267/problem-with-using-chntpw-in-ubuntu-to-reset-windows-7-password) (see answers / comments there) - maybe you had one of those versions? – TessellatingHeckler Nov 10 '15 at 19:01
  • @ITBear watch the language - I made a couple edits :) – schroeder Nov 10 '15 at 19:12
  • If what you're saying is true, then you can manually do what you want pretty easily. Why bother with a tool? – TTT Nov 10 '15 at 20:20
  • @TTT To have another scripting project where I can develop my skills more, discover if there's any cool tools out there I didn't know about yet that can do this already... but mostly because when I'm doing it manually, I forget what variations I've tried already ("passwordA!", "Password!", or "passwordOldpassword"?) and start to repeat them, and my brain starts to drool. Plus it's embarrassing to forget your own password, unless I "hack" back into my own system to regain a little street cred. – IT Bear Nov 10 '15 at 20:51
  • @ITBear Perhaps that should be the definition of a true hacker: Someone that's good enough that they don't have to remember any passwords. – TTT Nov 10 '15 at 21:46
  • Try authenticating credentials to AD via the method noted [here](http://stackoverflow.com/questions/7663219/how-to-authenticate-an-user-in-activedirectory-with-powershell). – user2320464 Nov 05 '16 at 15:39

1 Answer


Okay, I tried this earlier with some live systems that had PS Remoting enabled and just banged out a script that seems to manage itself o.k.:

```powershell
# Pentest-RemotePSCredsList.ps1

$pusername = 'DOMAIN\Username'                             # possible username (DOMAIN\user form)
$ppasswords = 'GoodPass','BadPass0','BadPass1','BadPass2'  # array of possible passwords
$hostname = 'hostname'                                     # name of target machine, or IP addr

ForEach ($p in $ppasswords)
{
  Write-Output "Attempting password: $p"
  $secpasswd = ConvertTo-SecureString "$p" -AsPlainText -Force
  $mycreds = New-Object System.Management.Automation.PSCredential ($pusername, $secpasswd)
  # Drops into an interactive remote session on success; prints "Access is denied" otherwise
  Enter-PSSession $hostname -Credential $mycreds
  pause  # wait for a keypress before trying the next password
} # end foreach
```

I was surprised: even if a good command completes first without any errors, and afterwards the others spit out an Access denied error at you, once the whole script is finished you still end up connected in a remote cmdline session. So as long as one of those passwords in your list is good, it should work.

After troubleshooting getting an Access Denied error and not anything else, I fleshed out the password list with about 15 of what I thought were most likely and got one to work right away! :D

Now this is weird because the real answer that solved my problem has nothing to do with the title of my question. It was thanks to everyone else that I just got it. Should I just delete this one entirely?

IT Bear
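A variant of the script in the answer above, written as an added example (not code from the original post or its author): it tests each login pair with `New-PSSession` instead of dropping into an interactive session, tells a wrong password apart from a connectivity or NLA problem, never prints the candidate passwords, and paces attempts so the account lockout policy Iszi warned about is not tripped. The host name, the candidate list, the delay and the attempt cap are assumptions to adjust for the server being recovered.

```powershell
# Test-CredentialList.ps1 (added example; host, list, delay and cap are assumptions)
$ComputerName = 'hostname'   # assumed target name or IP address
$DelaySeconds = 60           # assumed pause between attempts
$MaxAttempts  = 4            # assumed cap per run, kept below the lockout threshold

# Constructed list of DOMAIN\user / password pairs to try, one login each.
$Candidates = @(
    @{ User = 'DOMAIN\Administrator'; Password = 'BadPass0' },
    @{ User = 'DOMAIN\Administrator'; Password = 'BadPass1' },
    @{ User = 'DOMAIN\Username';      Password = 'GoodPass' }
)

function Test-RemoteCredential {
    param([string]$Computer, [string]$User, [string]$Password)
    $sec  = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential ($User, $sec)
    try {
        # -ErrorAction Stop turns a WinRM failure into a catchable exception
        $s = New-PSSession -ComputerName $Computer -Credential $cred -ErrorAction Stop
        Remove-PSSession $s          # do not leave a session open on success
        return 'Success'
    } catch [System.Management.Automation.Remoting.PSRemotingTransportException] {
        # ErrorCode 5 is ERROR_ACCESS_DENIED: the host answered and rejected the credential.
        # Anything else (host unreachable, WinRM off, NLA/Kerberos trouble) is not a password result.
        if ($_.Exception.ErrorCode -eq 5) { return 'AccessDenied' }
        return "TransportError($($_.Exception.ErrorCode)): $($_.Exception.Message)"
    } catch {
        return "Error: $($_.Exception.Message)"
    }
}

$attempts = 0
foreach ($c in $Candidates) {
    if ($attempts -ge $MaxAttempts) {
        Write-Warning "Reached $MaxAttempts attempts; wait out the lockout observation window before retrying."
        break
    }
    $attempts++
    $result = Test-RemoteCredential -Computer $ComputerName -User $c.User -Password $c.Password
    Write-Output ("{0,-25} -> {1}" -f $c.User, $result)   # the password itself is never logged
    if ($result -eq 'Success') {
        Write-Output "Working login for $($c.User) is candidate #$attempts in the list."
        break
    }
    if ($result -ne 'AccessDenied') { break }   # fix connectivity before spending more attempts
    Start-Sleep -Seconds $DelaySeconds
}
```

Read the lockout threshold and observation window from the domain policy (for example with `net accounts` on a domain member) before choosing `$MaxAttempts` and `$DelaySeconds`, so a correct password is not rejected because earlier wrong guesses locked the account.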