CredSwissArmy
DEPRECATED! LOOK AT CREDNINJA! A tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB
THIS TOOL IS NOW DEPRECATED, PLEASE CHECK OUT CREDNINJA FOR THESE FEATURES AND MORE: https://github.com/Raikia/CredNinja
CredSwissArmy
This script is designed to identify whether credentials are valid, invalid, or valid with local admin rights within a domain network. It works by attempting to mount C$ on each server using different credentials.
The Perl script also accepts NTLM hashes and uses pass-the-hash to confirm them.
WARNING: Be careful running a domain account against multiple servers. If the Active Directory environment is set up to lock out accounts, you can easily lock a domain account by accident with too many invalid login attempts. Always test a domain account against one server to confirm the password is valid before attempting multiple servers to check for local admin.
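For defenders: because each credential is tried against each server by mounting C$, a run appears in Windows Security logs as one source producing network logons (type 3) across many hosts within a short time, with repeated failures per account and C$ access where the logon succeeds. The following is an added example, not part of CredSwissArmy, that applies that detection to constructed events; the flattened CSV layout, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs. Assumed flattened export with columns:
# time,event_id,source_ip,host,account,logon_type,share
# 4624/4625 = successful/failed logon, 5140 = network share accessed.
SAMPLE = r"""
2024-05-01T10:00:01,4625,10.0.0.50,SRV01,testdomain\randomuser2,3,
2024-05-01T10:00:02,4625,10.0.0.50,SRV02,testdomain\randomuser2,3,
2024-05-01T10:00:03,4625,10.0.0.50,SRV03,testdomain\randomuser2,3,
2024-05-01T10:00:04,4624,10.0.0.50,SRV01,testdomain\admin,3,
2024-05-01T10:00:04,5140,10.0.0.50,SRV01,testdomain\admin,,\\*\C$
2024-05-01T10:00:05,4624,10.0.0.50,SRV02,testdomain\admin,3,
2024-05-01T10:00:05,5140,10.0.0.50,SRV02,testdomain\admin,,\\*\C$
2024-05-01T10:07:00,4624,10.0.0.77,SRV01,testdomain\backup,3,
2024-05-01T10:07:01,5140,10.0.0.77,SRV01,testdomain\backup,,\\*\C$
2024-05-01T11:30:00,4625,10.0.0.88,SRV02,testdomain\alice,3,
""".strip()

FIELDS = ("time", "event_id", "src", "host", "account", "logon_type", "share")

def parse(text):
    rows = [dict(zip(FIELDS, line.split(","))) for line in text.splitlines()]
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return sorted(rows, key=lambda r: r["time"])

def detect_sweeps(events, window=timedelta(minutes=5), min_hosts=3, min_failures=3):
    """Flag sources whose network logons fan out across hosts (assumed thresholds)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        for first in evs:  # try a window anchored at each event of this source
            win = [e for e in evs if timedelta(0) <= e["time"] - first["time"] <= window]
            logons = [e for e in win if e["logon_type"] == "3"]
            hosts = sorted({e["host"] for e in logons})
            fails = defaultdict(int)  # failed network logons per account
            for e in logons:
                fails[e["account"]] += e["event_id"] == "4625"
            lockout_risk = sorted(a for a, n in fails.items() if n >= min_failures)
            c_hosts = sorted({e["host"] for e in win
                              if e["event_id"] == "5140" and e["share"].upper().endswith("\\C$")})
            if len(hosts) >= min_hosts and (lockout_risk or c_hosts):
                findings[src] = {"hosts": hosts, "lockout_risk": lockout_risk,
                                 "c_dollar_hosts": c_hosts}
                break
    return findings
```

Event 5140 is only logged when the "Audit File Share" policy is enabled; without it the failed-logon fan-out is the signal that remains.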
Requirements:
- For "CredSwissArmy.pl":
  - Kali
  - Perl
  - smbclient (should be default in Kali)
  - pth-smbclient (should be default in Kali)
- For "Invoke-CredSwissArmy.ps1":
  - Windows
  - PowerShell 2.0+
Basic Usage:
- For "CredSwissArmy.pl":
  - ./CredSwissArmy.pl -a <account or file> -s <server or file> -o <output_file>
  - ./CredSwissArmy.pl -a <account or file> -s <server or file> -o <output_file> --ntlm
- For "Invoke-CredSwissArmy.ps1":
  - Invoke-CredSwissArmy -Hosts '10.10.10.10','10.20.30.40' -Credentials 'testdomain\raikia:hunter2','test\user:pass'
  - Invoke-CredSwissArmy -Hosts '10.10.10.10','10.20.30.40' -Credentials 'testdomain\raikia:hunter2','test\user:pass' | Tee C:\temp\output.txt
Examples:
- For "CredSwissArmy.pl":
  - ./CredSwissArmy.pl -a 'testdomain\raikia:hunter2' -s 10.10.10.10 -o results.txt
  - ./CredSwissArmy.pl -a accounts.txt -s 10.10.10.10 -o results.txt
  - ./CredSwissArmy.pl -a 'testdomain\raikia:hunter2' -s servers.txt -o results.txt
  - ./CredSwissArmy.pl -a accounts.txt -s servers.txt -o results.txt
  - ./CredSwissArmy.pl -a 'testdomain\raikia:6608e4bc7b2b7a5f77ce3573570775af' -s 10.10.10.10 -o results.txt --ntlm
  - ./CredSwissArmy.pl -a accounts.txt -s servers.txt -o results.txt --ntlm
- For "Invoke-CredSwissArmy.ps1":
  - Invoke-CredSwissArmy -Hosts '10.10.10.10','10.20.30.40' -Credentials 'testdomain\raikia:hunter2','test\user:pass'
  - Invoke-CredSwissArmy -Hosts '10.10.10.10','10.20.30.40' -Credentials 'testdomain\raikia:hunter2','test\user:pass' | Tee C:\temp\output.txt
Example output file (only for "CredSwissArmy.pl"):
10.10.10.10,testdomain\admin,password,LOCAL ADMIN! Valid
10.10.10.10,testdomain\randomuser,password,Valid
10.10.10.10,testdomain\randomuser2,password,Invalid Creds
Help to show all available options:
- ./CredSwissArmy.pl -h
- Invoke-CredSwissArmy -?
ARGUMENTS for "CredSwissArmy.pl"
- -a, --accounts <word/file>
  > A word or file of user credentials to test. Usernames are accepted in the form of 'DOMAIN\USERNAME:PASSWORD' ('DOMAIN' is optional) (Username:Password delimiter is configurable)
- -s, --servers <word/file>
  > A word or file of servers to test against. Each credential will be tested against each of these servers by attempting to mount "C$"
Other Options for "CredSwissArmy.pl"
- -v, --valid
  > Only print valid credentials (those with valid usernames/passwords). Will print both local admins and those with valid users.
- -i, --invalid
  > Only print invalid credentials (those with invalid username/password pairs).
- -o, --output <file>
  > Print results to a file
- --delimiter
  > Change the delimiter of the output file. Default is ","
- -d, --debug
  > Print out debugging messages
- -p, --passdelimiter
  > Change the delimiter between the account username and password. Default is ":"
- --formatoutput <string>
  > Change the output format to the screen in PRINTF format (default: "%-35s %-35s %-35s %-35s\n")
You can supply either a single account/server via the command line, or give a filename with multiple values separated by a new line
- --ntlm
  > Treat the passwords as NTLM hashes and attempt to pass-the-hash with them
Contact Information
Feel free to contact me with any changes or feature requests!
- https://twitter.com/raikiasec
- [email protected]