{
	"id": "bdab302d-48d8-42c2-b151-cd68a12181fd",
	"created_at": "2026-04-06T00:17:46.570006Z",
	"updated_at": "2026-04-10T03:24:29.226334Z",
	"deleted_at": null,
	"sha1_hash": "50806342751db8a224d0758a69290d24b5744ff4",
	"title": "SMB Login Bruteforce: Intelligent PowerShell Hacking Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50589,
	"plain_text": "SMB Login Bruteforce: Intelligent PowerShell Hacking Tool\r\nBy Jason Lang\r\nPublished: 2026-02-23 · Archived: 2026-04-05 20:07:25 UTC\r\nIntro\r\nOne of my favorite post-ex Metasploit modules is smb_login. It’s great for running a quick test using credentials\r\nyou’ve discovered. One of the problems with it is that there is nothing that prevents you from locking out\r\naccounts. Plus, you have to create a user list which means dumping users | cut | sed | awk, blah blah blah. (Update:\r\nThanks to @ztgrace for bringing me up to speed on the MaxGuessesPerUser advanced property of smb_login.)\r\nI wanted something that did all this work for me that would just take a password list and be smart enough to\r\nhandle all the logistics, plus I wanted it in PowerShell for obvious reasons (PowerShell \u003e Ruby. \u003ctrollygrin\u003e).\r\nSeriously though, I’m not a Ruby dev, and every time I try, I reach gem dependency rage-level 11 in about 15\r\nminutes. So…\r\nAdmin Rights Required: NO\r\nPowerShell Version Required: 2+\r\nThe autobrute script has a few features built in making it handy for the pentester who needs creds \u0026 is short on\r\ntime.\r\nParameters\r\nThe script receives the following parameters:\r\nUserList\r\nA simple text file that exists on target containing users to brute (one per line). If no list is passed, query the domain\r\nfor a list of users whose badPwdCount attribute is two less than the domain account lockout threshold. Wrap paths\r\nin double quotes.\r\nPasswordList (Required)\r\nA comma separated list of passwords to try. Even if the Lockout Threshold is 3 attempts, pass in 10 passwords or\r\nso. The script will grab safe users to brute every password run. Wrap list in double quotes.\r\nLockoutThreshold (Required)\r\nThe lockout threshold of the domain. 
Run “net accounts” on the target, grab the Lockout Threshold value and use\r\nthat.\r\nDelay\r\nThe number of milliseconds to wait between each attempt. Handy if your connection is slow, otherwise you could\r\nget odd errors. Default 100.\r\nShowVerbose\r\nBy default, only successes are shown. Specifying this switch will show all skipped and failed attempts. Lots of\r\ninformation will hit the screen. You’ve been warned.\r\nStopOnSuccess\r\nWhat you’d expect. After the first successful authentication, exit the script.\r\nWorkflow\r\nThe general order of the script is as follows. Assume no UserList was passed and the LockoutThreshold was set to\r\n5.\r\n1. Perform prereq checks. Be sure you can locate the PDC, etc\r\n2. For each password in the password list, perform the following:\r\n3. Retrieve a list of enabled users from the domain (PDC specifically) whose badPwdCount attribute is\r\n\u003c=3. The reason for this is that we want all users who could not be locked out during this attempt.\r\nIt is possible that a user could fat finger a password during the brute, locking their account.\r\nUnlikely, but possible.\r\n4. For each user retrieved:\r\n1. Check their badPwdCount attribute against all DCs and use the highest value. The reason\r\nthis is done is the badPwdCount attribute is not replicated (source). If the highest value is\r\ngreater than one less than the lockout threshold, do not test the account.\r\n2. If the account is safe to test, test the password against the PDC. If successful add the user to\r\na valid users list (and never test this user again). Throw the result to the screen.\r\nRisks: Regardless of the safety checks built in to the script, it is possible that lockouts could still occur.\r\nReplication problems between DCs, a DC that is being rebooted during processing, users who are trying as fast as\r\nthey can with bad passwords, all could cause lockouts. 
Always best to test before you run against your target!\r\nIt’s been tested in my lab against thousands of users, but that’s it. We are not liable for your slow env or the\r\naccounts you lock! 🙂\r\nQuick Screenshot:\r\nRunning as a low priv account.\r\nNote: If you get LDAP server unavailable errors, you might be bruting too fast. Try setting the Delay param to 500\r\nor so.\r\nDefense\r\nAs with any brute force attack, your logs (specifically the PDC Security Event log) will be filled with failures.\r\nThis script will actually load up the logs of all DCs as each user is checked against each DC for their\r\nbadPwdCount attribute. We always recommend to our customers that they be setting thresholds on alerts so that if\r\nX events fire in X seconds, you are alerted. The security event log will contain the source IP of the authentication\r\nattempt. That’s your compromised machine.\r\nReally sneaky pentesters could set the Delay to 1000+ and just let it run overnight. \u003c/evilgrin\u003e\r\nComments are welcome, but please use github for any questions/bugs. Our scripts repo is here.\r\n@curi0usJack\r\nPS – An Empire pull request has been submitted. Keep a look out for\r\nsituational_awareness/network/smbautobrute. 🙂\r\nSource: https://www.shellntel.com/blog/2016/7/7/smart-smb-brute-forcing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.shellntel.com/blog/2016/7/7/smart-smb-brute-forcing"
	],
	"report_names": [
		"smart-smb-brute-forcing"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50806342751db8a224d0758a69290d24b5744ff4.pdf",
		"text": "https://archive.orkl.eu/50806342751db8a224d0758a69290d24b5744ff4.txt",
		"img": "https://archive.orkl.eu/50806342751db8a224d0758a69290d24b5744ff4.jpg"
	}
}