The Poor Man’s Honeypot; how to flag password spraying in a homelab

  • One uppercase
  • One lowercase
  • One number
  • One special character
New-ADUser -DisplayName "Test Dummy" -SamAccountName "test.dummy" -UserPrincipalName "test.dummy@test.local" -Path 'ou=user accounts,dc=test,dc=local' -AccountPassword (Read-Host -AsSecureString "Input Password") -Enabled $true
$ErrorActionPreference = "SilentlyContinue"
do
{
    # Any 4624 (successful logon) for the decoy account in the last half hour means someone guessed its password
    if (Get-EventLog -LogName Security -InstanceId 4624 -Message "*test.dummy*" -Newest 1 | Where-Object {$_.TimeGenerated -ge (Get-Date).AddHours(-.5)}) {
        # Lock the account & email the event to an admin
        # ReplacementStrings[18] is the Source Network Address field of a 4624 event
        $Offender = (Get-EventLog -LogName Security -InstanceId 4624 -Message "*test.dummy*" -Newest 1 | Select-Object TimeWritten,@{Name="OffenderIP";Expression={ $_.ReplacementStrings[18]}},EventID,MachineName).OffenderIP
        Set-ADUser -Identity "test.dummy" -Enabled $false -Description "Potential Password Spraying detected! Logged by DC $env:computername. The offender's IP is $Offender"
        $EmailBody = Get-EventLog -LogName Security -InstanceId 4624 -Message "*test.dummy*" -Newest 1 | Select-Object -Property *
        Send-MailMessage -From 'PowerShell@test.local' -To 'mishky@test.local' -Subject 'Potential Password Spraying detected!' -Body "$EmailBody"
        Write-Host "Hide your kids, hide your WiFi! Exiting ..."
        break
    }
    else {
        Write-Host "Nothing found yet"
        Start-Sleep -Seconds 120
    }
}
while ($true)
crackmapexec smb 192.168.0.104 -u /home/kali/Downloads/Wordlists/pwdspray.txt -p Summer2022 --continue-on-success
hydra -t 1 -V -f -L <user list> -P <pwd list> <IP address> smb
Some screenshots redacted IOT omit kid’s real names
<query> | Out-String -Stream | Select-String "<thing we're looking for>" -Context <however many lines you need>
Get-EventLog -LogName Security -InstanceId 4624 -Message "*test.dummy*" -Newest 1 | Select-Object TimeWritten,@{Name="OffenderIP";Expression={ $_.ReplacementStrings[18]}},EventID,MachineName
# Find the ReplacementStrings number you are looking for via brute force :P
$x = 0
$z = 30
do
{
    $x = $x + 1
    $x
    Get-EventLog -LogName Security -InstanceId 4624 -Message "*test.dummy*" -Newest 1 | Select-Object TimeWritten,@{Name="Network Information";Expression={ $_.ReplacementStrings[$x]}},EventID,MachineName
}
while ($x -lt $z)
# ReplacementStrings[8] is the Logon Type field of a 4624 event
$LogonType = (Get-EventLog -LogName Security -InstanceId 4624 -Message "*test.dummy*" -Newest 1 | Select-Object TimeWritten,@{Name="LogonType";Expression={ $_.ReplacementStrings[8]}},EventID,MachineName).LogonType
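An added example, not the author's script, that does the same decoy-account check with Get-WinEvent instead of the deprecated Get-EventLog, reads the event fields by name rather than by guessed ReplacementStrings index, and covers both the successful 4624 logons the post watches for and the 4625 failures a decoy with a strong password would produce. It assumes the decoy is still test.dummy, the ActiveDirectory module is loaded, and the script runs on the DC.

```powershell
# Added example (not the post's own code). Assumes decoy account 'test.dummy',
# the ActiveDirectory module, and that it runs on the domain controller.
function Get-HoneypotLogonActivity {
    param(
        [string]$Honeypot = 'test.dummy',   # decoy sAMAccountName (assumed)
        [int]$LookbackMinutes = 30
    )
    # 4624 = successful logon (the post's case: the spray guessed the weak decoy password)
    # 4625 = failed logon (a decoy with a strong password only ever produces these)
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $hits = foreach ($e in $events) {
        # Pull EventData fields by name so the index differences between 4624 and 4625 do not matter
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $Honeypot) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            LogonType = $data['LogonType']
            SourceIP  = $data['IpAddress']
            Host      = $data['WorkstationName']
        }
    }
    # Nobody should ever touch the decoy, so one row per source IP is the alert
    $hits | Group-Object SourceIP | ForEach-Object {
        [pscustomobject]@{
            SourceIP  = $_.Name
            Attempts  = $_.Count
            Successes = @($_.Group | Where-Object EventId -eq 4624).Count
            First     = ($_.Group | Measure-Object Time -Minimum).Minimum
            Last      = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    }
}

# Usage: any result means the decoy was touched; disable it and surface the per-IP summary
$report = Get-HoneypotLogonActivity
if ($report) {
    Set-ADUser -Identity 'test.dummy' -Enabled $false -Description "Decoy touched; see $env:computername Security log"
    $report | Format-Table -AutoSize
}
```

Because the decoy is filtered by TargetUserName, a spray that walks the whole user list shows up here as soon as it reaches the decoy, whatever the other accounts' outcomes were.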
Mishky hard at work debugging something I screwed up
  • Be required to use smart cards
  • Be put in the Protected Users group
  • Be set to not allow delegation
  • Utilize a mere user account for day to day stuff like email, asking CW6 Google how to do their job, etc

Rich
I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.