TSGrinder is the first production Terminal Server brute force tool, and is now in release 2. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.
TSGrinder is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.
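From the defender's side, the two points above (no lockout on the Administrator account, and an encrypted channel that a network IDS cannot inspect) leave the server's own failed-logon records as the place where this activity shows up. The following is an added example, not part of the original announcement or of TSGrinder: it counts failed Administrator logons per source in a sliding window over constructed records. The record layout, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records in a made-up layout (not a real Windows event format):
# timestamp  account  source-address  outcome
SAMPLE_LOG = """\
2003-08-01T10:00:01 Administrator 192.0.2.10 FAIL
2003-08-01T10:00:03 Administrator 192.0.2.10 FAIL
2003-08-01T10:00:05 Administrator 192.0.2.10 FAIL
2003-08-01T10:00:09 administrator 192.0.2.10 FAIL
2003-08-01T10:00:12 Administrator 192.0.2.10 FAIL
2003-08-01T10:00:15 Administrator 192.0.2.10 FAIL
2003-08-01T10:00:19 Administrator 192.0.2.10 OK
2003-08-01T09:00:00 Administrator 198.51.100.7 FAIL
2003-08-01T09:20:00 Administrator 198.51.100.7 FAIL
2003-08-01T09:20:30 Administrator 198.51.100.7 OK
2003-08-01T10:00:02 jsmith 192.0.2.10 FAIL
"""


def parse(text):
    """Yield (timestamp, account, source, outcome) from the constructed layout."""
    for line in text.splitlines():
        if line.strip():
            ts, account, source, outcome = line.split()
            yield datetime.fromisoformat(ts), account.lower(), source, outcome


def find_guessing(records, account="administrator", threshold=5,
                  window=timedelta(minutes=1)):
    """Flag sources with >= threshold failed logons for `account` inside
    `window`, and note whether a successful logon followed the burst."""
    recent = defaultdict(deque)   # source -> failure times still inside the window
    alerts = {}                   # source -> {"peak": int, "success_after": bool}
    for ts, acct, source, outcome in sorted(records):
        if acct != account:
            continue
        if outcome == "FAIL":
            q = recent[source]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(source, {"peak": 0, "success_after": False})
                alert["peak"] = max(alert["peak"], len(q))
        elif outcome == "OK" and source in alerts:
            alerts[source]["success_after"] = True
    return alerts
```

Counting failures rather than connections matters here because several password attempts can ride inside one connection. A flagged source with `success_after` set is the case to investigate first.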
Note that the tool requires the Microsoft Simulated Terminal Server Client tool, "roboclient," which may be found here:
ftp://ftp.microsoft.com/ResKit/win2000/roboclient.zip
There are still a couple of bugs we are working out; for instance, we've got a problem with using "l337" conversion with more than 2 threads open. There have also been requests to support standard brute-force-via-character-iteration attacks, and we will get to this when we can. In the meantime, enjoy the tool, and let me know how it works for you.
For those interested in the Blackhat presentation Ryan Russell and I made in Vegas, you can find that here:
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-mullen.pdf
Go nuts!