#1 Failed Logon Attempts

Create a few user accounts

  • Run this PowerShell script on the Windows machine:
$users = @(
    @{Name="IronMan"; Password="Stark@123"},
    @{Name="CaptainAmerica"; Password="Shield@123"},
    @{Name="Thor"; Password="Mjolnir@123"},
    @{Name="Hulk"; Password="Smash@123"},
    @{Name="BlackWidow"; Password="Spy@123"}
)

foreach ($user in $users) {
    $name = $user.Name
    $password = $user.Password
    
    # Create the user with net user: the account never expires and the user cannot change the password
    net user $name $password /add /expires:never /passwordchg:no /fullname:"$name"

    Write-Host "Created user: $name"
}


Simulate Failed Logins

  • We are using SMB here; it is enabled by default.
  • I ran this script from my host machine; you can run it from the attacker machine as well.
  • Check the Windows firewall if you hit network issues; I currently have it disabled.
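#!/usr/bin/env bash
# Lab target and a deliberately wrong password for every account
TARGET="10.10.10.103"
WRONG_PASS="WrongPassword123"
USERS=("BlackWidow" "CaptainAmerica" "Hulk" "IronMan" "Thor")

# One failed SMB authentication per user; each one is logged on the target as event 4625
for user in "${USERS[@]}"; do
    echo -e "\n[*] Trying $user..."
    smbclient -L "//$TARGET/C$" -U "$user%$WRONG_PASS" -m SMB3 -d 1 2>&1
    sleep 1
done
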
[*] Trying BlackWidow...
Can't load /etc/samba/smb.conf - run testparm to debug it
session setup failed: NT_STATUS_LOGON_FAILURE

[*] Trying CaptainAmerica...
Can't load /etc/samba/smb.conf - run testparm to debug it
session setup failed: NT_STATUS_LOGON_FAILURE

[*] Trying Hulk...
Can't load /etc/samba/smb.conf - run testparm to debug it
session setup failed: NT_STATUS_LOGON_FAILURE

[*] Trying IronMan...
Can't load /etc/samba/smb.conf - run testparm to debug it
session setup failed: NT_STATUS_LOGON_FAILURE

[*] Trying Thor...
Can't load /etc/samba/smb.conf - run testparm to debug it
session setup failed: NT_STATUS_LOGON_FAILURE

Verify failed logon logs using PowerShell

# Generated by ChatGPT :) - After a few tries ofc

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object {
    $evt = $_
    # Properties[5] is TargetUserName in the 4625 event data
    $username = $evt.Properties[5].Value

    # Search all properties for an IPv4 address pattern
    $ip = ($evt.Properties | ForEach-Object { $_.Value }) `
          | Where-Object { $_ -match '\b(?:\d{1,3}\.){3}\d{1,3}\b' } `
          | Select-Object -First 1

    if (-not $ip) { $ip = "N/A" }

    $time = $evt.TimeCreated

    [PSCustomObject]@{
        TimeCreated = $time
        Username = $username
        SourceIP = $ip
    }
} | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

TimeCreated         Username       SourceIP
-----------         --------       --------
6/9/2025 5:10:20 PM Thor           10.10.3.2
6/9/2025 5:10:19 PM IronMan        10.10.3.2
6/9/2025 5:10:18 PM Hulk           10.10.3.2
6/9/2025 5:10:17 PM CaptainAmerica 10.10.3.2
6/9/2025 5:10:15 PM BlackWidow     10.10.3.2
6/9/2025 5:09:57 PM Thor           10.10.3.2
6/9/2025 5:09:56 PM IronMan        10.10.3.2
6/9/2025 5:09:55 PM Hulk           10.10.3.2
6/9/2025 5:09:53 PM CaptainAmerica 10.10.3.2
6/9/2025 5:06:09 PM Thor           10.10.3.2
6/9/2025 5:01:12 PM marry          127.0.0.1
6/9/2025 5:01:04 PM marry          127.0.0.1
6/9/2025 1:29:41 PM marry          127.0.0.1
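
The table above shows one source IP failing against five different accounts within a few seconds. As an added example (not part of the original page), the function below flags that pattern with a sliding window per source IP; the function name, the thresholds and the sample records are assumptions made for illustration.

```powershell
# Added example: find source IPs whose failed logons hit many distinct
# accounts inside a short sliding window.
function Find-FailedLogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # need TimeCreated, Username, SourceIP
        [int] $WindowSeconds    = 60,               # assumed threshold, tune per environment
        [int] $MinDistinctUsers = 4                 # assumed threshold, tune per environment
    )
    foreach ($group in ($Events | Group-Object SourceIP)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $start  = 0
        $best   = $null
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the left edge forward until the window fits in $WindowSeconds.
            while (($sorted[$end].TimeCreated - $sorted[$start].TimeCreated).TotalSeconds -gt $WindowSeconds) {
                $start++
            }
            $window = @($sorted[$start..$end])
            $users  = @($window.Username | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers -and
                ($null -eq $best -or $users.Count -gt $best.DistinctUsers)) {
                $best = [PSCustomObject]@{
                    SourceIP      = $group.Name
                    WindowStart   = $sorted[$start].TimeCreated
                    WindowEnd     = $sorted[$end].TimeCreated
                    Failures      = $window.Count
                    DistinctUsers = $users.Count
                    Users         = $users -join ', '
                }
            }
        }
        if ($best) { $best }   # one row per source IP: its widest burst
    }
}

# Constructed sample records, modelled on the table above.
$sample = @(
    '17:10:15,BlackWidow,10.10.3.2', '17:10:17,CaptainAmerica,10.10.3.2',
    '17:10:18,Hulk,10.10.3.2',       '17:10:19,IronMan,10.10.3.2',
    '17:10:20,Thor,10.10.3.2',       '17:01:04,marry,127.0.0.1',
    '17:01:12,marry,127.0.0.1'
) | ForEach-Object {
    $t, $u, $ip = $_ -split ','
    [PSCustomObject]@{ TimeCreated = [datetime]"2025-06-09 $t"; Username = $u; SourceIP = $ip }
}

Find-FailedLogonBurst -Events $sample | Format-Table -AutoSize
```

On the sample this reports 10.10.3.2 with five failures across five accounts and nothing for 127.0.0.1, where only one account failed. To run it on live data, pass in the objects from the Get-WinEvent pipeline above with the trailing Format-Table removed.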

Kibana Visualization

  • event.code: "4625" - Failed logons.
