@cetaSYN
Last active February 4, 2020 17:38
SANS Holiday Hack 2019 Objective 3 - Password Spray
# SANS Holiday Hack 2019 Objective 3 - Password Spray
# Dependency: python-evtx
import Evtx.Evtx as evtx
import re

# Fields worth keeping from each record's XML
target_fields = ['EventID', 'TimeCreated', 'Computer', 'LogonType', 'TargetUserName', 'IpAddress']
output = []

# Render every record in the log as XML text
with evtx.Evtx('Security.evtx') as log:
    for record in log.records():
        output.append(record.xml())

# Keep only logon events: 4624 (success), 4625 (failure), 4648 (logon with explicit credentials)
for row in output:
    if re.search('.*>(4624|4625|4648)</.*', row):
        lines = row.split('\n')
        for line in lines:
            # Print only the lines that carry one of the fields of interest
            if any(field in line for field in target_fields):
                print(line)
        print('\n')
cetaSYN commented Jan 7, 2020

Simply filters the log to relevant info, not the solution.
Produces a LOT of results.

Here's what we're looking for:

<EventID Qualifiers="">4648</EventID>
<TimeCreated SystemTime="2019-11-19 12:21:45.754591"></TimeCreated>
<Computer>DC1.elfu.org</Computer>
<Data Name="TargetUserName">supatree</Data>
<Data Name="IpAddress">127.0.0.1</Data>


<EventID Qualifiers="">4624</EventID>
<TimeCreated SystemTime="2019-11-19 12:21:45.755442"></TimeCreated>
<Computer>DC1.elfu.org</Computer>
<Data Name="TargetUserName">supatree</Data>
<Data Name="LogonType">3</Data>
<Data Name="IpAddress">127.0.0.1</Data>

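The gist only filters the log down to the logon events and the fields above; the comment shows the two records (a 4648 followed by a 4624 for supatree) that single out the sprayed account. The block below is an added example, not part of the gist or the author's solution, that turns the same filter into detection logic: it parses records in the XML shape python-evtx's record.xml() emits (the Windows event namespace on the Event element is assumed), flags a source IP that fails against many distinct accounts inside a short window, and then lists any 4624/4648 success for one of those accounts. The sample records are constructed for the example, not taken from the real Security.evtx; the thresholds (min_users, window_minutes) are illustrative choices.

```python
# Added example (not from the gist): password-spray detection over
# EVTX-style XML records, standard library only, so it runs without
# python-evtx. With python-evtx, feed it `record.xml()` strings exactly
# as the gist collects them.
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Windows event XML carries this namespace (assumed for the constructed records).
NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}


def parse_time(s):
    """python-evtx emits 'YYYY-MM-DD HH:MM:SS.ffffff'; accept it with or without fraction."""
    for fmt in ('%Y-%m-%d %H:%M:%S.%f', '%Y-%m-%d %H:%M:%S'):
        try:
            return datetime.strptime(s, fmt)
        except ValueError:
            pass
    raise ValueError('unrecognised SystemTime: %r' % s)


def parse_record(xml_text):
    """Extract the fields the gist prints; None for any event that is not 4624/4625/4648."""
    root = ET.fromstring(xml_text)
    system = root.find('e:System', NS)
    event_id = int(system.find('e:EventID', NS).text)
    if event_id not in (4624, 4625, 4648):
        return None
    data = {d.get('Name'): d.text for d in root.iterfind('e:EventData/e:Data', NS)}
    return {
        'EventID': event_id,
        'TimeCreated': parse_time(system.find('e:TimeCreated', NS).get('SystemTime')),
        'Computer': system.find('e:Computer', NS).text,
        'TargetUserName': data.get('TargetUserName'),
        'LogonType': data.get('LogonType'),   # absent on 4648 records
        'IpAddress': data.get('IpAddress'),
    }


def find_sprays(records, min_users=3, window_minutes=5):
    """A spray: one source IP producing 4625 failures against >= min_users distinct accounts
    within window_minutes. Returns {ip: set_of_sprayed_accounts}."""
    failures = defaultdict(list)
    for r in records:
        if r['EventID'] == 4625:
            failures[r['IpAddress']].append(r)
    sprays = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda r: r['TimeCreated'])
        start = 0
        for end in range(len(evs)):   # sliding window over this IP's failures
            while (evs[end]['TimeCreated'] - evs[start]['TimeCreated']).total_seconds() > window_minutes * 60:
                start += 1
            users = {r['TargetUserName'] for r in evs[start:end + 1]}
            if len(users) >= min_users:
                sprays.setdefault(ip, set()).update(users)
    return sprays


def compromised_accounts(records, sprays):
    """Sprayed accounts that also show a 4624/4648 success, matched by account name only:
    the comment's success records come from 127.0.0.1, not from the spraying source."""
    sprayed = set().union(*sprays.values()) if sprays else set()
    return [(r['TargetUserName'], r['IpAddress'], r['EventID'])
            for r in records
            if r['EventID'] in (4624, 4648) and r['TargetUserName'] in sprayed]


def make_record(event_id, when, user, ip, logon_type=None):
    """Constructed record in the shape shown in the comment above (namespace assumed)."""
    extra = '<Data Name="LogonType">%s</Data>' % logon_type if logon_type else ''
    return ('<Event xmlns="%s"><System>' % NS['e'] +
            '<EventID Qualifiers="">%d</EventID>' % event_id +
            '<TimeCreated SystemTime="%s"></TimeCreated>' % when +
            '<Computer>DC1.elfu.org</Computer></System>'
            '<EventData><Data Name="TargetUserName">%s</Data>' % user +
            extra + '<Data Name="IpAddress">%s</Data></EventData></Event>' % ip)


# Constructed sample, not data from the real Security.evtx.
SAMPLE_RECORDS = [
    make_record(4672, '2019-11-19 12:19:59.000000', 'SYSTEM', '-'),          # filtered out
    make_record(4625, '2019-11-19 12:20:00.100000', 'alice', '10.0.0.5', 3),
    make_record(4625, '2019-11-19 12:20:10.100000', 'bob', '10.0.0.5', 3),
    make_record(4625, '2019-11-19 12:20:20.100000', 'carol', '10.0.0.5', 3),
    make_record(4625, '2019-11-19 12:20:30.100000', 'supatree', '10.0.0.5', 3),
    make_record(4625, '2019-11-19 12:20:40.100000', 'dave', '10.0.0.5', 3),
    make_record(4625, '2019-11-19 12:20:05.000000', 'bob', '10.0.0.9', 3),   # one user: not a spray
    make_record(4625, '2019-11-19 12:20:50.000000', 'bob', '10.0.0.9', 3),
    make_record(4648, '2019-11-19 12:21:45.754591', 'supatree', '127.0.0.1'),
    make_record(4624, '2019-11-19 12:21:45.755442', 'supatree', '127.0.0.1', 3),
    make_record(4624, '2019-11-19 12:30:00.000000', 'admin', '10.0.0.50', 2),  # never sprayed
]


def analyse(xml_records):
    """Run the whole pipeline: filter, detect sprays, list sprayed accounts that logged on."""
    parsed = [r for r in (parse_record(x) for x in xml_records) if r]
    sprays = find_sprays(parsed)
    return sprays, compromised_accounts(parsed, sprays)


if __name__ == '__main__':
    sprays, hits = analyse(SAMPLE_RECORDS)
    for ip, users in sprays.items():
        print('spray from %s against %d accounts: %s' % (ip, len(users), sorted(users)))
    for user, ip, event_id in hits:
        print('sprayed account %s then succeeded (%d) from %s' % (user, event_id, ip))
```

On a real export the interesting part is the second function: with `min_users` raised to something like 20 and the window set to the spray's cadence, the 4625 volume the gist warns about collapses to one source IP and one list of accounts, and the 4624/4648 lookup reduces the remaining search to the accounts in that list.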