Microsoft Windows suffer from a serious lack of protection in their authentication mechanism which could led in privilege escalation.
Indeed, in default installation of Windows (all version), the account lockdown policy is disabled plus authentication API’s doesn’t limit number of attempts per seconds which could led to a medium to fast brute-force attacks.
Using our PoC and depending of the number of cores available in the target system you could test from few thousands to dozen of thousands of password per second.
Considering that those kind of authentication API’s could be used by any Windows account, even a Guest user could use the PoC to recover / crack the password of any local user and escalate his privilege.
It is not sure that Microsoft will patch this problem. The best solution would be to implement account lockdown policy in all Microsoft Windows installations with a fine tuned threshold by default plus limiting the number of authentication API’s call per seconds.
Disabled Guest Account
If it is not absolutely necessary, disable the Guest account. By default, Guest account is not activated.
Implement Lockdown Policy
By default Lockdown Policy is not activated. If you have access to “Local Security Policy” application you can enable account lockdown easily.
Import notice: Account lockdown policy wont affect Administrator user account. The only known mitigation for Administrator account if enabled is to use a complex password.
Enable Account Lockdown Policy
Open “Local Security Policy” manager using
Then browse to
Security Settings >
Account Policies >
Account Lockout Policy
Finally double click on
Account lockout threshold item and set the
Account will lock out after spin edit with desired value from (
In Windows Home edition you might not found the
secpol.mscmanagement console. You can access to security settings through
Local Computer Policy>
Account Lockout Policy.
Use complex password
This is the most important thing to take in consideration and the best way to mitiage this problem.
Using a complex password will prevent brute-forcing attacks to succeed. Follow guidelines about how to create a tough password.
PoC Source Code (32bit and 64bit)
The full Proof Of Concept code is available on Github : https://github.com/DarkCoderSc/win-brute-logon
git clone https://github.com/DarkCoderSc/win-brute-logon.git
It was build with Delphi 10.3 Rio. (No additional libraries or dependencies are required)
-u: Target username (Required).
-w: Wordlist file (Required).
-d: Specify domain name (Default : %USERDOMAIN% environment variable).
-v: Enable verbosity.
WinBruteLogon.exe -u "Jean-Pierre LESUEUR" -w "c:\tmp\test.txt" -v
Lets imagine an Hacker having an existing reverse shell to a remote Windows machine as a low privileged user (Guest account in our example, but it could be another user).
Fortunately for him account policy lockdown is not enabled and target user
HackMe might have been lazy and chose a password present in a wordlist.
From his Netcat session and using
WinBruteLogon, the Hacker could easily find the password of target account
HackMe and escalate his privileges using another tool (in our case,
RunAsAttached.exe). Still from his Netcat session he would be now logged as user
HackMe and continue his path with his desired objectives.
You can find both application on our Github page:
Scenario in Video
In this scenario account policy lockdown is enabled and configured to lock account after 10 failed attempt. We are likely protected against brute-force attack using
But what if Administrator account is used and enabled?
Administrator account isn’t concerned by the account lockdown policy, if an Hacker enter as a low privileged user and if Administrator account password is weak or present in a dictionary, the Hacker could still brute-force the account and escalate his privilege.
Using a complex password is THE mitigation for such attack. In this specific case account lockdown policy would be useless.
Scenario in Video
Conclusion in three points
Ensure to use complex password for all your user and ensure that account lockdown policy is enabled.
Be careful while testing this attack, it will surely be very noisy.
Be sure to have all required authorization.