62

Yeah, I can fire up a VM or remote into something and try the password...I know...but is there a tool or script that will simulate a login just enough to confirm or deny that the password is correct?

Scenario:

A server service account's password is "forgotten"...but we think we know what it is. I'd like to pass the credentials to something and have it kick back with "correct password" or "incorrect password".

I even thought about a drive mapping script with that user account and password being passed to see if it mapped the drive successfully or not but got lost in the logic of making it work correctly...something like:

- Script asks for username via msgbox
- Script asks for password via msgbox
- Script tries to map a drive to a common share that everyone has access to
- Script unmaps drive if successful
- Script returns popup msgbox stating "Correct Password" or else "Incorrect Password"

Any help is appreciated...you'd think this would be a rare occurrence not requiring a tool to support it but...well....

Abel
  • 1,047
TheCleaner
  • 32,822

9 Answers

113
runas /u:yourdomain\a_test_user notepad.exe

The utility will prompt for the password. If the right password has been provided, notepad will launch; if not, it will produce error 1326: the username or password is incorrect.

Abel
  • 1,047
  • 7
    Awesome! This solution has two important advantages over the accepted answer: 1) available on Windows XP+ out of the box, don't have to download anything, 2) related to this: as it's from MS, it doesn't require me to trust my password to some third-party tool of unknown provenance. – akavel May 19 '15 at 10:16
  • 4
    Serverfault IT admins know this, but if you're a home user finding this answer off a web search (this is the best answer by the way–uses only stuff that comes with Windows): on a home computer, the yourdomain part above is your computer's name. Find that in Control Panel > System. One of the values is literally that, "Computer Name:". E.g. if your computer's name is "smith-laptop" and your username is "joe", you'd do runas /u:smith-laptop\joe notepad.exe – Daryn Nov 13 '15 at 07:25
  • Still very useful – Terry Dec 06 '16 at 09:45
  • 2
    @Daryn You can also run the whoami command, which will quickly show you your username and computer name in the computername\username format. This command is available in Windows 2000 and beyond. – Hydraxan14 Jan 30 '17 at 16:56
  • 5
    On a successful authentication, you may just get an error like 1385: Logon failure: the user has not been granted the requested logon type at this computer. – mwfearnley Apr 27 '18 at 11:46
  • 2
    If you get 5: Access is denied., make sure the seclogon service is started (https://stackoverflow.com/a/53389796/446106) – mwfearnley Jun 16 '20 at 08:55
  • this is awesome like I have a tool to auto set admin passwords and it's a pain to lock the machine and hope for the best because if it fails you need either a backup admin or whatever, and this lets you just test it even as the user that is currently logged in. – My1 Jul 21 '21 at 21:15
  • 1
    perfect solution - also works with local user :) .. runas /u:a_test_user notepad.exe – ebricca Feb 03 '22 at 09:40
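The error numbers quoted in this answer and its comments (1326, 1385) can be read directly instead of from runas output. The following is an added example, not part of the original answer or its comments: it assumes the Win32 LogonUser API with a network logon in place of runas, and the names LogonProbe and Test-LogonCredential are hypothetical.

```powershell
# Added example: LogonProbe and Test-LogonCredential are hypothetical names.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class LogonProbe {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int provider, out IntPtr token);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // Returns 0 on success, otherwise the Win32 error code set by LogonUser.
    public static int Attempt(string user, string domain, string password) {
        IntPtr token;
        if (string.IsNullOrEmpty(domain)) domain = null;   // NULL domain: name is in UPN form
        // 3 = LOGON32_LOGON_NETWORK, 0 = LOGON32_PROVIDER_DEFAULT
        if (LogonUser(user, domain, password, 3, 0, out token)) {
            CloseHandle(token);                            // do not leak the logon token
            return 0;
        }
        return Marshal.GetLastWin32Error();
    }
}
'@

function Test-LogonCredential {
    param([Parameter(Mandatory = $true)][pscredential]$Credential)
    $net = $Credential.GetNetworkCredential()
    # DOMAIN\user -> DOMAIN; user@domain -> NULL domain; bare name -> local machine (".")
    $domain = if ($net.Domain) { $net.Domain } elseif ($net.UserName -like '*@*') { '' } else { '.' }
    $code = [LogonProbe]::Attempt($net.UserName, $domain, $net.Password)
    $verdict = switch ($code) {
        0       { 'Correct password' }
        1326    { 'Incorrect user name or password' }   # counts toward lockout policy
        1385    { 'Authenticated, but this logon type is not granted on this computer' }
        1909    { 'Account is locked out; stop testing' }
        default { "Inconclusive: Win32 error $code" }
    }
    [pscustomobject]@{ User = $Credential.UserName; Win32Error = $code; Verdict = $verdict }
}

# One attempt per call; Get-Credential keeps the password out of the command line.
Test-LogonCredential -Credential (Get-Credential)
```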
12

PowerShell script:

#usage: Test-UserCredential -username UserNameToTest -password (Read-Host)

Function Test-UserCredential {
    Param($username, $password)
    # Load the .NET account-management types
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    # Context type plus machine name: the two constructor arguments for PrincipalContext
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Machine, $env:computername
    # Note: $opt is defined but never passed to ValidateCredentials
    $opt = [System.DirectoryServices.AccountManagement.ContextOptions]::SimpleBind
    $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ct
    # Returns "True" if the credentials are valid, otherwise "False"
    $Result = $pc.ValidateCredentials($username, $password).ToString()
    $Result
}

http://powershellcommunity.org/Forums/tabid/54/aft/8034/Default.aspx

Even Mien
  • 657
  • new-object directoryservices.directoryentry "",$username,$password - return value, credentials work, exception, they don't work. Taken from this answer where it's wrapped into a neat function: https://serverfault.com/q/596602/57144 – TessellatingHeckler May 11 '17 at 00:05
5

You can also use:

net use \\computername\sharename [password] /USER:[username]

If there's a share by that name on the remote computer. Or, use C$ if the account is an admin.

HopelessN00b
  • 53,954
Greg
  • 51
1

You can write an easy vbscript function which can verify this...something like:

Function GoodPassword(strAdminUsername, strAdminPassword, strNTDomain)
    Const ADS_SECURE_AUTHENTICATION = 1
    On Error Resume Next
    ' Bind to the domain with the supplied credentials; a failed bind raises an error
    Set objIADS = GetObject("WinNT:").OpenDSObject("WinNT://" & _
                        strNTDomain, strAdminUsername, _
                        strAdminPassword, _
                        ADS_SECURE_AUTHENTICATION)
    If Err.Number = 0 Then
        GoodPassword = True
    Else
        GoodPassword = False
    End If
    On Error GoTo 0
End Function

Sources:

http://www.4guysfromrolla.com/webtech/061202-1.shtml

http://hsdn.net/category_3.html

Glorfindel
  • 1,213
mrTomahawk
  • 1,119
  • Please note this will lock an account out after 'n' amount of failed logins, 'n' being whatever policy you have set. This should always be true of any solution which you use. – mrTomahawk Oct 01 '09 at 15:31
  • Also, that check might ignore the credentials of local users, unless you tweak it, specifying the username twice like this OpenDSObject("WinNT://domain/userName,user","userName", "password", 1). Source. – Agostino Nov 24 '17 at 14:08
1

On Windows desktop you can use Active Directory Explorer by SysInternals / MS itself:

https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer

  • I assume you're suggesting the initial "Connect to Active Directory" prompt as the password test case - that seems to do the job from my testing. Incorrect password results in a "username or password is incorrect" prompt fairly quickly, so this would be a decent GUI-based test to work through a mental list of possible passwords. – JimNim Jan 10 '18 at 18:37
0

You could use one of the many well known tools out there to test passwords. One I saw is L0phtcrack. Maybe there is even a way to do this offline with a dump of your authentication database. In "the other world", we use "john the ripper" for stuff like this.

PEra
  • 2,875
  • 1
    I'm not talking about cracking passwords or testing their strength. I'm talking about a tool that can tell me if the password I enter for a particular account is that account's password. – TheCleaner Sep 22 '09 at 18:07
  • @TheCleaner: Sure, you can create a word-list with all possible passwords for a specific account and use this list for a set of accounts. or a single one... Testing with SMB or something is a rather bad idea. It fills your logs, messes up sessions to the file server, generates load on DCs and file servers and so on. – PEra Sep 29 '09 at 19:16
0

Using code from above, check all domain accounts to see if they are using a certain password.

$usernames = Get-ADUser -Filter * | select -ExpandProperty SamAccountName

foreach ($username in $usernames) {
    $password = "Password"
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Machine, $env:computername
    $opt = [System.DirectoryServices.AccountManagement.ContextOptions]::SimpleBind
    $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ct
    $Result = $pc.ValidateCredentials("domain\$username", $password).ToString()
    If ($Result -eq "True") {echo "$username" >> C:\result.txt}
}
0

Open PowerShell with admin privilege and input below commands:

change value of your_password and your_username

$PlainPassword="your_password"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$UserName = "your_username"
$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName,$SecurePassword
Start-Process whoami -Credential $Credentials

By using this, we create a credential with username and password, and pass this credential to Start-Process. Because whoami doesn't open a program in the background, we don't care about how to close it.

If you are trying to test user passwords on PC-A from PC-B, you can do this with WinRM and Python.

Turn on WinRM on PC-A, and pip install pywinrm on PC-B. Pass the previous command to winrm.Session().run_ps() and check the result's status_code: 0 is correct while 1 is false.

Reference

Start-Process documentation: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-process?view=powershell-6

Create Credentials: http://duffney.io/AddCredentialsToPowerShellFunctions

How to turn on WinRM: https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management

WinRM Quick Config: https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/set-wsmanquickconfig?view=powershell-6

Basic WinRM configuration from Ansible: https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html

milkice
  • 111
-1

Why not use a network service with authentication (telnet, POP, IMAP, SMTP, whatever you want)? On the other hand, if you are on the machine, you can try su - userToTest from a non-priv account. If the password is OK, you will be allowed into the userToTest homedir if the shell allows the connection.

Dom
  • 6,793