• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • About Darknet
  • Hacking Tools
  • Popular Posts
  • Darknet Archives
  • Contact Darknet
    • Advertise
    • Submit a Tool
Darknet – Hacking Tools, Hacker News & Cyber Security

Darknet - Hacking Tools, Hacker News & Cyber Security

Darknet is your best source for the latest hacking tools, hacker news, cyber security best practices, ethical hacking & pen-testing.

TSGrinder – Brute Force Terminal Services Server

July 22, 2008

Views: 102,583

This is a tool that has been around quite some time too, it’s still very useful though and it’s a very niche tool specifically for brute forcing Windows Terminal Server.

TSGrinder is the first production Terminal Server brute force tool, and is now in release 2. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.

TSGringer is a “dictionary” based attack tool, but it does have some interesting features like “l337” conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a
username/password combination within a particular connection.

You can download TSGrinder 2.0.3 here:

tsgrinder-2.03.zip

Note that the tool requires the Microsoft Simulated Terminal Server Client tool, “roboclient,” which may be found here:

roboclient.zip

Or read more here.

Share
Tweet
Share
Buffer
WhatsApp
Email
0 Shares

Filed Under: Hacking Tools, Password Cracking Tools, Windows Hacking Tagged With: brute-force, hacking-windows, Password Cracking



Reader Interactions

Comments

  1. Navin says

    July 22, 2008 at 2:50 pm

    Hmm……l337 conversion seems all fancy but it don’t work with multiple threads open :(.

    But HOG does have some nice programs like URLScan DTS pack and TSEnum.

    Thanx for the link!!

  2. razta says

    July 22, 2008 at 8:05 pm

    To protect against this kind of attack, you could disable the terminal server, or make sure you have a strong password policy in place. Pretty scary that the attack isent picked up by IDS because of the encryption, would the brute force logins be logged within windows some where?

  3. zupakomputer says

    July 22, 2008 at 8:48 pm

    n0vv u-77 4rv3 t0 734rn 70 5p377 7h1n95 0u7 71k3 7h15 1n5t346:

    a=ay, b=bee, c=sea/see/cee, d=dee, etc

  4. Morgan Storey says

    July 31, 2008 at 2:31 pm

    @ratza: Having used this before for the hell of it, and to show a client how bad having rdp open to the world is I can tell you that windows will not log it if it is the administrator account. If it is any other user it will. I think you can turn on verbose authentication logging as well.
    TSGrinder did get me into this clients server as well, it worked multi-threaded on my box, I think I had about 10 going at once, and it got the pretty simple password in about two hours, with nothing in the security log at all, and nothing on their firewall or IDS.
    This is why with windows you are better off disabling or renaming the admin account, and setting the admin accounts that you create to have account lockouts. Or simply don’t open rdp, or do both.
    I would like to see something like Denyhosts for RDP as then it would simply block the offending IP at the software level, slowing down majorly any brute force.

  5. splink says

    August 4, 2008 at 9:05 pm

    While tsgrinder is a neat windows only RDP bruter, for linux users i would suggest the rdesktop brute force patch (http://www.foofus.net/jmk/tools/rdp-brute-force-r805.diff). Although i’ve never used TSgrinder it sounds ridiculously slow..

  6. Morgan Storey says

    August 5, 2008 at 3:28 am

    @Splink: not having used the Rdesktop patch, I can say that from reading here: http://www.foofus.net/jmk/rdesktop.html that they sound very similar. There is a version of rdesktop for windows so maybe tsgrinder uses that as it seems quicker than the built in MSTSC.
    As I said I had 10 threads of tsgrinder going at once to a 2k3 box, it would take about 5-10 seconds per thread to check a password, that does make it pretty slow (about 1 password a second), but this is more the server slowing down authentications due to failures.
    You can work out that most admins are lazy, most passwords are non-complex, and most are 7 charecters or less, use a dictionary and you only have around a million words, that should only take 10-15 days. Thats pretty bad.
    Very good reasons to also have complex passwords, oh btw the one I found oh so long ago was in my dictionary it was very basic, no caps, no numbers, and a dictionary word, they have changed it so it is all good.

  7. MegaBlast says

    September 3, 2008 at 1:23 pm

    Navin/Zupakomputer/Morgan,

    i have been trying to get this working and your posts suggest you have it working. I (and many others on forums) have an error when trying to run tsgrinder which is:

    “Couldn’t get handle to client window”

    I have looked at the dll versions, target machines etc and i am having no joy. Did you have to do anything to get this working and on what platforms?

    Thanks in advance!

  8. Navin says

    September 4, 2008 at 3:40 pm

    Sure mate…we’re all here after all to help!! ;)
    Ya I did have a similar error quite a few times when I tried to run Tsgrinder from my home PC:

    “timed_Event_send_recv: Wait Failed: TIMEOUT
    Couldn’t get handle to client window”

    But it did work from the office PC

    I think the problem tht Ure facing is tht the server U’re trying to bruteforce has disabled remote access…..If its a high profile server then probably its unable to serve any more connection requests

    Try a diff server…I’d also suggest tht U read up on wht TSgrinder can do…. http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-mullen.pdf

    Do report on how it works out,
    Cheers :)

    PS thnks fr the blog appreciation

  9. razta says

    October 23, 2008 at 11:34 pm

    Im getting the same error in Vista, worked fine on XP.

  10. navin says

    October 24, 2008 at 12:38 pm

    @ razta

    the same server tht U’d managed to connect to on XP din’t connect thru vista?? Or was it some diff. server??

    Read my last comment

  11. razta says

    October 26, 2008 at 11:56 am

    @navin

    “the same server tht U

  12. tal says

    November 22, 2008 at 9:20 pm

    hi
    im getting
    timed_Event_send_recv: Wait failed: TIMEOUT
    Couldn’t get handle to client window
    using xp

    did anyone got the solution ?

    please help//

  13. ethicalhack3r says

    November 25, 2008 at 2:09 pm

    @tal
    Looks like it has timed out. Have you tried it on another box? Are you sure that the box your testing has a terminal server running?

  14. Soja says

    January 27, 2009 at 4:34 pm

    timed_Event_send_recv: Wait failed: TIMEOUT
    Couldn

  15. CypherBit says

    January 30, 2009 at 7:40 pm

    I too am getting:

    timed_Event_send_recv: Wait failed: TIMEOUT
    Couldn

  16. Jack Mehogoff says

    February 5, 2009 at 6:01 am

    The newer Version of Windows Remote Desktop doesnt work with TSgrinder, the homos at MS made this possible, uninstall that garbage “update” and your problems will be solved, you cannot use TSgrinder on vista, because it comes with the homo client.

  17. Russ says

    March 19, 2009 at 3:37 pm

    One thing you guys can all do to prevent this kind of attack is place a legal notice on your machines. This was originally intended to prevent brute force attacks on Terminal Servers. The program doesn’t know to click ok to continue… I have enabled this and tested with tsgrinder and was unable to get past it…

    A. You need to use the registry editor

    1. Start the registry editor (regedit)
    2. Move to HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon
    3. Double Click the “LegalNoticeCaption”, and enter the text to be in the title bar, click OK
    4. Double Click the “LegalNoticeText”, and enter the warning text and click OK
    5. Close the registry and logoff, when you logon you will see the warning

    Works every time!

Primary Sidebar

Search Darknet

  • Email
  • Facebook
  • LinkedIn
  • RSS
  • Twitter

Advertise on Darknet

Latest Posts

SUDO_KILLER - Auditing Sudo Configurations for Privilege Escalation Paths

SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths

Views: 248

sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with … ...More about SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths

Bantam - Advanced PHP Backdoor Management Tool For Post Exploitation

Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

Views: 334

Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload … ...More about Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

AI-Powered Cybercrime in 2025 - The Dark Web’s New Arms Race

AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Views: 528

In 2025, the dark web isn't just a marketplace for illicit goods—it's a development lab. … ...More about AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Upload_Bypass - Bypass Upload Restrictions During Penetration Testing

Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

Views: 513

Upload_Bypass is a command-line tool that automates discovering and exploiting weak file upload … ...More about Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

Shell3r - Powerful Shellcode Obfuscator for Offensive Security

Shell3r – Powerful Shellcode Obfuscator for Offensive Security

Views: 704

If antivirus and EDR vendors are getting smarter, so are the tools that red teamers and penetration … ...More about Shell3r – Powerful Shellcode Obfuscator for Offensive Security

Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Views: 8,926

Introduction: How Much of the Internet Can You See? You're only scratching the surface when you … ...More about Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Topics

  • Advertorial (28)
  • Apple (46)
  • Countermeasures (227)
  • Cryptography (82)
  • Database Hacking (89)
  • Events/Cons (7)
  • Exploits/Vulnerabilities (431)
  • Forensics (65)
  • GenAI (3)
  • Hacker Culture (8)
  • Hacking News (229)
  • Hacking Tools (684)
  • Hardware Hacking (82)
  • Legal Issues (179)
  • Linux Hacking (74)
  • Malware (238)
  • Networking Hacking Tools (352)
  • Password Cracking Tools (104)
  • Phishing (41)
  • Privacy (219)
  • Secure Coding (118)
  • Security Software (233)
  • Site News (51)
    • Authors (6)
  • Social Engineering (37)
  • Spammers & Scammers (76)
  • Stupid E-mails (6)
  • Telecomms Hacking (6)
  • UNIX Hacking (6)
  • Virology (6)
  • Web Hacking (384)
  • Windows Hacking (169)
  • Wireless Hacking (45)

Security Blogs

  • Dancho Danchev
  • F-Secure Weblog
  • Google Online Security
  • Graham Cluley
  • Internet Storm Center
  • Krebs on Security
  • Schneier on Security
  • TaoSecurity
  • Troy Hunt

Security Links

  • Exploits Database
  • Linux Security
  • Register – Security
  • SANS
  • Sec Lists
  • US CERT

Footer

Most Viewed Posts

  • Brutus Password Cracker – Download brutus-aet2.zip AET2 (2,292,350)
  • Darknet – Hacking Tools, Hacker News & Cyber Security (2,173,074)
  • Top 15 Security Utilities & Download Hacking Tools (2,096,616)
  • 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) (1,199,676)
  • Password List Download Best Word List – Most Common Passwords (933,466)
  • wwwhack 1.9 – wwwhack19.zip Web Hacking Software Free Download (776,136)
  • Hack Tools/Exploits (673,289)
  • Wep0ff – Wireless WEP Key Cracker Tool (530,145)

Search

Recent Posts

  • SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths May 12, 2025
  • Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation May 9, 2025
  • AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race May 7, 2025
  • Upload_Bypass – Bypass Upload Restrictions During Penetration Testing May 5, 2025
  • Shell3r – Powerful Shellcode Obfuscator for Offensive Security May 2, 2025
  • Understanding the Deep Web, Dark Web, and Darknet (2025 Guide) April 30, 2025

Tags

apple botnets computer-security darknet Database Hacking ddos dos exploits fuzzing google hacking-networks hacking-websites hacking-windows hacking tool Information-Security information gathering Legal Issues malware microsoft network-security Network Hacking Password Cracking pen-testing penetration-testing Phishing Privacy Python scammers Security Security Software spam spammers sql-injection trojan trojans virus viruses vulnerabilities web-application-security web-security windows windows-security Windows Hacking worms XSS

Copyright © 1999–2025 Darknet All Rights Reserved · Privacy Policy