Password Spraying
Internal Password Spraying Linux
Once we have built a list of valid usernames we can begin the attack. rpcclient is a good option for performing it from Linux.
One important thing to remember is that with rpcclient a valid login is not obvious from the command's exit status: rpcclient prints text on failures too, so the signal for a successful login is a response containing Authority Name
(for example Account Name: user, Authority Name: DOMAIN).
We should therefore grep for Authority and discard every response that does not contain it.
Using Bash and rpcclient
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" IP | grep Authority; done
Using Kerbrute
We can use Kerbrute for the same attack as mentioned above
kerbrute passwordspray -d domain.local --dc IP valid_users.txt Welcome1
Using CrackMapExec
We can use CrackMapExec and pipe its output through grep for + so that only successful logins (marked with [+]) are shown and failures are filtered out.
sudo crackmapexec smb IP -u valid_users.txt -p Password123 | grep +
If we get one hit we can validate them using CrackMapExec
sudo crackmapexec smb IP -u avazquez -p Password123
Local Administrator Password Reuse
Internal password spraying is not limited to domain user accounts. If we gain local admin access to a host and recover the local administrator's NTLM hash or cleartext password, we can try those credentials across other hosts, because reuse of the local admin password is widespread.
Often we only have the NTLM hash of the local administrator, dumped from the local SAM database. In that case we pass the hash and spray it across the subnet to find hosts whose local admin account shares the same password.
Using the --local-auth
flag tells CrackMapExec to authenticate against each host's local SAM rather than the domain, so every machine sees a single attempt against its own local account and the domain lockout policy is never involved.
$ sudo crackmapexec smb --local-auth IP/23 -u administrator -H HASH | grep +
Internal Password Spraying Windows
The tool DomainPasswordSpray will automatically generate a user list from Active Directory, query the domain password policy and exclude user accounts that are within one attempt of locking out. As on Linux, we can also supply our own user list if we are on a Windows host that is not authenticated to the domain.
The tool gives us several options. Since the host is domain-joined we can skip the -UserList
flag and let the tool generate the list for us. We supply -Password
and -OutFile
to set the password to spray and the file to write successes to.
Using DomainPasswordSpray.ps1
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
We can use Kerbrute to achieve this as shown in the Linux section