🗣️Spray Responsibly
Internal Password Spraying - from Linux
Rpcclient is an excellent option for performing this attack from Linux after creating a wordlist. We can filter out invalid login attempts by grepping for Authority in the response, since the Authority Name line is only returned for successful logons.
Using a Bash one-liner for the Attack
In a target environment this would be the output:
Using Kerbrute for the Attack
Using CrackMapExec & Filtering Logon Failures
After getting the credentials, we can use CrackMapExec to validate them:
Validating the Credentials with CrackMapExec
Local Administrator Password Reuse
Sometimes we may only retrieve the NTLM hash for the local administrator account from the local SAM database. In these instances, we can spray the NT hash across an entire subnet (or multiple subnets) to hunt for local administrator accounts with the same password set.
In the example below, we attempt to authenticate to all hosts in a /23 network using the built-in local administrator account NT hash retrieved from another machine.
Local Admin Spraying with CrackMapExec
We got valid credentials as local admin on 3 systems in the 172.16.5.0/23 subnet.
Practical example
We start by compiling a list of valid users and saving it to a file:
And then we launch our CME command:
And just like that, we found a user account starting with the letter "s" that has the password Welcome1.
Internal Password Spraying - from Windows
From a foothold on a domain-joined Windows host, the DomainPasswordSpray tool is highly effective. If we are authenticated to the domain, the tool will automatically generate a user list from Active Directory, query the domain password policy, and exclude user accounts within one attempt of locking out.
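The two patterns described on this page, a wordlist-driven spray against many accounts (the rpcclient, Kerbrute, CrackMapExec and DomainPasswordSpray sections) and local administrator hash reuse across a subnet, leave a distinctive trail in Windows Security logs. The script below is an added example, not code from these notes or from any of the tools mentioned: it runs two detections over a handful of constructed event records. Field names (EventID, TimeCreated, TargetUserName, IpAddress, Computer, LogonType), the sample IPs, hostnames and account names, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names follow the
# fields a SIEM usually extracts from Windows Security events 4624/4625/4771:
# EventID, TimeCreated, TargetUserName, IpAddress, Computer (the host that
# logged the event) and LogonType.
def ev(eid, ts, user, ip, host, ltype=3):
    return {"EventID": eid, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "Computer": host, "LogonType": ltype}

# Twelve different accounts, one failed network logon each, from one source
# inside one minute: the shape of a wordlist-driven spray against the DC.
SPRAY_ACCOUNTS = ["amber", "sally", "bob", "jdoe", "kmills", "tpratt",
                  "rgomez", "lwong", "ssmith", "dwall", "pcruz", "mhale"]
EVENTS = [ev(4625, f"2024-01-10T09:00:{5 * i:02d}", u, "172.16.5.225", "DC01")
          for i, u in enumerate(SPRAY_ACCOUNTS)]
EVENTS += [
    # a user mistyping their own password twice, 40 minutes apart: benign
    ev(4625, "2024-01-10T09:01:00", "helpdesk", "172.16.5.30", "DC01"),
    ev(4625, "2024-01-10T09:41:00", "helpdesk", "172.16.5.30", "DC01"),
    # the spraying source then logs on over the network as the built-in local
    # Administrator to three different hosts: local admin hash reuse
    ev(4624, "2024-01-10T09:10:00", "Administrator", "172.16.5.225", "FILE01"),
    ev(4624, "2024-01-10T09:10:04", "Administrator", "172.16.5.225", "MS01"),
    ev(4624, "2024-01-10T09:10:09", "Administrator", "172.16.5.225", "WEB01"),
    # one admin logon from one workstation to one host: benign
    ev(4624, "2024-01-10T09:12:00", "Administrator", "172.16.5.30", "MS01"),
]

# 4625: NTLM/interactive logon failure; 4771: Kerberos pre-authentication
# failure, which is what Kerbrute-style attempts produce on the DC.
FAILURE_IDS = {4625, 4771}


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_spray(events, window=timedelta(minutes=5), min_accounts=10):
    """Flag source IPs whose failed logons cover at least `min_accounts`
    distinct accounts inside any `window`. Returns {source_ip: accounts_tried}.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] in FAILURE_IDS:
            by_src[e["IpAddress"]].append((parse_ts(e["TimeCreated"]), e["TargetUserName"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        left = 0
        for right in range(len(attempts)):
            # shrink the window from the left until it spans at most `window`
            while attempts[right][0] - attempts[left][0] > window:
                left += 1
            if len({a for _, a in attempts[left:right + 1]}) >= min_accounts:
                # report every account this source touched, not just the window
                hits[src] = {a for _, a in attempts}
                break
    return hits


def detect_local_admin_reuse(events, account="Administrator", min_hosts=3):
    """Flag source IPs that authenticated successfully over the network
    (4624, LogonType 3) as `account` to at least `min_hosts` distinct hosts.
    Returns {source_ip: hosts}.
    """
    by_src = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["TargetUserName"].lower() == account.lower()):
            by_src[e["IpAddress"]].add(e["Computer"])
    return {src: hosts for src, hosts in by_src.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for src, accounts in detect_spray(EVENTS).items():
        print(f"[spray] {src}: failed logons for {len(accounts)} accounts: {sorted(accounts)}")
    for src, hosts in detect_local_admin_reuse(EVENTS).items():
        print(f"[admin reuse] {src}: network logons as Administrator to {sorted(hosts)}")
```

The first detector keys on what makes a spray different from a normal bad-password burst: many distinct accounts from one source, each failing once, which is exactly the "stay under the lockout threshold" behaviour the DomainPasswordSpray paragraph describes. A fixed window will miss a slow spray that paces attempts across hours, so a daily distinct-accounts-per-source count is a useful second query. The second detector catches the subnet-wide local admin logons from the hash-reuse section; the mitigation on the defensive side is unique local administrator passwords per host (for example via LAPS), which turns a single recovered hash into access to one machine rather than the whole /23.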
Using DomainPasswordSpray.ps1
We could also use Kerbrute on a Windows host.
Practical example
For this question I start by connecting through RDP to the machine and finding the password spraying tool.
And after launching the ps1 file we get a hit: