Password Spraying
Once you are in the network and have enumerated live hosts (with nmap, tcpdump or a similar tool), the next step is to establish a foothold in the domain by obtaining a username and credentials (a clear-text password or an NTLM hash). It is important to get this access early in the pentest so that further enumeration and attacks can build on it.
Note: It's possible to do this using the SYSTEM account because it can impersonate the computer. A computer object is treated as a domain user account (with some differences, such as authenticating across forest trusts).
Users Enumeration
SMB NULL sessions allow an unauthenticated attacker to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy.
# using enum4linux
enum4linux -U $DC_IP | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
# using rpcclient
rpcclient -U "" -N $DC_IP
rpcclient $> enumdomusers
# using crackmapexec
crackmapexec smb $DC_IP --users
LDAP Anonymous Bind allows unauthenticated attackers to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy.
# using ldapsearch, we need to provide a proper filter to get the usernames
ldapsearch -H ldap://$DC_IP -x -b "DC=$DOMAIN,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
# using windapsearch, which is easier as we don't need a filter
windapsearch.py --dc-ip $DC_IP -u "" -U
windapsearch.py --dc-ip $DC_IP -d $DOMAIN --custom "objectClass=*"
Do some OSINT and try to get information about the people working at the target company.
You can use linkedin2username to create a possible wordlist of users.
kerbrute is a stealthy option for domain account enumeration.
It uses the Kerberos protocol to check whether a username is valid.
It takes advantage of Kerberos pre-authentication: the failures do not trigger the usual logs or alerts, such as Windows event ID 4625 (An account failed to log on) and event ID 4768 (A Kerberos authentication ticket (TGT) was requested). These Kerberos events are only generated if Kerberos event logging is enabled via Group Policy.
If we are successful with this, we should mention it in the report.
Note: crackmapexec will show you the bad password count and the time of the latest bad attempt. This helps you identify which accounts are close to lockout so you can avoid attacking them. This count is maintained separately on each DC when there are multiple DCs.
Getting Domain Password Policy
Be careful not to lock out accounts while spraying.
Try to get the domain password policy and prepare the password list accordingly.
We can get the password policy from an SMB NULL Session or an LDAP Anonymous Bind.
SMB NULL Session from Linux:
SMB NULL Session from Windows:
LDAP Anonymous Bind from Linux:
LDAP Anonymous Bind from Windows:
If you have tried the other methods and still don't have a foothold, you may ask the client to provide the password policy.
ASREPRoasting
Password Spraying
Once we have enumerated usernames, obtained the password policy and prepared wordlists accordingly, we can start spraying passwords.
For Linux:
If you get some hits, you can validate them:
For Windows:
Always look for patterns in passwords, try password reuse, etc.
Internal password spraying is possible from a domain user account as well as from a local admin account if you have credentials or an NTLM hash.
If you have the hash of a local admin on one machine, you can spray it across the entire subnet to check whether it is valid on other machines as well.
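From the defender's side, both techniques above leave a recognisable footprint: a spray shows up as one source failing logons against many distinct accounts with only one or two attempts each (event 4625, or 4771 when the password is tried over Kerberos), and Kerberos-based username enumeration shows up as many TGT requests for non-existent principals (event 4768 with result code 0x6) once Kerberos auditing is on. The following detector is an added example, not code from the original page or from any of the tools named here; the event records are constructed sample data in a simplified dict shape, the thresholds are assumptions to tune per environment, and the source address is the only pivot used.

```python
"""Detect password-spray and Kerberos user-enumeration patterns in Windows Security events.

Added example with constructed input; the dict layout is a simplified stand-in for
parsed 4625/4768/4771 events, not any tool's real output format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs used below (real IDs, see Microsoft's documentation):
#   4625  An account failed to log on (NTLM / SMB / RDP style failures)
#   4771  Kerberos pre-authentication failed (wrong password for an existing user)
#   4768  A Kerberos TGT was requested; result code 0x6 = client not found in the
#         Kerberos database, i.e. the requested username does not exist
FAILED_LOGON_IDS = {4625, 4771}
KDC_CLIENT_UNKNOWN = "0x6"

# Constructed sample events (not real telemetry).
#   10.0.0.50 fails once against each of six accounts within minutes  -> spray
#   10.0.0.51 requests TGTs for three usernames that do not exist     -> enumeration
#   10.0.0.7  is a real user mistyping their own password twice       -> benign
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4625, "src": "10.0.0.50", "user": "alice", "code": "0xC000006A"},
    {"time": "2024-05-01T09:01:00", "id": 4625, "src": "10.0.0.50", "user": "bob", "code": "0xC000006A"},
    {"time": "2024-05-01T09:02:00", "id": 4625, "src": "10.0.0.50", "user": "carol", "code": "0xC000006A"},
    {"time": "2024-05-01T09:03:00", "id": 4771, "src": "10.0.0.50", "user": "dave", "code": "0x18"},
    {"time": "2024-05-01T09:04:00", "id": 4771, "src": "10.0.0.50", "user": "erin", "code": "0x18"},
    {"time": "2024-05-01T09:05:00", "id": 4625, "src": "10.0.0.50", "user": "frank", "code": "0xC000006A"},
    {"time": "2024-05-01T09:00:10", "id": 4768, "src": "10.0.0.51", "user": "jsmith", "code": "0x6"},
    {"time": "2024-05-01T09:00:11", "id": 4768, "src": "10.0.0.51", "user": "jdoe", "code": "0x6"},
    {"time": "2024-05-01T09:00:12", "id": 4768, "src": "10.0.0.51", "user": "mjones", "code": "0x6"},
    {"time": "2024-05-01T09:00:13", "id": 4768, "src": "10.0.0.51", "user": "alice", "code": "0x0"},
    {"time": "2024-05-01T09:10:00", "id": 4625, "src": "10.0.0.7", "user": "bob", "code": "0xC000006A"},
    {"time": "2024-05-01T09:10:30", "id": 4625, "src": "10.0.0.7", "user": "bob", "code": "0xC000006A"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _flag_sources(events, window, threshold):
    """Return {src: sorted distinct users} for every source that touched at least
    `threshold` distinct usernames inside any sliding time window of length `window`.
    Counting distinct users (not attempts) is what separates a spray from a
    brute force against one account or a user fat-fingering their own password."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=_ts)
        hits = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= threshold:
                hits |= users
        if hits:
            flagged[src] = sorted(hits)
    return flagged


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Password spray: one source, failed logons (4625 or 4771) for many distinct accounts."""
    failures = [e for e in events if e["id"] in FAILED_LOGON_IDS]
    return _flag_sources(failures, window, min_accounts)


def detect_user_enumeration(events, window=timedelta(minutes=10), min_unknown=3):
    """Kerberos username enumeration: one source, TGT requests for many non-existent
    principals (4768 with result code 0x6). Only visible when Kerberos auditing is on."""
    unknown = [e for e in events if e["id"] == 4768 and e["code"] == KDC_CLIENT_UNKNOWN]
    return _flag_sources(unknown, window, min_unknown)


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"SPRAY       {src}: {len(users)} accounts -> {', '.join(users)}")
    for src, users in detect_user_enumeration(SAMPLE_EVENTS).items():
        print(f"ENUMERATION {src}: {len(users)} unknown principals -> {', '.join(users)}")
```

Because, as noted above, bad-password counts are tracked per DC, the same spray can be spread across several domain controllers so that no single DC sees a threshold crossed; run this kind of correlation over the forwarded Security logs of all DCs together rather than per host, and add a slow-spray variant with a window of hours, since spraying tools deliberately pace attempts to stay under the lockout observation window.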
Other Targets
Microsoft O365
Outlook Web Exchange
Exchange Web Access
Skype for Business
Lync Server
Microsoft Remote Desktop Services (RDS) Portals
Citrix portals using AD authentication
VDI implementations using AD authentication such as VMware Horizon
VPN portals (Citrix, SonicWall, OpenVPN, Fortinet, etc. that use AD authentication)
Custom web applications that use AD authentication