# Password spraying

## Configuring

1. To create two new users with weak passwords, execute the following commands on `DC02` after logging in as the `Administrator` user.

```
net user bankuser Bank2022! /add /domain
net user banktest Bank2022! /add /domain
```

<div align="left"><img src="/files/iRWl24tUNYhuN7SikjvU" alt=""></div>

## Attacking

### Tools

* [Kerbrute](https://github.com/ropnop/kerbrute)
* [Spray](https://github.com/Greenwolf/Spray)
* [Crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec)
* [Domainpasswordspray](https://github.com/dafthack/DomainPasswordSpray)
* [Rubeus](https://github.com/GhostPack/Rubeus)

### Executing the attack

Spraying passwords was already covered in the Initial Access Attacks section.

{% content-ref url="/pages/Q8xmp0DnTS5Z7XgSvWnd" %}
[Password Spraying](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/username-enumeration/password-spraying.md)
{% endcontent-ref %}

But since we now have a set of valid domain credentials, we can request a list of all usernames and password spray again. We will do just that in this section.

1. Use the discovered credentials `john` and password `Welcome2022!` with crackmapexec to authenticate over LDAP and retrieve a list of all the users.

```
crackmapexec ldap 10.0.0.3 -u john -p Welcome2022! --users
```

![](/files/n3CvIlnwY8UwTM5Y7TUn)

2. We discovered a couple of extra users such as `admin_amsterdam`, `IT-support01`, `pukcab`, `IT-support01`, `bankuser` and `banktest`.

3. We could spray passwords using the tool Spray, just like before. But let's use another tool now: Crackmapexec. We just need to give it a list of usernames and a list of passwords, and add the `--continue-on-success` parameter; otherwise it stops at the first successful login.

```
crackmapexec smb 10.0.0.3 -u users.txt -p passwords.txt --continue-on-success
```

<div align="left"><img src="/files/w3YM1zlc0al9yfLwRWzY" alt=""></div>

We discovered two extra sets of credentials: `bankuser` and `banktest`.

## Defending

### Recommendations

* Implement a strong password policy:

{% content-ref url="/pages/WgMZMQE4cWeYS8XsSa9A" %}
[Strong Password Policy](/building-a-windows-ad-lab/defence/hardening/strong-password-policy.md)
{% endcontent-ref %}

### Detection

## References

{% embed url="<https://github.com/ropnop/kerbrute>" %}

{% embed url="<https://github.com/Greenwolf/Spray>" %}

{% embed url="<https://github.com/byt3bl33d3r/CrackMapExec>" %}

{% embed url="<https://github.com/dafthack/DomainPasswordSpray>" %}

