Password spraying
People don't always choose strong passwords, neither do IT people for temporary accounts. Spraying passwords against all user accounts is effective for moving laterally and escalating privileges.
Configuring
To create two new users with weak passwords execute the following commands on
DC02
after logging in with theAdministrator
user.
Attacking
Tools
Executing the attack
Spraying passwords was already covered in the Initial Access Attacks section.
Password SprayingBut since we have a set of valid credentials of the domain now, we could request a list of all usernames and passwordspray again. We will do just that in this section.
Use the discovered credentials
john
and passwordWelcome2022!
with crackmapexec to authenticate over ldap and retrieve a list of all the users.
2. We discovered a couple extra users such as admin_amsterdam
, IT-support01
, pukcab
, IT-support01
, bankuser
and banktest
.
3. We could spray passwords using the tool spray, just like before. But lets use another tool now, like Crackmapexec. We just need to give it a list of usernames and passwords and add the --continue-on-success
parameter otherwise it stops as the first succesfull login.
We discovered two extra set of credentials. Bankuser
and banktest
.
Defending
Recommendations
Implement a strong password policy:
Detection
References
Last updated