Password spraying

People don't always choose strong passwords, neither do IT people for temporary accounts. Spraying passwords against all user accounts is effective for moving laterally and escalating privileges.

Configuring

To create two new users with weak passwords execute the following commands on DC02 after logging in with the Administrator user.

net user bankuser Bank2022! /add /domain
net user banktest Bank2022! /add /domain

Attacking

Tools

Executing the attack

Spraying passwords was already covered in the Initial Access Attacks section.

Password Spraying

But since we have a set of valid credentials of the domain now, we could request a list of all usernames and passwordspray again. We will do just that in this section.

Use the discovered credentials john and password Welcome2022! with crackmapexec to authenticate over ldap and retrieve a list of all the users.

crackmapexec ldap 10.0.0.3 -u john -p Welcome2022! --users

2. We discovered a couple extra users such as admin_amsterdam, IT-support01, pukcab, IT-support01, bankuser and banktest.

3. We could spray passwords using the tool spray, just like before. But lets use another tool now, like Crackmapexec. We just need to give it a list of usernames and passwords and add the --continue-on-success parameter otherwise it stops as the first succesfull login.

crackmapexec smb 10.0.0.3 -u users.txt -p passwords.txt --continue-on-success

We discovered two extra set of credentials. Bankuser and banktest.

Defending

Recommendations

Implement a strong password policy:

Strong Password Policy

Detection

References

GitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcingGitHub

GitHub - Greenwolf/Spray: A Password Spraying tool for Active Directory Credentials by Jacob Wilkin(Greenwolf)GitHub

GitHub - byt3bl33d3r/CrackMapExec: A swiss army knife for pentesting networksGitHub

GitHub - dafthack/DomainPasswordSpray: DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!GitHub

PreviousActive Directory Attacks NextAS-REP Roasting

Last updated 3 years ago

hashtagConfiguring

hashtagAttacking

hashtagTools

hashtagExecuting the attack

hashtagDefending

hashtagRecommendations

hashtagDetection

hashtagReferences