7.Password Spraying - Making a Target User List

• CrackMapExec (CME):

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

• Retrieves detailed password policy information.

Without Credentials (Linux)

• rpcclient:

rpcclient -U "" -N 172.16.5.5

• Commands within rpcclient:

  • querydominfo - Retrieves domain information.

  • getdompwinfo - Retrieves password policy.

• enum4linux:

enum4linux -P 172.16.5.5

• Enumerates password policy information.

• enum4linux-ng:

enum4linux-ng -P 172.16.5.5 -oA ilfreight
cat ilfreight.json

• Enhanced enumeration with JSON/YAML output.

• ldapsearch (LDAP Anonymous Bind):

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

• Extracts password policy attributes.

From Windows

• SMB NULL Session:

net use \\DC01\ipc$ "" /u:""

• Analyze error messages for policy insights.

• Authenticated Access (net.exe):

net accounts

• Displays password policy details.

• PowerView:

Import-Module .\PowerView.ps1
Get-DomainPolicy

• Retrieves detailed domain password policies.

• enum4linux:

enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

• rpcclient:

rpcclient -U "" -N 172.16.5.5

• Commands within rpcclient:

  • enumdomusers - Enumerates domain users.

• CrackMapExec:

crackmapexec smb 172.16.5.5 --users
crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users

• ldapsearch:

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "

• windapsearch:

./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

• Kerbrute:

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

Critical Password Policy Parameters

• Minimum password length

• Account lockout threshold

• Lockout duration

• Password complexity requirements

Password Spraying Considerations

• Understand the policy to avoid account lockouts.

• If the policy is unknown, proceed cautiously.

• Create a target user list for more accurate spraying.

---

User Enumeration Methods

SMB NULL Sessions

• Retrieves a complete list of domain users from the Domain Controller.

• Tools: enum4linux, rpcclient, CrackMapExec.

LDAP Anonymous Binds

• Queries LDAP anonymously to retrieve the domain user list.

• Tools: ldapsearch, windapsearch.

Kerbrute

• Validates users using wordlists (e.g., statistically-likely-usernames GitHub repo).

• Uses Kerberos Pre-Authentication, which is faster and potentially stealthier.

• Generates event ID 4768: A Kerberos authentication ticket (TGT) was requested.

Credentialed Enumeration

• Uses valid domain credentials to query Active Directory.

• Tools: CrackMapExec.

OSINT Gathering

• Searching for company email addresses.

• Using tools such as linkedin2username.

Key Considerations

Domain Password Policy

• Importance of knowing the password policy (minimum password length, complexity, lockout thresholds).

• Methods to obtain the password policy (SMB NULL sessions, LDAP anonymous binds, credentialed access).

• Precautions when the password policy is unknown.

Logging

• Maintaining detailed logs of password spraying activities (targeted accounts, Domain Controller, time, date, passwords attempted).

• Helps prevent duplicate efforts and provides information for troubleshooting.

SYSTEM Account Impersonation

• The SYSTEM account can impersonate the computer, allowing it to query Active Directory.

Important Notes

• Kerbrute username enumeration generates Kerberos event ID 4768.

• CrackMapExec's --users flag displays badpwdcount and baddpwdtime.

• When using multiple domain controllers, keep in mind that the badpwdcount is kept on each domain controller separately.

• If you have a PDC emulator FSMO role, that domain controller will hold the most accurate count.

• External information gathering (OSINT) is essential when internal enumeration is limited.

• Always exercise caution to avoid account lockouts during password spraying.