Password Spraying - Internal
Password Policy Enumeration
Unauthenticated Password Policy Enumeration
The password policy can be enumerated in many ways, whether or not we are authenticated to the domain controller. For example, Enum4Linux is a tool that can be used to enumerate the password policy. It is a wrapper around several other tools, such as rpcclient and smbclient, as well as nbtstat and net.
Factors to consider:
Maximum number of attempts before locking an account
Whether accounts unlock automatically (or not)
Password complexity (Password complexity set to 1 means password complexity is enabled)
Minimum password length
Enum4Linux-ng is an updated version of the traditional enum4linux and supports .json and .yaml output. A null session can also be started from a Windows machine from a command-line interface. It is also possible to enumerate the password policy by leveraging an LDAP anonymous bind.
Authenticated Password Policy Enumeration
If we can authenticate to the domain controller, the password policy can be enumerated from a Windows machine as follows:
Making a list of usernames
Different techniques can be used to build a list of valid or potential usernames. For example, in an internal engagement, we can leverage an SMB null session or an LDAP anonymous bind against the domain controller to extract the full list of usernames in the domain.
We can also build a list of usernames from previous OSINT or from a database of statistically likely usernames. The tool linkedin2username can be used to build a list of formatted usernames based on our LinkedIn searches.
Unauthenticated
These commands and tools can be used to enumerate domain users if we are on the network but have no domain user credentials.
If SMB Null Session is permitted
Kerbrute
Kerbrute can be used to identify valid user accounts when we have no domain user credentials, SMB null sessions are disabled, and we have no foothold on the internal network. The DC must, however, be reachable from the attacker's position. This tool identifies valid domain usernames by sending a TGT request without pre-authentication for each username in our list. Kerbrute reporting PRINCIPAL UNKNOWN means that the username does not exist. This method of user enumeration does not trigger any failed logon attempts.
It will, however, trigger event ID 4768: A Kerberos authentication ticket (TGT) was requested.
Authenticated
If we have credentials for a domain user account, listing all valid usernames is simple. We can use CrackMapExec to do so.
Conducting Password Spraying attack
From a Linux Attack Box
A password spray attack can be performed in many ways from a Linux computer. Among the many tools available, CrackMapExec is an especially powerful one.
Local Administration Account
CrackMapExec can also be used to password spray against local administrator accounts. It is recommended to check for password reuse: local administrators may have the same password set on every host in a domain, and it is also common for an administrative account to share its password with a low-privilege account.
Using CME, it is possible to password spray with either a user's NT hash or the clear-text password. The --local-auth flag is required to spray local accounts rather than domain accounts.
From a Windows Attack Box
The tool DomainPasswordSpray by dafthack can be useful for performing a password spray attack from a Windows attack box. It is a script written in PowerShell.
What is quite handy is that this tool automatically generates a username list when run from a domain-joined host. From an unauthenticated perspective, we can supply the tool with a username list instead. The tool automatically limits the number of authentication attempts in each time window to prevent lockouts.
An alternative to this tool is Kerbrute, which can be run from both Windows and Linux.
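As an added defensive example (not from the original page or any of the tools above), the following Python detects the two footprints discussed on this page from domain controller Security-log events: a burst of 4768 TGT requests for unknown principals from one client (Kerbrute-style enumeration) and one client failing pre-authentication against many accounts while staying under the lockout threshold (a spray). The simplified line format, the thresholds, and the mapping of Kerberos result codes 0x6 (unknown principal) and 0x18 (pre-authentication failed) to event 4768/4771 are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed flattened rendering of 4768 / 4771 events:
#   <ISO time> <event id> account=<name> ip=<client> status=<kerberos result code>
LINE = re.compile(r"(\S+) (\d+) account=(\S+) ip=(\S+) status=(0x[0-9a-f]+)")

def parse_events(text):
    """Return a list of (time, event_id, account, ip, status) tuples."""
    return [(datetime.fromisoformat(t), int(eid), acct.lower(), ip, status)
            for t, eid, acct, ip, status in LINE.findall(text)]

def detect_enumeration(events, threshold=20, window=timedelta(seconds=60)):
    """IPs sending >= threshold 4768 requests for unknown principals (0x6) within one window.
    Returns {ip: largest burst seen}. A single client asking the KDC for many names that do
    not exist is the footprint of user enumeration via AS-REQ without pre-authentication."""
    times = defaultdict(list)
    for t, eid, _, ip, status in events:
        if eid == 4768 and status == "0x6":
            times[ip].append(t)
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):          # sliding window over sorted timestamps
            while t - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def detect_spray(events, min_accounts=10, lockout_threshold=5):
    """IPs with bad-password pre-auth failures (4771, 0x18) against >= min_accounts distinct
    accounts where no single account reached the lockout threshold: the low-and-slow pattern
    a spray uses to stay under the policy enumerated beforehand. Returns {ip: account count}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for _, eid, acct, ip, status in events:
        if eid == 4771 and status == "0x18":
            per_ip[ip][acct] += 1
    return {ip: len(accts) for ip, accts in per_ip.items()
            if len(accts) >= min_accounts and max(accts.values()) < lockout_threshold}

def build_sample():
    """Constructed log (not real data): 10.0.0.50 probes 25 bogus names in 25 s, then tries
    one password against 12 accounts; 10.0.0.7 is a user mistyping their own password."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    at = lambda **kw: (base + timedelta(**kw)).isoformat()
    lines = [f"{at(seconds=i)} 4768 account=nope{i} ip=10.0.0.50 status=0x6" for i in range(25)]
    lines += [f"{at(minutes=5, seconds=i)} 4771 account=user{i} ip=10.0.0.50 status=0x18" for i in range(12)]
    lines += [f"{at(minutes=6, seconds=i)} 4771 account=alice ip=10.0.0.7 status=0x18" for i in range(3)]
    return "\n".join(lines)
```

Running `detect_enumeration` and `detect_spray` over `parse_events(build_sample())` flags 10.0.0.50 for both behaviours and leaves 10.0.0.7 alone.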