Password Spraying
CrackMapExec can be used to password spray domain accounts. The list of passwords should be kept short to avoid locking accounts out. Both the password and username lists should be based on OSINT or on information gathered during the preliminary recon phase.
Requirements
List of usernames
List of passwords
Useful Options
Continue-On-Success option
To keep the password spray from ending as soon as a first set of valid credentials is found, add the --continue-on-success flag.
The -p flag accepts a single password, several passwords in a row, or a password list file.
No-Brute-Force option
Check which users can log in where with their respective credentials.
--no-brute-force: match user1 with password1, user2 with password2, and so on (the nth username is paired with the nth password instead of trying every combination).
The --no-brute-force option does not work well when testing a range of IP addresses.
Testing Local Account
To test local accounts instead of authenticating against the domain, add --local-auth.
It cannot be used against a Domain Controller.
Accounts Status
Possible account statuses.
SMB passwd
To change a user's credentials.
WinRM (5985/5986) Password Spraying
WinRM is a protocol used for remote management. For a user to have WinRM access, certain conditions must be met, such as being a local administrator or a member of the Remote Management Users group.
Password spraying over the WinRM protocol is not recommended. Validation of a user's credentials is conditional on whether the user is
LDAP Password Spraying
We might need to add the KDC FQDN to our hosts file to perform password spraying over the LDAP protocol, and add the --kdcHost flag to the command.
MSSQL Password Spraying
MSSQL is a highly targeted service in internal penetration testing since it can hold sensitive information.
MSSQL supports various authentication methods, such as:
Local Account
Active Directory users account
MSSQL custom account
Active Directory authentication
Specify the domain with the -d flag.
Windows Local Account
To password spray the MSSQL service in the local account authentication mode, we can set the -d flag to a dot (.).
MSSQL Local Auth
MSSQL local authentication. To check whether the user exists locally in the MSSQL service, add the --local-auth flag.
Troubleshoot
A possible issue with the MSSQL protocol: [('SSL routines', '', 'internal error')]. See the GitHub issue.
Pass-the-Hash
CrackMapExec also supports NTLM hashes. We can perform a password spray using usernames and their corresponding hashes (-H).
Pass-the-hash is supported for the following protocols:
SMB, WinRM, LDAP, MSSQL
If authentication fails, try removing the LM part of the hash.
Processing exported files
The CME --export flag saves the output to a file in a specific format. We might want to reformat the content of that file to one element per row.
The sed command is used to replace the single quotes with double quotes.
Then we can extract every element of the list using the jq utility.
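The same reformatting done in Python, as an added example that is not part of CrackMapExec or this page. It assumes, from the sed step described above, that the export file holds a Python-style list literal with single-quoted strings; SAMPLE_EXPORT is a constructed stand-in for such a file. ast.literal_eval parses that literal directly, and unlike a blind quote swap it is not broken by an element that itself contains an apostrophe, which the quote_swap_parse function reproduces for comparison.

```python
"""Reformat a CrackMapExec --export style file to one element per row.

Added example, not CrackMapExec code. The export format is assumed (from the
page's sed step) to be a Python list literal with single-quoted strings.
"""
import ast
import json
import sys

# Constructed sample of an export file; the third entry contains an apostrophe
# on purpose, since real account names occasionally do.
SAMPLE_EXPORT = "['Administrator', 'alice', \"o'brien\", 'svc_backup']"


def parse_export(text):
    """Parse the exported list literal; fall back to JSON if the file is
    already valid JSON. Raises ValueError if the content is not a list."""
    text = text.strip()
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError):
        value = json.loads(text)
    if not isinstance(value, list):
        raise ValueError("export file does not contain a list")
    return value


def quote_swap_parse(text):
    """The sed-then-jq approach from the page, reproduced in Python: swap
    every single quote for a double quote and parse as JSON. Works for plain
    names, fails (json.JSONDecodeError, a ValueError) on an element that
    contains an apostrophe."""
    return json.loads(text.replace("'", '"'))


def to_rows(items):
    """One element per row; a nested list becomes one tab-separated row."""
    rows = []
    for item in items:
        if isinstance(item, (list, tuple)):
            rows.append("\t".join(str(x) for x in item))
        else:
            rows.append(str(item))
    return rows


def main(argv):
    # Usage: python reformat_export.py exported_file  (defaults to the sample)
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    print("\n".join(to_rows(parse_export(text))))


if __name__ == "__main__":
    main(sys.argv)
```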