Spray

The spray module provides different password spraying techniques. PsMapExec takes into account the default domain policy's account lockout threshold to prevent user account lockouts. However, it does not consider fine-grained password policies. It's advisable to assess whether such policies are in place within the environment to avoid potentially locking out a significant number of user accounts.

Targets

When using the Spray method, the -Targets parameter can be provided. Specifying "all" sprays all enabled user accounts in the domain. Any other value is treated as a group name. When -Targets is omitted, PsMapExec sprays all enabled Active Directory accounts.

PsMapExec -Method Spray                           # Sprays all
PsMapExec -Method Spray -Targets all              # Sprays all
PsMapExec -Method Spray -Targets "C:\Users.txt"   # Sprays users from list (SamAccountNames)
PsMapExec -Method Spray -Targets "AdminCount=1"   # Sprays targets with AdminCount=1
PsMapExec -Method Spray -Targets "Group Name"     # Sprays members of group

Hash

Hash authentication supports RC4/NT, NTLM and AES256 hashes.

PsMapExec -Method Spray -SprayHash [RC4]
PsMapExec -Method Spray -SprayHash [AES256]
PsMapExec -Method Spray -SprayHash [NTLM]

Password

AccountAsPasswords

Sets the password to the username value. This switch will also attempt to authenticate as computer accounts to identify any that might be current or legacy Pre-Windows 2000 Compatible Computers.

EmptyPassword

Authentication attempts are performed with empty password values.

Pre2k

Sprays for Pre2k computer accounts.

SuccessOnly

Displays only successful authentication attempts.
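
Seen from the defender's side, the spraying described on this page appears as authentication failures from one source spread across many distinct accounts in a short period. The PowerShell below is an added example, not part of PsMapExec: the function name, the thresholds and the sample events are constructed for illustration, and it assumes the Time, Source and Account fields have already been extracted from domain controller Security events 4625 and 4771.

```powershell
# Added example, not part of PsMapExec. Names and thresholds are assumptions.
function Find-SprayCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # needs Time, Source, Account, EventId
        [int] $MinAccounts = 5,                     # distinct accounts per source
        [int] $WindowMinutes = 10
    )
    # 4625 = failed logon, 4771 = Kerberos pre-authentication failed
    $failed = @($Events | Where-Object { $_.EventId -in 4625, 4771 })
    foreach ($group in ($failed | Group-Object Source)) {
        $sorted = @($group.Group | Sort-Object Time)
        $best = @()
        # Slide a time window over this source's failures and keep the
        # window that touches the most distinct accounts.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $inWindow = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end })
            $accounts = @($inWindow.Account | Sort-Object -Unique)
            if ($accounts.Count -gt $best.Count) { $best = $accounts }
        }
        if ($best.Count -ge $MinAccounts) {
            [pscustomobject]@{
                Source           = $group.Name
                DistinctAccounts = $best.Count
                # Computer accounts (trailing $) among the targets
                ComputerAccounts = @($best | Where-Object { $_ -like '*$' }).Count
                Accounts         = $best -join ', '
            }
        }
    }
}

# Constructed sample events (not real logs): one source failing against six
# user accounts and one computer account, plus a user mistyping a password.
$t0 = Get-Date '2024-01-01T09:00:00'
$sample = @(
    0..5 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds($_ * 2); Source = '10.0.0.50'; Account = "user$_"; EventId = 4771 }
    }
    [pscustomobject]@{ Time = $t0.AddSeconds(14); Source = '10.0.0.50'; Account = 'WS01$'; EventId = 4771 }
    1..3 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddMinutes($_); Source = '10.0.0.77'; Account = 'alice'; EventId = 4625 }
    }
)
Find-SprayCandidate -Events $sample | Format-List
```

Only the source that fails against many different accounts is reported; repeated failures for a single account from another host stay below the threshold.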
