
Password Spraying

Password spraying tries acquired passwords against many usernames over different network protocols; reused credentials surface this way. The most capable tool for this is NetExec (successor to CrackMapExec). Supported protocols: smb, ssh, ldap, ftp, wmi, winrm, rdp, vnc, mssql.

NOTE: The username, password and target parameters can each be given as:

  • a single string (e.g. -u john.doe)
  • multiple space-separated strings (e.g. -u john.doe adam.smith)
  • a path to a file with one item per line (e.g. -u ~/usernames.txt)

Read more: NetExec official documentation.

# Try on targets using usernames and passwords via selected protocol
netexec $protocol $target -u $domain/$username -p $password --continue-on-success

CrackMapExec is legacy tooling but still very popular. It works mostly the same:

crackmapexec $protocol $target -u $user -p $password -d $domain --continue-on-success

With the smb protocol it is worth checking whether command execution is possible via one of the following methods: wmiexec, atexec, smbexec. Given the -X <cmd> parameter, CrackMapExec automatically tries to execute the command through the above methods after a successful login (all of them rely on access to SMB shares):

crackmapexec smb [...] -X $cmd

Hydra is a versatile tool for online password attacks. It can guess usernames and passwords for many different services, e.g. ftp, smtp, ssh, http.

# Brute-force default services
hydra $service://$ip
  -l $username | -L $user_file    # Username(s)
  -p $password | -P $pass_file    # Password(s)
  -s $port                        # Port
  -t $tasks_number                # Number of concurrent tasks
  -V                              # Show all attempts
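Seen from the defender's side, the spray described above leaves a characteristic trace in logon-failure telemetry: one source, many distinct accounts, only a few attempts per account, all inside a short window, as opposed to a brute force that hammers one account. The Python below is an added example and not part of these notes; the Event ID 4625-style records are constructed and their line format is a simplification of real logs.

```python
"""Spray detection over Windows logon-failure (Event ID 4625) records.
Added example, not part of the original notes; the records are constructed.
A spray = one source, many distinct accounts, few attempts each, short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625-style records: time, source address, target account.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 10.0.0.50 john.doe
2024-05-01T10:00:02 10.0.0.50 adam.smith
2024-05-01T10:00:03 10.0.0.50 jane.roe
2024-05-01T10:00:04 10.0.0.50 svc_backup
2024-05-01T10:00:05 10.0.0.50 Administrator
2024-05-01T10:03:00 10.0.0.77 bob.jones
2024-05-01T10:03:10 10.0.0.77 bob.jones
2024-05-01T10:03:20 10.0.0.77 bob.jones
2024-05-01T10:03:30 10.0.0.77 bob.jones
2024-05-01T10:03:40 10.0.0.77 bob.jones
"""

def parse_events(text):
    """Yield (timestamp, source, account) from the constructed line format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, acct = line.split()
            yield datetime.fromisoformat(ts), src, acct

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5, max_per_account=2):
    """Map source -> sorted distinct accounts for every source that failed against
    at least min_accounts accounts inside one window, none more than max_per_account
    times. A brute force (one account, many tries) does not match; a spray does."""
    by_source = defaultdict(list)
    for ts, src, acct in events:
        by_source[src].append((ts, acct))
    alerts = {}
    for src, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window start
                start += 1
            counts = defaultdict(int)
            for _, acct in fails[start:end + 1]:
                counts[acct] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[src] = sorted(counts)
                break
    return alerts

if __name__ == "__main__":
    for src, accts in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible password spray from {src}: {accts}")
```

Tune `min_accounts` and `window` to the environment's normal failure rate; the brute-force source 10.0.0.77 is deliberately left out of the result so the two patterns can be alerted on separately.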

Local Administrator's password reuse

The password of the local Administrator account is very often reused and is therefore the same on multiple machines within the domain; it is common to see a single system image deployed to every machine. It is always worth checking whether the Administrator password is reused across the domain. On the defensive side, Microsoft's LAPS, which sets a random local Administrator password per machine, is the standard mitigation for this reuse.
