Password Spraying
Just like on External Penetration Tests, you can password spray internally. The same concepts apply, but internally we may be able to get more information to work with.
We need to find the Domain Controller(s) first. Try one or all of the below:
nslookup
nmap
netexec
crackmapexec
Enumerating Domain Controllers via Nmap (the dns-srv-enum script queries the domain's SRV records):
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='client.domain.com'"
First, let's try to enumerate users. Try using enum4linux against the domain controller. If it works, we can dump a list of all users.
enum4linux <DomainControllerIP>
crackmapexec smb <DomainControllerIP> -u '' -p '' --users
netexec smb <DomainControllerIP> -u '' -p '' --users
You will know pretty quickly whether it is working: a successful query returns a huge list of users. If this doesn't work, we need to find usernames elsewhere in the environment. This will primarily be done through open-source intelligence, but if Responder is working, can you add hostnames from there? Additionally, is there a server on the internal network that has username enumeration?
Once we have a list of users, we can do a password spray. Crackmapexec is the best tool for this. You'll want to run it against the domain controller, since every domain user can authenticate to it. They may not be able to log in, but they have the rights to authenticate. You can tell if it works by the green [+] success indicator. Further, if a user is an Administrator, a yellow (Pwn3d!) appears to the right of the username:password.
crackmapexec smb <ip of domain controller> -d <domain> -u <username or file of usernames> -p password --continue-on-success
netexec smb <ip of domain controller> -d <domain> -u <username or file of usernames> -p password --continue-on-success
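From the defending side, the spray described above shows up on the domain controller as a burst of failed logons (event 4625) from one source against many different accounts, sometimes with a success (4624) mixed in. The following is an added example of detection logic over constructed sample events; it is not from the original notes, and the simplified record layout, window and threshold are assumptions:

```python
"""Flag password-spray patterns in Windows Security logon events.

Added example, not part of the original notes. Each record is an assumed
simplified tuple (timestamp, event_id, source_ip, target_user); in real
4625/4624 events these are TimeCreated, IpAddress and TargetUserName.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one source tries a single password against many
# accounts (4625 = failed logon, 4624 = successful logon).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", 4625, "10.0.0.57", "alice"),
    ("2024-01-10T09:00:02", 4625, "10.0.0.57", "bob"),
    ("2024-01-10T09:00:03", 4625, "10.0.0.57", "carol"),
    ("2024-01-10T09:00:04", 4625, "10.0.0.57", "dave"),
    ("2024-01-10T09:00:05", 4624, "10.0.0.57", "erin"),
    ("2024-01-10T09:00:06", 4625, "10.0.0.57", "frank"),
    # One user mistyping their own password repeatedly is not a spray.
    ("2024-01-10T09:05:00", 4625, "10.0.0.99", "grace"),
    ("2024-01-10T09:05:01", 4625, "10.0.0.99", "grace"),
    ("2024-01-10T09:05:02", 4625, "10.0.0.99", "grace"),
]


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: (distinct failed accounts, accounts that succeeded)}
    for every source with failures against >= min_users distinct accounts
    inside one sliding window. Thresholds are assumed, tune per environment."""
    by_src = defaultdict(list)
    for ts, eid, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, user))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        failures = [(t, u) for t, e, u in recs if e == 4625]
        for i, (start, _) in enumerate(failures):
            users = {u for t, u in failures[i:] if t - start <= window}
            if len(users) >= min_users:
                # Successful logons from the same source inside the window are
                # the accounts the spray actually landed on: reset these first.
                hits = sorted({u for t, e, u in recs
                               if e == 4624 and start <= t <= start + window})
                alerts[src] = (len(users), hits)
                break
    return alerts


if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
```

Counting distinct accounts per source rather than failures per account is what separates a spray from an ordinary lockout pattern.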