Password Spraying

Just like on External Penetration Tests, you can password spray internally. Same concepts apply, but we may be able to get more information.

Enumerating Domain Controller via Nmap:

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='client.domain.com'"

We need to find the domain controller(s) for this; try one or all of the below:

nslookup
nmap
netexec
crackmapexec

First, let's try to enumerate users. Try using enum4linux against the domain controller. If it works, we can dump a list of all users.

enum4linux <DomainControllerIP>
crackmapexec smb <DomainControllerIP> -u '' -p '' --users
netexec smb <DomainControllerIP> -u '' -p '' --users

You will know pretty quickly whether it is working: you will see a huge list of users. If this doesn't work, we need to find usernames elsewhere in the environment. This will primarily be done through open-source intelligence, but if Responder is working, can you add hostnames from there? Additionally, is there a server on the internal network that allows username enumeration?

Once we have a list of users, we can do a password spray. Crackmapexec is the best tool for this. You'll want to do this against the domain controller, since every domain user can authenticate to it. They may not be able to log in, but they have the rights to authenticate. You can tell if it works based on a green [+] success indicator. Further, if a user is an Administrator, it will have a yellow (Pwn3d!) on the right of the username:password.

crackmapexec smb <ip of domain controller> -d <domain> -u <username or file of usernames> -p password --continue-on-success
netexec smb <ip of domain controller> -d <domain> -u <username or file of usernames> -p password --continue-on-success
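From the blue-team side, the spray described above leaves a characteristic trace on the domain controller: one source failing logons for many distinct accounts in a short window. The following is an added example (not from the original page) of that detection logic run over constructed Windows Security event lines; the CSV layout, field order and thresholds are assumptions.

```python
# Added example (not from the original page): a minimal password-spray detector
# over constructed Windows Security log lines. A spray against the DC looks like
# ONE source hitting MANY distinct accounts with a failed logon (event 4625)
# inside a short window, unlike brute force, which hits one account many times.
# Field layout "<ISO time>,<EventID>,<account>,<source IP>" is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: a 5-account spray from 10.10.5.23 that finally
# succeeds for one account, plus a single-account brute force from 10.10.9.8.
SAMPLE_LOG = """\
2024-05-01T09:00:01,4625,alice,10.10.5.23
2024-05-01T09:00:02,4625,bob,10.10.5.23
2024-05-01T09:00:03,4625,carol,10.10.5.23
2024-05-01T09:00:04,4625,dave,10.10.5.23
2024-05-01T09:00:05,4625,erin,10.10.5.23
2024-05-01T09:00:06,4624,frank,10.10.5.23
2024-05-01T09:30:00,4625,alice,10.10.9.8
2024-05-01T09:31:00,4625,alice,10.10.9.8
2024-05-01T09:32:00,4625,alice,10.10.9.8
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, eid, user, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), user.lower(), src))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: set(users)} for sources with failed logons for at
    least `min_users` distinct accounts inside any `window`-sized span."""
    failures = defaultdict(list)  # src -> [(ts, user)] in time order
    for ts, eid, user, src in sorted(events):
        if eid == 4625:
            failures[src].append((ts, user))
    hits = {}
    for src, recs in failures.items():
        start = 0
        for end in range(len(recs)):  # sliding window over this source's failures
            while recs[end][0] - recs[start][0] > window:
                start += 1
            users = {u for _, u in recs[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = hits.get(src, set()) | users
    return hits

def successes_from(events, src):
    """Accounts that logged on successfully (4624) from a flagged source."""
    return sorted(u for _, eid, u, s in events if eid == 4624 and s == src)
```

Feeding real 4625/4771 exports in the same four-field shape lets you confirm the spray's source and which accounts it reached before the green [+] appeared on the attacker's side.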

Last updated 9 months ago