note
It is worth targeting high-value hosts such as SQL or Microsoft Exchange servers, as they are more likely to have a highly privileged user logged in or have their credentials persistent in memory.
Wordlist Generation
Add likely words to a file (domain name, seasons, employees, etc.). Use hashcat with a ruleset to generate the alterations; you should probably also append an exclamation point to the words.

Password Spraying
From Linux
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
note
The --local-auth flag will tell the tool only to attempt to log in one time on each machine, which removes any risk of account lockout. Make sure this flag is set so we don't potentially lock out the built-in administrator for the domain.
From Windows
https://github.com/dafthack/DomainPasswordSpray
If we are authenticated to the domain, the tool will automatically generate a user list from Active Directory, query the domain password policy, and exclude user accounts within one attempt of locking out.
Invoke-DomainPasswordSpray -UserList users.txt -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
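Seen from the defender's side, the pattern above (one password tried once per account across many users, staying under the lockout threshold) is exactly the shape a detection rule keys on. The following is an added example, not part of the original notes, that flags sources whose failed logons hit many distinct users with few attempts each; the log format, thresholds and sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (made up for this example), loosely modelled on
# Windows Security event 4625: time, event id, target user, source IP, substatus.
SAMPLE_LOG = """\
2024-03-01T09:00:01,4625,alice,10.0.0.50,0xC000006A
2024-03-01T09:00:03,4625,bob,10.0.0.50,0xC000006A
2024-03-01T09:00:05,4625,carol,10.0.0.50,0xC000006A
2024-03-01T09:00:07,4625,dave,10.0.0.50,0xC000006A
2024-03-01T09:00:09,4625,erin,10.0.0.50,0xC000006A
2024-03-01T09:10:00,4625,alice,10.0.0.7,0xC000006A
2024-03-01T09:10:05,4625,alice,10.0.0.7,0xC000006A
2024-03-01T09:10:09,4625,alice,10.0.0.7,0xC000006A
2024-03-01T11:00:00,4625,grace,10.0.0.9,0xC000006A
"""

def parse_failures(log_text):
    """Yield (timestamp, user, source) for wrong-password failures (substatus 0xC000006A)."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src, substatus = line.split(",")
        if event_id == "4625" and substatus == "0xC000006A":
            yield datetime.fromisoformat(ts), user.lower(), src

def detect_spray(log_text, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source: sorted users} for sources whose failures inside one window hit at least
    min_users distinct accounts with none failing more than max_per_user times (spray shape)."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over this source's events
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = sorted(per_user)
                break
    return flagged

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))  # {'10.0.0.50': ['alice', 'bob', 'carol', 'dave', 'erin']}
```

The repeated failures for a single account from 10.0.0.7 are deliberately not flagged: that is the brute-force shape a lockout policy already catches, whereas the spray from 10.0.0.50 never trips a per-account threshold and is only visible when failures are grouped by source.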
External Password Spraying
- Microsoft O365
- Outlook Web Exchange
- Exchange Web Access
- Skype for Business
- Lync Server
- Microsoft Remote Desktop Services (RDS) Portals
- Citrix portals using AD authentication
- VDI implementations using AD authentication such as VMware Horizon
- VPN portals (Citrix, SonicWall, OpenVPN, Fortinet, etc. that use AD authentication)
- Custom web applications that use AD authentication
Workarounds
"Password must be changed on next logon" / "Password_must_change": you can try two things
Password in Description Field
Sensitive information such as account passwords is sometimes found in the user account Description or Notes fields and can be quickly enumerated using PowerView. For large domains, it is helpful to export this data to a CSV file to review offline.
Remote
Local