Password Spraying
Once you have found several valid usernames you can try the most common passwords (keep in mind the password policy of the environment) with each of the discovered users. By default the minimum password length is 7.
Lists of common usernames could also be useful:
Notice that you could lock out some accounts if you try several wrong passwords (by default more than 10).
If you have some user credentials or a shell as a domain user you can get the password policy with:
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
enum4linux -u 'username' -p 'password' -P <IP>
(Get-DomainPolicy)."SystemAccess" #From PowerView
Using crackmapexec:
Using (python) - NOT RECOMMENDED, SOMETIMES DOESN'T WORK
Kerbrute also tells if a username is valid.
With the scanner/smb/smb_login module of Metasploit:
or spray (read next section).
The best way is not to try with more than 5/7 passwords per account.
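Because a spray of this kind stays under the lockout threshold, lockout alerts never fire, and the signal left to a defender is breadth: one source failing against many accounts in a short time. The following detection sketch is an added example, not part of the original page; the event tuple layout, addresses, account names, `window` and `min_accounts` are constructed assumptions, and in practice the input would be failed-logon telemetry such as Windows Security events 4625 or 4771.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed failed/successful logons: (time, source, account, outcome)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [(t0, "10.0.0.80", "bob", "ok")]            # normal logon
    # One source, one failure each against 12 accounts in two minutes.
    events += [(t0 + timedelta(seconds=10 * i), "10.0.0.50", f"user{i:02d}", "fail")
               for i in range(12)]
    # A user mistyping their own password three times.
    events += [(t0 + timedelta(seconds=30 * i), "10.0.0.77", "alice", "fail")
               for i in range(3)]
    return events

def detect_spray(events, window=timedelta(minutes=30), min_accounts=10,
                 lockout_threshold=10):
    """Flag sources whose failures span >= min_accounts accounts in `window`.

    lockout_threshold is the default quoted in the text above; a spray that
    stays under it never locks an account, so breadth is the signal to use.
    """
    by_source = defaultdict(list)
    for ts, source, account, outcome in events:
        if outcome == "fail":
            by_source[source].append((ts, account))
    alerts = []
    for source, fails in by_source.items():
        fails.sort()
        counts, start = Counter(), 0
        for ts, account in fails:
            counts[account] += 1
            # Slide the window: drop failures older than `window`.
            while ts - fails[start][0] > window:
                old = fails[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_accounts:
                worst = max(counts.values())
                alerts.append({"source": source, "accounts": len(counts),
                               "max_per_account": worst,
                               "under_lockout": worst <= lockout_threshold,
                               "first": fails[start][0], "last": ts})
                break  # one alert per source
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(sample_events()):
        print(alert)
```

The user who mistypes a password three times is not flagged, while the source touching many accounts once each is, even though no account comes close to locking out.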
There are multiple tools for password spraying Outlook.
To use any of these tools, you need a user list and a password / a small list of passwords to spray.
www.blackhillsinfosec.com/?p=5296
Using (Go)
With version with brute module:
With
So you have to be very careful with password spraying because you could lock out accounts. To brute force with this in mind, you can use:
With
with
With (reliable!)
With (PowerShell)
With (PowerShell)