My Pentesting Cheatsheet

Sighting In, Hunting For A User

Password Spraying Overview

Password spraying can result in gaining access to systems and potentially gaining a foothold on a target network. The attack involves attempting to log into an exposed service using one common password and a longer list of usernames or email addresses.

Password Spraying Considerations

While password spraying is useful for a penetration tester or red teamer, careless use may cause considerable harm, such as locking out hundreds of production accounts.

Contrast this with brute forcing, which attempts a long list of passwords against a single account. Password spraying is a more measured attack: it tries a small number of very common passwords, the kind seen across many industries, against many accounts. The table below visualizes a password spray.

Attack  Username                         Password
1       bob.smith@inlanefreight.local    Welcome1
1       john.doe@inlanefreight.local     Welcome1
1       jane.doe@inlanefreight.local     Welcome1
        DELAY
2       bob.smith@inlanefreight.local    Passw0rd
2       john.doe@inlanefreight.local     Passw0rd
2       jane.doe@inlanefreight.local     Passw0rd
        DELAY
3       bob.smith@inlanefreight.local    Winter2022
3       john.doe@inlanefreight.local     Winter2022
3       jane.doe@inlanefreight.local     Winter2022

It’s common to find a password policy that allows five bad attempts before locking out the account, with a 30-minute auto-unlock threshold.

If you don’t know the password policy, a good rule of thumb is to wait a few hours between attempts, which should be long enough for the account lockout threshold to reset.

It is best to obtain the password policy before attempting the attack during an internal assessment, but this is not always possible.

If we cannot, we can err on the side of caution and choose to do just one targeted password spraying attempt using a weak/common password as a "hail mary", once all other options for a foothold or furthering access have been exhausted.

Depending on the type of assessment, we can always ask the client to clarify the password policy. If we already have a foothold or were provided a user account as part of testing, we can enumerate the password policy in various ways.

Enumerating & Retrieving Password Policies

Enumerating the Password Policy - from Linux - Credentialed

crackmapexec smb <IP> -u <username> -p <password> --pass-pol

Enumerating the Password Policy - from Linux - SMB NULL Sessions

Without credentials, we may be able to obtain the password policy via an SMB NULL session or LDAP anonymous bind.

Once connected, we can issue an RPC command such as querydominfo to obtain information about the domain and confirm NULL session access.

rpcclient -U "" -N <IP>

rpcclient $> querydominfo
enum4linux -P <IP>
enum4linux-ng -P <IP> -oA <outputFileName>

Enumerating Null Session - from Windows

It is less common to do this type of null session attack from Windows, but we could use the command net use \\host\ipc$ "" /u:"" to establish a null session from a Windows machine and confirm whether we can perform more of this type of attack.

net use \\DC01\ipc$ "" /u:""

Let's see some common errors when trying to authenticate:

Error: Account is Disabled

net use \\DC01\ipc$ "" /u:guest
System error 1331 has occurred.

This user can't sign in because this account is currently disabled.

Error: Password is Incorrect

net use \\DC01\ipc$ "password" /u:guest
System error 1326 has occurred.

The user name or password is incorrect.

Error: Account is locked out (Password Policy)

net use \\DC01\ipc$ "password" /u:guest
System error 1909 has occurred.

The referenced account is currently locked out and may not be logged on to.

Enumerating the Password Policy - from Linux - LDAP Anonymous Bind

ldapsearch -h <IP> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
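The attributes that command greps for are easier to interpret once converted from AD's raw units. The parser below is an added example (not from the cheatsheet): it reads constructed ldapsearch-style output, converts the 100-nanosecond durations to minutes and days, and lists report-ready weaknesses using illustrative thresholds.

```python
"""Parse the domain password policy from LDAP output and convert AD's raw values.
Added example, not from the cheatsheet: the grep -B 10 pwdHistoryLength trick
above works because these attributes sit together on the domain object. The
LDIF below is constructed; the attribute names are the real AD ones.
"""
import re

# AD stores durations as negative counts of 100-nanosecond intervals:
# -18000000000 is 30 minutes, -36288000000000 is 42 days.
SAMPLE_LDIF = """\
dn: DC=INLANEFREIGHT,DC=LOCAL
minPwdLength: 8
pwdHistoryLength: 24
pwdProperties: 1
lockoutThreshold: 5
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
maxPwdAge: -36288000000000
"""

HUNDRED_NS_PER_MINUTE = 60 * 10_000_000

def _minutes(raw: str) -> float:
    """Convert a raw AD duration (negative 100 ns count) to minutes."""
    return abs(int(raw)) / HUNDRED_NS_PER_MINUTE

def parse_password_policy(ldif: str) -> dict:
    """Pull the policy attributes out of LDIF text into human-readable units."""
    attrs = dict(re.findall(r"^(\w+): (\S+)$", ldif, flags=re.MULTILINE))
    return {
        "min_password_length": int(attrs["minPwdLength"]),
        "password_history": int(attrs["pwdHistoryLength"]),
        # bit 0 of pwdProperties is DOMAIN_PASSWORD_COMPLEX
        "complexity_required": bool(int(attrs.get("pwdProperties", 0)) & 1),
        # a threshold of 0 means accounts never lock out
        "lockout_threshold": int(attrs.get("lockoutThreshold", 0)),
        "lockout_duration_min": _minutes(attrs["lockoutDuration"]),
        "lockout_window_min": _minutes(attrs["lockOutObservationWindow"]),
        "max_password_age_days": _minutes(attrs["maxPwdAge"]) / (60 * 24),
    }

def policy_findings(policy: dict) -> list:
    """Report-ready weaknesses; the thresholds are illustrative, not a standard."""
    findings = []
    if policy["lockout_threshold"] == 0:
        findings.append("no lockout threshold: unlimited guesses per account")
    if policy["min_password_length"] < 12:
        findings.append(f"minimum length {policy['min_password_length']} permits short passwords")
    if not policy["complexity_required"]:
        findings.append("password complexity is not enforced")
    return findings

if __name__ == "__main__":
    print(parse_password_policy(SAMPLE_LDIF), policy_findings(parse_password_policy(SAMPLE_LDIF)))
```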

Enumerating the Password Policy - from Windows

If we can authenticate to the domain from a Windows host, we can use built-in Windows binaries such as net.exe to retrieve the password policy.

We can also use various tools such as PowerView, CrackMapExec ported to Windows, SharpMapExec, SharpView, etc.

Using built-in commands is helpful if we land on a Windows system and cannot transfer tools to it, or we are positioned on a Windows system by the client, but have no way of getting tools onto it. One example using the built-in net.exe binary is:

net accounts

PowerView is also quite handy for this:

import-module .\PowerView.ps1
Get-DomainPolicy

The choice of tools depends on the goal of the assessment, stealth considerations, any anti-virus or EDR in place, and other potential restrictions on the target host.

Password Spraying - Making a Target User List

Detailed User Enumeration

To mount a successful password spraying attack, we first need a list of valid domain users to attempt to authenticate with. There are several ways that we can gather a target list of valid users:

  • By leveraging an SMB NULL session to retrieve a complete list of domain users from the domain controller

  • Utilizing an LDAP anonymous bind to query LDAP anonymously and pull down the domain user list

  • Using a set of credentials from a Linux or Windows attack system either provided by our client or obtained through another means such as LLMNR/NBT-NS response poisoning using Responder or even a successful password spray using a smaller wordlist

Regardless of the method we choose, and whether or not we have the password policy, we must always keep a log of our activities, including, but not limited to:

  • The accounts targeted

  • Domain Controller used in the attack

  • Time of the spray

  • Date of the spray

  • Password(s) attempted

This will help us ensure that we do not duplicate efforts. If an account lockout occurs or our client notices suspicious logon attempts, we can supply them with our notes to crosscheck against their logging systems and ensure nothing nefarious was going on in the network.

SMB NULL Session to Pull User List

If you are on an internal machine but don’t have valid domain credentials, you can look for SMB NULL sessions or LDAP anonymous binds on Domain Controllers. Either of these will allow you to obtain an accurate list of all users within Active Directory and the password policy. If you already have credentials for a domain user or SYSTEM access on a Windows host, then you can easily query Active Directory for this information.

It’s possible to do this using the SYSTEM account because it can impersonate the computer. A computer object is treated as a domain user account (with some differences, such as authenticating across forest trusts). If you don’t have a valid domain account, and SMB NULL sessions and LDAP anonymous binds are not possible, you can create a user list using external resources such as email harvesting and LinkedIn. This user list will not be as complete, but it may be enough to provide you with access to Active Directory.

Regardless of the tool, we'll have to do a bit of filtering to clean up the output and obtain a list of only usernames, one on each line. We can do this with enum4linux with the -U flag.

enum4linux -U <IP>  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

We can use the enumdomusers command after connecting anonymously using rpcclient.

rpcclient -U "" -N <IP>

rpcclient $> enumdomusers 

Finally, we can use CrackMapExec with the --users flag. This is a useful tool that will also show the badpwdcount (invalid login attempts), so we can remove any accounts from our list that are close to the lockout threshold.

It also shows the badpwdtime, which is the date and time of the last bad password attempt, so we can see how close an account is to having its badpwdcount reset.

crackmapexec smb <IP> --users

Gathering Users with LDAP Anonymous

ldapsearch -h <IP> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

Tools such as windapsearch make this easier. Here we can specify anonymous access by providing a blank username with the -u flag and the -U flag to tell the tool to retrieve just users.

./windapsearch.py --dc-ip <IP> -u "" -U

Enumerating Users with Kerbrute

As mentioned in the Initial Enumeration of The Domain section, if we have no access at all from our position in the internal network, we can use Kerbrute to enumerate valid AD accounts and for password spraying.

The tool sends TGT requests to the domain controller without Kerberos Pre-Authentication to perform username enumeration. If the KDC responds with the error PRINCIPAL UNKNOWN, the username is invalid.

This method of username enumeration does not cause logon failures and will not lock out accounts.

However, once we have a list of valid users and switch gears to use this tool for password spraying, failed Kerberos Pre-Authentication attempts will count towards an account's failed logon attempts and can lead to account lockout, so we still must be careful regardless of the method chosen.

kerbrute userenum -d <domain> --dc <DCIP> /opt/jsmith.txt 

Defenders can tune their SIEM tools to look for an influx of event ID 4768, which may indicate an attack. If we are successful with this method during a penetration test, this can be an excellent recommendation to add to our report.

Credentialed Enumeration to Build our User List

With valid credentials, we can use any of the tools stated previously to build a user list. A quick and easy way is using CrackMapExec.

sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users


Additional notes on the tools and techniques above

With valid domain credentials, the password policy can also be obtained remotely using tools such as CrackMapExec (or its successor, NetExec) or rpcclient.

An SMB NULL session can be enumerated easily. For enumeration, we can use tools such as enum4linux, CrackMapExec (or its successor, NetExec), rpcclient, etc.

We can use rpcclient to check a Domain Controller for SMB NULL session access.

Let's try this using enum4linux. enum4linux is a tool built around the Samba suite of tools (nmblookup, net, rpcclient and smbclient) for enumeration of Windows hosts and domains.

The tool enum4linux-ng is a rewrite of enum4linux in Python, but has additional features such as the ability to export data as YAML or JSON files, which can later be used to process the data further or feed it to other tools. It also supports colored output, among other features.

LDAP anonymous binds allow unauthenticated attackers to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy.

With an LDAP anonymous bind, we can use LDAP-specific enumeration tools such as windapsearch.py, ldapsearch, ad-ldapdomaindump.py, etc., to pull the password policy. With ldapsearch, it can be a bit cumbersome but doable; the ldapsearch command under "Enumerating the Password Policy - from Linux - LDAP Anonymous Bind" above is one example of getting the password policy this way.

A further way to gather a target user list is using a tool such as Kerbrute to validate users, utilizing a word list from a source such as the statistically-likely-usernames GitHub repo, or one gathered by using a tool such as linkedin2username to create a list of potentially valid users.

Some tools that can leverage SMB NULL sessions and LDAP anonymous binds include enum4linux, rpcclient, and CrackMapExec (or its successor, NetExec), among others.

We can use various tools to gather users when we find an LDAP anonymous bind. Some examples include windapsearch and ldapsearch. If we choose to use ldapsearch we will need to specify a valid LDAP search filter.

Kerbrute uses Kerberos Pre-Authentication, which is a much faster and potentially stealthier way to perform password spraying. This method does not generate Windows event ID 4625: An account failed to log on, a logon failure which is often monitored for.

Let's try out this method using the jsmith.txt wordlist of 48,705 possible common usernames in the format flast. The statistically-likely-usernames GitHub repo is an excellent resource for this type of attack and contains a variety of different username lists that we can use to enumerate valid usernames using Kerbrute.

Using Kerbrute for username enumeration will generate event ID 4768: A Kerberos authentication ticket (TGT) was requested. This will only be triggered if Kerberos event logging is enabled via Group Policy.

If we are unable to create a valid username list using any of the methods highlighted above, we could turn back to external information gathering and search for company email addresses or use a tool such as linkedin2username to mash up possible usernames from a company's LinkedIn page.

Last updated 5 months ago