
Simplifying Password Spraying

As a penetration tester, attaining Windows domain credentials is akin to gaining the keys to the kingdom. Most of the time you can take a set of credentials and use them to escalate across a network, searching for higher levels of access, attaining administrative permissions on more machines and eventually getting that sweet, sweet domain admin.

While there are other methods to go about attaining a set of Windows credentials, such as Responder, today I want to talk about one of my personal favorites: Password Spraying, also known as a reverse brute force attack. I also want to share with you a tool I've been working on to simplify and help automate the attack.

To give a little background, traditional brute force attacks of one username with multiple passwords don't work very well against Windows services. This is because they employ lockout functionality after a set number of login attempts. A Password Spray circumvents the lockout functionality by trying only a few of the most common passwords against multiple user accounts, trying to identify that one person who is using 'Password1' or 'Summer2017'.

A large list of usernames can be gathered using a variety of different methods, such as directly from target machines with SMB Null Sessions or with net user commands if access to a domain-linked machine has already been attained. They can also be generated with reasonable accuracy through Open Source Intelligence, using tools such as LinkedInt, Prowl or Raven, which take in known email formats (firstnamelastname, firstinitial.lastname, etc.) and scrape a company's employee lists on LinkedIn.

To help with this type of attack, I've put together a little tool that I've appropriately called 'spray'. Spray can be used against 3 types of Windows domain authentication services: SMB for internal testing and OWA and Lync for external testing. Spray is written in bash which gives it the advantage of running on Mac and Linux as opposed to some of the PowerShell based alternatives out there.

The main feature of Spray is that you can provide it with a timeout period and a number of attempts to help avoid account lockouts. This slow and timed approach allows you to provide a password list that spray will slowly work through over the course of an engagement, meaning you can leave it running in the background and just check it occasionally for successful credentials. If I don't know the password policy for the domain, I like to try 1 password every 35 minutes, as the standard password policy for a domain is 3 passwords every 30 minutes before a lockout. However, if you have enumerated the policy you can become more aggressive.
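From the defender's side, the pacing described above is why a per-account lockout counter never sees this activity while a per-source count of distinct accounts does. The following is an added example, not part of Spray or the original post; the log line format, the addresses, the `MIN_ACCOUNTS` threshold and all function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                    # the post's "standard" policy: 3 attempts
LOCKOUT_WINDOW = timedelta(minutes=30)   # ...every 30 minutes
MIN_ACCOUNTS = 5                         # assumed alert threshold for this sample

def build_sample():
    """Constructed log: 10.0.0.5 tries 6 accounts once every 35 minutes (3 rounds);
    10.0.0.9 is a single user mistyping a password 4 times in a few minutes."""
    start = datetime(2017, 6, 1, 9, 0, 0)
    lines = []
    for rnd in range(3):
        for i in range(6):
            ts = start + timedelta(minutes=35 * rnd, seconds=2 * i)
            lines.append(f"{ts.isoformat()} FAIL src=10.0.0.5 user=user{i}")
    for i in range(4):
        ts = start + timedelta(minutes=10, seconds=45 * i)
        lines.append(f"{ts.isoformat()} FAIL src=10.0.0.9 user=dave")
    return lines

def parse(line):
    ts, _status, src, user = line.split()
    return datetime.fromisoformat(ts), src.split("=", 1)[1], user.split("=", 1)[1]

def max_in_window(times, window):
    """Largest number of events inside any sliding window of the given width."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def analyse(lines):
    per_src = defaultdict(lambda: defaultdict(list))   # src -> user -> [timestamps]
    for line in lines:
        ts, src, user = parse(line)
        per_src[src][user].append(ts)
    report = {}
    for src, users in per_src.items():
        worst = max(max_in_window(t, LOCKOUT_WINDOW) for t in users.values())
        report[src] = {
            "accounts": len(users),
            "max_per_account_in_window": worst,
            "lockout_tripped": worst >= LOCKOUT_THRESHOLD,
            # many accounts, each kept under the lockout threshold
            "spray_suspected": len(users) >= MIN_ACCOUNTS and worst < LOCKOUT_THRESHOLD,
        }
    return report
```

On the constructed log, the paced source never trips lockout on any account yet is flagged for touching six accounts, while the mistyping user trips lockout and is not flagged as a spray.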

To spray an SMB service you will need to provide a Windows machine with port 445 open, a list of usernames, a list of passwords, a number of attempts per lockout period, the amount of time to wait between attempts and, finally, the domain. To spray the target on the domain SPIDERLABS, attempting 1 password every 35 minutes, you would use the following command:

$ -smb usernames.txt passwords.txt 1 35 SPIDERLABS

To spray an Outlook Web Access service, the first thing you must do is capture the POST request for a login attempt to the service with the email '', where is the target's domain and where the password is 'spraypassword'. This can be done with a tool such as Burp Free or OWASP ZAP. The full request with headers should be saved to a .txt file, because for some OWA services cookies that are set with JavaScript need to be included in a logon attempt. To spray an OWA service with 1 password every 35 minutes, you would use the following command:

$ -owa usernames.txt passwords.txt 1 35 post-request.txt

To spray a Lync Service a list of emails instead of usernames must be provided, along with the target of either a link that redirects to the autodiscover service or a direct link to the oauth part of the autodiscover service. To spray a Lync service with 1 password every 35 minutes, you would use one of the following commands:

$ -lync emails.txt passwords.txt 1 35

$ -lync emails.txt passwords.txt 1 35

Spray also comes with 150-200 word password lists in the world's top 10 most common languages. They contain the most commonly used domain passwords, personalized for each country. One small example would be the replacing of 'God' and 'Jesus' in the English list with 'Allah' and 'Muhammed' in the Arabic one. You can also update these lists to contain the most recent years using the tool, which will help them stay current as they use 2016/2017 heavily. You can also augment the list to add a specific password to try at the start of the list. I usually add the target company's name.

To update the password list to the current year (beyond 2016/2017):

$ -passupdate passwords.txt

To update and add a new word such as a company's name:

$ -passupdate passwords.txt Spiderlabs
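The defensive counterpart to these lists is a check at password-change time that rejects a common word or the organisation's name followed by a year, counter or symbol, which is the shape of 'Password1' and 'Summer2017' above. This is an added example, not part of Spray; the base-word set, the substitution table and the function names are assumptions made for this sketch, and it only strips suffixes.

```python
import re

# Assumed base words for this sketch: seasons, months and two generic words.
# A production filter would load a much larger banned list.
BASE_WORDS = {
    "spring", "summer", "autumn", "fall", "winter", "password", "welcome",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}
# Common character substitutions folded back to letters before comparison.
LEET = str.maketrans("03457@$", "oeastas")

def normalise(word):
    return word.lower().translate(LEET)

def weak_reason(password, org_names=()):
    """Return why a candidate password is guessable, or None if no rule matches."""
    # Drop the trailing run of digits and symbols: years, counters, "!" and so on.
    stem = re.sub(r"[\W\d_]+$", "", password)
    if not stem:
        return "digits and symbols only"
    norm = normalise(stem)
    if norm in BASE_WORDS:
        return f"common word '{norm}' with predictable suffix"
    if norm in {normalise(o) for o in org_names}:
        return f"organisation name '{norm}' with predictable suffix"
    return None

def audit(candidates, org_names=()):
    """Map each rejected candidate to the rule that rejected it."""
    return {p: r for p in candidates if (r := weak_reason(p, org_names))}
```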

Finally, you can use lists of the most popular names in a given country to generate usernames or emails in a desired format. For example, using the following commands you could generate 1 million usernames to use with your password spray in the first initial and last name format. Full stops, first names, last initials and domains can also be added to create email addresses.

$ -genusers english-first-1000.txt english-last-1000.txt "<fi><ln>"

$ -genusers english-first-1000.txt english-last-1000.txt "<fn>.<ln>"

Additional features, services or lists may be added in the future, so always make sure you check for the latest version. I hope you find Spray a useful addition to your toolkit.

I also want to give a big thank you to the Black Hills Information Security and MDSec teams whose previous research, tools and blogs inspired me to create Spray.

Spray can be downloaded from the SpiderLabs Github here

Disclaimer: I take no responsibility for any accounts you lock out with this technique or tool.
