As a penetration tester, attaining Windows domain credentials are akin to gaining the keys to the kingdom. Most of the time you can take a set of credentials and use them to escalate across a network, searching for higher levels of access, attaining administrative permissions on more machines and eventually getting that sweet, sweet domain admin.
While there are other methods to go about attaining a set of Windows credentials, such as Responder, today I want to talk about one of my personal favorites: Password Spraying, also known as a reverse brute force attack. I also want to share with you a tool I've been working on to simplify and help automate the attack.
To give a little background, traditional brute force attacks of one username with multiple passwords don't work very well against Windows services. This is because they employ lockout functionality after a set number of login attempts. A Password Spray circumvents the lockout functionality by trying only a few of the most common passwords against multiple user accounts, trying to identify that one person who is using 'Password1' or 'Summer2017'.
A large list of usernames can be gathered using a variety of different methods, such as directly from target machines with SMB Null Sessions or with net user commands if access to a domain linked machine has already been attained. They can also be generated with reasonable accuracy using Open Source Intelligence using tools such as LinkedInt, Prowl or Raven which take in known email formats (firstnamelastname or firstinital.lastname etc) and scrape company's employee lists on LinkedIn.
To help with this type of attack, I've put together a little tool that I've appropriately called 'spray'. Spray can be used against 3 types of Windows domain authentication services: SMB for internal testing and OWA and Lync for external testing. Spray is written in bash which gives it the advantage of running on Mac and Linux as opposed to some of the PowerShell based alternatives out there.
The main feature of Spray is that you can provide it with a timeout period and a number of attempts to help avoid account lockouts. This slow and timed approach allows you to provide a password list that spray will slowly work through over the course of an engagement. Meaning you can leave it running in the background, just checking it occasionally for successful credentials. If I don't know the password policy for the domain I like to try 1 password every 35 minutes, as the standard password policy for a domain is 3 passwords every 30 minutes before a lockout. However if you have enumerated the policy you can become more aggressive.
To spray a SMB service you will need to provide a Windows machine with port 445 open, a list of usernames, a list of passwords, a number of attempts per lockout period, the amount of time to wait between attempts and, finally, the domain. To spray the target 10.10.10.10 on the domain SPIDERLABS, attempting 1 password every 35 minutes, you would use the following command:
$ spray.sh –smb 10.10.10.10 usernames.txt passwords.txt 1 35 SPIDERLABS
To spray an Outlook Web Access service the first thing you must do is capture the POST request for a login attempt to the service with the email 'sprayuser@domain.com', where domain.com is the target's domain and where the password is 'spraypassword'. This can be done with a tool such as Burp Free or OWASP ZAP. The full request with headers should be saved to a .txt file, this is because for some OWA services cookies that are set with JavaScript need to be included in a logon attempt. To spray an OWA service with 1 password every 35 minutes, you would use the following command:
$ spray.sh -owa https://mail.spiderlabs.com usernames.txt passwords.txt 1 35 post-request.txt
To spray a Lync Service a list of emails instead of usernames must be provided, along with the target of either a link that redirects to the autodiscover service or a direct link to the oauth part of the autodiscover service. To spray a Lync service with 1 password every 35 minutes, you would use one of the following commands:
$ spray.sh -lync https://lyncdiscover.spiderlabs.com/ emails.txt passwords.txt 1 35
$ spray.sh -lync https://lyncweb.spiderlabs.com/Autodiscover/AutodiscoverService.svc/root/oauth/user emails.txt passwords.txt 1 35
Some other features of spray are the 150-200 word password lists that come in the World's top 10 most common languages and contains the most commonly used domain passwords that have been personalized for each country. One small example would be the replacing of 'God' and 'Jesus' in the English list with 'Allah' and 'Muhammed' in the Arabic one. You can also update these lists to contain the most recent years using the tool, which will help them stay current as they use 2016/2017 heavily. You can also augment the list to add a specific password to try at the start of the list. I usually add the target companies' name.
To update the password list to the current year (beyond 2016/2017):
$ spray.sh -passupdate passwords.txt
To update and add a new word such as a companies name:
$ spray.sh -passupdate passwords.txt Spiderlabs
Finally you can use lists of the most popular names in a given country to generate usernames or emails in a desired format. For example using the following command you could generate 1 million usernames to use with your password spray in the first initial and last name format. Full stops, first names, last initials and domains can also be added to create email addresses.
spray.sh -genusers english-first-1000.txt english-last-1000.txt "<fi><ln>"
spray.sh -genusers english-first-1000.txt english-last-1000.txt "<fn>.<ln>@spiderlabs.com"
Additional features, services or lists may be added in the future, so always make sure you check for the latest version. I hope you find Spray a useful addition to your toolkit.
I also want to give a big thank you to the Black Hills Information Security and MDSec teams whose previous research, tools and blogs inspired me to create Spray.
Spray can be downloaded from the SpiderLabs Github here
Disclaimer: I take no responsibility for any accounts you lockout with this technique or tool.