AD Enumeration: AD - Password Spraying
Description
Password spraying is an attack technique in which an adversary attempts to compromise user accounts by trying to authenticate with a curated list of passwords that are either frequently used or likely to be used by their target. Password spraying can be conducted by an external adversary against any internet-facing system or SaaS application, or by an adversary that has gained a foothold within the network and is seeking to widen their access.
Frequent targets for password spraying include VPN servers, web-based email applications and single sign-on providers.
Unlike credential stuffing where an adversary is targeting specific users with previously compromised passwords, password spraying is about trying common or likely passwords against as many users as possible. Thus, many adversaries structure their attacks to avoid detection, perhaps trying only one password for each user account at a time or waiting some time between attempts.
Reference: https://www.netwrix.com/password_spraying_tutorial_defense.html
Tasks
Lab Environment
In this lab environment, you have GUI access as a Domain User called Research/Student on a Windows Server 2012 machine, which serves as your workstation. This environment contains weaknesses that are susceptible to password spraying attacks - a common method for guessing passwords that often yields results because of the habitual use of simple and predictable passwords within the Active Directory setup.
Your task is to perform a password spraying attack aiming to identify weak passwords, which could potentially provide you with escalated privileges, even up to the level of domain admin access.
Objective: Execute a password spraying attack to discover weak passwords within the Active Directory.
Below are the tasks that you need to perform:
Task 1: Identify all the users in the domain.
Task 2: Initiate the Password Spraying Attack.
Task 3: Execution and Verification of the Password Spraying Attack.
Tools
The best tools for this lab are:
PowerView
DomainPasswordSpray
Solution
Step 1: Open the lab link to access the following:
Workstation

Task 1: Identify all the users in the domain.
We will use the PowerView script from PowerSploit to identify all the users in the domain.
What is PowerView?
PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
Reference: https://powersploit.readthedocs.io/en/latest/Recon/#powerview
It seems like we have a directory called C:\Tools that contains the necessary tools for enumeration and exploitation.
Step 1: Change the directory to C:\Tools by running the following command.
Command:
cd C:\Tools
The directory changed to C:\Tools.
Step 2: Enable execution policy bypass and import the PowerView module.
Command:
powershell -ExecutionPolicy Bypass
. .\PowerView.ps1
This command starts a new PowerShell session with the execution policy bypassed, allowing you to run scripts that may otherwise be blocked.
The dot, followed by a space and the script's path (. .\PowerView.ps1), dot-sources the script so its functions are loaded into the current PowerShell session. Ensure that the PowerView.ps1 script is located in the current directory (C:\Tools).
Step 3: Enumerating All User Accounts on the Domain.
The first step in planning a password spraying attack is gathering the usernames of all accounts in the domain. With the power of PowerShell and the Active Directory module, we can easily retrieve this information.
Command:
Get-DomainUser | Select-Object -ExpandProperty cn | Out-File users.txt
type .\users.txt
In the command above, Get-DomainUser fetches a list of all users within the domain. Select-Object -ExpandProperty cn expands the 'cn' (common name) property of each user object, which generally represents the username. The output is then piped to Out-File users.txt, which writes these usernames to a text file named 'users.txt'.
The type .\users.txt command is used to display the content of 'users.txt' in the console, giving you a view of the list of usernames extracted.

The image above represents a successful output of this command, displaying the list of all user accounts present in the domain. You should see a list of usernames that can be used in the subsequent password-spraying attack.
Task 2: Initiate the Password Spraying Attack.
What is DomainPasswordSpray?
DomainPasswordSpray is a highly effective tool coded in PowerShell specifically designed to execute a password spray attack against users within a domain. It's quite versatile - by default, it can automatically generate a user list from the domain, but it also allows for a custom user list input, which we will utilize in our task.
Reference: https://github.com/dafthack/DomainPasswordSpray
Step 4: Import the DomainPasswordSpray Tool.
In this step, we're going to navigate to the directory containing the DomainPasswordSpray script and load the PowerShell tool into our environment.
Command:
cd .\Scripts\credentials
. .\DomainPasswordSpray.ps1
In the command sequence above, cd .\Scripts\credentials changes the current working directory to the folder containing the DomainPasswordSpray script. Next, . .\DomainPasswordSpray.ps1 sources the script into the current PowerShell environment. This is required for executing functions or calling variables that the script defines.

The above image illustrates a successful execution of the command. With the DomainPasswordSpray tool now loaded, we're set to launch the password-spraying attack on the list of user accounts we've previously extracted.
Task 3: Execution and Verification of the Password Spraying Attack.
Step 5: Launch the Password Spraying Attack.
Once the DomainPasswordSpray tool is loaded and the list of user accounts is ready, we can proceed to execute the password-spraying attack.
Command:
cd ../../
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
In this command sequence, cd ../../ navigates back to the original directory where 'users.txt' resides.
Then, Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose initiates the password spraying attack. Here, -UserList .\users.txt specifies our custom list of user accounts and -Password 123456 denotes the password to test on each account. The -Verbose flag is used to provide detailed output during the process.

As depicted in the screenshot, the output validates the successful execution of the password-spraying attack against the Active Directory accounts.
Note: Password spraying attacks can often trigger account lockouts if too many attempts are made in a short period. Therefore, tools like DomainPasswordSpray are designed to automatically pause after a specific number of attempts to avoid triggering account lockouts.
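The defender's side of the note above, added here as an example and not part of the lab: detection logic run over constructed Windows Security event 4625 (failed logon) records. Because a spray tries one password against many accounts, each account's failure count stays below the lockout threshold; the signal is one source failing against many distinct accounts inside a short window. The sample events, the lockout threshold and the alert thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4625 (failed logon) records,
# reduced to the fields a spray rule needs. Not real telemetry.
SAMPLE_4625 = [
    # (TimeCreated, TargetUserName, IpAddress, SubStatus)
    ("2024-01-10T09:00:01", "alice", "10.0.0.45", "0xC000006A"),  # bad password
    ("2024-01-10T09:00:02", "bob",   "10.0.0.45", "0xC000006A"),
    ("2024-01-10T09:00:02", "carol", "10.0.0.45", "0xC000006A"),
    ("2024-01-10T09:00:03", "dave",  "10.0.0.45", "0xC000006A"),
    ("2024-01-10T09:00:04", "erin",  "10.0.0.45", "0xC000006A"),
    ("2024-01-10T09:00:05", "frank", "10.0.0.45", "0xC000006A"),
    # Benign noise: one user mistyping their own password twice from their PC.
    ("2024-01-10T09:05:00", "alice", "10.0.0.77", "0xC000006A"),
    ("2024-01-10T09:05:09", "alice", "10.0.0.77", "0xC000006A"),
]

LOCKOUT_THRESHOLD = 5      # assumed domain lockout policy (bad attempts per account)
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_ACCOUNTS = 5  # assumed alert threshold: distinct accounts per source

def parse(events):
    return [(datetime.fromisoformat(ts), user, ip, sub) for ts, user, ip, sub in events]

def per_account_failures(events):
    """Lockout's view: bad-password failures per account. A spray stays under it."""
    counts = defaultdict(int)
    for _, user, _, sub in parse(events):
        if sub == "0xC000006A":
            counts[user] += 1
    return dict(counts)

def detect_spray(events, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Spray view: flag a source that fails against many distinct accounts in one window."""
    by_ip = defaultdict(list)
    for ts, user, ip, sub in sorted(parse(events)):
        if sub == "0xC000006A":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide window
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = max(alerts.get(ip, 0), len(users))
    return alerts
```

On the sample, every account has at most three failures (under the assumed lockout threshold of five), yet 10.0.0.45 is flagged for touching six distinct accounts within seconds, while the mistyping user at 10.0.0.77 is not.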

Conclusion
In this laboratory exercise, we've delved into the practical application of a Password Spraying Attack in an Active Directory environment. We have seen firsthand how an adversary could potentially exploit weak or commonly used passwords, reinforcing the importance of enforcing robust password policies. As budding cybersecurity professionals, understanding such techniques not only helps in offensive security exercises but also aids in the development of stronger defence mechanisms. Remember, knowing how to protect requires an understanding of how attacks work.