
Password Spraying - Making a Target User List

Before spraying, you need a list of valid domain users. The method depends on your level of access.

User Enumeration Methods

| Access Level | Methods |
|---|---|
| No credentials | SMB NULL session, LDAP anonymous bind, Kerbrute with wordlists, LinkedIn scraping |
| Valid credentials | CrackMapExec --users, rpcclient, ldapsearch, PowerView |
| SYSTEM access on domain host | Can query AD directly (the computer account authenticates as a domain principal) |

SMB NULL Session

enum4linux

enum4linux -U <DC_IP> | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

rpcclient

rpcclient -U "" -N <DC_IP>
rpcclient $> enumdomusers

CrackMapExec (also shows badpwdcount)

crackmapexec smb <DC_IP> --users

The badpwdcount and baddpwdtime fields reported by CrackMapExec are useful: drop accounts that are already close to the lockout threshold from your spray list. Note that badPwdCount is tracked independently on each Domain Controller and is not replicated; because DCs forward bad-password attempts to the PDC Emulator, query the PDC Emulator for the most accurate aggregate value.

LDAP Anonymous Bind

ldapsearch

ldapsearch -h <DC_IP> -x -b "DC=DOMAIN,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "

windapsearch

./windapsearch.py --dc-ip <DC_IP> -u "" -U

Kerbrute (No Credentials Needed)

Uses Kerberos pre-authentication to validate usernames without supplying a password: the KDC answers an AS-REQ for a non-existent account with KDC_ERR_C_PRINCIPAL_UNKNOWN, while for a valid account it answers KDC_ERR_PREAUTH_REQUIRED (a prompt for pre-authentication data).

kerbrute userenum -d <domain> --dc <DC_IP> /path/to/userlist.txt

Advantages:

  • Fast (48,000+ usernames in ~12 seconds)
  • Does not generate event ID 4625 (logon failure)
  • Username enumeration alone does not cause lockouts

Caveats:

  • Generates event ID 4768 (TGT request) if Kerberos logging is enabled
  • Once you switch to password spraying with Kerbrute, failed pre-auth attempts do count toward lockout

Username wordlists: statistically-likely-usernames (e.g., jsmith.txt – 48,705 common names in first-initial + last-name (flast) format).

Credentialed Enumeration

crackmapexec smb <DC_IP> -u <user> -p <pass> --users

External / OSINT Fallback

If no NULL session, anonymous bind, or credentials are available:

  • Search for company email addresses (email harvesting)
  • Use linkedin2username to generate candidate usernames from a company’s LinkedIn page
  • Check published PDFs for author metadata revealing username format

Activity Logging

Always log your spray attempts:

  • Accounts targeted
  • Domain Controller used
  • Date and time of each spray
  • Password(s) attempted

This protects you if lockouts occur and helps the client cross-reference against their SIEM logs.
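A log with exactly those four fields is only useful if the client can actually line it up with what their SIEM recorded. The following is an added example (not code from the original notes) of recording each spray round as a JSON-lines entry and reconciling a client's failed-authentication export against it, so that events explained by the authorised test are separated from the ones that still need investigation. The SIEM record shape and the matching tolerance are assumptions.

```python
"""Record spray rounds and reconcile them against a client's failed-auth events.

Added example (not from the original notes). The SIEM export format below is
a constructed simplification; map your real 4625/4771 fields onto it.
"""
import json
from datetime import datetime, timedelta


def record_spray(log, accounts, dc, password, when):
    """Append one spray round to `log` (a list of dicts) and return the entry.

    One entry per round keeps the four fields from the checklist together:
    accounts targeted, DC used, date/time, and the password attempted.
    """
    entry = {
        "timestamp": when.isoformat(),
        "dc": dc,
        "accounts": sorted(accounts),
        "password": password,
    }
    log.append(entry)
    return entry


def to_jsonl(log):
    """Serialise the log as JSON lines, one round per line, for handover."""
    return "\n".join(json.dumps(entry) for entry in log)


def reconcile(log, siem_events, tolerance=timedelta(minutes=2)):
    """Split SIEM failed-auth events into (explained, unexplained).

    An event is explained when a logged round targeted that account on that
    DC within `tolerance` of the round's timestamp. Everything else is left
    for the client to investigate as possibly not ours.
    """
    rounds = [(datetime.fromisoformat(e["timestamp"]), e) for e in log]
    explained, unexplained = [], []
    for ev in siem_events:
        t = datetime.fromisoformat(ev["time"])
        matched = any(
            ev["account"] in entry["accounts"]
            and ev["dc"] == entry["dc"]
            and abs(t - started) <= tolerance
            for started, entry in rounds
        )
        (explained if matched else unexplained).append(ev)
    return explained, unexplained


# Constructed sample: two rounds logged by the tester, four events from the
# client's SIEM. The 11:00 jsmith failure and the rkhan failure were not
# part of the test and should come back as unexplained.
SAMPLE_LOG = []
record_spray(SAMPLE_LOG, ["jsmith", "mlee"], "DC01", "Spring2024!", datetime(2024, 3, 1, 9, 5))
record_spray(SAMPLE_LOG, ["jsmith", "mlee"], "DC01", "Welcome1", datetime(2024, 3, 1, 14, 0))

SAMPLE_SIEM = [
    {"time": "2024-03-01T09:05:30", "dc": "DC01", "account": "jsmith", "event_id": 4771},
    {"time": "2024-03-01T09:06:10", "dc": "DC01", "account": "mlee", "event_id": 4771},
    {"time": "2024-03-01T11:00:00", "dc": "DC01", "account": "jsmith", "event_id": 4625},
    {"time": "2024-03-01T09:05:15", "dc": "DC01", "account": "rkhan", "event_id": 4771},
]


def demo():
    """Run the reconciliation on the constructed sample and return the split."""
    return reconcile(SAMPLE_LOG, SAMPLE_SIEM)


if __name__ == "__main__":
    print(to_jsonl(SAMPLE_LOG))
    explained, unexplained = demo()
    print("explained by test:", [e["account"] for e in explained])
    print("needs investigation:", [(e["time"], e["account"]) for e in unexplained])
```

Keep the tester's clock synchronised with the client's (NTP) before relying on the time window; a few minutes of skew is the usual reason a genuine test event comes back as unexplained.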