Password spraying is a targeted login attack used to gain initial access or expand presence inside a network. Instead of trying many passwords against a single account, it tests one commonly used password across many usernames or email addresses. These account lists are typically gathered during OSINT or early enumeration. Since penetration testing is iterative, new information is constantly fed back into the process, allowing multiple techniques to run in parallel. Because assessments are time-limited, efficient use of time is critical; for example, while one task like hash cracking or poisoning runs in the background, password spraying can be performed simultaneously using collected user data.
Real-World Scenarios
Scenario 1 During an assessment, no useful misconfigurations like SMB null sessions or anonymous LDAP binds were found to retrieve user lists. To compensate, a username list was built using a statistically likely usernames dataset combined with OSINT sources such as LinkedIn. Using Kerbrute, valid domain users were identified and then sprayed with a common password like
Welcome1. Even though only a few low-privilege accounts were compromised, this foothold enabled further enumeration with tools like BloodHound, eventually leading to full domain compromise.
Scenario 2 In another case, traditional username generation methods failed. Instead, publicly available PDF documents were analyzed, revealing that the organization used a structured username format, random GUID-like strings with uppercase letters and numbers. By leveraging this metadata, a script was written to generate a large list of possible usernames:
#!/bin/bash
for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}
do echo $x;
doneThis allowed enumeration of nearly all domain accounts. With a complete target list, password spraying became far more effective, eventually leading to valid credentials and enabling advanced attack chains such as RBCD and Shadow Credentials that resulted in domain takeover.
Key Considerations
Password spraying is powerful but must be used carefully. Unlike brute-force attacks, which attempt many passwords per account, spraying uses a small number of common passwords across many accounts, reducing the risk of triggering lockouts.
Password Policy Awareness
Most environments enforce lockout policies, for example 5 failed attempts leading to a 30-minute lockout. Some organizations have stricter policies requiring manual admin resets. If the policy is unknown, a safe approach is to wait several hours between attempts.
Best practices include:
Always try to identify the password policy before spraying
Use minimal attempts with high-probability passwords
Space out attempts to avoid triggering defenses
If uncertain, perform a single cautious "hail mary" attempt
When internal access is available, password policies can often be enumerated, significantly reducing risk and improving attack precision. Password spraying is not just about guessing passwords, it is about using intelligence, timing, and efficiency to gain access with minimal noise.
Enumerating the Password Policy using Linux (With Credentials) As mentioned earlier, the domain password policy can be retrieved in several ways depending on the configuration and whether valid credentials are available. When we have valid domain credentials, tools like NetExec (nxc), a fork/replacement of CrackMapExec or rpcclient can remotely pull this information.
Using CrackMapExec, we can authenticate and request the password policy:
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-polThis provides details such as minimum password length, history, lockout threshold, and lockout duration. These values are critical for planning safe password spraying attempts.
Enumerating the Password Policy using Linux (Without Credentials / SMB NULL Session) Even without credentials, it may still be possible to retrieve the password policy if SMB NULL sessions or LDAP anonymous binds are enabled. These are legacy misconfigurations often found in older or improperly upgraded environments.
We can test for a NULL session using rpcclient:
rpcclient -U "" -N 172.16.5.5Once connected, commands like:
querydominfo
getdompwinfo
can reveal domain information and password policy details, such as minimum password length and complexity requirements.
Using enum4linux for Enumeration Tools like enum4linux automate many SMB and RPC-based enumeration techniques. They can extract password policies, user lists, and domain information:
enum4linux -P 172.16.5.5
An enhanced version, enum4linux-ng, provides cleaner output and supports exporting results in JSON or YAML:
enum4linux-ng -P 172.16.5.5 -oA ilfreightThis output is easier to parse and can be reused for automation or further analysis.
Enumerating via LDAP Anonymous Bind LDAP anonymous binds can expose domain information if misconfigured. Tools like ldapsearch can extract password policy attributes:
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
Important fields include:
minPwdLength
lockoutThreshold
pwdProperties (complexity requirement)
Analyzing the Password Policy Once retrieved, the policy must be analyzed to guide attack strategy:
Minimum password length (e.g., 8) suggests weak passwords may still exist
Lockout threshold (e.g., 5) determines how many attempts are safe
Lockout duration (e.g., 30 minutes) defines waiting time between sprays
Complexity enabled means passwords require mixed character types, but common weak passwords may still satisfy it
A typical safe spraying strategy would involve:
2–3 attempts per cycle
Waiting longer than the lockout reset window
Avoiding account lockouts entirely
Understanding the password policy is essential before performing password spraying. It allows you to stay stealthy, avoid disruptions, and maximize the chances of gaining access without triggering defenses.
Detailed User Enumeration
To successfully perform a password spraying attack, the first requirement is a reliable list of valid domain users. Without accurate usernames, even a well-chosen password list will produce limited results. There are multiple techniques to build or extract this user list depending on the level of access and domain configuration.
Common Methods for User Enumeration
Valid domain users can typically be collected using the following approaches:
Exploiting SMB NULL sessions to extract full domain user listings directly from the Domain Controller
Using LDAP anonymous binds to query Active Directory without authentication and retrieve user objects
Leveraging Kerbrute with wordlists such as statistically-likely usernames or OSINT-generated lists (for example from LinkedIn using tools like linkedin2username)
Using existing credentials obtained through initial access, credential reuse, or attacks like LLMNR/NBT-NS poisoning via tools such as Responder
Expanding enumeration from a partial foothold or previously discovered accounts
Each method increases accuracy depending on available access, with credentialed enumeration providing the most complete results.
Importance of Password Policy Awareness
Before performing any spraying activity, understanding the domain password policy is essential. If SMB NULL sessions, LDAP binds, or credentials are available, the policy can often be extracted directly.
Key policy elements help shape the attack strategy:
Minimum password length influences which passwords are worth testing
Password complexity rules determine whether common passwords may still be valid
Account lockout threshold defines how many attempts are safe before locking users
Lockout reset timers determine required delay between spray cycles
If the policy is unknown, it may be obtained from the client. Otherwise, attackers must proceed cautiously, often using minimal or spaced-out attempts to avoid triggering account lockouts.
It is also critical to maintain a detailed log of activity, including:
Targeted accounts
Domain Controller used
Dates and times of attempts
Passwords tested
Results and observed responses
This ensures repeatability, prevents duplicated effort, and helps incident response teams validate activity if alerts are triggered.
SMB NULL Session Enumeration
When credentials are not available, SMB NULL sessions or LDAP anonymous access can sometimes expose domain information, including user accounts and password policies. These misconfigurations are more common in environments upgraded from older Windows Server versions.
Tools like enum4linux, rpcclient, nxc and CrackMapExec can automate this process.
Example using enum4linux:
enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
This produces a clean list of usernames that can be used for further attacks.
RPC-Based Enumeration
With rpcclient, anonymous connections may allow direct querying of domain users:
rpcclient -U "" -N 172.16.5.5Then:
enumdomusers
This returns usernames along with their RID values, confirming valid accounts within Active Directory.
CrackMapExec User Enumeration
CrackMapExec can enumerate domain users and provide additional useful metadata such as bad password counts and timestamps:
crackmapexec smb 172.16.5.5 --users
This output is valuable because it highlights accounts close to lockout thresholds, which should be avoided during spraying to reduce detection risk.
LDAP Anonymous Enumeration
If LDAP anonymous access is enabled, Active Directory can be queried directly:
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"
Filtering for sAMAccountName returns a list of valid usernames.
Tools like windapsearch simplify this process by automatically performing LDAP queries and formatting the output.
Kerbrute User Enumeration
When no credentials or internal access are available, Kerbrute can efficiently enumerate valid usernames using Kerberos pre-authentication behavior.
It sends authentication requests without pre-auth, and the KDC response reveals whether a username exists.
Example:
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt
This method is fast and stealthier in terms of avoiding traditional login failure logs, though it may still generate Kerberos-related events depending on logging configuration.
Credentialed Enumeration
If valid credentials are available, user enumeration becomes more accurate and complete.
Example using CrackMapExec:
crackmapexec smb 172.16.5.5 -u htb-student -p 'Academy_student_AD!' --users
This approach often reveals:
Full user lists
Password failure counters
Lockout status and timing
This is the most reliable method because it directly queries Active Directory with authenticated access.
External User Discovery
When internal enumeration is not possible, external sources can help build a username list. These include:
Company email patterns
Public documents and metadata
LinkedIn scraping tools such as linkedin2username
Although less accurate, these lists can still be effective when combined with password spraying techniques.
Internal Password Spraying using Linux
After building a valid username list using one of the previously discussed methods, the next step is executing the password spraying attack. This stage is critical because it is one of the primary ways to obtain valid domain credentials, but it must be performed carefully to avoid account lockouts or detection.
Internal Password Spraying from Linux
Once a username list is prepared, Linux-based tools can be used to attempt authentication against Active Directory using a single password across multiple accounts.
One common approach is using rpcclient in a loop. A successful authentication is not always obvious, but a valid login typically returns an "Authority Name" response. This can be filtered to show only successful attempts.
Example Bash one-liner:
for u in $(cat valid_users.txt); do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; doneExample output:
Account Name: tjohnson, Authority Name: INLANEFREIGHT
Account Name: sgage, Authority Name: INLANEFREIGHT
This indicates successful authentication for those users.
Using Kerbrute for Password Spraying
Kerbrute can also be used to perform password spraying directly against Kerberos authentication:
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1This method quickly tests all users against a single password. Successful logins are clearly marked in the output:
[+] VALID LOGIN: sgage@inlanefreight.local:Welcome1Kerbrute is efficient and fast, making it useful when working with large user lists.
Note :
RPCClient can appear to confirm a successful password spray because it authenticates using SMB/NTLM, which may accept the provided username and password and establish a session at the service level, even when Kerberos would not accept the same credentials; however, Kerbrute performs Kerberos pre-authentication directly against the Key Distribution Center (KDC), which enforces stricter validation rules such as correct realm formatting, proper user principal naming (UPN vs sAMAccountName), and valid Kerberos pre-auth flow, meaning that a password that seems valid in NTLM-based SMB authentication does not necessarily generate a valid Kerberos ticket-granting ticket (TGT), resulting in RPCClient showing apparent success while Kerbrute returns zero successful logins.
Using CrackMapExec for Password Spraying
CrackMapExec provides another effective method for spraying credentials across SMB:
crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +
Successful logins are displayed clearly, allowing quick identification of valid credentials.
Once a valid password is discovered, it should be verified against a single user to confirm correctness:
crackmapexec smb 172.16.5.5 -u avazquez -p Password123Local Administrator Password Reuse
Password spraying is not limited to domain accounts. Local administrator accounts are often reused across multiple systems, especially in environments that rely on standardized system images.
If a local administrator password is recovered, it can sometimes be reused across multiple hosts, significantly expanding access.
CrackMapExec can be used to test local credentials across a subnet:
crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +This checks each machine individually using the local account context. A successful result indicates that the same local administrator password is reused on multiple systems.
Key Considerations
Internal password spraying must be handled carefully due to detection and lockout risks:
Always use a single password per spray cycle
Introduce delays between attempts
Avoid exceeding lockout thresholds
Prefer low and slow testing over aggressive brute force behavior
Common Security Weakness: Password Reuse
A frequent issue in enterprise environments is password reuse:
Local administrator passwords reused across many hosts
Domain and local account passwords matching patterns
Similar passwords used across different domains in trust relationships
For example:
desktop%@admin123might also work asserver%@admin123
A user's domain password may also work for their admin account
NTLM Hash Spraying (Local Admin)
In some cases, only an NTLM hash is available instead of a plaintext password. This hash can be sprayed across multiple machines to identify reused credentials.
The --local-auth flag ensures authentication is tested only locally on each host, reducing noise and preventing domain-wide lockout issues.
Security Remediation Insight
While powerful, this technique is highly noisy and should be used carefully in assessments that require stealth. However, it remains important to test because password reuse is still a common real-world weakness.
A recommended mitigation is implementing tools like Local Administrator Password Solution (LAPS), which ensures each host has a unique, automatically rotating local administrator password managed by Active Directory.
Internal password spraying is a simple concept but highly effective when user enumeration and password policy information are available. Its success depends less on guessing power and more on preparation, timing, and understanding how authentication systems behave under repeated attempts. When used carefully, it can reveal valid credentials with minimal noise, but it also carries real risk if executed without awareness of lockout policies and detection mechanisms.
If you have any questions or require further clarification, don't hesitate to reach out. Additionally, you can stay connected for more advanced cybersecurity insights and updates:
- LinkedIn: https://www.linkedin.com/in/ehxb/
Stay tuned for more comprehensive write-ups and tutorials to deepen your cybersecurity expertise. 🚀