There are a number of tools to perform this attack but this one in particular states: “DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.”
There was a story a couple of years ago that talked about how help desks were resetting passwords using the words Winter, Spring, Summer, Fall, the year, and possibly some special characters. If we think about password complexity rules, we need an uppercase letter, a lowercase letter, a number, and maybe a special character.
For example, using that logic, the password could be reset to Winter2020 with possibly a special character thrown in. Given how people typically lay out their passwords, the special character would be at the end. Using a Hashcat mask attack, we could easily generate that list. Once we have our list, we start spraying.
Before we move on, let me just dump all the syntax in advance:
powershell.exe -ExecutionPolicy ByPass
Get-DomainUserList -Domain [DOMAIN] -RemoveDisabled -RemovePotentialLockouts | Out-File -Encoding ascii users.txt
Invoke-DomainPasswordSpray -UserList users.txt -Domain [DOMAIN] -PasswordList passlist.txt -OutFile sprayed-creds.txt
After importing the module, the first thing we want to do is to get the users list:
Next, we’ll start the spray attack:
Note that it takes the domain lockout policy into account and intentionally pauses between rounds to avoid locking accounts out:
It slowly makes its way through the list but eventually — we get a hit:
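From the defender's side, the pacing described above is the signature to look for: each account fails only once or twice, so per-account lockout thresholds never fire, but one source touches many distinct accounts in a short window. The following detection logic is an added example, not part of the original post or of DomainPasswordSpray; the 4625 event lines it parses are constructed with a simplified field layout, not a real export.

```python
"""Added example: flag password-spray patterns in Windows 4625 logon failures."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified field layout, not a real export): one
# source fails once per account, ~30 s apart, the pacing a spray tool uses to
# stay under the lockout threshold; a second source is one user mistyping twice.
SAMPLE_LOG = """\
2020-01-15 09:00:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2020-01-15 09:00:31 EventID=4625 TargetUserName=bob IpAddress=10.0.0.5
2020-01-15 09:01:02 EventID=4625 TargetUserName=carol IpAddress=10.0.0.5
2020-01-15 09:01:33 EventID=4625 TargetUserName=dave IpAddress=10.0.0.5
2020-01-15 09:02:04 EventID=4625 TargetUserName=erin IpAddress=10.0.0.5
2020-01-15 09:02:35 EventID=4625 TargetUserName=frank IpAddress=10.0.0.5
2020-01-15 09:03:06 EventID=4624 TargetUserName=frank IpAddress=10.0.0.5
2020-01-15 09:05:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9
2020-01-15 09:05:10 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9
"""
LINE = re.compile(r"^(\S+ \S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")

def parse_failures(text):
    """Return [(timestamp, user, source_ip)] for 4625 (failed logon) lines only."""
    out = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        if m.group(2) == "4625":
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                        m.group(3), m.group(4)))
    return out

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map source_ip -> set of accounts for sources whose failed logons hit at
    least `min_users` distinct accounts inside a sliding window. A spray keeps
    per-account failures below the lockout threshold, so count distinct
    accounts per source instead of failures per account."""
    by_source = defaultdict(list)
    for ts, user, src in events:
        by_source[src].append((ts, user))
    hits = {}
    for src, items in by_source.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = hits.get(src, set()) | users
    return hits
```

Run against the sample, only 10.0.0.5 is reported (six accounts in under three minutes); the repeated failures for alice from 10.0.0.9 stay below the distinct-account threshold.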