Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid accounts credentials. Password spraying uses one password (e.g. 'Password01'), or small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockputs that would normally occur when brute forcing a single account with many passwords.
Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:
· SSH (22/TCP)
· Telnet (23/TCP)
· FTP (21/TCP)
· NetBIOS / SMB / Samba (139/TCP & 445/TCP)
· LDAP (389/TCP)
· Kerberos (88/TCP)
· RDP / Terminal Services (3389/TCP)
· HTTP/HTTP Management Services (80/TCP & 443/TCP)
· MSSQL (1433/TCP)
· Oracle (1521/TCP)
· MySQL (3306/TCP)
· VNC (5900/TCP)
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols", as well as externally facing email applications, such as Office 365.
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.
In this method we will use Password Spraying this technique is great in big environments as sometimes there is a password reuse and we don't need to Brute Force an account in a live environment and lock them out.
A great tool for this in an Environment is CrackMapExec. (There are also alternatives that even work with PowerShell) we will just need to grab an account and typically use a very common format of passwords used in corporations such as Season+Year.
By creating a user list and using it against a single password, we are reversing the brute force technique instead of multiple passwords for 1 account and receiving a lockdown we can try 1 very common password against multiple users.