Invoke-CleverSpray: Password spraying script detecting current and previous passwords of Active Directory users
Invoke-CleverSpray
Password spraying script that detects current and previous passwords of Active Directory users, by @flelievre
Behavior:
- Retrieves the default or a specified domain (to specify a domain, use the -Domain parameter) using Get-NetDomain from PowerView (@harmj0y) and identifies the PDCe, to which the authentication requests are sent (because the domain PDCe centralizes the “badPwdCount” attributes of the domain users)
- Retrieves all the domain user accounts using Get-NetUser from PowerView (@harmj0y), or reads them from a specified file (-UsernamesFile)
- For each user, it checks whether the “badPwdCount” attribute is lower than the threshold passed as argument (-Limit). If it is:
  - It tries to authenticate to the user's account using a provided password (-Password) or a password from a specified password list file (-PasswordFile)
  - If authentication is successful, the user’s current password has been discovered
  - If authentication is unsuccessful:
    - it checks whether the user’s “badPwdCount” attribute was incremented: if not, the provided password is a previous password of the user account (be creative, detect the user’s password creation pattern to guess their actual password 😉)
    - if the user’s “badPwdCount” attribute was incremented, no previous or current password was found for that specific user
  - If a delay is set (-Delay), it waits for Delay +/- Jitter (-Jitter); otherwise it moves directly on to the next user of the domain.
WARNING: Default -Limit is set to 1 (i.e. only the user accounts having a “badPwdCount” lower than or equal to 1 will be targeted). You can increase this value at your own risk to target more users. I cannot guarantee no users will be locked.
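For defenders, the behavior described above leaves a recognizable trace: one source failing authentication against many distinct accounts within a short period. The following is an added example, not part of Invoke-CleverSpray or its author's code, that flags this pattern in failed-logon records; the record layout, addresses, account names and thresholds are constructed assumptions. It counts failure events, assuming each failed attempt is logged, rather than reading “badPwdCount”, which per the description above does not change when a previous password is tried.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed logons: (timestamp, source address, target account).
# In practice these would be exported from the domain controllers' security logs.
FAILED_LOGONS = [
    ("2024-05-06T09:00:00", "10.0.0.23", "alice"),
    ("2024-05-06T09:02:00", "10.0.0.23", "bob"),
    ("2024-05-06T09:04:00", "10.0.0.23", "carol"),
    ("2024-05-06T09:06:00", "10.0.0.23", "dave"),
    ("2024-05-06T09:08:00", "10.0.0.23", "erin"),
    ("2024-05-06T09:10:00", "10.0.0.23", "frank"),
    # One user mistyping a password several times: many failures, one account.
    ("2024-05-06T09:01:00", "10.0.0.40", "bob"),
    ("2024-05-06T09:01:20", "10.0.0.40", "bob"),
    ("2024-05-06T09:01:45", "10.0.0.40", "bob"),
    ("2024-05-06T09:02:10", "10.0.0.40", "bob"),
    # A shared workstation with two unrelated failures.
    ("2024-05-06T09:03:00", "10.0.0.51", "grace"),
    ("2024-05-06T09:30:00", "10.0.0.51", "heidi"),
]

def detect_spray(events, window=timedelta(hours=1), min_accounts=5):
    """Return {source: accounts} for sources whose failures hit at least
    min_accounts distinct accounts inside one sliding time window."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user.lower()))
    findings = {}
    for src, rows in by_source.items():
        rows.sort()
        counts, start = defaultdict(int), 0
        for when, user in rows:
            counts[user] += 1
            # Drop failures that fell out of the window ending at `when`.
            while when - rows[start][0] > window:
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            # Keep the widest set of accounts seen for this source.
            if len(counts) >= min_accounts and len(counts) > len(findings.get(src, ())):
                findings[src] = sorted(counts)
    return findings

if __name__ == "__main__":
    for source, accounts in detect_spray(FAILED_LOGONS).items():
        print(f"possible spray from {source}: {len(accounts)} accounts {accounts}")
```

The window should be sized to cover the spacing between attempts, since the tool can pause between users (-Delay, -Jitter).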
Download
git clone https://github.com/wavestone-cdt/Invoke-CleverSpray.git
Use
Import Invoke-CleverSpray:
Import-Module .\Invoke-CleverSpray.ps1
Spray a unique password:
Invoke-CleverSpray -Password "Passw0rd"
Spray multiple passwords:
Invoke-CleverSpray -PasswordFile ".\pwd_list.txt"
Author: Francois Lelievre (@flelievre)