
Password Spraying

One Password, Every Account

Try one commonly-used password against every account in the domain — statistically, someone always uses it.

Difficulty: Beginner | Time: ~5 min | ATT&CK: T1110.003 (Brute Force: Password Spraying)

Prerequisites:
- A list of valid domain usernames
- Knowledge of the domain password policy (lockout threshold, lockout duration, observation window)
- CrackMapExec/NetExec, Spray, or Kerbrute
1. Enumerate the Password Policy (Password Spraying, Step 1/4)

Step 1: Check the Lockout Policy

Before spraying, read the domain password policy so you know three things: how many failed logons an account tolerates before it locks out (lockout threshold), how long a locked account stays locked (lockout duration), and after how many minutes the bad-password counter resets (observation window). Skipping this step is how a spray locks out every account in the domain in one pass.

We are reading the organization's own password rules to learn our boundaries. A lockout threshold of 5 with a 30-minute observation window means the fifth failure locks the account, so at most 4 failed attempts per account fit in any 30-minute window. In practice, leave a margin of one or two attempts, because users' own mistyped logons count against the same counter. A threshold of 0 means lockout is disabled, and the only limit is detection. Also check whether fine-grained password policies (PSOs) apply to any target accounts, since a PSO overrides the domain default for the accounts it covers.
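The policy read described above, as an added example that is not part of the original page or of any of the tools it names. It parses the three lockout attributes as they come back from a base-scope LDAP search of the domain root and turns them into a spraying budget. The ldapsearch output embedded below is constructed; the DC name, domain and credential in the comment are assumptions. It goes slightly beyond the step's 5-attempt case by also handling a threshold of 0 (no lockout) and a lockout duration of "until an admin unlocks".

```python
"""Read the AD domain lockout policy and turn it into a spraying budget.

Added example, not part of the original page. The LDAP output below is
constructed; a real one comes from a base-scope search of the domain root,
for instance (assumed DC name, domain and user):
  ldapsearch -x -H ldap://DC01 -D 'jdoe@corp.local' -W -b 'DC=corp,DC=local' \
      -s base lockoutThreshold lockoutDuration lockOutObservationWindow
AD stores lockoutDuration and lockOutObservationWindow as negative
100-nanosecond intervals; lockoutThreshold 0 disables lockout entirely.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: threshold 5, 30-minute duration and observation window.
SAMPLE_LDAP_OUTPUT = """\
dn: DC=corp,DC=local
lockoutThreshold: 5
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
"""

TICKS_PER_MINUTE = 600_000_000  # 60 s * 10^7 ticks of 100 ns
NEVER = -(2 ** 63)              # 0x8000000000000000: locked until an admin unlocks


@dataclass
class LockoutPolicy:
    threshold: int                  # failed logons before lockout; 0 = never
    duration_min: Optional[float]   # None = locked until manually unlocked
    window_min: float               # minutes after which badPwdCount resets


def parse_policy(ldap_text: str) -> LockoutPolicy:
    """Parse LDIF-style 'attribute: integer' lines into a LockoutPolicy."""
    attrs = {}
    for line in ldap_text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(-?\d+)\s*$", line)
        if m:
            attrs[m.group(1).lower()] = int(m.group(2))
    duration = attrs["lockoutduration"]
    return LockoutPolicy(
        threshold=attrs["lockoutthreshold"],
        duration_min=None if duration == NEVER else abs(duration) / TICKS_PER_MINUTE,
        window_min=abs(attrs["lockoutobservationwindow"]) / TICKS_PER_MINUTE,
    )


def spray_budget(policy: LockoutPolicy, reserve: int = 2) -> dict:
    """Safe passwords per account per window, and how long to wait between rounds.

    With threshold N the Nth failure locks the account, so N-1 failures are
    tolerated. `reserve` keeps some of those for the user's own typos, which
    count toward the same badPwdCount.
    """
    if policy.threshold == 0:
        return {"lockout": False, "max_failures": None,
                "per_window": None, "wait_minutes": 0.0}
    max_failures = policy.threshold - 1
    return {"lockout": True, "max_failures": max_failures,
            "per_window": max(0, max_failures - reserve),
            "wait_minutes": policy.window_min}


def plan_rounds(policy: LockoutPolicy, passwords: list, reserve: int = 2) -> list:
    """Group candidate passwords into rounds that respect the budget.

    Returns (wait_before_minutes, [passwords]) tuples. An empty list means the
    policy leaves no safe attempts at all (e.g. threshold 1 or 2 with reserve 2).
    """
    budget = spray_budget(policy, reserve)
    if not budget["lockout"]:
        return [(0.0, list(passwords))]
    per_round = budget["per_window"]
    if per_round == 0:
        return []
    rounds = []
    for i in range(0, len(passwords), per_round):
        wait = 0.0 if i == 0 else budget["wait_minutes"]
        rounds.append((wait, list(passwords[i:i + per_round])))
    return rounds


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_LDAP_OUTPUT)
    print(pol)
    print(spray_budget(pol))
    candidates = ["Summer2024!", "Winter2024!", "Welcome1", "Password1", "Company123"]
    for wait, batch in plan_rounds(pol, candidates):
        print(f"wait {wait:.0f} min, then try {batch}")
```

The wait between rounds is the observation window measured from the last failure, so the timer starts after the round's final attempt, not its first. With the sample policy and a reserve of 2 the plan is two passwords per account every 30 minutes.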

Detection Events: Event ID 4662 (an operation was performed on an object), LDAP enumeration of user accounts. This event only appears if Directory Service Access auditing is enabled and the objects read carry a SACL.

Attack Flow: Read lockout policy (Attacker → DC01)

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.