Skip to content

A Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easy guessable passwords.

Notifications You must be signed in to change notification settings

outflanknl/Spray-AD

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Spray-AD, a Cobalt Strike tool to perform a fast Kerberos password spraying attack against Active Directory.

This tool can help Red and Blue teams to audit Active Directory useraccounts for weak, well known or easy guessable passwords and can help Blue teams to assess whether these events are properly logged and acted upon.

When this tool is executed, it generates event IDs 4771 (Kerberos pre-authentication failed) instead of 4625 (logon failure). This event is not audited by default on domain controllers and therefore this tool might help evading detection while password spraying.

Usage:

Download the Spray-AD folder and load the Spray-AD.cna script within the Cobalt Strike Script Manager.
Syntax within beacon context: Spray-AD [password to test]
This project is written in C/C++
You can use Visual Studio to compile the reflective dll's from source.

Note to Red:

Make sure you always check the Active Directory password and lockout policies before spraying to avoid lockouts.

Note to Blue:

To detect Active Directory Password Spraying, make sure to setup centralized logging and alarming within your IT environment and enable (at least) the following Advanced Audit policy on your Domain Controllers:

Audit Kerberos Authentication Service (Success & Failure). 
This policy will generate Windows Security Log Event ID 4771 (Kerberos pre-authentication failed).

More info can be found in the following post by Sean Metcalf: https://www.trimarcsecurity.com/post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing

Credits

Author: Cornelis de Plaa (@Cneelis) / Outflank

About

A Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easy guessable passwords.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published