To mount a successful password spraying attack, we first need a list of valid domain users to attempt to authenticate with.
There are several ways that we can gather a target list of valid users:
- By leveraging an SMB NULL session to retrieve a complete list of domain users from the domain controller
- Utilizing an LDAP anonymous bind to query LDAP anonymously and pull down the domain user list
- Using a tool such as Kerbrute to validate users against a word list taken from a source such as the statistically-likely-usernames GitHub repo, or generated with a tool such as linkedin2username to create a list of potentially valid users
- Using a set of credentials from a Linux or Windows attack system, either provided by our client or obtained through another means such as LLMNR/NBT-NS response poisoning with Responder, or even a successful password spray using a smaller wordlist
SMB NULL Session:
- If no valid domain credentials are available, you can attempt an SMB NULL session against a Domain Controller to pull a list of all users along with the domain password policy.
LDAP Anonymous Bind:
- Another way to query Domain Controllers for user information, available only if anonymous LDAP binds are allowed.
Using the SYSTEM Account:
- If you have SYSTEM access on a domain-joined host or a set of domain user credentials, you can query Active Directory directly. The SYSTEM account runs in the context of the computer account, which is itself a domain principal and can therefore query the directory like a domain user.
Alternative Methods:
- If SMB NULL sessions or anonymous LDAP binds are not available, external resources such as email harvesting or LinkedIn can help build a user list, though it will likely be incomplete.
Some tools that can leverage SMB NULL sessions and LDAP anonymous binds include enum4linux, rpcclient, and CrackMapExec, among others.
Using enum4linux
enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
Using rpcclient
rpcclient -U "" -N 172.16.5.5
rpcclient $> enumdomusers
CrackMapExec with the --users flag:
- Queries the list of domain users and shows additional information such as badpwdcount (the number of invalid logon attempts recorded for each account).
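Every spray attempt against the accounts on that list raises badpwdcount and leaves a failed-logon event on the Domain Controller, which is what a defender watches for. The following is an added detection example, not code from the original notes: it runs over a constructed set of records modelled on Windows Security Event ID 4625 (the field names and sample values are assumptions) and flags any source that fails logons against many distinct accounts within a short window, the signature of a spray as opposed to a single user mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Event ID 4625 (failed logon):
# (timestamp, target account, source IP, NTSTATUS code).
# 0xC000006A = wrong password. One source tries six accounts once each
# within ten seconds (spray pattern); another source repeatedly fails on
# a single account (ordinary mistyped password, not a spray).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "jsmith", "10.0.5.23", "0xC000006A"),
    ("2024-05-01T09:00:03", "bwhite", "10.0.5.23", "0xC000006A"),
    ("2024-05-01T09:00:05", "tjones", "10.0.5.23", "0xC000006A"),
    ("2024-05-01T09:00:07", "aking",  "10.0.5.23", "0xC000006A"),
    ("2024-05-01T09:00:09", "rlee",   "10.0.5.23", "0xC000006A"),
    ("2024-05-01T09:00:11", "mdavis", "10.0.5.23", "0xC000006A"),
    ("2024-05-01T09:10:00", "jsmith", "10.0.7.9",  "0xC000006A"),
    ("2024-05-01T09:10:30", "jsmith", "10.0.7.9",  "0xC000006A"),
    ("2024-05-01T09:11:00", "JSMITH", "10.0.7.9",  "0xC000006A"),
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: set_of_accounts} for every source whose failed
    logons touch at least `min_accounts` distinct accounts inside `window`.
    Account names are lower-cased so case variants count as one account."""
    by_src = defaultdict(list)
    for ts, user, src, _status in events:
        by_src[src].append((datetime.fromisoformat(ts), user.lower()))

    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()  # sliding window needs chronological order
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                hits[src] = users
                break  # one alert per source is enough
    return hits


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {sorted(users)}")
```

Tune `window` and `min_accounts` to the domain's lockout policy; a spray that respects the observation window will be slower than this sample, so the detection window should be at least as long as the lockout observation window.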