SharpSpray | Active Directory Password Spraying Tool

SharpSpray is a Windows domain password spraying tool written in .NET C#.

SharpSpray is a C# port of DomainPasswordSpray with enhanced and extra capabilities. This tool uses LDAP Protocol to communicate with the Domain active directory services.

Features

  • Can operate from inside and outside a domain context.
  • Exclude domain disabled accounts from the spraying.
  • Auto gathers domain users from the Active directory.
  • Avoid potential lockouts by excluding accounts within one attempt of locking out.
  • Avoid potential lockouts by auto-gathering domain lockout observation window settings.
  • Compatible with Domain Fine-Grained Password policies.
  • Custom LDAP filter for users, e.g. (description=admin)
  • Delay in seconds between each authentication attempt.
  • Jitter between each authentication attempt.
  • Support a single password or a list of passwords.
  • Single file Console Application.

Usage

Command Line Args

> SharpSpray.exe --help

  -v, --Verbose       (Default: false) Show verbose messages.
  -u                  (Optional) Username list file path. This will be
                      automatically fetched from the active directory if not
                      specified.
  -p                  A single password that will be used to perform the
                      password spray.
  -k, --pl            (Optional) Password List file path.
  -d                  (Optional) Specify a domain name.
  -m                  (Default: false) Use this option if spraying from a host located outside
                      the Domain context.
  -q, --dc-ip         Required when the option 'm' OutsideDomain is checked
  -x                  (Default: false) Attempts to exclude disabled accounts
                      from the user list (Not supported with the option -m)
  -z                  (Default: false) Exclude accounts within 1 attempt of
                      locking out (Not supported with the option -m)
  -f                  Custom LDAP filter for users, e.g. "(description=*admin*)"
  -o                  A file to output the results to.
  -w                  Do not relay on domain lockout observation window settings and use this
                      specific value. (Default 32 minute)
  -s                  (Optional) Delay in seconds between each authentication attempt.
  -j                  (Optional) Jitter in seconds.
  --Force             Force start without asking for confirmation.
  --get-users-list    Get the domain users list from the active directory.
  --show-examples     Get domain users list from the active directory.
  --show-args         Show command line args
  --help              Display this help screen.

Usage Examples

SharpSpray.exe -v -x -z --pl password.txt
SharpSpray.exe -x -z -u users.txt --pl psswd.txt
SharpSpray.exe -x -z -u users.txt -p Passw0rd!
SharpSpray.exe -x -z -s 3 -j 1 -u users.txt -k psswd.txt -o sprayed.txt

SharpSpray.exe -w 32 -d DC-1.local --dc-ip 10.10.20.20 -u users.txt --pl psswd.txt
SharpSpray.exe -w 32 -s 3 -j 1 -d DC-1.local --dc-ip 10.10.20.20 -u users.txt --pl psswd.txt

SharpSpray.exe --get-users-list
SharpSpray.exe --get-users-list > users.txt
PS> .\SharpSpray.exe --get-users-list | Out-File -Encoding ascii users.txt

If executing from within the user’s domain context, then all you need is to specify the password(s) list to start:

SharpSpray.exe -v -x -z --pl password.txt
SharpSpray.exe -v -x -z -p Passw0rd!

Fetching only the users list from the Active Directory

The following command will fetch domain users and prints the list to the console.

SharpSpray.exe -x -z --get-users-list

-x: Exclude disabled accounts from the user list.
-z: Exclude accounts within 1 attempt of locking out.

Detection

When the tool fails to authenticate an account, a Windows event 4648 is generated

4648: A logon was attempted using explicit credentials

Sample log event

Correlating similar logs we got the following

Splunk – Assistant Search Queries

index=wineventlog EventCode=* (signature="User name is correct but the password is wrong" OR signature="User name does not exist") Target_User_Name!=*$
| stats dc(Target_User_Name) AS distinct_accounts by src_ip 
| where distinct_accounts > 2
index="wineventlog"  host=wkstn-2 EventID=4648 | fillnull value=unknwon | stats count by _time, host, SubjectUserName, TargetUserName, Computer, src_ip, signature, ProcessName | sort _time
index=wineventlog EventCode=* (signature="User name is correct but the password is wrong" OR signature="User name does not exist" OR signature="An account was successfully logged on")  | fillnull value=unknown | search Target_User_Name!=*$ src_ip=1.1.1.1 | stats count by src, src_ip ,Target_User_Name, dest, signature, EventCode, LogonType, LogonProcessName, status | sort -status

What to look for?

  • Large number of failure authentication attempts using accounts does not exists.
  • Large number of failure authentication attempts from a single IP address.
  • High number of account lockout over a defined period of time.

Leave a Reply

Your email address will not be published. Required fields are marked *