SharpSpray is a Windows domain password spraying tool written in .NET C#.
SharpSpray is a C# port of DomainPasswordSpray with enhanced and extra capabilities. This tool uses LDAP Protocol to communicate with the Domain active directory services.
- Can operate from inside and outside a domain context.
- Exclude domain disabled accounts from the spraying.
- Auto gathers domain users from the Active directory.
- Avoid potential lockouts by excluding accounts within one attempt of locking out.
- Avoid potential lockouts by auto-gathering domain lockout observation window settings.
- Compatible with Domain Fine-Grained Password policies.
- Custom LDAP filter for users, e.g. (description=admin)
- Delay in seconds between each authentication attempt.
- Jitter between each authentication attempt.
- Support a single password or a list of passwords.
- Single file Console Application.
> SharpSpray.exe --help -v, --Verbose (Default: false) Show verbose messages. -u (Optional) Username list file path. This will be automatically fetched from the active directory if not specified. -p A single password that will be used to perform the password spray. -k, --pl (Optional) Password List file path. -d (Optional) Specify a domain name. -m (Default: false) Use this option if spraying from a host located outside the Domain context. -q, --dc-ip Required when the option 'm' OutsideDomain is checked -x (Default: false) Attempts to exclude disabled accounts from the user list (Not supported with the option -m) -z (Default: false) Exclude accounts within 1 attempt of locking out (Not supported with the option -m) -f Custom LDAP filter for users, e.g. "(description=*admin*)" -o A file to output the results to. -w Do not relay on domain lockout observation window settings and use this specific value. (Default 32 minute) -s (Optional) Delay in seconds between each authentication attempt. -j (Optional) Jitter in seconds. --Force Force start without asking for confirmation. --get-users-list Get the domain users list from the active directory. --show-examples Get domain users list from the active directory. --show-args Show command line args --help Display this help screen.
SharpSpray.exe -v -x -z --pl password.txt SharpSpray.exe -x -z -u users.txt --pl psswd.txt SharpSpray.exe -x -z -u users.txt -p Passw0rd! SharpSpray.exe -x -z -s 3 -j 1 -u users.txt -k psswd.txt -o sprayed.txt SharpSpray.exe -w 32 -d DC-1.local --dc-ip 10.10.20.20 -u users.txt --pl psswd.txt SharpSpray.exe -w 32 -s 3 -j 1 -d DC-1.local --dc-ip 10.10.20.20 -u users.txt --pl psswd.txt SharpSpray.exe --get-users-list SharpSpray.exe --get-users-list > users.txt PS> .\SharpSpray.exe --get-users-list | Out-File -Encoding ascii users.txt
If executing from within the user’s domain context, then all you need is to specify the password(s) list to start:
SharpSpray.exe -v -x -z --pl password.txt SharpSpray.exe -v -x -z -p Passw0rd!
Fetching only the users list from the Active Directory
The following command will fetch domain users and prints the list to the console.
SharpSpray.exe -x -z --get-users-list -x: Exclude disabled accounts from the user list. -z: Exclude accounts within 1 attempt of locking out.
When the tool fails to authenticate an account, a Windows event 4648 is generated
4648: A logon was attempted using explicit credentials
Correlating similar logs we got the following
Splunk – Assistant Search Queries
index=wineventlog EventCode=* (signature="User name is correct but the password is wrong" OR signature="User name does not exist") Target_User_Name!=*$ | stats dc(Target_User_Name) AS distinct_accounts by src_ip | where distinct_accounts > 2
index="wineventlog" host=wkstn-2 EventID=4648 | fillnull value=unknwon | stats count by _time, host, SubjectUserName, TargetUserName, Computer, src_ip, signature, ProcessName | sort _time
index=wineventlog EventCode=* (signature="User name is correct but the password is wrong" OR signature="User name does not exist" OR signature="An account was successfully logged on") | fillnull value=unknown | search Target_User_Name!=*$ src_ip=22.214.171.124 | stats count by src, src_ip ,Target_User_Name, dest, signature, EventCode, LogonType, LogonProcessName, status | sort -status
What to look for?
- Large number of failure authentication attempts using accounts does not exists.
- Large number of failure authentication attempts from a single IP address.
- High number of account lockout over a defined period of time.