Scanning/Spraying
Finding your attack surface and testing credentials
Last updated
Finding your attack surface and testing credentials
Last updated
While working on the engagement, you will often keep finding new information that you should keep track of. Here is a logical way of structuring the information you find like IPs, usernames, and passwords. The rest of the commands in this section will use these files in the examples:
ips.txt: All valid IP addresses that you can reach. For example, whenever you find a new internal network, you can add more IPs to this list.
users.txt: Every valid username or domain user. Many tools accept such a list for trying some action on every user.
emails.txt: Similar to the users.txt file, but with an @domain.tld suffix to be used in tools requiring the domain per user, or for sending mass-phishing emails.
passwords.txt: Every password you find from any source. If a password has a matching username, make sure it is put on the same line as in users.txt, this way some tools like can use --no-bruteforce to try usernames with their corresponding password only.
It may also be useful to export certain environment variables to use in commands, in order to make them more generic. Variables like $DC (domain controller) or $DOMAIN (domain of the Active Directory) will be used in commands in the following sections. Set these in Linux using export:
Some protocols with some settings in Windows allow for a special "guest" user to log in without requiring real credentials. These types of authentication often grant you very low privileges, but they may be enough to do something interesting, or at least learn more about the environment.
Here are some commands that test for the existence of these types of binds:
See Nmap for a guide on scanning IP addresses for open ports. On Windows, here is a very minimal scan that can be applied to large ranges or slow connections:
When having gotten access to some machine, it may be inside some internal network not visible from the outside. Check this using ipconfig:
When all you have is access to the domain controller, but no valid credentials yet, you can use Kerberos (port 88) to test if a given username is valid. The following tool does this using a wordlist:
When you have valid domain credentials, a simpler option than brute-force is to simply query LDAP (port 389) on the domain controller, to make sure you have all existing users:
To try one (or a few) passwords on many users, there are different protocols you can use. In the end, they all query the same data, but some protocols might be unavailable due to various reasons. The most common is SMB (port 139,445), which is mainly used for sharing files over the network, but also different mechanisms like printers or some internal communication.
Important to note is that Active Directory has rate limiting in the form of blocking accounts after too many failed login attempts. In the following example, after 5 failed attempts on the account, it will be blocked for 30 minutes. Only after that period will you be able to try again.
You can see this behavior in action in the following example:
To spray a password for all users you have, simply provide a domain-joined IP with SMB open, and use the -u and -p options from which it will try all combinations:
In Spray passwords you read how most Windows protocols have a lockout policy. RDP and SSH however don't have this by default and may allow long brute-force attacks that can guess more complex passwords. The best tool for this job is hydra:
Similar to NetExec, it implements various protocols. But this tool is specially built for brute force attacks at a large scale. It does not have further exploitation capabilities, only finding credentials.
For the username, password, and IP you can choose either a static value, or try everything from a list.
To brute force RDP, or another supported protocol, simply replace ssh with rdp:
Another common task is trying common credentials on website login pages. If the login page looks like a common piece of software, your first step should be looking up the "default credentials" in a search engine. Otherwise, some of the credentials below are common defaults:
This type of prompt comes from the following response header:
When you fill out this form the browser gives you, you will send the following header with all future requests to that origin. This contains your username and password in base64 separated by a colon (:). For example, this decodes to username:password:
Hydra can automatically encode and send data like this if you provide the http-get option:
Things to look out for here are the path, and the body itself with your input in it. These can all be put into hydra in a sort of template format, where it will fill in the username and password every time. The response to this request is also good to take note of, like "Login failed". Hydra can use this to determine if a login is successful or not. For example:
You'll notice the big string at the end that separates the path, the body with ^USER^ and ^PASS^ template variables, and lastly a failed login response to look for.
When you have found credentials, they may have access to various different places with different permissions. Try using nxc to spray them as shown above while looking at the amount of access. For SMB, for example, you can list the shares you may access on each server with READ or WRITE perms:
Some various network protocols that you can gain information from, like users or the domain structure.
SMB (Server Message Block) is a protocol used mainly for sharing files on a local network. One server has multiple shares that contain a filesystem with directories and files. List shares on a server using smbclient -L and then connect to any one of them to read/write files:
Then when you have found a share, you can use commands like ls and cd to traverse the filesystem, and get <FILENAME> to download anything. If you have write permissions, the put command also lets you upload files.
To download all files recursively and look at them locally, use the following 4 commands:
A simple tool that uses LDAP access to dump as much information about the domain as possible. This can help craft more attack ideas and get you an idea of what users, groups, and permissions exist. This writes HTML, JSON, and grepable files with the results in your current directory. Especially the HTML files give a nice table with links to view your results.
Note: This tool might not require authentication to be used, as LDAP could be misconfigured for unauthenticated access. Use the -u option empty to use an anonymous session
To be able to access other machines in this newly discovered network from your own attacking machine, a useful tool is , which can tunnel the traffic like a VPN.
As a wordlist, has some lists in the 'a.smith' and 'asmith' format as this is common for organizations. Another list for only the most common (ordered) first names is here:
LDAP contains much more domain information, not just usernames. can do this.
The tool used here is , a fork of after it has been archived. This tool is very useful for spraying various protocols with credentials, and then performing actions with found logins.
When these don't work, or you can't find any, you can try to brute force it a little. Hydra also has built-in options for this for simple HTTP forms, but for more complex flows try out (details in). When things are simple, like a Basic Auth prompt, hydra suffices:
Finally, the last thing it can do with websites is automatically submit POST forms. When a custom login page is made this is by far the most common way of authenticating, which has custom parameters and URLs that will verify the credentials. To automate such a login a little bit of analysis is required to find out how a form is built, easily done by intercepting the request in a proxy like .
Some enumeration with SMB like above, as well as with RPC can be done automatically using . This tool just needs an IP address and will try to anonymously get as much information from the domain as possible, like users but also including attributes like descriptions which may contain sensitive information. Always try to run this against machines:
RPC connections can also be manually abused using the tool:
Another great tool for enumeration through LDAP is , which is focused on relations between nodes to find privilege escalation paths in a GUI.
rpcclient
