SMB spraying with different hostnames


It has been a really long time since I posted anything, so let’s try to change that :P

Some time ago I saw a cool presentation about password spraying over RDP where we can spoof machine hostnames while spraying, which makes life a nightmare for the blue team. Video This is possible when the environment we are targeting uses domain controllers running an operating system version lower than Windows Server 2016.

Each time we start an RDP connection it generates an event ID 4776 (The domain controller attempted to validate the credentials for an account).

RDP-4776

The main problem with this approach is the time it takes to spray 100 thousand user accounts. Generally each RDP connection takes about 1 second, and the output is not always correct (while testing I had multiple false positives).

Some time later, during some “testing” with the SMB protocol, I noticed that the same event ID (4776) is generated when I try to validate an account using rpcclient.

It came to my mind to use the same technique I had seen some months earlier; this time, however, the results come out much faster.

Basically the Python script is the same as RDPSpray, just using rpcclient instead of xfreerdp, so all the code credit goes to dafthack.

For this script to work we must provide a username list (after -l) and a hostname list (after -c). To keep things simple, test the users of each domain separately, or change the script to handle users from multiple domains at the same time.

The main advantages of this method over the original (RDP) are the lower number of false positives (while testing I haven’t found any) and the speed; as an example, we were able to test 333 accounts in 2:00 minutes.

If you are a fan of Pokemon as I am, you will find the machine hostnames quite interesting.

Pokemon

The script code can be found here.

Regarding the logs, I’m using the ELK stack with winlogbeat logging a few event IDs.

I was only focusing on event ID 4776, so I may have missed something that would detect this attack when rpcclient is used.
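On the detection side, the two observations above (one 4776 per validation attempt, and a different spoofed workstation name on each attempt) are enough for a simple check. Below is an added example of that check over a constructed set of 4776 events; it is not code from the post or from the spraying script, and the event field names, the KNOWN_HOSTS inventory and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4776 events, reduced to the fields this check needs.
# Status 0xc000006a = wrong password, 0x0 = credentials validated.
SAMPLE_EVENTS = [
    {"ts": "2020-01-10T09:00:01", "user": "alice", "workstation": "WS01", "status": "0xc000006a"},
    {"ts": "2020-01-10T09:00:09", "user": "alice", "workstation": "WS01", "status": "0x0"},
    # spray burst: one guess per account, a different spoofed hostname each time
    {"ts": "2020-01-10T09:10:00", "user": "bob", "workstation": "PIKACHU", "status": "0xc000006a"},
    {"ts": "2020-01-10T09:10:01", "user": "carol", "workstation": "BULBASAUR", "status": "0xc000006a"},
    {"ts": "2020-01-10T09:10:02", "user": "dave", "workstation": "CHARMANDER", "status": "0xc000006a"},
    {"ts": "2020-01-10T09:10:03", "user": "erin", "workstation": "SQUIRTLE", "status": "0x0"},
    {"ts": "2020-01-10T09:10:04", "user": "frank", "workstation": "EEVEE", "status": "0xc000006a"},
]

# Assumed inventory of hostnames that really exist in the domain.
KNOWN_HOSTS = {"WS01", "WS02", "DC01"}

EPOCH = datetime(1970, 1, 1)


def detect_spray(events, known_hosts, window=timedelta(minutes=5),
                 min_accounts=4, min_unknown_hosts=3):
    """Bucket 4776 events into fixed time windows and flag any window in which
    many distinct accounts were validated from many workstation names that are
    not in the inventory. A success inside such a window is a found password."""
    buckets = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        key = int((ts - EPOCH).total_seconds() // window.total_seconds())
        buckets[key].append(ev)

    alerts = []
    for key in sorted(buckets):
        evs = buckets[key]
        accounts = {e["user"] for e in evs}
        unknown = {e["workstation"] for e in evs} - known_hosts
        if len(accounts) >= min_accounts and len(unknown) >= min_unknown_hosts:
            alerts.append({
                "window_start": (EPOCH + timedelta(seconds=key * window.total_seconds())).isoformat(),
                "accounts": sorted(accounts),
                "unknown_workstations": sorted(unknown),
                "successes": sorted(e["user"] for e in evs if e["status"] == "0x0"),
            })
    return alerts
```

The same grouping (time bucket, distinct TargetUserName, distinct Workstation not in inventory) can be expressed as an aggregation over the winlogbeat index in Kibana instead of a script.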

Last but not least, thank you Patryk for getting the subprocess in the Python script working properly.
