A Cobalt Strike tool to audit Active Directory user accounts for weak, well-known or easily guessable passwords.
Latest commit ac77078 Jan 9, 2020

Spray-AD, a Cobalt Strike tool to perform a fast Kerberos password spraying attack against Active Directory.

This tool can help Red and Blue teams audit Active Directory user accounts for weak, well-known or easily guessable passwords, and can help Blue teams assess whether these events are properly logged and acted upon.

When this tool is executed, it generates event ID 4771 (Kerberos pre-authentication failed) instead of 4625 (logon failure). This event is not audited by default on domain controllers, so the tool might help evade detection while password spraying.

Usage:

Download the Spray-AD folder and load the Spray-AD.cna script within the Cobalt Strike Script Manager.
Syntax within beacon context: Spray-AD [password to test]
This project is written in C/C++.
You can use Visual Studio to compile the reflective DLLs from source.

Note to Red:

Make sure you always check the Active Directory password and lockout policies before spraying to avoid lockouts.

Note to Blue:

To detect Active Directory password spraying, make sure to set up centralized logging and alerting within your IT environment and enable (at least) the following Advanced Audit Policy setting on your Domain Controllers:

Audit Kerberos Authentication Service (Success & Failure). 
This policy will generate Windows Security Log Event ID 4771 (Kerberos pre-authentication failed).

More info can be found in the following post by Sean Metcalf: https://www.trimarcsecurity.com/post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
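
One way to turn the 4771 events into a spraying alert, as an added example that is not part of Spray-AD or the original README: it flags any source address whose bad-password failures (failure code 0x18) touch many distinct accounts within a short window. The dictionary layout, the thresholds and the sample events are assumptions constructed for illustration; the key names follow the 4771 EventData fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = "0x18"  # 4771 failure code for a wrong password

def find_spray_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: [accounts]} for sources whose 4771 bad-password
    failures hit at least min_accounts distinct accounts within one window."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4771 or ev["Status"].lower() != BAD_PASSWORD:
            continue
        ip = ev["IpAddress"].replace("::ffff:", "", 1)  # strip IPv4-mapped prefix
        when = datetime.fromisoformat(ev["TimeCreated"])
        by_source[ip].append((when, ev["TargetUserName"].lower()))

    flagged = {}
    for ip, hits in by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the left edge until the span fits inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {user for _, user in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(ip, set()).update(accounts)
    return {ip: sorted(users) for ip, users in flagged.items()}

def make_event(ts, user, ip, status="0x18"):
    # Constructed record; keys mirror the 4771 EventData field names.
    return {"EventID": 4771, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "Status": status}

# Constructed sample data, not taken from a real log.
SAMPLE_EVENTS = (
    # One source, one failure per account, seconds apart: flagged.
    [make_event(f"2020-01-09T10:00:{i:02d}", f"user{i:02d}", "::ffff:10.0.0.50")
     for i in range(8)]
    # One user mistyping a password: many failures, one account. Not flagged.
    + [make_event(f"2020-01-09T10:01:{i:02d}", "alice", "::ffff:10.0.0.21")
       for i in range(6)]
    # Five accounts but an hour apart: only flagged with a wider window.
    + [make_event(f"2020-01-09T1{i}:30:00", f"staff{i}", "::ffff:10.0.0.77")
       for i in range(5)]
    # Failure code 0x12 (account disabled, expired or locked out) is skipped.
    + [make_event("2020-01-09T10:02:00", "bob", "::ffff:10.0.0.50", "0x12")]
)

if __name__ == "__main__":
    print(find_spray_sources(SAMPLE_EVENTS))
```

Tune `window` and `min_accounts` against your own baseline of legitimate 4771 volume, and run a second pass with a wider window to cover failures spread over hours.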

Credits

Author: Cornelis de Plaa (@Cneelis) / Outflank
