DomainPasswordSpray - Empire Module
This page contains detailed information about how to use the powershell/credentials/DomainPasswordSpray Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: DomainPasswordSpray
Module: powershell/credentials/DomainPasswordSpray
Source code [1]: empire/server/modules/powershell/credentials/DomainPasswordSpray.yaml
Source code [2]: empire/server/data/module_source/credentials/DomainPasswordSpray.ps1
MITRE ATT&CK:
T1110
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the DomainPasswordSpray module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the DomainPasswordSpray module:
Agent
Agent to run on.
Additional Module Options
This is a list of additional options that are supported by the DomainPasswordSpray module:
Domain
A domain to spray against.
OutFile
A file to output the results to.
Password
A single password that will be used to perform the password spray.
PasswordList
A list of passwords one per line to use for the password spray (File must be loaded from the target machine).
UserList
Optional UserList parameter. This will be generated automatically if not specified.
DomainPasswordSpray Example Usage
Here's an example of how to use the DomainPasswordSpray module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/credentials/DomainPasswordSpray
Author @dafthack
Background False
Comments https://github.com/dafthack/DomainPasswordSpray
Description DomainPasswordSpray is a tool written in PowerShell to perform a
password spray attack against users of a domain.
Language powershell
Name powershell/credentials/DomainPasswordSpray
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1110
,Record Optionsw-------,----------,-------------------------------------,
| Name | Value | Required | Description |
|--------------|-------|----------|-------------------------------------|
| Agent | | True | Agent to run on. |
|--------------|-------|----------|-------------------------------------|
| Domain | | False | A domain to spray against. |
|--------------|-------|----------|-------------------------------------|
| OutFile | | False | A file to output the results to. |
|--------------|-------|----------|-------------------------------------|
| Password | | False | A single password that will be used |
| | | | to perform the password spray. |
|--------------|-------|----------|-------------------------------------|
| PasswordList | | False | A list of passwords one per line to |
| | | | use for the password spray (File |
| | | | must be loaded from the target |
| | | | machine). |
|--------------|-------|----------|-------------------------------------|
| UserList | | False | Optional UserList parameter. This |
| | | | will be generated automatically if |
| | | | not specified. |
'--------------'-------'----------'-------------------------------------'
(Empire: usemodule/powershell/credentials/DomainPasswordSpray) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/credentials/DomainPasswordSpray) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/credentials/DomainPasswordSpray.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/credentials/DomainPasswordSpray.ps1
- https://github.com/dafthack/DomainPasswordSpray
- http://attack.mitre.org/techniques/T1110
- http://jackstromberg.com/2013/01/useraccountcontrol-attributeflag-values/
See Also
Check also the following modules related to this module:
- powershell/credentials/rubeus
- powershell/credentials/vault_credential
- powershell/credentials/invoke_kerberoast
- powershell/credentials/sessiongopher
- powershell/credentials/invoke_internal_monologue
- powershell/credentials/powerdump
- powershell/credentials/enum_cred_store
- powershell/credentials/invoke_ntlmextract
- powershell/credentials/get_lapspasswords
- powershell/credentials/sharpsecdump
- powershell/credentials/credential_injection
- powershell/credentials/tokens
- powershell/credentials/mimikatz/pth
- powershell/credentials/mimikatz/silver_ticket
- powershell/credentials/mimikatz/cache
- powershell/credentials/mimikatz/command
- powershell/credentials/mimikatz/terminal_server
- powershell/credentials/mimikatz/extract_tickets
- powershell/credentials/mimikatz/keys
- powershell/credentials/mimikatz/sam
- powershell/credentials/mimikatz/trust_keys
- powershell/credentials/mimikatz/purge
- powershell/credentials/mimikatz/logonpasswords
- powershell/credentials/mimikatz/certs
- powershell/credentials/mimikatz/dcsync
- powershell/credentials/mimikatz/lsadump
- powershell/credentials/mimikatz/mimitokens
- powershell/credentials/mimikatz/golden_ticket
- powershell/credentials/mimikatz/dcsync_hashdump
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.