Getting access will usually tell you that the account is also valid on Active Directory (the Microsoft suite includes AD).
You can also do credential stuffing from breached data if you're getting desperate!
Password Spraying:
TREVORspray:
- Identify valid emails
- Don’t be scared to be simple!!
- Think how a lazy/forgetful user might think
trevorspray -u emails.txt -p 'Winter24!'
./trevorspray.py -e /opt/trevorspray/log/valid_emails.txt --passwords 'Winter24!' --delay 15 --no-current-ip --ssh ubuntu@100.25.38.206 -k hacking.pem
Start with a delay of 15, drop to 10, then maybe 5, and watch the alerts to avoid lockouts. Use a delay of 1 if you don't have enough time and want to say **** it and try to get something.
--no-current-ip makes it not use the Kali IP; instead it SSHes through the AWS machines.
We use multiple AWS machines (he used 10) as SSH proxies so he doesn't get caught/blocked. This limits the amount of detection.
hacking.pem is the key pair downloaded from AWS.
Valid login can look like:
- [SUCC]
- [WARN] device is not in required device state: known, or the request was blocked due to suspicious activity
You must know the lockout policy.
If they have 5 attempts, make 4 in the first hour, then wait and do 1 in the next, etc. Slow it down to avoid lockouts. They happen, but make sure it's not 100 of them and the helpdesk gets b********* because of you.
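A defender-side counterpart to the delay, proxy and lockout notes above, added here as an example and not part of the original notes: a small Python detector that scans sign-in records (a constructed sample is embedded) for exactly the low-and-slow pattern described, many accounts, a few failures each, shared rotating source IPs, and reports any account whose password was accepted from one of those IPs. The record format, the outcome labels, the thresholds and the sample users and IPs are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real logs): (timestamp, user, source IP, outcome).
# "FAIL" = password rejected; any other outcome means the password was accepted, even if
# conditional access then stopped the session (the "[WARN] device is not in required
# device state" case). Rows 1-8 are a low-and-slow spray: one guess per account, three
# rotating source IPs, every account kept well under a 5-attempt lockout threshold.
SAMPLE_EVENTS = [
    ("2024-01-15T09:00:00", "alice@corp.example", "203.0.113.10", "FAIL"),
    ("2024-01-15T09:00:15", "bob@corp.example",   "203.0.113.11", "FAIL"),
    ("2024-01-15T09:00:30", "carol@corp.example", "203.0.113.12", "FAIL"),
    ("2024-01-15T09:00:45", "dave@corp.example",  "203.0.113.10", "FAIL"),
    ("2024-01-15T09:01:00", "erin@corp.example",  "203.0.113.11", "FAIL"),
    ("2024-01-15T09:01:15", "frank@corp.example", "203.0.113.12", "FAIL"),
    ("2024-01-15T09:01:30", "grace@corp.example", "203.0.113.10", "FAIL"),
    ("2024-01-15T09:01:45", "heidi@corp.example", "203.0.113.11", "CA_BLOCKED"),
    # Benign noise: one user mistypes twice, then signs in, all from a single IP.
    ("2024-01-15T09:30:00", "ivan@corp.example",  "198.51.100.5", "FAIL"),
    ("2024-01-15T09:30:20", "ivan@corp.example",  "198.51.100.5", "FAIL"),
    ("2024-01-15T09:30:40", "ivan@corp.example",  "198.51.100.5", "SUCCESS"),
]

def detect_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=4):
    """Return one finding per time window matching the spray signature (assumed thresholds)."""
    buckets = defaultdict(list)
    for ts, user, ip, outcome in events:
        # Fixed windows aligned to the epoch; a sliding window would also catch sprays straddling a boundary.
        buckets[(datetime.fromisoformat(ts) - datetime(1970, 1, 1)) // window].append((user, ip, outcome))
    findings = []
    for _, evs in sorted(buckets.items()):
        fails_per_user = defaultdict(int)
        users_per_ip = defaultdict(set)
        for user, ip, outcome in evs:
            if outcome == "FAIL":
                fails_per_user[user] += 1
                users_per_ip[ip].add(user)
        # An IP that fails against several accounts is a spray source; one user fumbling their own password is not.
        spray_ips = {ip for ip, users in users_per_ip.items() if len(users) > 1}
        sprayed = {u for ip in spray_ips for u in users_per_ip[ip]}
        # The evasion trick in the notes (stay under lockout) is itself the signal: many users, few failures each.
        if len(sprayed) < min_users or max(fails_per_user[u] for u in sprayed) > max_per_user:
            continue
        # Any accepted password from a spray source IP is an account to reset and investigate first.
        hits = sorted({u for u, ip, o in evs if o != "FAIL" and ip in spray_ips})
        findings.append({"accounts_targeted": len(sprayed),
                         "source_ips": sorted(spray_ips),
                         "password_accepted": hits})
    return findings
```

On the sample, the spray window is reported with heidi's account flagged because the conditional-access block still means the guessed password was accepted, while ivan's own failed attempts from a single IP produce nothing.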
AWS:
- Launch a Virtual Machine
- Search for Ubuntu
- Pick free tier eligible, 64-bit
- Select and use free tier eligible for everything
- Create a new key pair
- Name it "hacking"
- View Instances
- Select the instance, Actions, Image and templates, Launch more like this
- Launch it with the same key pair
- SSH to each machine and accept the host key fingerprint before running the trevorspray command