{
	"id": "ffb25b53-fb2c-4798-aea3-cdc43e000431",
	"created_at": "2026-04-06T00:16:06.316867Z",
	"updated_at": "2026-04-10T03:30:33.049394Z",
	"deleted_at": null,
	"sha1_hash": "8ba4f2c807c64f0f799f4633be2857582b837a15",
	"title": "Password Spraying \u0026 Other Fun with RPCCLIENT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1502492,
	"plain_text": "Password Spraying \u0026 Other Fun with RPCCLIENT\r\nBy BHIS\r\nPublished: 2015-10-30 · Archived: 2026-04-05 21:51:50 UTC\r\nJoff Thyer //\r\nADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.\r\nMany of us in the penetration testing community are used to scenarios whereby we land a targeted phishing campaign within a Windows enterprise environment and have that wonderful access into the world of Windows command line networking tools. You get your shell and before you know it, you are ready to run all your favorite enumeration commands. These are things like:\r\nC:\\\u003e NET VIEW /DOMAIN\r\nC:\\\u003e NET GROUP “Domain Administrators” /DOMAIN\r\n…and so on. Not to mention that you often have all of the wealth of Metasploit post exploitation modules and the many wonders of various PowerShell tools, such as Veil and PowerShell Empire.\r\nImagine a world where all you have is a Linux host available on an internal network with no backdoor shell access to any existing Windows system. Imagine that world wherein you are effectively segmented away from the rest of the network and cannot even capture useful network traffic using interception techniques such as Ettercap. This was indeed the case for me recently whereby all I could do was SSH into a single Linux host I controlled.\r\nhttp://www.blackhillsinfosec.com/?p=4645\r\nPage 1 of 5\r\nAfter having not been in this situation in some time, I paused a moment before recalling the wonderful world of Samba. In particular, there are two excellent and useful programs in the Samba suite, namely “rpcclient” and its friend “smbclient.” Also, let us not forget our favorite DNS utility called “dig.”\r\nMy first task was to use available reconnaissance to make informed guesses as to what the internal domain name was likely to be. There are a few different methods to think about here, but the first thing was to play with dig to determine DNS information of use. I can try to look up the Windows global catalog record and authoritative domain server records to determine domain controller addresses. Examples as follows:\r\nThis will only give me answers if I have predicted or determined the correct “domain.corp” name.\r\nNow, luckily for me, I had access to internal Nessus vulnerability report data and had determined that SMB NULL sessions were permitted to some hosts. I matched up the data to my dig results and determined that the NULL sessions were actually corresponding to domain controller addresses. My next task was to try and enumerate user and group information from the domain controllers with rpcclient only available to me. I quickly determined by using the “man” page that rpcclient could indeed perform an anonymous bind as follows:\r\n…whereby 10.10.10.10 was the chosen address of the domain controller I could anonymously bind to. After that command was run, rpcclient gives you the most excellent “rpcclient\u003e ” prompt. At this point in time, if you can use anonymous sessions, then there are some very useful commands within the tool.\r\n1. Enumerate Domain Users\r\n2. Enumerate Domain Groups\r\n3. Query Group Information and Group Membership\r\n4. Query Specific User Information (including computers) by RID.\r\nSo in working with these basic commands, I was able to survey the landscape of Windows domain user and group information pretty thoroughly.\r\nAnother technique often used during a penetration test is called “password spraying.” This is a particularly effective technique, whereby given a list of domain users and knowledge of very common password use, the tester attempts to perform a login for every user in the list. The technique is very effective, given that you deliberately limit the list of passwords to try to a small number. In fact, a single password per spraying attempt is advisable for the sole reason that you really do not want to lock accounts.\r\nBefore password spraying, it is very useful to determine the Windows domain password policy using a command such as “NET ACCOUNTS /DOMAIN” in the Windows world. However, given that we don’t have a Windows shell available to us, rpcclient gives us the following options.\r\nAt least we are able to determine the crucial information about the password length. After I write this, I will probably work out how to decode the password properties and match them back to the appropriate information but I have not yet done that task.\r\nIn order to perform a password spray attack, the next step is to pick a common password (such as “Autumn2015”) and work out our technique on how to spray using rpcclient. Conveniently, rpcclient allows us to specify some commands on the command line, which is very handy. The following two examples show a successful logon versus a failed logon. (Password of “bbb” is the correct logon).\r\nIn these examples, we specifically told rpcclient to run two commands, these being “getusername” and then “quit” to exit out of the client. Now we have all of the ingredients to perform a password spraying attack. All we need is a Bourne/bash shell loop and we are off to the races. An example of a simple shell script or command line to spray, given that the “enumdomusers” output is in the “domain-users.txt” file, would be as follows.\r\nYou know that you are successful when you see the string “Authority” appear in the output. Lack of success for each user is going to be the “NT_STATUS_LOGON_FAILURE” message.\r\nIf you begin to get the “ACCOUNT_LOCKED” failure, you should immediately stop your spray because you have likely sprayed too many times in a short period of time.\r\nAssuming you have gained access to a credential, one of the additional nice things you can do is explore the SYSVOL using the smbclient program. The syntax is as follows.\r\nI highly recommend getting familiar with the UNIX Samba suite and in particular these tools. They quite literally saved my bacon over the past week, and you could well be in the same boat needing these fun tools in your future also.\r\nSource: http://www.blackhillsinfosec.com/?p=4645",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://www.blackhillsinfosec.com/?p=4645"
	],
	"report_names": [
		"?p=4645"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434566,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ba4f2c807c64f0f799f4633be2857582b837a15.pdf",
		"text": "https://archive.orkl.eu/8ba4f2c807c64f0f799f4633be2857582b837a15.txt",
		"img": "https://archive.orkl.eu/8ba4f2c807c64f0f799f4633be2857582b837a15.jpg"
	}
}