
Spraykatz is an evolution of the tooling pentesters use during the initial internal enumeration phase. Capturing credentials with a technique like LLMNR/NetBIOS spoofing is great, but what happens when you need to dump passwords from machines at scale?

You could run procdump or Windows Credential Editor on individual machines one at a time, but a tool like Spraykatz runs the same thing across a large number of hosts and automates the whole freaking process.

Here’s What You Need

  • Spraykatz
  • Kali Linux Virtual Machine – VirtualBox

How to Use Spraykatz

Here is what the documentation says:

Spraykatz is a tool without any pretension able to retrieve credentials on Windows machines and large Active Directory environments.

It simply tries to procdump machines and parse dumps remotely in order to avoid detections by antivirus software as much as possible.
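Since the documentation quoted above describes the technique as procdump-ing the target and parsing the dump elsewhere, the signal a defender still has on the endpoint is the handle that gets opened on lsass.exe. The Python below is an added example for this post, not code from Spraykatz or from the original article: it scans Sysmon ProcessAccess (Event ID 10) records and flags any non-allowlisted process that opens LSASS with memory-read rights. The log lines are constructed in a simplified key=value form (Sysmon itself writes XML); the field names SourceImage, TargetImage and GrantedAccess and the access-mask bit values are Sysmon's and Windows' real ones, while the allowlist is an assumed baseline you would tune to your own fleet.

```python
"""Flag LSASS memory reads in Sysmon ProcessAccess (Event ID 10) events.

Added example for this article; not part of Spraykatz. The sample log lines
are constructed in a simplified key=value form using the field names Sysmon
emits for ProcessAccess (SourceImage, TargetImage, GrantedAccess).
"""
import re

# Bits of the Windows process access mask that matter for a memory dump.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Processes that legitimately open lsass.exe on a typical host. This is an
# assumed baseline (hypothetical); tune it to what your own hosts show.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# key=value pairs; values may be double-quoted (paths contain spaces).
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def is_lsass_read(event):
    """True when a non-allowlisted process opens lsass.exe with VM_READ."""
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    if source in ALLOWLISTED_SOURCES:
        return False
    # GrantedAccess is logged as a hex string such as 0x1FFFFF.
    access = int(event.get("GrantedAccess", "0"), 16)
    # A dump needs to read process memory; query-only handles are routine.
    return bool(access & PROCESS_VM_READ)


def scan(lines):
    """Return (SourceImage, GrantedAccess) for every suspicious EID 10 event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "10" and is_lsass_read(ev):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    # Routine: csrss.exe is on the allowlist even with a full-access handle.
    r'EventID=10 SourceImage="C:\Windows\System32\csrss.exe" '
    r'TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1FFFFF',
    # Suspicious: an unknown binary in Temp opens LSASS with full access.
    r'EventID=10 SourceImage="C:\Windows\Temp\procdump64.exe" '
    r'TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1FFFFF',
    # Benign: limited query rights only, no memory read.
    r'EventID=10 SourceImage="C:\Windows\System32\taskmgr.exe" '
    r'TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1000',
    # Not LSASS at all.
    r'EventID=10 SourceImage="C:\Windows\Temp\procdump64.exe" '
    r'TargetImage="C:\Windows\System32\svchost.exe" GrantedAccess=0x1410',
    # Different event type; ignored.
    r'EventID=1 Image="C:\Windows\Temp\procdump64.exe" CommandLine="procdump64.exe -ma lsass.exe"',
]

if __name__ == "__main__":
    for source, access in scan(SAMPLE_LOG):
        print(f"ALERT: {source} opened lsass.exe with GrantedAccess={access}")
```

The VM_READ check is what separates a dump from the many harmless query handles processes take on LSASS; pairing this with the Event ID 1 process-creation record for the same PID tells you what was launched and from where.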


You don’t need a plaintext password to use Spraykatz; it supports pass-the-hash. The help text says the -p flag accepts a “User’s password or NTLM hash in the LM:NT format.” Nice.

Get the Hashes

Once Spraykatz gets a successful result, the output is dumped into /misc/results, where you can check out the credential hashes.

Now that we have the password hashes, we can crack them offline using john or hashcat.

After that you can use the password to move laterally.

To see which of the new credentials are local admins on machines across the network, a good way of prioritizing local admin access over other permissions, you can try CredNinja.
