Domain Password Spray by Dafthack

At the time of writing this, we do not have very much in place to enforce what passwords can and can’t be used on the network aside of the standard group policy controls. In the past, I used to gather AD Password hashes from the domain controller and then run the password through hashcat in order to give me a list of user passwords; The Domain Password Spray Powershell script from Dafthack changes everything.

Everyday when I drive into work, I listen to my favorite podcast, Black Hills Information Security Podcast. During their show “Azure AD Recon” they started to talk about spraying passwords using their domain password spray Powershell script to test active directory user passwords to gain entry into a network or web service connected to AD. I currently work on a blue team and keep my workplace’s network safe and I immediately started thinking of ways I could use this to make user passwords stronger.

  1. To get started, visit Dafthack’s Github page for his project.
  2. Download the Powershell script
  3. Open Powershell and navigate to the Powershell script
    • “CD C:\”
  4. You will need to import the Domain Password script
    • “Import-Module DomainPasswordSpray.ps1”
    • If this script doesn’t work, you’ll need to set your execution policy to unrestricted.
      • “Set-ExecutionPolicy – ExecutionPolicy Unrestricted”
  5. Next, you’ll have to get a list of your AD usernames for the script to work
    • To do this, I used the following Powershell script:
      • ” Get-ADuser -filter * -Properties “SamAccountName” | Select-Object SAMAccountName | out-file users.txt ”
  6. Run the following command to start the password spray. You will have to change the script to work for your enviroment. The outfile will output the account/password to a text file if it cracked the password.
    • Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt

The script has a few different options that you could configure to your needs:

UserList - Optional UserList parameter. This will be generated automatically if not specified.
Password - A single password that will be used to perform the password spray.
PasswordList - A list of passwords one per line to use for the password spray (Be very careful not to lockout accounts).
OutFile - A file to output the results to.
Domain - A domain to spray against.
Force - Forces the spray to continue without prompting for confirmation.

All in all, it’s an awesome script that I plan to continue using in my daily Blue Team\Network Administration position.


If you have any questions or issues, please direct them to this link. This is not my script nor do I maintain it.

Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *