SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike’s execute-assembly.
It provides a flexible way to interact with Active Directory using domain-joined and non-joined contexts, while also being able to target specific domains and domain controllers. The tool takes into consideration the domain password policy, including fine-grained password policies, in an attempt to avoid account lockouts.
Fine-grained password policies are enumerated for the users and groups that the policy applies to. If the policy applied also to groups, the group users are captured. All enabled domain users are then classified according to their password policies, in order of precedence, and marked as safe or unsafe. The remaining users are filtered against an optional user-supplied exclude list.
Besides just spraying, red team operators can view all of the password policies for a domain, all the users affected by the policy, or just view the enabled domain users. Output can be sent directly to the console or to a user-supplied output folder.
Asynchronous Password Spraying Tool for LDAP
Active Directory spraying nozzle using the LDAP protocol:
- Asynchronous spraying for faster, but not too fast, results
- Domain joined and non-joined spraying
- Tight integration w/ domain password policies and fine grained password policies
- Smart lockout prevention (lockoutThreshold n-1 just to be safe)
- Optionally spray to specific domains and domain controllers
- View password policies and the affected users
Using SharpHose Asynchronous Password Spraying Tool
Domain Joined Spray w/o Interaction
1 |
SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --output c:\temp\ --auto |
Domain Joined Spray w/ Exclusions
1 |
SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --output c:\temp\ --exclude c:\temp\exclusion_list.txt |
Non-Domain Joined Spray
1 |
SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --domain lab.local --username demo --password DemoThePlanet --output c:\temp\ |
Domain Joined Show Policies
Active Directory stores durations in negative large integer values which need to lapse after the last lockoutThreshold is exceeded.
1 |
SharpHose.exe --action GET_POLICIES --output c:\temp\ |
You can download SharpHose here:
Or read more here.