> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/trick-0381.md).

# Active Directory Password Spraying

***

Attempt a single common password against a list of Active Directory users using NetExec (`nxc`). This helps find valid credentials without immediately triggering account lockouts, which are usually based on multiple failures against a *single* account.

```bash
nxc smb dc01.manager.htb -d manager.htb -u users.txt -p common_password.txt --continue-on-success
```

The `--continue-on-success` flag is useful to find multiple valid accounts with the same sprayed password if successful. It ensures that the tool continues password spraying the same password for all users even if a success is found.

To further manage the risk of lockouts, several options can be used:

* `--fail-limit`: Set the number of failed login attempts before moving to the next user.
* `--lockout-time`: Set the number of minutes to wait after a lockout.
* `--jitter`: Set the number of seconds to add between attempts.

An example incorporating these options might look like this:

```bash
nxc smb 10.10.10.0/24 -u users.txt -p passwords.txt --continue-on-success --fail-limit 5 --lockout-time 60 --jitter 5
```

A variation is to check if any username is used as its own password:

```bash
nxc smb dc01.manager.htb -d manager.htb -u users.txt --no-bruteforce -p users.txt
```

The `--no-bruteforce` flag prevents NetExec from pairing each username with *every* password in the list; combined with `-p users.txt`, it pairs each username with the corresponding line in the password file (which is the same username list here), effectively checking `user:user`.
