Comprehensive Guide on Password Spraying Attack

This article walks through a complete, hands-on password-spraying workflow against a Windows Server 2019 Domain Controller (192.168.1.7, ignite.local) using a curated list of usernames (users.txt) and the candidate password Password@1. We demonstrate seven industry-standard tools — Kerbrute, Hydra, Medusa, Metasploit, Patator, NetExec, and DomainPasswordSpray — across multiple protocols, including Kerberos, SSH, SMB, and RDP. Each section explains the tool, the exact command issued, and the credentials it recovered.

Table of Contents

  • Introduction
  • Lab Setup and Wordlist
  • Kerbrute (Kerberos Pre-Authentication)
  • Hydra (SSH Brute Force)
  • Medusa (SMB Spraying)
  • Metasploit smb_login Module
  • Patator (Multi-Purpose Brute Forcer)
  • NetExec over RDP
  • DomainPasswordSpray (PowerShell, On-Host)
  • Defensive Recommendations
  • Conclusion

Introduction

Password spraying is a high-impact credential-based attack in which a tester authenticates a single common password against a large set of usernames, deliberately staying below account-lockout thresholds. Unlike traditional brute-force attacks that hammer one account with many passwords, spraying flips the model: one password, many users. This subtle shift evades most lockout policies and routinely produces valid domain credentials in real-world Active Directory environments.

Lab Setup and Wordlist

Every spraying engagement begins with reconnaissance and a curated username list. The users.txt file used throughout this lab contains 24 candidate usernames enumerated from the target domain. Building a high-quality user list — through OSINT, LDAP enumeration, or Kerberos pre-authentication probes — is the single most important factor that determines whether a spray succeeds.

Kerbrute (Kerberos Pre-Authentication)

Kerbrute, written by Ronnie Flathers (@ropnop), is a Go-based tool that abuses Kerberos pre-authentication to validate usernames and passwords without generating Windows event ID 4625 (failed logon) on the Domain Controller. Because it speaks AS-REQ directly to the KDC on port 88, it is fast, stealthy, and the de facto first choice for AD password spraying.

We download the kerbrute_linux_amd64 binary from the official GitHub release page (v1.0.3, commit 9dad6e1). The release ships pre-compiled binaries for Linux, macOS, and Windows on both 386 and amd64 architectures, so no compilation is required.

We will first grant execute permission to the file and then launch our attack by using the following commands:

chmod 777 kerbrute_linux_amd64

./kerbrute_linux_amd64 passwordspray --dc 192.168.1.7 -d ignite.local users.txt Password@1

Kerbrute tested 23 logins in 0.034 seconds and confirmed six valid Kerberos credentials: shivam, raj, sanjeet, aaru, kinjal, and ankur — all sharing the password Password@1. The blistering speed and minimal log footprint make Kerbrute an essential first step in any AD assessment.

Hydra (SSH Brute Force)

THC-Hydra is a parallelised network logon cracker that supports more than 50 protocols, including SSH, FTP, HTTP, RDP, SMB, and Telnet. While Kerbrute targets Kerberos, Hydra excels at attacking exposed services on Linux hosts and network appliances inside the same network.

We will pivot to a Linux host (192.168.1.9) running OpenSSH and run the following command:

hydra -L users.txt -p 123 192.168.1.9 ssh

The -L flag loads our username list, and -p locks the password to 123, transforming Hydra from a brute-forcer into a focused password sprayer. Within nine seconds, Hydra confirms a valid SSH login: pentest:123. The recovered credentials provide an immediate foothold on the Linux server.

Medusa (SMB Spraying)

Medusa is a speed-oriented, modular login brute-forcer maintained by Foofus Networks. Its strengths are thread-based parallelism, a clean module system, and a simple syntax that makes it well-suited for SMB password spraying against Windows hosts.

We will now execute the following command against the Domain Controller:

medusa -h 192.168.1.7 -U users.txt -p Password@1 -M smbnt

The smbnt module performs NTLM authentication over SMB on port 445. Medusa flags five SUCCESS results — raj, sanjeet, aaru, shivam, kinjal, and ankur — and additionally reports ADMIN$ access denied, indicating the accounts are valid domain users but not local administrators on the DC.

Metasploit smb_login Module

Metasploit Framework ships an auxiliary scanner module, scanner/smb/smb_login, purpose-built for SMB credential validation. Its native integration with Metasploit’s database, session creation, and post-exploitation modules makes it ideal when the spray is part of a larger attack chain.

Inside msfconsole, we issue the following set of commands:

use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.1.7
set user_file users.txt
set password Password@1
set domain ignite.local
run

Metasploit reports six successful logins. Critically, two of these — sanjeet and shivam — carry the Administrator tag, signaling that they hold privileged group membership within the domain. This single insight transforms a credential discovery into a privilege-escalation opportunity.

Patator (Multi-Purpose Brute Forcer)

Patator is a Python-based, multi-protocol brute-force framework prized for its tabular output and granular response-code filtering. Its smb_login module can be executed with the following command:

patator smb_login host=192.168.1.7 user=FILE0 0=users.txt password=Password@1

The command iterates the username file with the FILE0 placeholder. Patator returns code 0 for six users — raj, ankur, sanjeet, aaru, shivam, kinjal — together with the IGNITE\DC banner confirming Windows 10 / Server 2019 Build 17763. Failed attempts return c000006d (STATUS_LOGON_FAILURE), making large datasets trivial to filter.

NetExec over RDP

NetExec (nxc), the actively maintained successor to CrackMapExec, is a Swiss-army knife for Active Directory operations. It supports SMB, WinRM, LDAP, MSSQL, SSH, FTP, and RDP, and integrates directly with BloodHound, Kerberos, and credential databases.

We will run the following command to spray RDP on port 3389.

nxc rdp 192.168.1.7 -u users.txt -p Password@1 --continue-on-success

The --continue-on-success flag forces NetExec to keep testing after the first hit. Six accounts authenticate successfully, and five of them — raj, sanjeet, aaru, shivam, kinjal, ankur — earn the prized Pwn3d! tag, meaning they are permitted interactive RDP sessions on the DC. This is an immediate path to graphical access on the target.

DomainPasswordSpray (PowerShell, On-Host)

DomainPasswordSpray, authored by Beau Bullock (@dafthack), is a PowerShell module that performs password spraying from a domain-joined Windows host. Because it runs natively on Windows and queries the domain through legitimate LDAP calls, it blends into normal traffic and is harder for defenders to spot than external network sprays.

We will first import the module and then execute our attack with the help of the following command:

Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Userlist users.txt -Domain ignite.local -Password Password@1

The script first queries the domain password-policy observation window (30 minutes) and waits accordingly to avoid lockout. It then sprays 24 accounts and reports SUCCESS on every single one — a complete domain-wide credential compromise. The result demonstrates the catastrophic impact of a weak, shared password policy.

Defensive Recommendations

Defending Active Directory against password spraying requires a layered approach. Organisations should enforce Azure AD Password Protection or an equivalent banned-password list to block predictable patterns such as Password@1, Welcome1, and seasonal variants. Multi-factor authentication on every external-facing service — VPN, RDP, OWA, and Microsoft 365 — eliminates the value of a stolen password almost entirely.

Detective controls matter equally. Security teams should hunt for high volumes of Kerberos pre-authentication failures (event ID 4771), correlated 4625 events across many distinct usernames within short windows, and anomalous logon source addresses. Smart account-lockout policies (5–10 attempts with a 15–30-minute reset) raise the cost of spraying without creating help-desk denial-of-service. Finally, regularly auditing service accounts for weak or non-expiring passwords closes the door on the most sprayed targets.
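The correlation described above (many distinct usernames failing from one source address inside a short window, across both Kerberos pre-authentication failures and classic logon failures) can be expressed as a small detection routine. The following Python script is an added example and is not part of the original article or of any of the tools it covers: the events are constructed sample records with simplified field names (event_id, time, user, ip) standing in for the Windows Security log's EventID, TimeCreated, TargetUserName and IpAddress, and the window and threshold values are assumptions a team would tune to its own environment. It also shows why the 4771 and 4625 streams must be combined: a sprayer that alternates Kerberos and NTLM would otherwise stay under a per-event-type threshold.

```python
"""Password-spray detector over constructed Windows Security events.

A spray leaves a characteristic footprint: one source address, many
distinct target usernames, each failing once, all inside a short window.
Kerberos pre-authentication failures (4771) and logon failures (4625) are
counted together so that mixing protocols does not split the signal.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(event_id, time, user, ip):
    """Build one simplified event record (constructed sample data)."""
    return {"event_id": event_id, "time": time, "user": user, "ip": ip}


# Constructed sample data, not real DC logs. One source sprays twelve
# accounts in eleven seconds, alternating Kerberos (4771) and NTLM (4625)
# failures; a second source is a single user mistyping a password three
# times over an hour, which should not alert; a 4624 success is ignored.
SPRAY_USERS = ["shivam", "raj", "sanjeet", "aaru", "kinjal", "ankur",
               "pentest", "alice", "bob", "carol", "dave", "erin"]
SAMPLE_EVENTS = [
    _ev(4771 if i % 2 == 0 else 4625, f"2024-05-01T09:00:{i:02d}", u, "192.168.1.50")
    for i, u in enumerate(SPRAY_USERS)
] + [
    _ev(4625, "2024-05-01T09:10:00", "raj", "192.168.1.60"),
    _ev(4625, "2024-05-01T09:40:00", "RAJ", "192.168.1.60"),
    _ev(4625, "2024-05-01T10:15:00", "raj", "192.168.1.60"),
    _ev(4624, "2024-05-01T10:16:00", "raj", "192.168.1.60"),
]


def detect_spray(events, window=timedelta(minutes=5), min_distinct_users=10,
                 event_ids=(4771, 4625)):
    """Return one alert per source IP whose failures cover at least
    min_distinct_users distinct accounts within any `window`-long span.

    Each alert reports the start of the densest window found and the
    sorted list of usernames seen in it. Assumed thresholds: tune them to
    the lockout policy and user population of the domain being monitored.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] in event_ids:
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"].lower()))

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort()
        best_users, best_start = set(), None
        i = 0
        # Sliding window: advance `i` until recs[i..j] fit inside `window`,
        # then measure how many distinct accounts that span touches.
        for j in range(len(recs)):
            while recs[j][0] - recs[i][0] > window:
                i += 1
            users = {u for _, u in recs[i:j + 1]}
            if len(users) >= min_distinct_users and len(users) > len(best_users):
                best_users, best_start = users, recs[i][0]
        if best_users:
            alerts.append({
                "ip": ip,
                "window_start": best_start.isoformat(),
                "count": len(best_users),
                "distinct_users": sorted(best_users),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f"SPRAY? {a['ip']} from {a['window_start']}: "
              f"{a['count']} distinct accounts -> {', '.join(a['distinct_users'])}")
```

Usernames are lower-cased before counting so that case variations of one account (raj and RAJ in the sample) are not mistaken for two victims, and the 4624 success record is filtered out by the event_ids tuple. Narrowing the window or raising the threshold shows how the same data drops below the alert line, which is the trade-off a detection engineer tunes against the domain's lockout settings.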

Conclusion

Across seven distinct tools and four protocols, a single weak password — Password@1 — exposed the entire ignite.local domain. The lab demonstrates that password spraying is not a sophisticated attack; it is a low-skill, high-yield technique that consistently defeats organisations relying on password complexity alone. Penetration testers should integrate spraying into every internal engagement, while blue teams must treat MFA, password filtering, and behavioral monitoring as non-negotiable controls. If users choose predictable passwords and policies permit them, sprays like the one shown here will continue to succeed in seconds.
