Spraying Works — Until It Locks Everyone Out
Password spraying remains one of the highest-yield internal and external techniques — and one of the easiest to execute unsafely. Successful penetration tests align spray cadence with lockout thresholds and document every attempt for the client.
Pre-Spray Checklist
- Confirm lockout policy with the client — threshold, window, reset time
- Build user list from OSINT, null sessions, or LDAP (in scope)
- Choose 1–2 passwords per window — season + company mutations, not rockyou.txt
- Target OWA, VPN, SSO, and Azure AD endpoints separately
Tools and Logging
NetExec, Spray (various), and custom scripts each produce verbose output. Log every success and failure with a timestamp in Smart Notes, tied to the user account it was tried against; this record is critical when legal or IR teams review what was attempted. CredCruncher adds breach passwords to the candidate list when employees appear in leak data.
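The flip side of cadence-aware spraying is that per-account lockout counters never trip, so the client's detection has to pivot on the source rather than the account. The following added example (not code from the page or from any of the tools named above) runs that logic over a constructed authentication log: it flags a single origin touching many distinct accounts with fewer failures each than the lockout threshold, and separately shows which accounts a plain per-account lockout counter would have locked. The log format, the 60-minute window, the 5-user minimum and the 5-failure lockout threshold are all assumptions chosen for the demonstration.

```python
"""Spray detection that aggregates by source, beside the per-account lockout
counter that a spray is designed to stay under."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data): ISO timestamp, source IP,
# target account, outcome. The format itself is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:00:02Z 203.0.113.7 alice FAIL
2024-03-04T09:00:05Z 203.0.113.7 bob FAIL
2024-03-04T09:00:08Z 203.0.113.7 carol FAIL
2024-03-04T09:00:11Z 203.0.113.7 dave FAIL
2024-03-04T09:00:14Z 203.0.113.7 erin FAIL
2024-03-04T09:00:17Z 203.0.113.7 frank FAIL
2024-03-04T09:00:20Z 203.0.113.7 grace FAIL
2024-03-04T09:00:23Z 203.0.113.7 heidi SUCCESS
2024-03-04T09:01:00Z 198.51.100.9 alice FAIL
2024-03-04T09:01:30Z 198.51.100.9 alice FAIL
2024-03-04T09:02:00Z 198.51.100.9 alice FAIL
2024-03-04T09:02:30Z 198.51.100.9 alice FAIL
2024-03-04T09:03:00Z 198.51.100.9 alice FAIL
2024-03-04T09:05:00Z 192.0.2.44 ivan FAIL
2024-03-04T09:05:10Z 192.0.2.44 ivan SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    source: str
    user: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the whitespace-separated sample format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, outcome = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(stamp, source, user, outcome == "SUCCESS"))
    return events


@dataclass(frozen=True)
class SprayAlert:
    source: str
    window_start: datetime
    distinct_users: int
    max_failures_per_user: int
    successes: tuple[str, ...]


def detect_spray(events, window=timedelta(minutes=60),
                 min_users=5, lockout_threshold=5):
    """Flag each source that fails against >= min_users distinct accounts
    inside `window` while every per-account failure count stays below
    lockout_threshold (the signature of a lockout-aware spray)."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_source[e.source].append(e)
    alerts = []
    for source, evs in by_source.items():
        best = None
        for i, anchor in enumerate(evs):  # window anchored at each event
            fails, successes = defaultdict(int), []
            for e in evs[i:]:
                if e.ts - anchor.ts > window:
                    break
                if e.success:
                    successes.append(e.user)
                else:
                    fails[e.user] += 1
            if len(fails) >= min_users and max(fails.values()) < lockout_threshold:
                cand = SprayAlert(source, anchor.ts, len(fails),
                                  max(fails.values()), tuple(successes))
                if best is None or cand.distinct_users > best.distinct_users:
                    best = cand
        if best is not None:
            alerts.append(best)
    return alerts


def accounts_that_lock_out(events, threshold=5, window=timedelta(minutes=60)):
    """Accounts a per-account counter would lock: >= threshold failures in
    `window`, counted across all sources, since lockout is per account."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            by_user[e.user].append(e.ts)
    locked = set()
    for user, stamps in by_user.items():
        for i, t0 in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - t0 <= window) >= threshold:
                locked.add(user)
                break
    return locked


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_spray(evs):
        print(f"SPRAY from {a.source}: {a.distinct_users} accounts, "
              f"max {a.max_failures_per_user} failure(s) each, hits={a.successes}")
    print("locked by per-account counter:", accounts_that_lock_out(evs))
```

On the sample, the spraying source is the only alert (7 accounts, one failure each, one success), while the per-account counter locks only `alice`, who is being hit by a separate single-account burst. Note that the sprayer's single guess against `alice` still counts toward her lockout counter: lockout is per account, not per source, which is exactly why the pre-spray checklist insists on knowing the threshold before anyone else's activity on the same accounts turns a careful spray into a mass lockout.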