Windows FOR Loop Password Spraying Made Easy

By: Carrie Roberts @OrOneEqualsOne

Carrie Roberts
Walmart Global Tech Blog
3 min read · Jun 12, 2020


This blog post provides a quick paste-and-go solution for running a password spray from the Windows command line. Password spraying with a FOR loop is nothing new. I first learned this method many years ago from John Strand’s SANS 504 class. It looks like this:

Basic Password Spraying FOR Loop

This command iterates through a list of users and then attempts to authenticate to the domain controller using each password in the password file. It prints the username and password to the screen for each success.

Before you use this command you need to replace “DOMAIN” with the Active Directory domain name and “DC-NAME” with the name of a domain controller. There are some improvements that can be made to this command, and I offer them below:

  1. Use environment variables to fill in the domain and domain controller names automagically (%userdomain% and %logonserver%).
  2. Iterate through the password list first, and then the username list, so that we only try one password per user at a time. This reduces the chances of locking out accounts.
  3. Properly handle spaces in usernames and passwords. For this we need to add “delims=” to each of our FOR loops and wrap the username and password variables in double quotes.

Improved Password Spraying FOR Loop
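The one-password-per-user loop described above leaves a distinctive trace in the domain controller's Security log: a single source producing one failed logon for many different accounts within a short window, none of them reaching the lockout threshold. As an added example (my code, not from the post), here is a small Python detector for that pattern over constructed Event ID 4625 records; the window, minimum account count and lockout threshold are assumed defaults to tune against your own lockout policy.

```python
"""Flag a password spray (one password tried across many accounts) in Windows
Security logon-failure events. Sample data below is constructed, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 (failed logon) records: timestamp, event id, account, source.
SAMPLE_4625 = """\
2020-06-12T09:00:01 4625 alice WS-42
2020-06-12T09:00:02 4625 bob WS-42
2020-06-12T09:00:03 4625 carol WS-42
2020-06-12T09:00:04 4625 dave WS-42
2020-06-12T09:00:05 4625 erin WS-42
2020-06-12T09:00:06 4625 frank WS-42
2020-06-12T09:05:00 4625 alice WS-07
2020-06-12T09:05:10 4625 alice WS-07
2020-06-12T09:05:20 4625 alice WS-07
2020-06-12T09:05:30 4625 alice WS-07
"""

def parse_events(text):
    # Return (timestamp, account, source) tuples for each 4625 line.
    events = []
    for line in text.splitlines():
        ts, event_id, user, source = line.split()
        if event_id == "4625":
            events.append((datetime.fromisoformat(ts), user.lower(), source))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5,
                 lockout_threshold=3):
    """Map each source to the accounts it sprayed: within one sliding window the
    source failed against >= min_accounts distinct accounts while staying below
    lockout_threshold failures on each. Single-account brute force is not reported."""
    by_source = defaultdict(list)
    for ts, user, source in events:
        by_source[source].append((ts, user))
    hits = {}
    for source, evs in by_source.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start
                start += 1
            counts = defaultdict(int)
            for _, user in evs[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) < lockout_threshold:
                if len(counts) > len(hits.get(source, ())):  # keep the widest window
                    hits[source] = sorted(counts)
    return hits
```

Running `detect_spray(parse_events(SAMPLE_4625))` reports WS-42 (six accounts, one failure each) and stays silent on WS-07, which hammers a single account and is a job for lockout alerting instead.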

Ok, so now we are down to just having to build our username and password lists. I like to be extra careful and spray with only one password at a time, instead of a list. In that case we can remove the part of the loop that iterates through the password file.

Lastly, the most annoying part … generating the username list. It is easy to get a list of users with the “net users /domain” command but it doesn’t return them in the format we need, which is one username per line. This leaves us doing something like copying the “net users /domain” output into Excel and manipulating it until it is a one column list of all the usernames. Doing this over and over again gets old fast. There must be a better way and there is … PowerShell. But I wanted a solution that uses only the Windows Command shell for the following reasons:

  1. PowerShell may not be available for use due to controls enforced on the machine.
  2. PowerShell may be more closely monitored, increasing visibility to the password spray attempt.
  3. Because doing this using only console commands is hard, and I knew I’d learn something in the process of figuring it out.

And here we have it, a few commands we can copy and paste to parse the output of “net users /domain” into a list of users, one per line, and write it to the users.txt file in the %temp% directory.

Go ahead, copy and paste all those lines onto the command line of a domain joined computer and check out the users.txt file. There is also a batch file version of these commands here, if you prefer to run these commands from a batch file. I went to the extra effort to make sure these commands handle usernames with spaces in them. This is why things look more complex than you would expect, well that and the fact that parsing using only console commands is extremely limited.

Let’s put it all together into one chunk of text we can drop onto the command line at once:

Cool, all we have to do is set the password we want to spray with. This saves us from some tedious, error-prone tasks and gets us off and running in a jiffy.

Remember, don’t run a password spray without permission and be very careful to not lock out user accounts.


Developer turned Red Team . . . then Blue. SANS STI Grad. GSE Certification Holder. Dynamic Defense Engineer at Walmart.