Description
LDAP password spray against Active Directory using SharpSpray. Supports explicit user list, built-in common-account list, or AD self-discovery.
Overview
Performs an LDAP password spray against an Active Directory domain. Built on a port of SharpSpray (itself a port of DomainPasswordSpray.ps1) that lives in the Credentials module as Invoke-PasswordSpray.
The script picks one user-source strategy via parameter sets:

| Parameter set | Purpose |
|---|---|
| Explicit | Spray a comma-separated list of usernames you supply via -Users. |
| BuiltIn | Spray a curated list of common privileged and service-account names (Administrator, helpdesk, svc_*, sqladmin, backup, etc.). |
| Discover | Auto-fetch the user list from the current domain via LDAP. Throws if the host is not domain joined. |
Each authentication attempt is emitted as an object to the pipeline so the operator can correlate successes and failures in real time. By default, only successful results are emitted — pass -SuccessOnly $false to see every attempt.
Parameters (common to all sets)

| Parameter | Description |
|---|---|
| Passwords | One or more passwords to attempt. Required. |
| Domain | Target domain FQDN. Required when OutsideDomain is true. |
| DcIp | IP address of a domain controller. Required with OutsideDomain. |
| ObservationWindowMinutes | Minutes between password rounds. Defaults to the domain lockout-observation window when domain joined. |
| DelaySeconds | Seconds between each individual auth attempt. |
| JitterSeconds | Random jitter (in seconds) applied to DelaySeconds. |
| SuccessOnly | Only emit successful results. Defaults to true. |
Parameter set: Explicit

| Parameter | Description |
|---|---|
| Users | Comma-separated list of usernames to spray. |
| OutsideDomain | Spray from a host not joined to the target domain. Requires Domain and DcIp. |
Parameter set: BuiltIn

| Parameter | Description |
|---|---|
| UseBuiltInList | Set to true to spray the built-in list. |
| OutsideDomain | Spray from a host not joined to the target domain. Requires Domain and DcIp. |
Parameter set: Discover

| Parameter | Description |
|---|---|
| DiscoverUsers | Set to true to auto-fetch users from the current domain. Throws if the host is not domain joined. |
| ExcludeDisabled | Exclude disabled accounts. Defaults to true. |
| ExcludePotentialLockouts | Exclude accounts within one attempt of locking out. Defaults to true. |
| LdapFilter | Extra LDAP filter clause, e.g. (description=*admin*). |
Dependencies
- Credentials module (loaded automatically).
- Implant must have LDAP reach to a domain controller for the target domain.
OS Support
- Windows. The Discover parameter set requires the host to be domain joined; the implant token must additionally have rights to enumerate users from AD (use Steal-Token against a domain process if the implant is running as a local user).
Example output (default — successes only)
```text
Domain  Username      Password     Success Error Timestamp
------  --------      --------     ------- ----- ---------
lab.net Administrator TestPass123! True          4/6/2026 8:02:46 PM
```

The same result object as JSON:

```json
[
  {
    "Domain": "lab.net",
    "Username": "Administrator",
    "Password": "TestPass123!",
    "Success": true,
    "Error": null,
    "Timestamp": "2026-04-06T20:02:46"
  }
]
```
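The pacing parameters above (ObservationWindowMinutes defaulting to the domain lockout-observation window, DelaySeconds, ExcludePotentialLockouts) mean a spray touches each account at most once per observation window, so per-account lockout counters never trip and per-account failure alerting never fires. What does stand out is breadth: one source producing a single failure against many distinct accounts inside one window, then repeating after the window elapses. The following Python is an added example of that detection logic, not part of this script or of SharpSpray; the event tuples are constructed sample data in the shape a SIEM would extract from Windows 4625/4771 events, and the source addresses, account names and thresholds are assumptions chosen for illustration.

```python
"""
Detect the wide-and-shallow failure pattern of a password spray.

Constructed sample only: each row is (timestamp, source_ip, target_user,
outcome). Names, addresses and thresholds are assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import takewhile

# Constructed events. Source 10.0.0.5 tries one password against six accounts,
# waits out a 30-minute observation window, then tries a second password.
# Source 10.0.0.9 is a legitimate user mistyping a password four times.
SAMPLE_EVENTS = [
    ("2026-04-06T20:00:00", "10.0.0.5", "alice", "fail"),
    ("2026-04-06T20:00:02", "10.0.0.5", "bob", "fail"),
    ("2026-04-06T20:00:04", "10.0.0.5", "carol", "fail"),
    ("2026-04-06T20:00:06", "10.0.0.5", "dave", "fail"),
    ("2026-04-06T20:00:08", "10.0.0.5", "administrator", "fail"),
    ("2026-04-06T20:00:10", "10.0.0.5", "svc_backup", "fail"),
    ("2026-04-06T20:10:00", "10.0.0.9", "carol", "fail"),
    ("2026-04-06T20:10:05", "10.0.0.9", "carol", "fail"),
    ("2026-04-06T20:10:10", "10.0.0.9", "carol", "fail"),
    ("2026-04-06T20:10:15", "10.0.0.9", "carol", "fail"),
    ("2026-04-06T20:10:20", "10.0.0.9", "carol", "success"),
    ("2026-04-06T20:35:00", "10.0.0.5", "alice", "fail"),
    ("2026-04-06T20:35:02", "10.0.0.5", "bob", "fail"),
    ("2026-04-06T20:35:04", "10.0.0.5", "carol", "fail"),
    ("2026-04-06T20:35:06", "10.0.0.5", "dave", "fail"),
    ("2026-04-06T20:35:08", "10.0.0.5", "administrator", "success"),
    ("2026-04-06T20:35:10", "10.0.0.5", "svc_backup", "fail"),
]


def parse_events(rows):
    """Turn the raw rows into (datetime, source, user, outcome) tuples."""
    return [(datetime.fromisoformat(ts), src, user, outcome)
            for ts, src, user, outcome in rows]


def detect_spray(events, window_minutes=30, min_accounts=5, max_per_account=2):
    """Flag sources whose failures are spread across many accounts but are
    shallow per account within a tumbling window. Returns one alert dict per
    (source, window) that matches; any success from that source inside the
    same window is reported so a hit can be triaged immediately."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for ts, src, user, outcome in sorted(events):
        by_source[src].append((ts, user, outcome))

    alerts = []
    for src, rows in by_source.items():
        i = 0
        while i < len(rows):
            start = rows[i][0]
            # rows are time-ordered, so the window is a contiguous prefix
            bucket = list(takewhile(lambda r: r[0] < start + window, rows[i:]))
            failures = defaultdict(int)
            successes = set()
            for _, user, outcome in bucket:
                if outcome == "fail":
                    failures[user] += 1
                else:
                    successes.add(user)
            # Spray signature: many accounts, each with very few failures.
            # A single user failing repeatedly (typo, expired password) is
            # deep-not-wide and does not match.
            if (failures and len(failures) >= min_accounts
                    and max(failures.values()) <= max_per_account):
                alerts.append({
                    "source": src,
                    "window_start": start.isoformat(),
                    "accounts": len(failures),
                    "successes": sorted(successes),
                })
            i += len(bucket)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The window length should be set to the domain's own lockout-observation window, because that is the interval a paced spray keys its rounds to; the `max_per_account` ceiling is what separates the pattern from a user who has simply forgotten a password. On the sample data the typo source is ignored and the spraying source produces two alerts, the second of which carries the account that accepted a password.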