Password Spraying Quiz

1.What fundamentally distinguishes password spraying from brute force?

• Spraying uses stronger passwords than brute force
• Spraying tests one or a few passwords against many accounts, distributing lockout risk across the user base instead of concentrating it on one account
• Spraying only works against administrative accounts
• Spraying requires Domain Admin credentials to execute

2.Why must the domain password policy be enumerated before spraying?

• To determine which accounts have weak passwords
• To calculate the safe spray rate from the lockout threshold and reset counter, and to select passwords that match the minimum length and complexity requirements
• To disable the lockout policy before spraying
• To identify which protocol to use for spraying

3.A domain has a lockout threshold of 5 and a 30-minute reset counter. What is a safe spray rate?

• 5 passwords per account per 30 minutes
• One password per account per 35 minutes
• Unlimited — the reset counter prevents permanent lockout
• One password per account per 5 minutes

4.Why does a successful spray usually yield standard user accounts rather than Domain Admin access?

• Because Domain Admin accounts have stronger passwords that resist spraying
• Because spraying tests common human password patterns, and most accounts in any organization are standard users — the value is the authenticated foothold, not direct admin access
• Because the spray tool only targets standard user accounts
• Because spraying cannot authenticate as administrative accounts

5.If the minimum password length is 14 characters with complexity enabled, why is 'Summer2024!' a poor spray candidate?

• Because it does not meet the complexity requirement
• Because it is only 11 characters — shorter than the 14-character minimum — so no account in the domain can have this password
• Because it contains a year, which is too easy to guess
• Because spraying tools cannot handle special characters

6.An interviewer asks: 'What would you do after a successful spray hit on a standard user account?' Which response demonstrates the strongest understanding?

• Try to spray more accounts to find an admin password
• Use the authenticated foothold for BloodHound collection, group enumeration, SPN enumeration for Kerberoasting, and further credential access — the spray provides the foothold that enables the rest of the attack chain
• Report the finding and stop testing
• Immediately attempt to access domain controllers with the sprayed credentials