Spray365 v0.2 beta releases: password spraying tool
What is Spray365?
Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD). How is Spray365 different from the many other password spraying tools that are already available? Spray365 enables passwords to be sprayed from an “execution plan”. While having a pre-generated execution plan that describes the spraying operation well before it occurs has many other benefits that Spray365 leverages, this also allows password sprays to be resumed (-R option) after a network error or other interruption. While it is easiest to generate a Spray365 execution plan using Spray365 directly, other tools that produce a compatible JSON structure make it easy to build unique password spraying workflows.
Spray365 exposes a few options that are useful when spraying credentials. Random user agents can be used to detect and bypass insecure conditional access policies that are configured to limit the types of allowed devices. Similarly, the –shuffle_auth_order argument is a great way to spray credentials in a less-predictable manner. This option was added in an attempt to bypass intelligent account lockouts (e.g., Azure Smart Lockout). While it’s not perfect, randomizing the order in which credentials are attempted has other benefits too, like making the detection of these spraying operations even more difficult. Spray365 also supports proxying traffic over HTTP/HTTPS, which integrates well with other tools like Burp Suite for manipulating the source of the spraying operation.
Changelog v0.2 beta
🎉 What’s New
- Spray365 has been refactored into different modules, making it easier to develop new features!
- Generating execution plans have been split into two different sub-types:
normal
, andaudit
. Generating normal execution plans (spray365.py generate normal
) works the same as previous versions. However, generating audit execution plans (spray365.py generate audit
) will cause Spray365 to create all combinations ofUser-Agent
,AAD_Client
, andAAD_Endpoint
for each set of credentials. Audit-type execution plans can (and should) be sprayed with known-valid credentials to identify flaws in MFA / conditional access policy configurations. - Audit-type execution plans inspired the addition of another type of password input:
--passwords_in_userfile
. When this option is specified, each line in the user file (-u / --user_file
) will be split on a colon, where the value preceding the colon is treated as the username, and the value after the colon is treated as the password (e.g.jsmith:Password01
). - Results from spraying can be reviewed using the new
review
mode (spray365.py review <results.json>
). This new mode displays valid/invalid users and valid/partial-valid/invalid credentials.
🏗️ What’s Changed
- Arguments are now parsed using Click, simplifying validation and enforcement of mutually exclusive options.
- Credential, AuthResult, and AuthError objects were refactored. This means that only new execution plans (and Spray365 results) can be processed using v0.2.0-beta.
- Dependencies were bumped to their latest versions.
Install
$ git clone https://github.com/MarkoH17/Spray365
$ cd Spray365
~/Spray365$ pip3 install -r requirements.txt
Use
Generate an Execution Plan
An execution plan is needed to spray credentials, so we need to create one! Spray365 can generate its own execution plan by running it in “generate” (-g) mode.
$ python3 spray365.py -g <path_for_saved_execution_plan> -d <domain_name> -u <file_containing_usernames> -pf <file_containing_passwords>
e.g.
$ python3 spray365.py -g ex-plan.s365 -d example.com -u usernames -pf passwords
Spraying an Execution Plan
Once an execution plan is available, Spray365 can be used to process it. Running Spray365 in “spray” (-s) mode will process the specified execution plan and spray the appropriate credentials.
$ python3 spray365.py -s <path_to_execution_plan>
e.g.
$ python3 spray365.py -s ex-plan.s365
Copyright (c) 2021 Mark Hedrick
Source: https://github.com/MarkoH17/