Spray: A Password Spraying tool for Active Directory Credentials

Spray

A Password Spraying tool for Active Directory Credentials by Jacob Wilkin (Greenwolf)

Download

git clone https://github.com/SpiderLabs/Spray.git

Use

This script password sprays a target over a period of time. It requires the password policy as input so that accounts are not locked out.

Accompanying this script is a series of handcrafted password files for multiple languages. These have been crafted from the most common Active Directory passwords in various languages, and all fit in the complex (1 upper, 1 lower, 1 digit) category.

SMB

To password spray an SMB portal, a user list, password list, attempts per lockout period, lockout period length and the domain must be provided.

Usage:

spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>

Example:

spray.sh -smb 192.168.0.1 users.txt passwords.txt 1 35 SPIDERLABS
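
Seen from the defending side, the pacing in the example above (one guess per account every 35 minutes) still leaves a pattern in authentication logs: one source failing against many accounts while staying under the lockout threshold on each. The Python sketch below is an added example, not part of Spray or the original page; the event tuple layout, the sample records and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def detect_spray(events, window_minutes, lockout_threshold, min_accounts=5):
    """Return {source: accounts} for sources whose failed logons inside one
    lockout window touch many accounts yet stay under the threshold on each."""
    by_source = defaultdict(list)
    for ts, source, account, ok in events:
        if not ok:
            by_source[source].append((ts, account.lower()))
    window = timedelta(minutes=window_minutes)
    findings = {}
    for source, fails in by_source.items():
        fails.sort()
        # Slide a window that starts at each failure in turn.
        for i, (start, _) in enumerate(fails):
            per_account = Counter(a for ts, a in fails[i:] if ts - start < window)
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) < lockout_threshold):
                findings.setdefault(source, set()).update(per_account)
    return {s: sorted(a) for s, a in findings.items()}

def sample_events():
    """Constructed logon records (timestamp, source, account, success)."""
    t0 = datetime(2024, 1, 8, 9, 0, 0)
    users = ["alice", "bob", "carol", "dave", "erin", "frank"]
    events = []
    # Two rounds 35 minutes apart, one failed guess per account per round.
    for rnd in range(2):
        for n, user in enumerate(users):
            when = t0 + timedelta(minutes=35 * rnd, seconds=n)
            events.append((when, "10.0.0.50", user, False))
    # A user mistyping their own password: several failures, one account.
    for n in range(4):
        events.append((t0 + timedelta(seconds=20 * n), "10.0.0.7", "alice", False))
    events.append((t0 + timedelta(minutes=2), "10.0.0.7", "alice", True))
    # A single stray failure from another host.
    events.append((t0 + timedelta(minutes=5), "10.0.0.8", "bob", False))
    return events

if __name__ == "__main__":
    for src, accounts in detect_spray(sample_events(), 35, 3).items():
        print(f"possible spray from {src}: {len(accounts)} accounts {accounts}")
```

Set `window_minutes` and `lockout_threshold` to the domain's own lockout policy. Sources that legitimately front many users, such as proxies or NAT gateways, need to be allow-listed before alerting on this.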

OWA

To password spray an OWA portal, a file containing the POST request must be created, with the username set to sprayuser@domain.com and the password set to spraypassword.

Usage:

spray.sh -owa <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <RequestsFile>

Example:

spray.sh -owa 192.168.0.1 users.txt passwords.txt 1 35 post-request.txt

Lync

To password spray a Lync service, a Lync autodiscover URL or a URL that returns the www-authenticate header must be provided, along with a list of email addresses.

Usage:

spray.sh -lync <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>

Example:

spray.sh -lync https://lyncdiscover.spiderlabs.com/ users.txt passwords.txt 1 35

Example:

spray.sh -lync https://lyncweb.spiderlabs.com/Autodiscover/AutodiscoverService.svc/root/oauth/user users.txt passwords.txt 1 35

Cisco Web VPN

To password spray a Cisco Web VPN service, a target portal or server hosting a portal must be provided.

Usage:

spray.sh -cisco <targetURL> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>

Example:

spray.sh -cisco 192.168.0.1 usernames.txt passwords.txt 1 35

Password List Update

It is also possible to update the supplied 2016/2017 password list to the current year.

Usage:

spray.sh -passupdate <passwordList>

Example:

spray.sh -passupdate passwords.txt

An optional company name can also be provided to add to the list.

Usage:

spray.sh -passupdate <passwordList> <CompanyName>

Example:

spray.sh -passupdate passwords.txt Spiderlabs

Username generation

A username list can also be generated from a list of common names.

Usage:

spray.sh -genusers <firstnames> <lastnames> "<<fi><li><fn><ln>>"

Example:

spray.sh -genusers english-first-1000.txt english-last-1000.txt "<fi><ln>"

Example:

spray.sh -genusers english-first-1000.txt english-last-1000.txt "<fn>.<ln>"

Spray created by Jacob Wilkin. Copyright (C) 2017 Trustwave Holdings, Inc.

Source: https://github.com/SpiderLabs/