Spray365 – Makes Spraying Microsoft Accounts (Office 365 / Azure AD) Easy Through Its Customizable Two-Step Password Spraying Approach
Spray365 is a password spraying tool that identifies valid credentials for
Spraying
Getting Started
Installation
Clone the repository, install the required Python packages, and run Spray365!
$ git clone https://github.com/MarkoH17/Spray365
$ cd Spray365
~/Spray365$ pip3 install -r requirements.txt
~/Spray365$ python3 spray365.pyUsage
Generate an Execution Plan
An execution plan is needed to spray credentials, so we need to create one! Spray365 can generate its own execution plan by running it in “generate” (-g) mode.
$ python3 spray365.py -g <path_for_saved_execution_plan> -d <domain_name> -u <file_containing_usernames> -pf <file_containing_passwords>e.g.
$ python3 spray365.py -g ex-plan.s365 -d example.com -u usernames -pf passwordsSpraying an Execution Plan
Once an execution plan is available, Spray365 can be used to process it. Running Spray365 in “spray” (-s) mode will process the specified execution plan and spray the appropriate credentials.
$ python3 spray365.py -s <path_to_execution_plan>e.g.
$ python3 spray365.py -s ex-plan.s365Other Options for Advanced Usage
Generate Mode Options
--delay <int>: Delay in seconds to wait between authentication attempts (default: 30)
-cID / --aad_client <string>: Client ID to use during authentication workflow (None for random selection, specify multiple in a comma-separated string) (default: None)
-eID / --aad_endpoint <string>: Endpoint ID to use during authentication workflow (None for random selection, specify multiple in a comma-separated string) (default: None)
-S / --shuffle_auth_order: Shuffle order of authentication attempts so that each iteration (User1:Pass1, User2:Pass1, User3:Pass1) will be sprayed in a random order, and with a random arrangement of passwords, e.g. (User4:Pass16, User13:Pass25, User19:Pass40). Be aware this option introduces the possibility that the time between consecutive authentication attempts for a given user may occur as quickly as DELAY seconds apart. Consider using the -mD / --min_cred_loop_delay option to enforce a minimum delay between authentication attempts for any given user. (default: False)
-SO / --shuffle_optimization_attempts <int>: Number of random execution plans to generate for identifying the fastest execution plan (default: 10)
-mD / --min_cred_loop_delay <int>: Minimum time to wait between authentication attempts for a given user. This option takes into account the time one spray iteration will take, so a pre-authentication delay may not occur every time (disable with 0) (default: 0)
-cUA / --custom_user_agent <string>: Set custom user agent for authentication requests (default: None)
-rUA, --random_user_agent: Randomize user agent for authentication requests (default: False)
Spray Mode Options
--lockout <int>: Number of account lockouts to observe before aborting spraying session (disable with 0) (default: 5)
--proxy <string>: HTTP Proxy URL (format: http[s]://proxy.address:port) (default: None)
-R / --resume_index <int>: Resume spraying passwords from this position in the execution plan (default: 0)
Acknowledgements
| Author | Tool / Other | Link |
|---|---|---|
| @__TexasRanger | msspray: Conduct password spray attacks against Azure AD as well as validate the implementation of MFA on Azure and Office 365 endpoints | https://github.com/SecurityRiskAdvisors/msspray |
Disclaimer
Usage of this software for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws, in addition to any applicable acceptable use policies. Using this software releases the author(s) of any responsiblity for misuse or damage caused.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.
