Spray Everything

> echo $disclaimer

All information in this article is for educational use only and not to be used unless prior written authorization is given!

Spray all the things!!

One of the easiest ways to gain initial access is to obtain a set of credentials. There are several commonly exposed services, depending on the organization. The most common ones are:

  • email (Exchange, O365, etc.)

  • VPNs (Cisco, Fortinet, SonicWall, etc.)

  • various web apps

  • SSO pages


If any of the above is found, there is a good chance, given enough users, that a password spray or password brute-force attack will work.


> echo $password_spray_description

Password spraying is a technique for guessing a set of credentials across a group of users, people, or email addresses.

Example: you have a group of usernames such as user1, user2, user3, user4, etc. and want access to their accounts.

By guessing a single password for each (e.g. password123), you perform only a single logon attempt per user, thus potentially not alerting a blue team or locking the end user out.


> echo $password_bruteforce_description

Brute-forcing is a technique for attempting many logins against a single account. This is very noisy and can cause user lockout or alert the user that an attack is happening.

If the lockout threshold is known, or if there is no lockout, it is possible to keep attempting logins until the correct password is guessed.

Example: guessing passwords for user1

Perform login attempts using the following:

user1:password1

user1:password2

user1:password3

user1:password123

This can also be very effective on unmonitored services where there may be no lockout capability.
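The detection side of the two patterns just described, as an added example (not from the original post or the spraycannon project): a small Python classifier run over constructed failed-logon lines that flags a source as a spray (many distinct users, about one try each, which also holds across the delayed rounds described later in the post) or a brute force (one user, many tries). The log format and the thresholds are assumptions.

```python
"""Classify failed-logon sources as password spray vs. brute force.
Added example, not part of the original post. Log format is constructed:
"<ISO timestamp> FAIL src=<ip> user=<name>", one failed logon per line."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries one password against many users
# (spray), another hammers a single account (brute force), one is noise.
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL src=203.0.113.7 user=user1
2024-05-01T10:00:05 FAIL src=203.0.113.7 user=user2
2024-05-01T10:00:11 FAIL src=203.0.113.7 user=user3
2024-05-01T10:00:16 FAIL src=203.0.113.7 user=user4
2024-05-01T10:00:21 FAIL src=203.0.113.7 user=user5
2024-05-01T10:02:00 FAIL src=198.51.100.9 user=bob
2024-05-01T10:02:01 FAIL src=198.51.100.9 user=bob
2024-05-01T10:02:02 FAIL src=198.51.100.9 user=bob
2024-05-01T10:02:03 FAIL src=198.51.100.9 user=bob
2024-05-01T10:02:04 FAIL src=198.51.100.9 user=bob
2024-05-01T10:02:05 FAIL src=198.51.100.9 user=bob
2024-05-01T10:30:00 FAIL src=192.0.2.4 user=alice
"""

def parse(log):
    """Yield (timestamp, src, user) for every FAIL line."""
    for line in log.splitlines():
        ts, verdict, src, user = line.split()
        if verdict == "FAIL":
            yield datetime.fromisoformat(ts), src[4:], user[5:]

def classify(log, window=timedelta(hours=1), spray_users=5, brute_attempts=5):
    """Return {src: [labels]} for sources whose failures within one sliding
    window look like a spray (>= spray_users distinct accounts) and/or a
    brute force (>= brute_attempts against one account). Thresholds are
    assumed values; tune them to the estate and the lockout policy."""
    by_src = defaultdict(list)
    for ts, src, user in parse(log):
        by_src[src].append((ts, user))
    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        labels = set()
        for i, (start, _) in enumerate(events):
            # each event opens a window; count per-user failures inside it
            per_user = defaultdict(int)
            for t, u in events[i:]:
                if t - start <= window:
                    per_user[u] += 1
            if len(per_user) >= spray_users:
                labels.add("spray")
            if max(per_user.values()) >= brute_attempts:
                labels.add("bruteforce")
        if labels:
            verdicts[src] = sorted(labels)
    return verdicts
```

A spray spaced at the 30-minute delay the post mentions later still shows up here, because the distinct-user count within the window is what trips the rule, not the per-user rate.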


Many password spraying tools exist and can be found on GitHub to perform spraying attacks against various services.

I, however, found that there was no single platform for performing these types of attacks. I also found that while performing a spraying attack they were all a single one-and-done command like

> sprayingtool.exe office365 -u usernames.txt -p "password123"

This is all great and nice that it works... but I don't want to remember to perform the next spray attack in 30 minutes or an hour... I want automation!

I could wrap this command in a bash script or something... but that is hacky and not elegant. It also requires me to have multiple spray commands/tools depending on what service I want to spray, and it leads to dependency hell... (looking at you, Python tools).

Several spray tools support multiple services... but typically 3-4 at most. I wanted these features across the board. I also wanted some other nice features such as using the username as the password, webhooks for alerts, and ingesting a username:password format for spraying a list of usernames with a specific password per account, so I wrote my own framework!



Introducing....


A multi-threaded password spraying tool for use across multiple services. Written in Crystal, as it supports multi-threading, is compiled for speed, is statically typed, and is very easy to write in since it shares most of its syntax with Ruby.

For a list of supported spray types see the git page, or run:

> ./spraycannon --list-spraytypes

Features:

  • multithreaded

  • backend database for logging

  • checks against previous runs ensuring the same password is not sprayed twice

  • webhook support (teams for now but can expand)

  • username, passwords sourced from files

  • custom delay time between spray rounds

  • custom jitter time between individual attempts

  • username as password support

  • username:password support - from file as well

  • custom user-agent support

  • csv-style default output for easy readability (results go to stdout, everything else to stderr)

  • colored output

  • lockout detection (only where this can be determined) - this will also pause the spray for safety

  • mfa detection (only where this can be determined; depending on the service this may set mfa off)

  • timestamps on start and end

  • currently supports 11 different spray types.


Examples

spraycannon is simple to use from the command line, but it does have advanced options.

Some spray types are used with a target flag and/or a domain flag, allowing the target itself to be specified. Others can use the targets flag in combination with an AWS API Gateway.

Valid credentials, and one with MFA detected

Lockout detection is enabled where possible

If multiple passwords are queued, spraycannon will sleep between individual passwords

Timestamps are displayed on completion

Other Features

The --delay and --jitter features combined with the --webhook allow for a fire and forget approach.

This is extremely effective if you have a large number of users. You can set the delay to 1800s (30 min) and you will perform about 2 password sprays an hour.

With the --webhook feature you can also be alerted when you get a valid hit. That way, once you have credentials, you will know and can use them before they get reset.

Module Development

This tool is designed so that any web-request-based login can have the above support. All that is required is the logic for the web request sequence.

For example, if I have a forms login such as:

POST /login
Host: mysite.com

username=bob&password=abc123


Successful response:

200 OK
Set-Cookie: token=MyNewSuperSecretToken


Failed response:

302 redirect to /login


We can create a password spray template for this extremely easily by doing the following:

  1. make the request

  2. read the response

  3. if the response status is 200 - auth successful

  4. else - auth failed

To make this easier there is a template in src/spray_types/template.cr

Here various settings can be placed based on the use case. Going off the example above, we can edit the template.cr file as follows.

Copy the template.cr file to a new file called "demo.cr". This ensures the template can be reused later as well.

Change the name "Template" to the desired module name.

We will call it "Demo" for this.

Here we can edit the headers our logon request has. Our User-Agent should be left as is to allow for autogeneration of user agents if desired.

We can add our logic: if the response's status code is 200, the credentials are valid.

This is in the base template.

Finally the relevant data is returned. All values are false by default, so if mfa or lockout are not set they will not be triggered.

Then the main "spraycannon.cr" file can be edited to add our new module.

Clone a "when" statement from the testing line, and change "testing" and "Sprayer" to your module name (we named it Demo earlier, remember). Make sure the string is lowercase.

Now you're done. You can rebuild the source by using:

> make

This will recompile spraycannon.

Once completed you can use your new module like so:

> ./spraycannon -s demo -u user1 -p password -t "https://mysite.com/login"


And of course, when you build a new module... create a pull request so others can use it!!!