Spray Everything
> echo $disclaimer
All information in this article is for educational use only and not to be used unless prior written authorization is given!
Spray all the things!!
One of the easiest ways to gain initial access is to obtain a set of credentials. Several common services are exposed, depending on the organization. The most common ones are:
email (Exchange, O365, etc.)
VPNs (Cisco, Fortinet, SonicWall, etc.)
various web apps
SSO pages
If you find any of the above, there is a good chance, given enough users, that a password spray or password brute-force attack will work.
> echo $password_spray_description
Password spraying is a technique used to guess credentials for a group of users, people, or email addresses.
Example: you have a group of usernames such as user1, user2, user3, user4, etc. and want access to their accounts.
By guessing a single password for each (e.g. password123), you perform only a single logon attempt per user, potentially without alerting a blue team or locking the end users out.
> echo $password_bruteforce_description
Brute-forcing is a technique for repeatedly attempting logins against a single account. This is very noisy and can lock the user out or alert the user that an attack is happening.
If the lockout threshold is known, or if there is no lockout, it is possible to keep attempting logins until a correct password is guessed.
Example: guessing passwords for user1
Perform login attempts using the following:
user1:password1
user1:password2
user1:password3
user1:password123
This can also be very effective on unmonitored services where there may not be lockout capabilities.
Many password spraying tools exist on GitHub for spraying various services.
However, I found that there was no single platform for performing these types of attack. I also found that they were all a single one-and-done command like
> sprayingtool.exe office365 -u usernames.txt -p "password123"
This is all great, and nice that it works... but I don't want to have to remember to run the next spray in 30 minutes or an hour... I want automation!
I could wrap this command in a bash script or something... but that is hacky and not elegant. It also requires me to keep multiple spray commands/tools depending on which service I want to spray, and it leads into dependency hell (looking at you, Python tools).
Several spray tools support multiple services... but typically 3-4 at most. I wanted these features across the board. I also wanted some other nice features, such as using the username as the password, webhooks for alerts, and ingesting a username:password file to spray a list of usernames with a specific password per account, so I wrote my own framework!
Introducing....
A multi-threaded password spraying tool for use across multiple services. Written in Crystal, which supports multi-threading, is compiled for speed, is statically typed, and is very easy to write as it shares most of its syntax with Ruby.
For a list of supported spray types see the git page, or run:
> ./spraycannon --list-spraytypes
Features:
multithreaded
backend database for logging
previous-attempt checks ensuring the same password is not sprayed twice
webhook support (Teams for now, but can expand)
usernames and passwords sourced from files
custom delay time between spray rounds
custom jitter time between individual attempts
username-as-password support
username:password support, also from a file
custom User-Agent support
CSV-style default output for easy readability (results go to stdout, everything else goes to stderr)
colored output
lockout detection (only where this can be determined); this also pauses the spray for safety
MFA detection (only where this can be determined; depending on the service this may show MFA as off)
timestamps on start and end
Currently supports 11 different spray types.
Examples
spraycannon is simple to use from the command line, but it does have advanced options.
Some spray types take a target flag and/or a domain flag, which specify the target itself. Others can use the target flag together with an AWS API Gateway.
Valid credentials, one of them with MFA detected
Lockout detection is enabled where possible
If multiple passwords are queued, spraycannon sleeps between individual passwords
Timestamps are displayed on completion
Other Features
The --delay and --jitter features combined with --webhook allow for a fire-and-forget approach.
This is extremely effective if you have a large number of users. You can set the delay to 1800s (30 min) and you will perform about 2 password sprays an hour.
With the --webhook feature you can also be alerted when you get a valid hit. That way, once you have credentials, you will know and can use them before they get reset.
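The spray-versus-brute-force distinction described earlier, and the delay-paced rounds described here, are what a defender's detection logic has to tell apart. The following Python is an added example (not part of spraycannon or this post): it parses a constructed sample auth log in a hypothetical four-field format, flags a source as spraying when it fails against many users with few attempts each inside one window, or brute-forcing when it hammers one user, and then lists the accounts that succeeded from a flagged source.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, user, result.
# 203.0.113.5 tries one password per user per round, rounds 30 min apart; 198.51.100.7 hammers one account.
SAMPLE_LOG = """\
2024-01-01T09:00:00 203.0.113.5 alice FAIL
2024-01-01T09:00:02 203.0.113.5 bob FAIL
2024-01-01T09:00:04 203.0.113.5 carol FAIL
2024-01-01T09:00:06 203.0.113.5 dave SUCCESS
2024-01-01T09:30:01 203.0.113.5 alice FAIL
2024-01-01T09:30:03 203.0.113.5 bob FAIL
2024-01-01T09:30:05 203.0.113.5 carol FAIL
2024-01-01T10:00:00 198.51.100.7 eve FAIL
2024-01-01T10:00:01 198.51.100.7 eve FAIL
2024-01-01T10:00:02 198.51.100.7 eve FAIL
2024-01-01T10:00:03 198.51.100.7 eve FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(log):
    """Return (timestamp, source, user, result) tuples; unparseable lines are skipped."""
    matches = (LINE_RE.match(line) for line in log.splitlines())
    return [(datetime.fromisoformat(m[1]), m[2], m[3], m[4]) for m in matches if m]

def classify(events, window=timedelta(hours=1), min_users=3, max_per_user=3, min_fails=4):
    """Label a source 'spray' (many users, few failures each in one window) or
    'bruteforce' (one user, many failures). A 1h window still groups rounds 30 min apart."""
    fails = defaultdict(list)
    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            fails[src].append((ts, user))
    verdicts = {}
    for src, items in fails.items():
        for i, (start, _) in enumerate(items):
            per_user = Counter(u for ts, u in items[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                verdicts[src] = "spray"
                break
            if max(per_user.values()) >= min_fails:
                verdicts[src] = "bruteforce"
                break
    return verdicts

def compromised(events, verdicts):
    """Accounts that logged in successfully from a flagged source: reset these first."""
    return sorted({u for _, src, u, r in events if r == "SUCCESS" and src in verdicts})
```

Raising the window to cover the spray's round interval is the whole trick: a per-user failure counter never fires on one attempt per user every 30 minutes, but a per-source, multi-user count over an hour does.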
Module Development
This tool is designed so that any web-request-based login can get all of the above support. All that is required is the logic for the series of web requests.
For example, given a forms login like this:
POST /login
host: https://mysite.com
username=bob&password=abc123
Successful response:
200 OK
Cookie: token=MyNewSuperSecretToken
Failed response:
302 redirect back to /login
We can create a password spray module for this extremely easily by doing the following:
make the request
read the response
if the response status is 200, auth was successful
otherwise it failed
To make this easier there is a template in src/spray_types/template.cr
Various settings can be placed here based on the use case. Going off the example above, we edit the template.cr file as follows:
Copy template.cr to a new file called "demo.cr". This keeps the template available for later use.
Change the name "Template" to the desired module name.
We will call it "demo" for this.
Here we can edit the headers our logon request has. The User-Agent should be left as is to allow auto-generation of user agents if desired.
Add our logic: if the response status code is 200, the credentials are valid.
Lastly in the module, the relevant data is returned. All values are false by default, so if mfa or lockout are not set they will not be triggered.
Finally, the main "spraycannon.cr" file can be edited to add our new module.
Clone a "when" statement from the testing line, and change "testing" and "Sprayer" to your module name (we named it Demo earlier, remember). Make sure the string is lowercase.
Now you're done. Rebuild the source with:
> make
This recompiles spraycannon.
Once completed, you can use your new module like so:
> ./spraycannon -s demo -u user1 -p password -t "https://mysite.com/login"
And of course, when you build a new module... create a pull request so others can use it!