itsMe Posted January 25, 2022 Share Posted January 25, 2022 This is the hidden content, please Sign In or Sign Up What is Spray365? Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD). How is Spray365 different from the many other password spraying tools that are already available? Spray365 enables passwords to be sprayed from an “execution plan”. While having a pre-generated execution plan that describes the spraying operation well before it occurs has many other benefits that Spray365 leverages, this also allows password sprays to be resumed (-R option) after a network error or other interruption. While it is easiest to generate a Spray365 execution plan using Spray365 directly, other tools that produce a compatible JSON structure make it easy to build unique password spraying workflows. Spray365 exposes a few options that are useful when spraying credentials. Random user agents can be used to detect and bypass insecure conditional access policies that are configured to limit the types of allowed devices. Similarly, the –shuffle_auth_order argument is a great way to spray credentials in a less-predictable manner. This option was added in an attempt to bypass intelligent account lockouts (e.g., Azure Smart Lockout). While it’s not perfect, randomizing the order in which credentials are attempted has other benefits too, like making the detection of these spraying operations even more difficult. Spray365 also supports proxying traffic over HTTP/HTTPS, which integrates well with other tools like Burp Suite for manipulating the source of the spraying operation. Changelog v0.1.5 beta What’s New 🎉 Spray365 is now split into two modes (generate and spray) for more logical argument handling. This is a breaking change that requires Spray365 to be executed using new syntax. Example comparing new and old for generating an execution plan Old Syntax: spray365.py -g demo.s365 -d <domain> -u <username_file> -pf <password_file> --delay 10 New Syntax: spray365.py generate --execution_plan demo.s365 -d <domain> -u <username_file> -pf <password_file> --delay 10 Example comparing new and old for password spraying: Old Syntax: spray365.py -s demo.s365 --lockout 3 New Syntax: spray365.py spray --execution_plan demo.s365 --lockout 3 Successive authentication attempts for a given user with known good credentials will be skipped. This new default behavior can be reverted with the -i / --ignore_success argument in spray mode. What’s Changed An authentication request requiring interactive login (AAD error “AADSTS65001”) is now considered a successful login Help documentation improved and updated to match Spray365 capabilities This is the hidden content, please Sign In or Sign Up Link to comment Share on other sites More sharing options...
Recommended Posts