Search the Community

What is Spray365? Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD). How is Spray365 different from the many other password spraying tools that are already available? Spray365 enables passwords to be sprayed from an “execution plan”. While having a pre-generated execution plan that describes the spraying operation well before it occurs has many other benefits that Spray365 leverages, this also allows password sprays to be resumed (-R option) after a network error or other interruption. While it is easiest to generate a Spray365 execution plan using Spray365 directly, other tools that produce a compatible JSON structure make it easy to build unique password spraying workflows. [hide][Hidden Content]]

What is Spray365? Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD). How is Spray365 different from the many other password spraying tools that are already available? Spray365 enables passwords to be sprayed from an “execution plan”. While having a pre-generated execution plan that describes the spraying operation well before it occurs has many other benefits that Spray365 leverages, this also allows password sprays to be resumed (-R option) after a network error or other interruption. While it is easiest to generate a Spray365 execution plan using Spray365 directly, other tools that produce a compatible JSON structure make it easy to build unique password spraying workflows. Spray365 exposes a few options that are useful when spraying credentials. Random user agents can be used to detect and bypass insecure conditional access policies that are configured to limit the types of allowed devices. Similarly, the –shuffle_auth_order argument is a great way to spray credentials in a less-predictable manner. This option was added in an attempt to bypass intelligent account lockouts (e.g., Azure Smart Lockout). While it’s not perfect, randomizing the order in which credentials are attempted has other benefits too, like making the detection of these spraying operations even more difficult. Spray365 also supports proxying traffic over HTTP/HTTPS, which integrates well with other tools like Burp Suite for manipulating the source of the spraying operation. Changelog v0.1.5 beta What’s New 🎉 Spray365 is now split into two modes (generate and spray) for more logical argument handling. This is a breaking change that requires Spray365 to be executed using new syntax. Example comparing new and old for generating an execution plan Old Syntax: spray365.py -g demo.s365 -d <domain> -u <username_file> -pf <password_file> --delay 10 New Syntax: spray365.py generate --execution_plan demo.s365 -d <domain> -u <username_file> -pf <password_file> --delay 10 Example comparing new and old for password spraying: Old Syntax: spray365.py -s demo.s365 --lockout 3 New Syntax: spray365.py spray --execution_plan demo.s365 --lockout 3 Successive authentication attempts for a given user with known good credentials will be skipped. This new default behavior can be reverted with the -i / --ignore_success argument in spray mode. What’s Changed An authentication request requiring interactive login (AAD error “AADSTS65001”) is now considered a successful login Help documentation improved and updated to match Spray365 capabilities [hide][Hidden Content]]

What is Spray365? Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD). How is Spray365 different from the many other password spraying tools that are already available? Spray365 enables passwords to be sprayed from an “execution plan”. While having a pre-generated execution plan that describes the spraying operation well before it occurs has many other benefits that Spray365 leverages, this also allows password sprays to be resumed (-R option) after a network error or other interruption. While it is easiest to generate a Spray365 execution plan using Spray365 directly, other tools that produce a compatible JSON structure make it easy to build unique password spraying workflows. Spray365 exposes a few options that are useful when spraying credentials. Random user agents can be used to detect and bypass insecure conditional access policies that are configured to limit the types of allowed devices. Similarly, the –shuffle_auth_order argument is a great way to spray credentials in a less-predictable manner. This option was added in an attempt to bypass intelligent account lockouts (e.g., Azure Smart Lockout). While it’s not perfect, randomizing the order in which credentials are attempted has other benefits too, like making the detection of these spraying operations even more difficult. Spray365 also supports proxying traffic over HTTP/HTTPS, which integrates well with other tools like Burp Suite for manipulating the source of the spraying operation. Changelog v0.1.3 beta What’s New 🎉 Added behavior to ensure that results from password spraying are saved on exit (even when an exception is thrown or the application is interrupted) What’s Changed Duplicate usernames are removed before generating an execution plan Better error handling when parsing a malformed execution plan [hide][Hidden Content]]

What is Spray365? Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD). How is Spray365 different from the many other password spraying tools that are already available? Spray365 enables passwords to be sprayed from an “execution plan”. While having a pre-generated execution plan that describes the spraying operation well before it occurs has many other benefits that Spray365 leverages, this also allows password sprays to be resumed (-R option) after a network error or other interruption. While it is easiest to generate a Spray365 execution plan using Spray365 directly, other tools that produce a compatible JSON structure make it easy to build unique password spraying workflows. Spray365 exposes a few options that are useful when spraying credentials. Random user agents can be used to detect and bypass insecure conditional access policies that are configured to limit the types of allowed devices. Similarly, the –shuffle_auth_order argument is a great way to spray credentials in a less-predictable manner. This option was added in an attempt to bypass intelligent account lockouts (e.g., Azure Smart Lockout). While it’s not perfect, randomizing the order in which credentials are attempted has other benefits too, like making the detection of these spraying operations even more difficult. Spray365 also supports proxying traffic over HTTP/HTTPS, which integrates well with other tools like Burp Suite for manipulating the source of the spraying operation. Changelog v0.1.2 beta What’s New 🎉 Added -k, --insecure argument to ignore TLS errors, which is useful when proxying traffic (@fang0654) Added urllib3 (>= 1.26.5) dependency to a requirements file What’s Changed Usernames read from file have whitespace stripped before their usage Fixed resume index usage so that -R RESUME_INDEX, --resume_index RESUME_INDEX argument will resume spraying from the specified index in the execution file (1-based index), instead of starting at the credential prior to the targeted index (an off-by-one error) Requirements file is more relaxed [hide][Hidden Content]]