SprayHound
Overview
SprayHound is a Python-based Active Directory password spraying tool that integrates with BloodHound to identify valid user accounts and perform intelligent password spray attacks. The tool helps penetration testers identify weak credential usage patterns and account lockout thresholds while leveraging BloodHound’s graph-based reconnaissance data.
SprayHound supports multiple spray strategies, integrates with BloodHound databases, and implements safety mechanisms to avoid account lockouts during authorized testing engagements.
Prerequisites
- Python 3.7+
- Network access to target Domain Controller
- Valid domain name or IP address
- BloodHound database (optional but recommended)
- Administrative privileges on local machine (for packet analysis)
Installation
Linux/macOS
```bash
# Clone repository
git clone https://github.com/ShutdownRepo/SprayHound.git
cd SprayHound

# Create virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Install as command-line tool
pip install -e .

# Verify installation
sprayhound --version
```
Windows (PowerShell)
```powershell
# Clone repository
git clone https://github.com/ShutdownRepo/SprayHound.git
cd SprayHound

# Create virtual environment
python -m venv venv
.\venv\Scripts\Activate.ps1

# Install dependencies
pip install -r requirements.txt

# Run directly
python sprayhound.py --help
```
Docker Installation
```bash
# Build Docker image
docker build -t sprayhound .

# Run in container
docker run -it sprayhound --help

# Mount local files
docker run -v /path/to/data:/data sprayhound --help
```
Basic Usage
Simple Password Spray
```bash
# Basic spray against domain
sprayhound -d example.com -u wordlist.txt -p password123

# With domain controller IP
sprayhound -d example.com -dc 192.168.1.10 -u users.txt -p Summer2024!

# Single user test
sprayhound -d example.com -u testuser -p password123
```
User Enumeration
```bash
# Get valid users from domain (requires valid credentials)
sprayhound -d example.com -dc 192.168.1.10 --enum-users

# Enumerate with specific account
sprayhound -d example.com -u admin -p password -dc 192.168.1.10 --enum-users

# Export user list
sprayhound -d example.com --enum-users --output users_list.txt
```
BloodHound Integration
```bash
# Use BloodHound data for user targeting
sprayhound -d example.com -p password123 --bloodhound-import results.zip

# Target specific user groups from BloodHound
sprayhound -d example.com -p password123 --bloodhound-group "Domain Users"

# Integration with Neo4j database
sprayhound -d example.com -p password123 --neo4j-uri bolt://localhost:7687 \
  --neo4j-user neo4j --neo4j-password password
```
Common Commands
| Command | Description |
|---|---|
| `sprayhound -d DOMAIN -u USERS -p PASSWORD` | Basic spray attack |
| `sprayhound -d DOMAIN --enum-users` | Enumerate valid users |
| `sprayhound -d DOMAIN -u USERS -p WORDLIST --wordlist` | Spray with password list |
| `sprayhound -d DOMAIN --dc IP_ADDRESS` | Specify domain controller |
| `sprayhound -d DOMAIN --bloodhound-import FILE` | Load BloodHound data |
| `sprayhound -d DOMAIN --lockout-threshold 5` | Set lockout safety |
| `sprayhound -d DOMAIN -u USERS -p PASS --delay 5` | Add delay between attempts |
| `sprayhound -d DOMAIN --smtp SERVER` | Use SMTP server for spray |
| `sprayhound -d DOMAIN --output results.txt` | Save results to file |
| `sprayhound -d DOMAIN --verbose` | Detailed output |
Advanced Spray Strategies
Intelligent Spray with Lockout Protection
```bash
# Query lockout threshold and spray safely
sprayhound -d example.com -u users.txt -p password123 \
  --query-lockout \
  --delay 60 \
  --safety-check

# Use specific lockout threshold
sprayhound -d example.com -u users.txt -p password123 \
  --lockout-threshold 5 \
  --lockout-observation-window 30
```
Multiple Password Spray
```bash
# Spray multiple passwords from file
sprayhound -d example.com -u users.txt -p passwords.txt --wordlist

# Spray with common passwords
sprayhound -d example.com -u users.txt --common-passwords

# Custom password list with frequency control
sprayhound -d example.com -u users.txt -p passwords.txt \
  --wordlist \
  --delay 120 \
  --per-password-delay 5
```
BloodHound-Targeted Attacks
```bash
# Target high-value accounts from BloodHound
sprayhound -d example.com -p password123 \
  --bloodhound-import output.zip \
  --target-high-privilege

# Spray against specific group members
sprayhound -d example.com -p password123 \
  --bloodhound-import output.zip \
  --target-group "Domain Admins"

# Use BloodHound to find spray targets
sprayhound -d example.com \
  --bloodhound-import output.zip \
  --analyze-for-spray \
  --output spray_targets.txt
```
Credential Stuffing
```bash
# Spray using credential pairs
sprayhound -d example.com --credentials credentials.txt --wordlist-style

# CSV format credentials
sprayhound -d example.com --credentials users_passwords.csv \
  --csv-format username,password

# Multiple credential sources
cat wordlists/*.txt | sprayhound -d example.com -u users.txt --stdin
```
User Enumeration Techniques
LDAP-Based Enumeration
```bash
# Anonymous LDAP enumeration
sprayhound -d example.com --ldap-enum --anonymous

# LDAP with credentials
sprayhound -d example.com -u admin -p password \
  --ldap-enum \
  --ldap-filter "(objectClass=user)"

# Export LDAP data
sprayhound -d example.com --ldap-enum --output ldap_users.txt
```
SMTP User Enumeration
```bash
# Use SMTP for user validation
sprayhound -d example.com --smtp mailserver.example.com --enum-smtp

# SMTP with authentication
sprayhound -d example.com --smtp mailserver.example.com \
  --smtp-user admin \
  --smtp-password password \
  --enum-smtp
```
Kerberos Pre-auth Enumeration
```bash
# AS-REP roasting user enumeration
sprayhound -d example.com --asrep-enum

# Export AS-REP-roastable accounts
sprayhound -d example.com --asrep-enum --output asrep_accounts.txt
```
Configuration
Config File Example
```bash
# Create configuration file
cat > sprayhound.conf << 'EOF'
[domain]
name = example.com
dc = 192.168.1.10
timeout = 5

[spray]
delay_between_attempts = 5
delay_per_password = 120
safety_check_enabled = true
lockout_threshold = 5

[logging]
verbose = true
output_file = sprayhound_results.txt
debug = false

[bloodhound]
enabled = true
import_path = /path/to/bloodhound/output.zip
neo4j_uri = bolt://localhost:7687
EOF

# Use configuration file
sprayhound --config sprayhound.conf
```
Environment Variables
```bash
# Set domain controller
export SPRAYHOUND_DC=192.168.1.10
export SPRAYHOUND_DOMAIN=example.com

# Set spray parameters
export SPRAYHOUND_DELAY=5
export SPRAYHOUND_LOCKOUT_THRESHOLD=5

# Run with environment variables
sprayhound -u users.txt -p password123
```
Output and Results Analysis
Result Formats
```bash
# Text output (default)
sprayhound -d example.com -u users.txt -p password123 --output results.txt

# JSON output for processing
sprayhound -d example.com -u users.txt -p password123 --output results.json --json

# CSV output for spreadsheets
sprayhound -d example.com -u users.txt -p password123 --output results.csv --csv
```
Parsing Results
```bash
# Find successful credentials
grep "SUCCESS\|FOUND" sprayhound_results.txt

# Extract valid users
grep "valid user" results.txt | cut -d':' -f1 > valid_users.txt

# Count attempts and successes
echo "Total attempts: $(wc -l < results.txt)"
echo "Successful: $(grep -c "SUCCESS" results.txt)"
```
JSON Result Analysis
```bash
# Parse JSON results with jq
cat results.json | jq '.successful_credentials[]'

# Extract username/password pairs
cat results.json | jq -r '.successful_credentials[] | "\(.username):\(.password)"'

# Filter by domain
cat results.json | jq '.[] | select(.domain == "example.com")'
```
Integration with Other Tools
BloodHound Integration
```bash
# Run BloodHound collection first
python3 bloodhound.py -d example.com -u admin -p password123 -c All -ns 192.168.1.10

# Import results into SprayHound
sprayhound -d example.com -p password123 \
  --bloodhound-import 20240101_120000_bloodhound.zip

# Import into Neo4j directly
sprayhound -d example.com -p password123 \
  --neo4j-uri bolt://localhost:7687 \
  --neo4j-user neo4j \
  --neo4j-password password
```
Metasploit Integration
```bash
# Export valid users for Metasploit
sprayhound -d example.com --enum-users --output users_for_msf.txt

# Use results in Metasploit
msfconsole << 'EOF'
use auxiliary/scanner/smb/smb_enumusers
set RHOSTS 192.168.1.10
set DOMAINUSER_FILE /path/to/users_for_msf.txt
run
EOF
```
Hashcat/JohnTheRipper
```bash
# Export credentials found for offline cracking
sprayhound -d example.com --export-ntlm >> hashes.txt

# Use with Hashcat
hashcat -m 1000 hashes.txt rockyou.txt

# Pass to John
john --wordlist=rockyou.txt --format=NT hashes.txt
```
Defensive Countermeasures
Detection and Monitoring
```bash
# Test detection signatures
sprayhound -d example.com -u users.txt -p password123 --simulate

# Log analysis
grep "SprayHound\|Password\|Failed" /var/log/auth.log
```
```powershell
# Event log analysis (Windows): the 100 most recent failed-logon events
Get-EventLog -LogName Security -InstanceId 4625 -Newest 100
```
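Detection logic for the Event ID 4625 analysis in this section, added here as an example (it is not part of SprayHound or of the original page): it flags a source that fails logons against many distinct accounts, with few attempts per account, inside a sliding time window. The record layout, function name and thresholds are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs); the field order is an assumption:
# (timestamp, event_id, source_ip, target_account)
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", 4625, "10.0.0.50", "alice"),
    ("2024-01-01T09:02:00", 4625, "10.0.0.50", "bob"),
    ("2024-01-01T09:04:00", 4625, "10.0.0.50", "carol"),
    ("2024-01-01T09:06:00", 4625, "10.0.0.50", "dave"),
    ("2024-01-01T09:08:00", 4625, "10.0.0.50", "erin"),
    ("2024-01-01T09:10:00", 4624, "10.0.0.50", "frank"),  # logon success
    ("2024-01-01T09:01:00", 4625, "10.0.0.77", "gina"),   # one user retrying
    ("2024-01-01T09:01:30", 4625, "10.0.0.77", "gina"),
    ("2024-01-01T09:02:00", 4625, "10.0.0.77", "gina"),
    ("2024-01-01T09:03:00", 4625, "10.0.0.90", "henry"),
    ("2024-01-01T09:20:00", 4625, "10.0.0.90", "irene"),
]

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source_ip: {"targets": [...], "successes": [...]}} for sources whose
    4625 failures hit >= min_users distinct accounts, each <= max_per_user times,
    within one sliding window. Thresholds are illustrative assumptions."""
    failures, successes = defaultdict(list), defaultdict(set)
    for ts, event_id, src, user in events:
        if event_id == 4625:
            failures[src].append((datetime.fromisoformat(ts), user.lower()))
        elif event_id == 4624:
            successes[src].add(user.lower())
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the left edge until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = Counter(user for _, user in fails[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                # Any 4624 from the same source in the data set needs triage.
                alerts[src] = {"targets": sorted(counts),
                               "successes": sorted(successes[src])}
                break
    return alerts

if __name__ == "__main__":
    for src, hit in detect_spray(SAMPLE_EVENTS).items():
        print(src, hit)
```

A window shorter than the total spray duration misses it: with the sample data a 5-minute window produces no alert, so size the window against the delays used in testing.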
Safe Testing Parameters
```bash
# Conservative spray settings
sprayhound -d example.com -u users.txt -p password123 \
  --delay 300 \
  --per-password-delay 10 \
  --lockout-threshold 3 \
  --safety-check \
  --log-events

# Test spray without actual authentication
sprayhound -d example.com -u users.txt -p password123 --dry-run
```
Troubleshooting
Common Issues
```bash
# Connection timeout
sprayhound -d example.com -u users.txt -p password123 \
  --timeout 10 \
  --retry 3

# DNS resolution issues
sprayhound -d example.com -u users.txt -p password123 \
  --dc 192.168.1.10 \
  --dns-server 192.168.1.1

# Kerberos errors
export KRB5_CONFIG=/etc/krb5.conf
sprayhound -d example.com -u users.txt -p password123 --kerberos
```
Debugging
```bash
# Enable debug mode
sprayhound -d example.com -u users.txt -p password123 --debug

# Log to file
sprayhound -d example.com -u users.txt -p password123 \
  --log-file debug.log \
  --verbose

# Test single attempt
sprayhound -d example.com -u testuser -p password123 --verbose
```
Best Practices
- Obtain Authorization: Ensure written approval before spraying any credentials
- Lockout Protection: Always query lockout threshold and implement safety delays
- Account Selection: Use BloodHound to target relevant accounts, avoid bulk spraying
- Monitoring: Coordinate with Blue Team to monitor for detection
- Documentation: Record all attempts and results for the assessment report
- Cleanup: Account for created resources and reset any modified attributes
- Stealth: Use appropriate delays and test spray patterns during safe hours
- Communication: Maintain contact with customer throughout testing
Practical Assessment Workflows
Tier-Based Spray Strategy
```bash
# Phase 1: Enumerate users
sprayhound -d example.com --enum-users --output phase1_users.txt

# Phase 2: Test with single password
sprayhound -d example.com -u phase1_users.txt -p Password123! \
  --delay 120 \
  --output phase2_results.txt

# Phase 3: Use BloodHound for targeting
sprayhound -d example.com -p Password123! \
  --bloodhound-import output.zip \
  --target-high-privilege \
  --output phase3_admin_results.txt

# Phase 4: Analyze results
grep "SUCCESS" phase*_results.txt > successful_credentials.txt
```
Post-Compromise Assessment
```bash
# After gaining initial access
sprayhound -d example.com -u compromised_user -p found_password \
  --enum-users \
  --output internal_users.txt

# Identify adjacent accounts
sprayhound -d example.com -u internal_users.txt -p reused_password \
  --delay 180 \
  --output lateral_movement_targets.txt
```
Resources
- GitHub: https://github.com/ShutdownRepo/SprayHound
- BloodHound: https://github.com/BloodHoundAD/BloodHound
- SharpHound (C# BloodHound collector): https://github.com/BloodHoundAD/SharpHound
- Active Directory Security: https://adsecurity.org
Summary
SprayHound provides effective password spraying capabilities with intelligent account targeting through BloodHound integration. Proper authorization, lockout protection, and coordinated testing approaches are essential for safe and effective use during authorized security assessments.