
codewatchorg/PowerSniper

PowerSniper

Password spraying script and helper for creating password lists.

The Python script (passdist.py) uses configurable parameters to extract complex passwords from a password list such as rockyou.txt. It then computes the Damerau-Levenshtein distance between each extracted password and a list of common passwords (the text file in this repository contains the top 20 most common rockyou passwords that could easily be modified into a complex password, i.e. not the ones that are all digits). The maximum distance at which a password is kept is configurable, with a default of 4, and the results are written to a CSV file.
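The same distance measure can back a password-change filter, because a password can satisfy complexity rules and still sit a few edits away from a common one. The following is an added example, not code from this repository: it implements the optimal-string-alignment variant of Damerau-Levenshtein inline rather than calling jellyfish, and the function names, the three-entry list, the complexity rule and the case-insensitive comparison are assumptions.

```python
# Added example (not from the PowerSniper repository).
# Constructed sample list; the repository's own toplist file is not reproduced.
COMMON = ["password", "princess", "iloveyou"]

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]

def meets_complexity(pw, passmin=7):
    """Assumed rule: minimum length and at least three of four character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= passmin and sum(classes) >= 3

def nearest_common(pw, common=COMMON):
    """Return (distance, entry) for the closest common password, ignoring case."""
    return min((osa_distance(pw.lower(), c), c) for c in common)

def reject_reason(pw, passdist=4):
    """Password-change filter: None if acceptable, otherwise why it is refused."""
    if not meets_complexity(pw):
        return "fails complexity"
    dist, base = nearest_common(pw)
    if dist <= passdist:
        return f"within distance {dist} of common password '{base}'"
    return None
```
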

The PowerShell script loops through usernames and passwords and attempts to authenticate with them against various Microsoft Exchange web-based services.  The script supports pausing after a specified lockout count for a specified period of time to prevent account lockouts.
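Because the script pauses before the lockout count is reached, per-account lockout counters stay quiet, so detection has to look at breadth: one source failing against many accounts with only a few attempts each. The following is an added example, not part of this repository; the log format, thresholds and function names are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source, account, outcome); not real logs.
SAMPLE = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:03 203.0.113.7 bob FAIL
2024-05-01T09:00:05 203.0.113.7 carol FAIL
2024-05-01T09:00:07 203.0.113.7 dave FAIL
2024-05-01T09:02:20 198.51.100.4 erin FAIL
2024-05-01T09:02:41 198.51.100.4 erin OK
2024-05-01T09:40:02 203.0.113.7 alice FAIL
2024-05-01T09:40:04 203.0.113.7 bob FAIL
2024-05-01T09:40:06 203.0.113.7 carol FAIL
2024-05-01T09:40:08 203.0.113.7 dave OK
"""

def parse(text):
    for line in text.splitlines():
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts), src, user, outcome

def detect_spray(text, window=timedelta(minutes=5), min_users=4, max_per_user=2):
    """Flag sources whose failures in one window hit many accounts, few tries each."""
    fails = defaultdict(list)
    for ts, src, user, outcome in parse(text):
        if outcome == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            # Thresholds are illustrative assumptions; tune to the environment.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
    return alerts

def success_from_flagged(text, alerts):
    """Successful logons from a flagged source: accounts to review and reset first."""
    return sorted({(src, user) for _, src, user, outcome in parse(text)
                   if outcome == "OK" and src in alerts})
```
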

PowerSniper supports password spraying against the following services at this time:

  • Outlook Web Access
  • Outlook Anywhere
  • ActiveSync
  • Microsoft Online
  • SMB
  • WMI

PowerEnum is a tool that performs account enumeration only. It sprays Microsoft Online with a given username list using a password of 'password' and identifies valid accounts based on error messages.

The code that loads the Microsoft.Exchange.WebServices.dll for Outlook Anywhere authentication was found in the MailSniper tool (https://github.com/dafthack/MailSniper) created by @dafthack.

Requirements

passdist.py requires jellyfish

Usage

    usage: passdist.py [-h] --wordlist WORDLIST --toplist TOPLIST [--output OUTPUT] [--passmin PASSMIN]
                       [--passmax PASSMAX] [--complex] [--passdist PASSDIST]

    Get the distances between complex passwords and top passwords used

    optional arguments:
      -h, --help           show this help message and exit
      --wordlist WORDLIST  the file with the complex rockyou passwords (default: None)
      --toplist TOPLIST    the file with the top rockyou passwords (default: None)
      --output OUTPUT      the CSV output of the analysis (default: analysis.csv)
      --passmin PASSMIN    the minimum size password to choose from (default: 7)
      --passmax PASSMAX    the maximum size password to choose from (default: 12)
      --complex            require complex passwords (default: 0)
      --passdist PASSDIST  the maximum distance between passwords to keep (default: 4)

Example passdist.py command:

    python passdist.py --wordlist rockyou.txt --toplist toplist_rockyou.txt --output lowdist.csv --passmin 7 \
        --passmax 12 --complex --passdist 4

NAME
  Invoke-PowerSniper
  
SYNOPSIS    
  This module loops through usernames and passwords and attempts to authenticate with them against various 
  Microsoft Exchange web-based services.
  
    PowerSniper Function: Invoke-PowerSniper    
    Author: Josh Berry (@codewatchorg)    
    License: BSD 3-Clause    
    Required Dependencies: None    
    Optional Dependencies: None

SYNTAX    
  Invoke-PowerSniper [[-uri] <Object>] [[-svc] <Object>] [[-userlist] <Object>] 
      [[-passlist] <Object>] [[-sos] <Object>] [[-lockout] <Object>] 
      [[-locktime] <Object>] [<CommonParameters>]

DESCRIPTION    
  This module loops through usernames and passwords and attempts to authenticate with them against 
  various Microsoft Exchange web-based services.  The script supports pausing after a specified 
  lockout count for a specified period of time to prevent account lockouts.

RELATED LINKS    
  https://blogs.technet.microsoft.com/meamcs/2015/03/06/powershell-script-to-simulate-outlook-web-access-url-user-logon/
  http://mobilitydojo.net/2010/03/30/rolling-your-own-exchange-activesync-client/
  http://mobilitydojo.net/2011/08/24/exchange-activesync-building-blocks-first-sync/
  http://mobilitydojo.net/files/EAS_BB/Part_02/HTTP_GET.cs
  https://blogs.technet.microsoft.com/heyscriptingguy/2011/12/02/learn-to-use-the-exchange-web-services-with-powershell/
  http://stackoverflow.com/questions/1582285/how-to-remove-elements-from-a-generic-list-while-iterating-over-it
  https://github.com/dafthack/MailSniper

Example PowerSniper.ps1 usage:

    # Outlook Anywhere Test
    Invoke-PowerSniper -uri https://outlook.office365.com -svc oa -userlist users.txt -passlist passwords.txt `
        -sos false -lockout 6 -locktime 30

    # ActiveSync Test
    Invoke-PowerSniper -uri https://outlook.office365.com -svc as -userlist users.txt -passlist passwords.txt `
        -sos false -lockout 6 -locktime 30

    # Outlook Web Access Test
    Invoke-PowerSniper -uri https://mail.victim.com/owa/auth.owa -svc owa -userlist users.txt `
        -passlist passwords.txt -sos false -lockout 6 -locktime 30

NAME
  Invoke-PowerEnum
  
SYNOPSIS    
  This module loops through usernames to validate accounts on MSOL.
  
    PowerEnum Function: Invoke-PowerEnum    
    Author: Josh Berry (@codewatchorg)    
    License: BSD 3-Clause    
    Required Dependencies: None    
    Optional Dependencies: None

SYNTAX    
  Invoke-PowerEnum [[-userlist] <Object>] 

DESCRIPTION    
  This module loops through usernames to spray against Microsoft Online to identify valid accounts.

RELATED LINKS    
  https://github.com/dafthack/MSOLSpray

Example PowerEnum.ps1 usage:

    Invoke-PowerEnum -userlist users.txt
