Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Launch a password spray / brute force attach via Amazon AWS passthrough proxies, shifting the requesting IP address for every authentication attempt. This dynamically creates FireProx APIs for more evasive password sprays.

Shoutout to @ustayready for his CredKing and FireProx tools, which form the base of this suite.

See all the full notes on the Wiki, tool released with specifics in this blogpost

For detection tips, see the blogpost and detection section.

Be careful for account lockouts, know the reset policies of your target


  1. git clone the repo down
  2. If unsure how to create correct keys see this blog.
  3. pip install -r requirements.txt
  4. Fill out the config file (wiki) with desired options, or provide through CLI

Benefits & Features

  • Rotates the requesting IP address for every request
  • Automatically generates APIs for proxy passthru
  • Spoofs API tracking numbers, forwarded-for IPs, and other proxy tracking headers = fully anonymous
  • Easily configuation via config file
  • Multi-threaded processing
  • Password delay counters & configuration for lockout policy evasion
  • Easily add new plugins
  • Colourised output
  • Notification systems for Keybase, Slack, Discord, Teams & Pushover
  • WeekdayWarrior setting for timed spraying and SOC evasion


Quick Use

The following plugins are currently supported:

  • OWA - Outlook Web Access
    • --plugin owa
  • EWS - Exchange Web Services
    • --plugin ews
  • O365 - Office365
    • --plugin o365
  • ADFS - Active Directory Federation Services
    • --plugin adfs
  • O365Enum - Office365 User Enum (No Authentication Request)
    • --plugin o365enum
  • MSOL - Microsoft Online
    • --plugin msol
  • MSGraph - MSGraph Module, msgraph spray point for azure and MSOL credentials
    • --plugin msgraph
  • AzureSSO - Azure AD Seamless SSO Endpoint
    • --plugin azuresso
  • AzVault - AzVault Module, Azure spray point different to MSOL/AzureSSO
    • --plugin azvault
  • Okta - Okta Authentication Portal
    • --plugin okta
  • FortinetVPN - Fortinet VPN Client
    • --plugin fortinetvpn
  • HTTPBrute - Generic HTTP Brute Methods (Basic/Digest/NTLM)
    • --plugin httpbrute
  • GMailEnum - GSuite/Gmail enumeration
    • --plugin gmailenum

Example Use:

python3 --plugin {pluginname} --access_key {key} --secret_access_key {key} -u userfile -p passwordfile -a useragentfile {otherargs}


python3 --config config.json

This tool requires AWS API access keys, a walkthrough on how to acquire these keys can be found here:

All other usage details can be found on the wiki


PRs welcome :)

  • New Plugin: Optiv's Go365 Method - Includes Office365 auth and userenum capabilities via SOAP
  • "Resume" functionality for paused/cancelled scans. Ideally storing data for APIs used, if they were destroyed and what user/pwd the spray was on
  • Method to reliably determine if an auth attempt was throttled, so the username could be re-queued and tried again later for full cover (would have to be per-plugin, return "throttled" boolean value in plugin script, requeue if throttled)
  • Notification system for webhooks (Teams TODO)
  • Stop on success flag
  • Spray profile overhaul
  • Development notes
  • Spray username==password


  • Mike Felch (ustayready) - CredKing & FireProx
  • Beau Bullock (dafthack) - MSOLSpray tool
  • Martin Ingesen (mrtn9) - MSOLSpray Python tool
  • Oliver Morton (grimhacker) - Office365UserEnum tool
  • Marcello (byt3bl33d3r) - SprayingToolkit
  • Erforschr - HTTP Bruteforce tool
  • Florian Hauser (frycos from codewhitesec) - ADFS plugin
  • nyxgeek - Azure AD Seamless SSO python implementation
  • Joe Helle (joehelle) - Oh365UserFinder
  • Cameron Geehr (BarrelTit0r) - o365enum tool
  • Max Gruenberg (Max_Gruenberg) - o365enum plugin
  • x0rz - GmailEnum technique
  • Kole Swesey (0xPanic_) - Assorted PR
  • Logan (TheToddLuci0) - Assorted bug squashing, AWS authing, and Keybase notifying
  • Andy Gill (ZephrFish) - Colour functions + Tweaks/Notifications, helping on dev rewrite, AzVault module

Feel free to drop me a line


Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling