View the README in Fullscreen for the best experience!
A curated list of password spraying tools, projects, and resources.
Note that this project primarily focuses on password-spraying tools and resources for Microsoft Office 365 and Azure Entra environments. Please help organize these resources so that they are easy for newcomers to find and understand. PRs are welcome and encouraged!
Not all of the code in these frameworks has been audited for security or opsec. Use at your own risk. Always read code before you run it!
| Name | Description | Programming Language | Last Commit |
|---|---|---|---|
| Outsider_Recon | This module, a port of various cmdlets from AADInternals, requires only a domain to successfully enumerate information such as Tenant OpenID configuration, domain login information, domain details, Tenant ID, and other domains under the shared tenant. | Python |  |
| succ | succ is a simple command line tool that queries Microsoft for a list of domains associated with an Office 365 tenant. Find more domains to spray! | Go |  |
| Invoke-AADIntReconAsOutsider | A specific script from AADInternals for public enumeration. AADInternals is a collection of PowerShell scripts that can be used to perform reconnaissance and post-exploitation activities on Azure AD environments. | PowerShell |  |
| Name | Description | Programming Language | Last Commit |
|---|---|---|---|
| linkedin2username | Generate username lists from LinkedIn. | Python |  |
| o365enum | Enumerate valid usernames from Office 365 using ActiveSync, Autodiscover, or office.com login page. | Python |  |
| onedrive_user_enum | enumerate valid onedrive users without authentication attempts | Python |  |
| TeamsUserEnum | Teams exposes a feature allowing to look for external users. It can be abused to enumerate internal users of the organization. | Go |  |
| Oh365UserFinder | Oh365UserFinder is used for identifying valid o365 accounts and domains without the risk of account lockouts. | Python |  |
| Name | Description | Programming Language | Last Commit |
|---|---|---|---|
| weakpasswords.net | Automatically generated weak password API for password spraying. Built by nyxgeek. | Python |  |
| pypassgen | A simple password generator CLI tool for password spraying. | Python |  |
| Name | Description | Programming Language | Last Commit |
|---|---|---|---|
| spraycharles | Low and slow password spraying tool, designed to spray on an interval over a long period of time. Extensible with a plugin based framework that utilizes change instead of static indicators. | Python |  |
| TeamFiltration | TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. Tons of features, could be in every catagory here really. | C# |  |
| CredMaster | Launch a password spray / brute force attach via Amazon AWS passthrough proxies, shifting the requesting IP address for every authentication attempt. This dynamically creates FireProx APIs for more evasive password sprays. | Python |  |
| TREVORspray | TREVORspray is a modular password sprayer with threading, SSH proxying, loot modules, and more! One of the most fully featured tools on the market. | Python |  |
| git-rotate | Leveraging GitHub Actions for IP Rotation and O365 password spraying. Very unique technique with a complex setup. | Python |  |
| Go365 | Go365 is a tool designed to perform user enumeration* and password guessing attacks on organizations that use Office365 (now/soon Microsoft365). Go365 uses a unique SOAP API endpoint on login.microsoftonline.com that most other tools do not use. | Go |  |
| Spray365 | Spray365 is a password spraying tool designed for Microsoft accounts (Office 365/Azure AD) that distinguishes itself by using an "execution plan." Several evasion featuresand uses the adal library under the hood. | Python |  |
| RagingRotator | A tool for carrying out brute force attacks against Office 365, with built in IP rotation use AWS gateways. | Go |  |
| MSOLSpray | MSOLSpray is a password spraying tool for Microsoft Online accounts (Azure/O365). One of the OG spraying tools. | PowerShell |  |
| MSOLSpray.py | MSOLSpray is a password spraying tool for Microsoft Online accounts (Azure/O365). Python port of dafthack's PowerShell MSOLSpray. | Python |  |
| Omnispray | Omnispray aims to replace tools such as o365spray and provide a modular framework to expand enumeration and spraying beyond just a single target/application. | Python |  |
| Trident | Google cloud based password spraying tool for multiple IdPs. Such a great idea and architecure, but has since been archived. | Go |  |
| GoMapEnum | Another all in one framework for password spraying, enumeration, and more. | Go |  |
| SprayCannon | A really interesting and obscure password spraying framework written in...Crystal? | Crystal |  |
| SprayingToolkit | A set of Python scripts/utilities that tries to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient. (ARCHIVED) | Python |  |
| AzurePasswordSprayer | Tool written in Rust to perform Password Spraying attacks against Azure/Office 365 accounts. It is multi threaded and makes no connection attempts. | Rust |  |
| SSOh-No | This tool is designed to enumerate users, password spray and perform brute force attacks against any organisation that utilises Azure AD or O365. | Go |  |
| Name | Description | Programming Language | Last Commit |
|---|---|---|---|
| ROADTools | ROADtools is a framework to interact with Azure AD. It consists of a library (roadlib) with common components, the ROADrecon Azure AD exploration tool and the ROADtools Token eXchange (roadtx) tool. | Python |  |
| Azure-AD-Password-Checker | Enumerate MFA configuration and other insecure accounts using a Roadrecon database. | Python |  |
| msspray | Enumerate where a user can log in without MFA. Sort of loud, but effective. I don't know why they archived this, it's great! | Python |  |
| TeamSniper | Teamsniper is a tool for fetching keywords in a Microsoft Teams such as (passwords, emails, database, etc.). | Python |  |
| MailSniper | MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange and O365 environment for specific terms (passwords, insider intel, etc.). OG | PowerShell |  |
| MFade | A python port of @dafthack's MFAsweep with some added OPSEC functionality. MFAde can be used to find single-factor authentication failure points in Mircrosoft Services. | Python |  |
| MFASweep | MFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. | PowerShell |  |
| AzureHound | The BloodHound data collector for Microsoft Azure | Go |  |
| BARK | BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on Microsoft's Azure suite of products and services. | PowerShell |  |
| GraphRunner | GraphRunner is a post-exploitation toolset for interacting with the Microsoft Graph API. It provides various tools for performing reconnaissance, persistence, and pillaging of data from a Microsoft Entra ID (Azure AD) account. | PowerShell |  |
| offensive-azure | Collection of offensive tools targeting Microsoft Azure written in Python to be platform agnostic. | Python | |
| TokenTacticsV2 | This is an updated version of TokenTactics originally written by Stephan Borosh @rvrsh3ll & Bobby Cooke @0xBoku. | PowerShell |  |
| TokenTactics | Azure JSON Web Token ("JWT") Manipulation Toolset | PowerShell |  |
| GraphSpy | Very similar to GraphRunner, but written in Python with a few more features. Very awesome architecture with support for multiple databases. | Python |  |
| Name | Description | Programming Language | Last Commit |
|---|---|---|---|
| family-of-client-ids-research | Research on undocumented functionality in Azure Active Directory allows a group of Microsoft OAuth client applications to obtain special “family refresh tokens,” which can be redeemed for bearer tokens as any other client in the family. i | Python |  |
| saas-attacks | A collection of tools and resources for attacking SaaS platforms. | N/A |  |
| AAD Kill chain | The Azure AD and Microsoft 365 kill chain is a collection of recon techniques and hacking tools discovered and documented by @DrAzureAD | N/A | N/A |
| Bypassing Conditional Access | A post by @DrAzureAD on bypassing conditional access policies in Azure AD by faking device compliance. | N/A | N/A |
| dirkjanm.io | Dirk-jan's blog with a ton of great resources on Azure AD and Microsoft 365. | N/A | N/A |
| Okta for Red Teamers — Perimeter Edition | A blog post by @nickvangilder on attacking Okta. | N/A | N/A |
| Hacking Cloud Tokens 2.0 | Using TokenTacticsV2 to attack Microsoft environments. | N/A | N/A |