aas-n / spraykatz Goto Github PK

View Code? Open in Web Editor NEW

747.0 27.0 123.0 21.55 MB

Credentials gathering tool automating remote procdump and parse of lsass process.

Home Page: https://twitter.com/aas_s3curity

License: MIT License

Python 100.00%

procdump pypykatz lsass mimikatz credentials minidump spray love

spraykatz's Introduction

Spraykatz

Spray love around the world

Index

Title	Description
About	Brief Description about the tool
Installation	Installation and Requirements
Usage	How to use Spraykatz
Changelog	Spraykatz changelog
Acknowlegments	Acknowlegments

About

Spraykatz is a tool without any pretention able to retrieve credentials on Windows machines and large Active Directory environments.

It simply tries to procdump machines and parse dumps remotely in order to avoid detections by antivirus softwares as much as possible.

Installation

This tool is written for python3 to python3.6. Do not use this on production environments!

Ubuntu

On a fresh updated Ubuntu.

apt update
apt install -y python3.6 python3-pip git nmap
git clone https://github.com/aas-n/spraykatz.git
cd spraykatz
pip3 install -r requirements.txt

Using Spraykatz

A quick start could be:

./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24

Mandatory arguments

Switches	Description
-u, --username	User to spray with. He must have admin rights on targeted systems in order to gain remote code execution.
-p, --password	User's password or NTLM hash in the `LM:NT` format.
-t, --targets	IP addresses and/or IP address ranges. You can submit them via a file of targets (one target per line), or inline (separated by commas).

Optional arguments

Switches	Description
-d, --domain	User's domain. If he is not member of a domain, simply use `-d .` instead.
-r, --remove	Only try to clean up ProcDump and dumps left behind on distant machines. Just in case.
-v, --verbosity	Verbosity mode {warning, info, debug}. Default == info.
-w, --wait	How many seconds Spraykatz waits before exiting gracefully. Default is 180 seconds.

Changelog

Version 0.9.9
=============
- Removing impacket submodules (just use pip).

Version 0.9.8
=============
- ProcDump binaries are not embedded anymore. Spraykatz ask for downloading them now.

Version 0.9.7
=============
- adding the "-r" switch to remove procdump & dumps left behind, just in case.
- adding the "-w" switch to specify a timeout before exiting gracefully.
- Debug mode enhanced
- Bugs fixes

Acknowlegments

Spraykatz uses slighlty modified parts of the following projects:

Thanks:

Written by aas

spraykatz's People

Contributors

Stargazers

Watchers

Forkers

vanquishsecurity2 sandalsoft thetraker arockia-arulnathan faidamine w0rtw0rt johndoex1 c002 ashr fr34k8 layzhi samuelriesz bbhunter dviros gavz slooppe jertwaz smolige001 refael613 filipposm imulmul ignitionlab jongmartinez threeape mrtaheramine masterscott mlynchcogent incredibleindishell wikijm nobody0404 zshell melkorazo muhammadabubakar cclauss marciopocebon kaisaryousuf jermainlaforce ellerbrock unsecureio thebarristersway rdincel1 norseh grumo35 hackndo pretech86 x0xr00t gitakaal yehias jack51706 unforeseenocean pentest-tools spudgunman pwnfoo red-infosec veter069 secfb listinvest 5l1v3r1 zobber a6avind az0ne reanimat0r gadoi ondrik8 chertogun freeide idkwim nullcult askyeye marcostolosa r4b3rt cfs1981 lallouslab dannymas pentesttoolz materaj2 singularidad mmg1 opensesamedoors polling-repo-continua hollow667 hack-payload-collection p3km3k gh0st0ne ass77 zha0 jakuta-tech fadinglr tylous cham423 zpaav nosorry pwnf hartl3y94 pitbullcan yadliaa a-new oakkaya actorexpose latkes

spraykatz's Issues

enhacement

First of all, thank you for this tool!
Secondly, as an enhacement why don't you use masscan instead of nmap and add the option to add on targets file an ip on each line, it would be better for a mass aproach.
thirdly, can be multi procesing as well..for a faster aproach.
i use masscan for taking out ips and it would be much more better to add a list of ips scanned on port 135 before then scanning them with nmap.
a nice touch will be if in creds.txt will be wroted the ip too.

Python3.8 support - impacket out of date

fortra/impacket#702

[~]   192.168.0.10 is not pwnable! (`digestmod` is required.)

Error when using passwords that starts with $ character

I think their is an error when trying to use the tool with a password that starts with the $ character, as it is showing in the screen shots below, an error message appears at the end stating that Error: argument -p/--password: expected one argument

Hash in place of Password

Hello Lydéric,

Can you add support to use Hash instead of password ?

script returns hash instead of password

Hello
The script is returning a hash where password is expected (see screenshot below), why is this ?

parse for kerberos tickets

I had the idea to add to pypkatz funtionality. Prior to an update, there is only logonpassword parsing. I had the idea of adding kerberos ticket key parsing, to save all the kerberos tickets from the dump.
Example scenerio: dumping an unconstrained delegated server that the dc has logged into :)

Unable to parse complex password

Should a password contain "(" or ")", error code "zsh: parse error near ')'"

No module named 'wget'

Hi
spraykatz# ./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24

Traceback (most recent call last):
File "./spraykatz.py", line 11, in
from core.Resources import initSpraykatz
File "/root/ATTACK-1-/spraykatz/core/Resources.py", line 6, in
import wget, zipfile
ModuleNotFoundError: No module named 'wget'

why??

Error occurs with target when accessing value (pypykatz)

Executing spraykatz but getting error when executing the pypykatz.

Installed on Ubuntu 18.04.

Created a test machine running Windows 2012 so fictional user accounts.

Installed as per instructions given (https://github.com/aas-n/spraykatz)