/sprayhound

Password spraying tool and Bloodhound integration

Primary LanguagePythonMIT LicenseMIT

SprayHound

PyPI version Twitter

Example

Python library to safely password spray in Active Directory, set pwned users as owned in Bloodhound and detect path to Domain Admins

This library uses python-ldap project for all LDAP operations.

Chapters Description
Requirements Requirements to install sprayhound
Warning Before using this tool, read this
Installation Installation instructions
Usage Usage and command lines examples

Requirements

  • Python >= 3.6

Warning

Only default domain policy is checked for now. If custom GPO is used for password policy, it won't be detected. That's some work in progress.

Installation

From pip

python3 -m pip install sprayhound

From source

sudo apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev
git clone git@github.com:Hackndo/sprayhound.git
cd sprayhound
python3 setup.py install

Usage

Parameters

$ sprayhound -h

usage: sprayhound [-h] [-u USERNAME] [-U USERFILE]
                  [-p PASSWORD | --lower | --upper] [-t THRESHOLD]
                  [-dc DOMAIN_CONTROLLER] [-d DOMAIN] [-lP LDAP_PORT]
                  [-lu LDAP_USER] [-lp LDAP_PASS] [-lssl]
                  [-lpage LDAP_PAGE_SIZE] [-nh NEO4J_HOST] [-nP NEO4J_PORT]
                  [-nu NEO4J_USER] [-np NEO4J_PASS] [--unsafe] [--force]
                  [--nocolor] [-v]

sprayhound v0.0.1 - Password spraying

optional arguments:
  -h, --help            show this help message and exit
  --unsafe              Enable login tries on almost locked out accounts
  --force               Do not prompt for user confirmation
  --nocolor             Do not use color for output
  -v                    Verbosity level (-v or -vv)

credentials:
  -u USERNAME, --username USERNAME
                        Username
  -U USERFILE, --userfile USERFILE
                        File containing username list
  -p PASSWORD, --password PASSWORD
                        Password
  --lower               User as pass with lowercase password
  --upper               User as pass with uppercase password
  -t THRESHOLD, --threshold THRESHOLD
                        Number of password left allowed before locked out

ldap:
  -dc DOMAIN_CONTROLLER, --domain-controller DOMAIN_CONTROLLER
                        Domain controller
  -d DOMAIN, --domain DOMAIN
                        Domain FQDN
  -lP LDAP_PORT, --ldap-port LDAP_PORT
                        LDAP Port
  -lu LDAP_USER, --ldap-user LDAP_USER
                        LDAP User
  -lp LDAP_PASS, --ldap-pass LDAP_PASS
                        LDAP Password
  -lssl, --ldap-ssl     LDAP over TLS (ldaps)
  -lpage LDAP_PAGE_SIZE, --ldap-page-size LDAP_PAGE_SIZE
                        LDAP Paging size (Default: 200)

neo4j:
  -nh NEO4J_HOST, --neo4j-host NEO4J_HOST
                        Neo4J Host (Default: 127.0.0.1)
  -nP NEO4J_PORT, --neo4j-port NEO4J_PORT
                        Neo4J Port (Default: 7687)
  -nu NEO4J_USER, --neo4j-user NEO4J_USER
                        Neo4J user (Default: neo4j)
  -np NEO4J_PASS, --neo4j-pass NEO4J_PASS
                        Neo4J password (Default: neo4j)

Unauthenticated

When used unauthenticated, sprayhound won't be able to check password policies. Account could be locked out.

# Single user, single password
sprayhound -u simba -p Pentest123.. -d hackn.lab -dc 10.10.10.1

# User list, single password
sprayhound -U ./users.txt -p Pentest123.. -d hackn.lab -dc 10.10.10.1

# User as pass
sprayhound -U ./users.txt -d hackn.lab -dc 10.10.10.1

# User as pass with password lowercase
sprayhound -U ./users.txt --lower -d hackn.lab -dc 10.10.10.1

# User as pass with password uppercase
sprayhound -U ./users.txt --upper -d hackn.lab -dc 10.10.10.1

Authenticated

When providing a valid domain account, sprayhound will try and find default domain policy and check badpwdcount attribute of each user against lockout threshold. If too close, it will skip these accounts.

# Single user, single password
sprayhound -u simba -p Pentest123.. -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd

# All domain users, single password
sprayhound -p Pentest123.. -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd

# User as pass on all domain users
sprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd

# User as pass with password lowercase
sprayhound --lower -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd

# User as pass with password uppercase
sprayhound --upper -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd

Difference between badpwdcount and lockout threshold can be tuned using --threshold parameter. If set to 2, and password policy locks out accounts after 5 login failure, then sprayhound won't test users with badpwdcount 3 (and more).

sprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd --threshold 1

Bloodhound integration

When sprayhound finds accounts credentials, it can set these accounts as Owned in BloodHound. BloodHound information should be provided to this tool.

# -nh: Neo4J server
# -nP: Neo4J port
# -nu: Neo4J user
# -np: Neo4J password
sprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd -nh 127.0.0.1 -nP 7687 -nu neo4j -np bloodhound

Changelog

v0.0.2
------
First release