Password spraying with BloodHound integration
Project description
SprayHound
Python library to safely password spray in Active Directory, set pwned users as owned in Bloodhound and detect path to Domain Admins
This library uses python-ldap project for all LDAP operations.
| Chapters | Description |
|---|---|
| Requirements | Requirements to install lsassy from source |
| Warning | Before using this tool, read this |
| Installation | Installation instructions |
| Usage | Usage and command lines examples |
Requirements
- Python >= 3.6
Warning
Only default domain policy is checked for now. If custom GPO is used for password policy, it won't be detected. That's some work in progress.
Installation
From pip
python3 -m pip install sprayhound
From source
git clone git@github.com:Hackndo/sprayhound.git
cd sprayhound
python3 setup.py install
Usage
Parameters
$ sprayhound -h
usage: sprayhound [-h] [-u USERNAME] [-U USERFILE]
[-p PASSWORD | --lower | --upper] [-t THRESHOLD]
[-dc DOMAIN_CONTROLLER] [-d DOMAIN] [-lP LDAP_PORT]
[-lu LDAP_USER] [-lp LDAP_PASS] [-lssl]
[-lpage LDAP_PAGE_SIZE] [-nh NEO4J_HOST] [-nP NEO4J_PORT]
[-nu NEO4J_USER] [-np NEO4J_PASS] [--unsafe] [--force]
[--nocolor] [-v]
sprayhound v0.0.1 - Password spraying
optional arguments:
-h, --help show this help message and exit
--unsafe Enable login tries on almost locked out accounts
--force Do not prompt for user confirmation
--nocolor Do not use color for output
-v Verbosity level (-v or -vv)
credentials:
-u USERNAME, --username USERNAME
Username
-U USERFILE, --userfile USERFILE
File containing username list
-p PASSWORD, --password PASSWORD
Password
--lower User as pass with lowercase password
--upper User as pass with uppercase password
-t THRESHOLD, --threshold THRESHOLD
Number of password left allowed before locked out
ldap:
-dc DOMAIN_CONTROLLER, --domain-controller DOMAIN_CONTROLLER
Domain controller
-d DOMAIN, --domain DOMAIN
Domain FQDN
-lP LDAP_PORT, --ldap-port LDAP_PORT
LDAP Port
-lu LDAP_USER, --ldap-user LDAP_USER
LDAP User
-lp LDAP_PASS, --ldap-pass LDAP_PASS
LDAP Password
-lssl, --ldap-ssl LDAP over TLS (ldaps)
-lpage LDAP_PAGE_SIZE, --ldap-page-size LDAP_PAGE_SIZE
LDAP Paging size (Default: 200)
neo4j:
-nh NEO4J_HOST, --neo4j-host NEO4J_HOST
Neo4J Host (Default: 127.0.0.1)
-nP NEO4J_PORT, --neo4j-port NEO4J_PORT
Neo4J Port (Default: 7687)
-nu NEO4J_USER, --neo4j-user NEO4J_USER
Neo4J user (Default: neo4j)
-np NEO4J_PASS, --neo4j-pass NEO4J_PASS
Neo4J password (Default: neo4j)
Unauthenticated
When used unauthenticated, sprayhound won't be able to check password policies. Account could be locked out.
# Single user, single password
sprayhound -u simba -p Pentest123.. -d hackn.lab -dc 10.10.10.1
# User list, single password
sprayhound -U ./users.txt -p Pentest123.. -d hackn.lab -dc 10.10.10.1
# User as pass
sprayhound -U ./users.txt -d hackn.lab -dc 10.10.10.1
# User as pass with password lowercase
sprayhound -U ./users.txt --lower -d hackn.lab -dc 10.10.10.1
# User as pass with password uppercase
sprayhound -U ./users.txt --upper -d hackn.lab -dc 10.10.10.1
Authenticated
When providing a valid domain account, sprayhound will try and find default domain policy and check badpwdcount attribute of each user against lockout threshold. If too close, it will skip these accounts.
# Single user, single password
sprayhound -u simba -p Pentest123.. -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd
# All domain users, single password
sprayhound -p Pentest123.. -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd
# User as pass on all domain users
sprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd
# User as pass with password lowercase
sprayhound --lower -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd
# User as pass with password uppercase
sprayhound --upper -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd
Difference between badpwdcount and lockout threshold can be tuned using --threshold parameter. If set to 2, and password policy locks out accounts after 5 login failure, then sprayhound won't test users with badpwdcount 3 (and more).
sprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd --threshold 1
Bloodhound integration
When sprayhound finds accounts credentials, it can set these accounts as Owned in BloodHound. BloodHound information should be provided to this tool.
# -nh: Neo4J server
# -nP: Neo4J port
# -nu: Neo4J user
# -np: Neo4J password
sprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd -nh 127.0.0.1 -nP 7687 -nu neo4j -np bloodhound
Changelog
v0.0.2
------
First release
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for sprayhound-0.0.3-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 485aaade797a3496db0ac14acddabede9a5a79aa16ba70f014575801c53d2e54 |
|
| MD5 | 7ff8710fa33d7ac249209ed1374180a4 |
|
| BLAKE2b-256 | d594a8cee609be9d6e39ba74604a1823ba0cbcc1a2763598a72a8c1e0d779339 |
