Password spraying with BloodHound integration

SprayHound

Python library to safely password spray in Active Directory, set pwned users as owned in BloodHound, and detect paths to Domain Admins.

This library uses the ldap3 project for all LDAP operations.

Chapters:

  • Requirements: Requirements to install sprayhound
  • Warning: Before using this tool, read this
  • Installation: Installation instructions
  • Usage: Usage and command line examples

Requirements

  • Python >= 3.6

Warning

Only the default domain policy is checked for now. If a custom GPO is used for the password policy, it won't be detected. This is a work in progress.

Installation

From pip

python3 -m pip install sprayhound

From source

sudo apt-get install libsasl2-dev python3-dev libldap2-dev libssl-dev
git clone git@github.com:Hackndo/sprayhound.git
cd sprayhound
python3 setup.py install

Usage

Parameters

$ sprayhound -h

usage: sprayhound [-h] [-u USERNAME] [-U USERFILE]
                  [-p PASSWORD | --lower | --upper] [-t THRESHOLD]
                  [-dc DOMAIN_CONTROLLER] [-d DOMAIN] [-lP LDAP_PORT]
                  [-lu LDAP_USER] [-lp LDAP_PASS] [-lssl]
                  [-lpage LDAP_PAGE_SIZE] [-nh NEO4J_HOST] [-nP NEO4J_PORT]
                  [-nu NEO4J_USER] [-np NEO4J_PASS] [--unsafe] [--force]
                  [--nocolor] [-v]

sprayhound v0.0.1 - Password spraying

optional arguments:
  -h, --help            show this help message and exit
  --unsafe              Enable login tries on almost locked out accounts
  --force               Do not prompt for user confirmation
  --nocolor             Do not use color for output
  -v                    Verbosity level (-v or -vv)

credentials:
  -u USERNAME, --username USERNAME
                        Username
  -U USERFILE, --userfile USERFILE
                        File containing username list
  -p PASSWORD, --password PASSWORD
                        Password
  --lower               User as pass with lowercase password
  --upper               User as pass with uppercase password
  -t THRESHOLD, --threshold THRESHOLD
                        Number of password left allowed before locked out

ldap:
  -dc DOMAIN_CONTROLLER, --domain-controller DOMAIN_CONTROLLER
                        Domain controller
  -d DOMAIN, --domain DOMAIN
                        Domain FQDN
  -lP LDAP_PORT, --ldap-port LDAP_PORT
                        LDAP Port
  -lu LDAP_USER, --ldap-user LDAP_USER
                        LDAP User
  -lp LDAP_PASS, --ldap-pass LDAP_PASS
                        LDAP Password
  -lssl, --ldap-ssl     LDAP over TLS (ldaps)
  -lpage LDAP_PAGE_SIZE, --ldap-page-size LDAP_PAGE_SIZE
                        LDAP Paging size (Default: 200)

neo4j:
  -nh NEO4J_HOST, --neo4j-host NEO4J_HOST
                        Neo4J Host (Default: 127.0.0.1)
  -nP NEO4J_PORT, --neo4j-port NEO4J_PORT
                        Neo4J Port (Default: 7687)
  -nu NEO4J_USER, --neo4j-user NEO4J_USER
                        Neo4J user (Default: neo4j)
  -np NEO4J_PASS, --neo4j-pass NEO4J_PASS
                        Neo4J password (Default: neo4j)

Unauthenticated

When used unauthenticated, sprayhound cannot check password policies, so accounts could be locked out.

# Single user, single password
sprayhound -u simba -p Pentest123.. -d hackn.lab -dc 10.10.10.1

# User list, single password
sprayhound -U ./users.txt -p Pentest123.. -d hackn.lab -dc 10.10.10.1

# User as pass
sprayhound -U ./users.txt -d hackn.lab -dc 10.10.10.1

# User as pass with password lowercase
sprayhound -U ./users.txt --lower -d hackn.lab -dc 10.10.10.1

# User as pass with password uppercase
sprayhound -U ./users.txt --upper -d hackn.lab -dc 10.10.10.1

Authenticated

When a valid domain account is provided, sprayhound will try to find the default domain policy and check the badpwdcount attribute of each user against the lockout threshold. Accounts that are too close to the threshold are skipped.

# Single user, single password
sprayhound -u simba -p Pentest123.. -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd

# All domain users, single password
sprayhound -p Pentest123.. -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd

# All domain users, single password, using an account from a trusted domain
sprayhound -p Pentest123.. -d hackn.lab -dc 10.10.10.1 -lu 'babdcatha.net\Babd' -lp P4ssw0rd

# User as pass on all domain users
sprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd

# User as pass with password lowercase
sprayhound --lower -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd

# User as pass with password uppercase
sprayhound --upper -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd

The allowed difference between badpwdcount and the lockout threshold can be tuned with the --threshold parameter. If it is set to 2 and the password policy locks out accounts after 5 login failures, then sprayhound won't test users with a badpwdcount of 3 (or more).

sprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd --threshold 1
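
A defender-side view of the same attribute, as an added example that is not part of the SprayHound project: a spray that tries one password per account and keeps every account below the lockout threshold raises no lockout alert, but badPwdCount still rises by one on many accounts within a short time. The snapshot format, the account names and the function name spray_candidates are assumptions made for this example, and both snapshots are assumed to come from the same domain controller.

```python
from datetime import datetime, timedelta

# Constructed snapshots (not real directory data): for each account, the
# (badPwdCount, badPasswordTime) pair read from the same domain controller.
T0 = datetime(2024, 1, 1, 9, 0, 0)
BEFORE = {
    "alice": (0, None),
    "bob": (2, T0 - timedelta(hours=5)),
    "carol": (0, None),
    "dave": (1, T0 - timedelta(days=1)),
    "erin": (0, None),
    "frank": (3, T0 - timedelta(hours=2)),
}
AFTER = {
    "alice": (1, T0 + timedelta(seconds=10)),
    "bob": (3, T0 + timedelta(seconds=12)),
    "carol": (1, T0 + timedelta(seconds=15)),
    "dave": (2, T0 + timedelta(seconds=20)),
    "erin": (0, None),                      # untouched account
    "frank": (5, T0 + timedelta(hours=3)),  # two failures, hours later
}

def spray_candidates(before, after, window=timedelta(minutes=5), min_accounts=4):
    """Accounts whose badPwdCount rose by exactly one inside a single window.

    Returns a sorted list of names, or [] when fewer than min_accounts
    accounts fall into the busiest window.
    """
    hits = []
    for user, (count, when) in after.items():
        old_count, _ = before.get(user, (0, None))
        if when is not None and count - old_count == 1:
            hits.append((when, user))
    hits.sort()

    best, start = [], 0
    for end in range(len(hits)):
        # Shrink from the left until the span fits inside the window.
        while hits[end][0] - hits[start][0] > window:
            start += 1
        if end - start + 1 > len(best):
            best = hits[start:end + 1]
    return sorted(user for _, user in best) if len(best) >= min_accounts else []

if __name__ == "__main__":
    print(spray_candidates(BEFORE, AFTER))
```

An account whose password was guessed does not appear in this list, because a successful logon resets badPwdCount to 0. The window and min_accounts values are example settings to tune per environment.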

Bloodhound integration

When sprayhound finds account credentials, it can mark these accounts as Owned in BloodHound. To do so, the BloodHound (Neo4j) connection information must be provided to the tool.

# -nh: Neo4J server
# -nP: Neo4J port
# -nu: Neo4J user
# -np: Neo4J password
sprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd -nh 127.0.0.1 -nP 7687 -nu neo4j -np bloodhound

Changelog

v0.0.2
------
First release
