This is a fire-and-forget long-running password spraying tool. You hand it a list of usernames and passwords and walk away. It will perform a horizontal login attack while keeping in mind lockout times, erroneous responses, etc... Set it up on your attack box at the beginning of an assessment and check back for creds gradually over time. Output is intended to be easy to read through and grep. Focus is on simplicity.
This tool requires Python 3 and was written with Python 3.6 in mind. Refer to the file header for any needed modules.
- Run
git clone https://github.com/depthsecurity/passpr3y.git. - Run
chmod 755 passpr3y. - Create a users file containing all users you'd like you spray. Name the file
usernames.txt. - Create a passwords file containing all the passwords you'd like to attempt, such as Summer2018. Name the file
passwords.txt. - Create a requests file that uses the Burp proxy request format. Simply copy over the request to a file called
request.txt. - In request.txt, replace the username parameter you would like to spray with
USERPR3Y. - In request.txt, replace the password parameter you would like to spray with
PASSPR3Y. - Run
./passpr3y --ssl --duration=3600if you'd like to spray every hour. Default is 7200 seconds (two hours). - On successful output,
watch passpr3y_hits.txtfor hits as time goes on.
- For NTLM requests, make sure your request file contains the NTLM request in Burp format and you specify the
--ntlmflag when running the script. (And--sslif you need it.)
Run ./passpr3y -h to explore options.
- This program comes with no promises, warranties, or apologies.
- Use this program at your own risk and responsibility.
- When this program is used aggressively, there is a good chance that you may lock out a large number of Active Directory accounts. Refer to number 2. Default settings of this program are meant to help prevent something like that from happening.