~poptart/sprey

Password Spraying Campaign Manager
54cc96c1 — poptart 6 days ago
More basic updates, added a readme
2611a11b — poptart a month ago
Updated to fit a more formal structure
544d1ff7 — poptart a month ago
Updated DB to working version for entry

refs

main
browse  log 

clone

read-only
https://git.sr.ht/~poptart/sprey
read/write
git@git.sr.ht:~poptart/sprey

You can also use your local clone with git send-email.

#Sprey - Password Spraying Framework

⚠⚠⚠ IN DEVELOPMENT - DO NOT USE ⚠⚠⚠

All things will be squashed, history is a lie

⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠

A generic password spraying framework focused on the little details and a simple interface. Unlike other spraying frameworks Sprey attempts to log all the details of all spraying activities to a database and follows a job driven framework that allows for multiple type of user interfaces, distributed jobs, post-spray analysis, and reporting.

#Planned Features

  • Simple template based HTTP request usage and injection
  • Module system allows for templates to follow complex logic
  • Data oriented and persistent storage for long term analysis
  • Password mangling
  • Distributed based on work flow generation and splitting

#Running

#Simple

# Generic spraying, attempts to automatically analyze responses and match based on variance
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m match

# Spray and match success based on HTTP response code
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -c '302'

# Spray and match success based on HTTP response matching regex
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -x '^User Authentication - Success.*$' 

# Stop after successful spraying and run an action with HTTP response 
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -s -a './headless-keepalive.sh "{{Response}}"'


# Generic spraying, attempts to automatically analyze responses and match based on timing
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m timing -V 60ms -low
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m timing -V 60ms -high
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m timing -V 50% -high

#Web Interface

#Distributed Spraying

#Documentation

  • man page
spray - Core runner

-r, -request - HTTP request
-host - Host header override
-k, -ignore-tls - Ignore HTTPS errors
-d, -db - Database storage location
-u, -users - Username list
-p, -passwords - Password candidate list
-a, -action - Run action
-o, -out - Output successful authentications (TODO format)
-b, -bail - Bail/Fail on response regex
-j, -module - Add module and import it's template for use in Sprey templates
-f, -follow - Follow redirect
-proxy - Proxy
-resume - Resume session

-dist - Distributed mode, without '-s' outputs the disributed job list, with '-q' assigns number of sprey lists to split by 
-dist-list - Split distribution based on file list
-nodes - Number of distributed nodes 

-v, -verbose - Verbose
-q, -quiet - Quiet
-h, -help - Help
-print - Print template variables and information
-socket - UNIX socket path for management

-delay - 
-delay-user - Time between a user spray that is allowed
-delay-lockout -
-delay-window - 
-delay-random - 

#modes
-m, -mode - Match mode - (timing, match, analysis)

#match mode options
	-c - HTTP codes to successfully match, prefix of '-' to match NOT the error code
#timing mode options
	-V - Manually set HTTP variance
	-n - Do not establish timing baseline 
	-baseline-requests - Default 10 requests to establish statistical timing baseline
	-low - Match quicker responses
	-high - Match slower responses based on variance
-i - Analysis mode
	-t - Output mode (list,json,csv,TODO)
	-clear - Clear the database
	-report - Generate static HTML report

#timing settings
-policy - Password policy TODO format (dur,thresh,window)

#misc
-utility - Utilities (user-agent-update,signal-stop,signal-start,add-candidate,remove-candidate)
	- user-agent-update - Updates the user-agent 
	- add-candidate - Given '-add' flag adds a "user:password" pair candidate to a current running job (Requires control socket with -socket), can be specified with just '-add'
	- remove-candidate - Given '-remove' flag adds a "user:password" pair candidate to a current running job (Requires control socket with -socket), can be specified with just '-remove'
-add - Add candidate to running process (Requires -socket) TODO syntax
-remove - Remove candidate to running process (Requires -socket) TODO syntax
sprayd - HTTP server

#Installation

go get git.sr.ht/~poptart/sprey/...