@@ 0,0 1,128 @@
+Sprey - Password Spraying Framework
+===================================
+
+⚠⚠⚠ IN DEVELOPMENT - DO NOT USE ⚠⚠⚠
+
+All things will be squashed, history is a lie
+
+⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
+
+A generic password spraying framework focused on the little details and a simple interface. Unlike other spraying frameworks Sprey attempts to log all the details of all spraying activities to a database and follows a job driven framework that allows for multiple type of user interfaces, distributed jobs, post-spray analysis, and reporting.
+
+
+Planned Features
+----------------
+
+- Simple template based HTTP request usage and injection
+- Module system allows for templates to follow complex logic
+- Data oriented and persistent storage for long term analysis
+- Password mangling
+- Distributed based on work flow generation and splitting
+
+
+Running
+-------
+
+### Simple
+
+```
+# Generic spraying, attempts to automatically analyze responses and match based on variance
+sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt
+sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m match
+
+# Spray and match success based on HTTP response code
+sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -c '302'
+
+# Spray and match success based on HTTP response matching regex
+sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -x '^User Authentication - Success.*$'
+
+# Stop after successful spraying and run an action with HTTP response
+sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -s -a './headless-keepalive.sh "{{Response}}"'
+
+
+# Generic spraying, attempts to automatically analyze responses and match based on timing
+sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m timing -V 60ms -low
+sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m timing -V 60ms -high
+sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m timing -V 50% -high
+```
+
+### Web Interface
+
+### Distributed Spraying
+
+Documentation
+-------------
+
+- man page
+
+```
+spray - Core runner
+
+-r, -request - HTTP request
+-host - Host header override
+-k, -ignore-tls - Ignore HTTPS errors
+-d, -db - Database storage location
+-u, -users - Username list
+-p, -passwords - Password candidate list
+-a, -action - Run action
+-o, -out - Output successful authentications (TODO format)
+-b, -bail - Bail/Fail on response regex
+-j, -module - Add module and import it's template for use in Sprey templates
+-f, -follow - Follow redirect
+-proxy - Proxy
+-resume - Resume session
+
+-dist - Distributed mode, without '-s' outputs the disributed job list, with '-q' assigns number of sprey lists to split by
+-dist-list - Split distribution based on file list
+-nodes - Number of distributed nodes
+
+-v, -verbose - Verbose
+-q, -quiet - Quiet
+-h, -help - Help
+-print - Print template variables and information
+-socket - UNIX socket path for management
+
+-delay -
+-delay-user - Time between a user spray that is allowed
+-delay-lockout -
+-delay-window -
+-delay-random -
+
+#modes
+-m, -mode - Match mode - (timing, match, analysis)
+
+#match mode options
+ -c - HTTP codes to successfully match, prefix of '-' to match NOT the error code
+#timing mode options
+ -V - Manually set HTTP variance
+ -n - Do not establish timing baseline
+ -baseline-requests - Default 10 requests to establish statistical timing baseline
+ -low - Match quicker responses
+ -high - Match slower responses based on variance
+-i - Analysis mode
+ -t - Output mode (list,json,csv,TODO)
+ -clear - Clear the database
+ -report - Generate static HTML report
+
+#timing settings
+-policy - Password policy TODO format (dur,thresh,window)
+
+#misc
+-utility - Utilities (user-agent-update,signal-stop,signal-start,add-candidate,remove-candidate)
+ - user-agent-update - Updates the user-agent
+ - add-candidate - Given '-add' flag adds a "user:password" pair candidate to a current running job (Requires control socket with -socket), can be specified with just '-add'
+ - remove-candidate - Given '-remove' flag adds a "user:password" pair candidate to a current running job (Requires control socket with -socket), can be specified with just '-remove'
+-add - Add candidate to running process (Requires -socket) TODO syntax
+-remove - Remove candidate to running process (Requires -socket) TODO syntax
+```
+
+```
+sprayd - HTTP server
+```
+
+Installation
+------------
+
+```sh
+go get git.sr.ht/~poptart/sprey/...
+```
@@ 3,6 3,7 @@ package sprey
import (
"database/sql"
"fmt"
+ "log"
"net/http"
"time"
)
@@ 13,6 14,7 @@ type Meta struct {
Attempts []Attempt
DelaySettings Delay
FollowRedirects bool
+ Logger log.Logger
}
type Attempt struct {
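Review bot: `Logger log.Logger` in Meta stores the logger by value, but log.Logger contains a mutex and is meant to be shared by pointer. Any copy of a Meta value then copies the lock, which `go vet` (copylocks) reports. Declare the field as `Logger *log.Logger` and have callers pass `log.New(...)` or `log.Default()`. The zero value of the field as written has no output writer set, so confirm that every path building a Meta initialises it before the first log call. The opening of the Meta struct is outside this hunk.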
@@ 86,12 88,12 @@ func Start(s Spray, db *sql.DB, campaign *DBCampaign) error {
if err != nil {
return err
}
- fmt.Printf("%#v\n", att)
- fmt.Printf("%#v\n", att.Exchange.Timing)
- fmt.Printf("DNS - %s\n", att.Exchange.Timing.DNSStop.Sub(att.Exchange.Timing.DNSStart).String())
- fmt.Printf("Connect - %s\n", att.Exchange.Timing.ConnectStop.Sub(att.Exchange.Timing.ConnectStart).String())
- fmt.Printf("First Byte - %s\n", att.Exchange.Timing.FirstByte.Sub(att.Exchange.Timing.InitialStart).String())
- fmt.Printf("Real - %s\n", att.Exchange.Timing.Real.String())
+ //fmt.Printf("%#v\n", att)
+ //fmt.Printf("%#v\n", att.Exchange.Timing)
+ //fmt.Printf("DNS - %s\n", att.Exchange.Timing.DNSStop.Sub(att.Exchange.Timing.DNSStart).String())
+ //fmt.Printf("Connect - %s\n", att.Exchange.Timing.ConnectStop.Sub(att.Exchange.Timing.ConnectStart).String())
+ //fmt.Printf("First Byte - %s\n", att.Exchange.Timing.FirstByte.Sub(att.Exchange.Timing.InitialStart).String())
+ //fmt.Printf("Real - %s\n", att.Exchange.Timing.Real.String())
err = campaign.RecordAttempt(db, att)
att, err = s.Do()
if err != nil {
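Review bot: The error returned by `campaign.RecordAttempt(db, att)` is overwritten by `att, err = s.Do()` on the next line before it is checked, so a failed database write goes unnoticed and the attempt is missing from the campaign record. Check it before continuing: `if err = campaign.RecordAttempt(db, att); err != nil { return err }`. The six commented-out `fmt.Printf` lines would read better deleted, or routed through the Logger field this commit adds to Meta. If they are kept, drop the `%#v` dump of `att`, which presumably carries the candidate credentials and should not reach stdout or a log file. The body of Start begins before and continues after this hunk.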