~poptart/sprey

54cc96c17fc193b230290a202247becada997e6d — poptart 2 years ago 2611a11 main
More basic updates, added a readme
2 files changed, 136 insertions(+), 6 deletions(-)

A README.md
M sprey.go
A README.md => README.md +128 -0
@@ 0,0 1,128 @@
Sprey - Password Spraying Framework
===================================

⚠⚠⚠ IN DEVELOPMENT - DO NOT USE ⚠⚠⚠

All things will be squashed, history is a lie

⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠

A generic password spraying framework focused on the little details and a simple interface. Unlike other spraying frameworks Sprey attempts to log all the details of all spraying activities to a database and follows a job driven framework that allows for multiple type of user interfaces, distributed jobs, post-spray analysis, and reporting.


Planned Features
----------------

- Simple template based HTTP request usage and injection
- Module system allows for templates to follow complex logic
- Data oriented and persistent storage for long term analysis
- Password mangling
- Distributed based on work flow generation and splitting


Running
-------

### Simple

```
# Generic spraying, attempts to automatically analyze responses and match based on variance
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m match

# Spray and match success based on HTTP response code
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -c '302'

# Spray and match success based on HTTP response matching regex
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -x '^User Authentication - Success.*$' 

# Stop after successful spraying and run an action with HTTP response 
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -s -a './headless-keepalive.sh "{{Response}}"'


# Generic spraying, attempts to automatically analyze responses and match based on timing
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m timing -V 60ms -low
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m timing -V 60ms -high
sprey -r request.http -d database.db -u userlist.txt -p passwordlist.txt -m timing -V 50% -high
```

### Web Interface

### Distributed Spraying

Documentation
-------------

- man page

```
spray - Core runner

-r, -request - HTTP request
-host - Host header override
-k, -ignore-tls - Ignore HTTPS errors
-d, -db - Database storage location
-u, -users - Username list
-p, -passwords - Password candidate list
-a, -action - Run action
-o, -out - Output successful authentications (TODO format)
-b, -bail - Bail/Fail on response regex
-j, -module - Add module and import it's template for use in Sprey templates
-f, -follow - Follow redirect
-proxy - Proxy
-resume - Resume session

-dist - Distributed mode, without '-s' outputs the disributed job list, with '-q' assigns number of sprey lists to split by 
-dist-list - Split distribution based on file list
-nodes - Number of distributed nodes 

-v, -verbose - Verbose
-q, -quiet - Quiet
-h, -help - Help
-print - Print template variables and information
-socket - UNIX socket path for management

-delay - 
-delay-user - Time between a user spray that is allowed
-delay-lockout -
-delay-window - 
-delay-random - 

#modes
-m, -mode - Match mode - (timing, match, analysis)

#match mode options
	-c - HTTP codes to successfully match, prefix of '-' to match NOT the error code
#timing mode options
	-V - Manually set HTTP variance
	-n - Do not establish timing baseline 
	-baseline-requests - Default 10 requests to establish statistical timing baseline
	-low - Match quicker responses
	-high - Match slower responses based on variance
-i - Analysis mode
	-t - Output mode (list,json,csv,TODO)
	-clear - Clear the database
	-report - Generate static HTML report

#timing settings
-policy - Password policy TODO format (dur,thresh,window)

#misc
-utility - Utilities (user-agent-update,signal-stop,signal-start,add-candidate,remove-candidate)
	- user-agent-update - Updates the user-agent 
	- add-candidate - Given '-add' flag adds a "user:password" pair candidate to a current running job (Requires control socket with -socket), can be specified with just '-add'
	- remove-candidate - Given '-remove' flag adds a "user:password" pair candidate to a current running job (Requires control socket with -socket), can be specified with just '-remove'
-add - Add candidate to running process (Requires -socket) TODO syntax
-remove - Remove candidate to running process (Requires -socket) TODO syntax
```

```
sprayd - HTTP server
```

Installation
------------

```sh
go get git.sr.ht/~poptart/sprey/...
```
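Review bot: the action example `sprey ... -s -a './headless-keepalive.sh "{{Response}}"'` substitutes the HTTP response into a command string; the response body is controlled by the target server, so if `{{Response}}` is expanded before the string reaches a shell, a crafted response (a single quote, `$(...)`, backticks) executes commands on the sprayer host. Document that the action is executed without a shell (argv split before substitution), or pass the response through stdin or an environment variable rather than inline. The flag reference also disagrees with the examples: `-s` (stop on success) and `-x` (match on response regex) are used under Simple but are missing from the man page block, `-i - Analysis mode` is indented as if it were a timing option, and `-delay`, `-delay-lockout`, `-delay-window` and `-delay-random` have no description although lockout handling is the setting a spraying tool most needs to get right. Wording: "multiple type of user interfaces" should be "multiple types of user interface", "import it's template" should be "its template", "disributed" should be "distributed", and `remove-candidate` / `-remove` read "adds a ... pair" and "Remove candidate to running process" where they mean removes / from.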

M sprey.go => sprey.go +8 -6
@@ 3,6 3,7 @@ package sprey
import (
	"database/sql"
	"fmt"
	"log"
	"net/http"
	"time"
)


@@ 13,6 14,7 @@ type Meta struct {
	Attempts        []Attempt
	DelaySettings   Delay
	FollowRedirects bool
	Logger          log.Logger
}

type Attempt struct {
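Review bot: `Logger log.Logger` stores the logger by value; `log.Logger` contains a mutex, so any copy of `Meta` (passing it by value, assigning it to another variable) copies the lock and `go vet`'s copylocks check will flag it, and `log.New` / `log.Default` return `*log.Logger` in any case. Make the field `Logger *log.Logger`, and because a nil pointer panics on first use, either default it to `log.Default()` in a constructor or guard it in a small method. That also gives the timing diagnostics a proper home behind `-v` instead of `fmt.Printf`.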


@@ 86,12 88,12 @@ func Start(s Spray, db *sql.DB, campaign *DBCampaign) error {
	if err != nil {
		return err
	}
	fmt.Printf("%#v\n", att)
	fmt.Printf("%#v\n", att.Exchange.Timing)
	fmt.Printf("DNS - %s\n", att.Exchange.Timing.DNSStop.Sub(att.Exchange.Timing.DNSStart).String())
	fmt.Printf("Connect - %s\n", att.Exchange.Timing.ConnectStop.Sub(att.Exchange.Timing.ConnectStart).String())
	fmt.Printf("First Byte - %s\n", att.Exchange.Timing.FirstByte.Sub(att.Exchange.Timing.InitialStart).String())
	fmt.Printf("Real - %s\n", att.Exchange.Timing.Real.String())
	//fmt.Printf("%#v\n", att)
	//fmt.Printf("%#v\n", att.Exchange.Timing)
	//fmt.Printf("DNS - %s\n", att.Exchange.Timing.DNSStop.Sub(att.Exchange.Timing.DNSStart).String())
	//fmt.Printf("Connect - %s\n", att.Exchange.Timing.ConnectStop.Sub(att.Exchange.Timing.ConnectStart).String())
	//fmt.Printf("First Byte - %s\n", att.Exchange.Timing.FirstByte.Sub(att.Exchange.Timing.InitialStart).String())
	//fmt.Printf("Real - %s\n", att.Exchange.Timing.Real.String())
	err = campaign.RecordAttempt(db, att)
	att, err = s.Do()
	if err != nil {
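Review bot: the error from `err = campaign.RecordAttempt(db, att)` is never checked; the next line `att, err = s.Do()` overwrites it, so a failed database write is dropped silently even though recording every attempt to the database is the behaviour the README leads with. Add `if err != nil { return err }` (or at minimum log it through the new `Logger` field) before calling `s.Do()` again. Separately, rather than commenting out the six debug `fmt.Printf` lines (the `%#v` dumps of `att` and the DNS / Connect / First Byte / Real timings), delete them or move them to the logger at verbose level; commented-out code left in place tends to rot.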