
spray

Password Spraying tool for Active Directory Credentials. Sprays passwords against targets over time using password policy input to avoid account lockouts.

Description

Spray is a password spraying tool designed for Active Directory credentials. It targets services like SMB, OWA, Lync, and Cisco Web VPN by attempting passwords over a controlled period, requiring password policy details such as attempts per lockout period and lockout duration in minutes to prevent account lockouts.

The tool includes hand-crafted password files for multiple languages, derived from common Active Directory passwords that meet complexity requirements (1 upper, 1 lower, 1 digit). These files support spraying against various authentication portals and services.

Additional features allow updating password lists to the current year and generating username lists from common first and last names using customizable formats.

How It Works

Spray operates by distributing password attempts across a lockout period based on provided policy inputs (attempts per lockout, lockout minutes). For SMB, it uses smbclient to authenticate against domain targets. OWA spraying requires a custom POST request file with placeholders for username and password. Lync targets autodiscover or auth header URLs with email lists. Cisco VPN sprays against portal URLs. Password updates append current year; user generation combines name lists with format strings.
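Because the attempts are paced to stay under the lockout policy, per-account lockout counters never trip; on the defending side the signal is one source failing against many distinct accounts inside a window. The following is an added example, not part of spray or of the original page; the record format, addresses, account names and thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed failed-logon records (timestamp, source, username); not real data."""
    t0 = datetime(2024, 1, 8, 9, 0)
    events = []
    # Source .50: two rounds 35 minutes apart, one attempt per account per round.
    for rnd in range(2):
        for i in range(12):
            ts = t0 + timedelta(minutes=35 * rnd, seconds=5 * i)
            events.append((ts, "10.0.0.50", f"user{i:02d}"))
    # Source .77: one person mistyping their own password three times.
    events += [(t0 + timedelta(minutes=i), "10.0.0.77", "alice") for i in range(3)]
    # Source .99: many guesses against a single account (brute force, not a spray).
    events += [(t0 + timedelta(seconds=10 * i), "10.0.0.99", "svc_backup") for i in range(40)]
    return events

def detect_spray(events, window_min=60, min_users=10, lockout_threshold=5):
    """Flag sources that fail against many accounts while each account stays
    below the lockout threshold inside a sliding time window."""
    window = timedelta(minutes=window_min)
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        start, counts = 0, defaultdict(int)
        for ts, user in rows:
            counts[user] += 1
            # Drop failures that have aged out of the window.
            while ts - rows[start][0] > window:
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(counts.values())
            if len(counts) >= min_users and peak < lockout_threshold:
                f = findings.setdefault(src, {"users": 0, "peak_per_user": 0})
                f["users"] = max(f["users"], len(counts))
                f["peak_per_user"] = max(f["peak_per_user"], peak)
    return findings

if __name__ == "__main__":
    for src, f in detect_spray(constructed_events()).items():
        print(src, f)
```

Set `lockout_threshold` and `window_min` from the domain's own lockout policy; a window shorter than the gap between rounds still flags the source, since each round touches every account once.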

Installation

sudo apt install spray

Flags

-smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <Domain>
    Password spray SMB target
-owa <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <RequestFile>
    Password spray OWA portal using POST request file
-lync <lyncDiscoverOrAutodiscoverUrl> <emailAddressList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>
    Password spray Lync service
-cisco <targetURL> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>
    Password spray Cisco Web VPN
-passupdate <passwordList>
    Update password list to current year
-passupdate <passwordList> <CompanyName>
    Update password list to current year and add company name
-genusers <firstnames> <lastnames> "<<fi><li><fn><ln>>"
    Generate username list from first and last names

Examples

Password spray SMB target
spray -smb 192.168.0.1 users.txt passwords.txt 1 35 CORPORATION
Password spray OWA portal
spray -owa 192.168.0.1 usernames.txt passwords.txt 1 35 post-request.txt
Password spray Lync using discover URL
spray -lync https://lyncdiscover.company.com/ emails.txt passwords.txt 1 35
Password spray Lync using autodiscover service URL
spray -lync https://lyncweb.company.com/Autodiscover/AutodiscoverService.svc/root/oauth/user emails.txt passwords.txt 1 35
Password spray Cisco Web VPN
spray -cisco 192.168.0.1 usernames.txt passwords.txt 1 35
Update password list to current year
spray -passupdate passwords.txt
Update password list with company name
spray -passupdate passwords.txt Company
Generate usernames as first initial + last name
spray -genusers english-first-1000.txt english-last-1000.txt "<fi><ln>"
Updated 2026-04-16 (source: kali.org)