Password Attackspassword sprayingactive directorysmbowalynccisco vpn

spray

Password Spraying tool for Active Directory Credentials. Sprays passwords against targets over time using password policy input to avoid account lockouts.

Description

Spray is a password spraying tool designed for Active Directory credentials. It targets services like SMB, OWA, Lync, and Cisco Web VPN by attempting passwords over a controlled period, requiring password policy details such as attempts per lockout period and lockout duration in minutes to prevent account lockouts.

The tool includes hand-crafted password files for multiple languages, derived from common Active Directory passwords that meet complexity requirements (1 upper, 1 lower, 1 digit). These files support spraying against various authentication portals and services.

Additional features allow updating password lists to the current year and generating username lists from common first and last names using customizable formats.

How It Works

Spray operates by distributing password attempts across a lockout period based on provided policy inputs (attempts per lockout, lockout minutes). For SMB, it uses smbclient to authenticate against domain targets. OWA spraying requires a custom POST request file with placeholders for username and password. Lync targets autodiscover or auth header URLs with email lists. Cisco VPN sprays against portal URLs. Password updates append current year; user generation combines name lists with format strings.

Installation

bash

sudo apt install spray

Flags

-smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <Domain>Password spray SMB target

-owa <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <RequestFile>Password spray OWA portal using POST request file

-lync <lyncDiscoverOrAutodiscoverUrl> <emailAddressList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>Password spray Lync service

-cisco <targetURL> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>Password spray Cisco Web VPN

-passupdate <passwordList>Update password list to current year

-passupdate <passwordList> <CompanyName>Update password list to current year and add company name

-genusers <firstnames> <lastnames> "<<fi><li><fn><ln>>"Generate username list from first and last names

Examples

Password spray SMB target

spray -smb 192.168.0.1 users.txt passwords.txt 1 35 CORPORATION

Password spray OWA portal

spray -owa 192.168.0.1 usernames.txt passwords.txt 1 35 post-request.txt

Password spray Lync using discover URL

spray -lync https://lyncdiscover.company.com/ emails.txt passwords.txt 1 35

Password spray Lync using autodiscover service URL

spray -lync https://lyncweb.company.com/Autodiscover/AutodiscoverService.svc/root/oauth/user emails.txt passwords.txt 1 35

Password spray Cisco Web VPN

spray -cisco 192.168.0.1 usernames.txt passwords.txt 1 35

Update password list to current year

spray -passupdate passwords.txt

Update password list with company name

spray -passupdate passwords.txt Company

Generate usernames as first initial + last name

spray -genusers english-first-1000.txt english-last-1000.txt "<fi><ln>"

Updated 2026-04-16kali.org ↗