Password Attackspassword sprayingactive directorybloodhoundldapneo4j

SprayHound

SprayHound is a Python library for safely password spraying in Active Directory. It sets pwned users as owned in Bloodhound and detects paths to Domain Admins.

Description

SprayHound is designed for password spraying attacks against Active Directory environments. It enables testers to attempt common passwords across multiple user accounts while minimizing account lockouts through safety mechanisms like thresholds. Integration with Bloodhound allows automatic marking of compromised users as owned and identification of privilege escalation paths to Domain Admins.

Use cases include penetration testing of AD infrastructures, red team operations targeting weak password policies, and auditing for default or seasonal passwords like 'Winter202'. The tool supports single usernames, user lists, and common patterns such as username as password in lower or upper case.

It relies on LDAP for AD queries and authentication attempts, and Neo4j for Bloodhound database interactions, making it suitable for environments with pre-existing Bloodhound data collection.

How It Works

SprayHound connects to Active Directory via LDAP to query user accounts and perform password spraying attempts, respecting lockout thresholds to avoid disabling accounts. Successful logins are recorded, and compromised users are updated in a Bloodhound Neo4j database as 'owned'. It then analyzes the graph to detect shortest paths from owned users to Domain Admins using Bloodhound's pathfinding capabilities. Options like --unsafe allow spraying on nearly locked accounts, and defaults handle common Neo4j setups.

Installation

bash

sudo apt install sprayhound

Flags

-h, --helpshow this help message and exit

--unsafeEnable login tries on almost locked out accounts

--forceDo not prompt for user confirmation

--nocolorDo not use color for output

-vVerbosity level (-v or -vv)

-u, --username USERNAMEUsername

-U, --userfile USERFILEFile containing username list

-p, --password PASSWORDPassword

--lowerUser as pass with lowercase password

--upperUser as pass with uppercase password

-t THRESHOLDThreshold for spraying attempts

-dc, --domain-controller DOMAIN_CONTROLLERDomain controller

-d, --domain DOMAINDomain FQDN

-lP, --ldap-port LDAP_PORTLDAP Port

-lu, --ldap-user LDAP_USERLDAP User

-lp, --ldap-pass LDAP_PASSLDAP password

-lsslUse SSL for LDAP

-lpage LDAP_PAGE_SIZELDAP page size

-nh, --neo4j-host NEO4J_HOSTNeo4J Host (Default: 127.0.0.1)

-nP, --neo4j-port NEO4J_PORTNeo4J Port (Default: 7687)

-nu, --neo4j-user NEO4J_USERNeo4J user (Default: neo4j)

-np, --neo4j-pass NEO4J_PASSNeo4J password (Default: neo4j)

Examples

Password sprays 'Winter202' against users in the adsec.local domain

sprayhound -d adsec.local -p Winter202

Password sprays using a user list from userlist.txt against adsec.local domain

sprayhound -U userlist.txt -d adsec.local

Attempts to spray a single username 'testuser' with password 'Password123' against example.com

sprayhound -u testuser -p Password123 -d example.com

Sprays lowercase username-as-password against users in users.txt for corp.local

sprayhound -U users.txt --lower -d corp.local

Sprays uppercase username-as-password against userlist targeting specific domain controller

sprayhound -U targets.txt --upper -dc dc01.corp.local

Sprays 'Summer2024' with a threshold of 5 attempts per account in adsec.local

sprayhound -d adsec.local -p Summer2024 -t 5

Unsafe spraying on a user list with custom Neo4j host

sprayhound -U list.txt -p pass123 --unsafe -nh 10.0.0.5

Updated 2026-04-16kali.org ↗