Password Attackspassword sprayinglyncs4bowao365atomizerspindrift

SprayingToolkit

A set of Python scripts for efficient password spraying attacks against Lync/S4B, OWA, and O365. Includes tools like atomizer for spraying and spindrift for username generation.

Description

SprayingToolkit provides scripts to perform password spraying attacks against Lync/S4B, OWA, and O365 services. Password spraying involves attempting a single password against many usernames to avoid account lockouts, making it quicker and less detectable than brute-force attacks.

The toolkit includes atomizer for direct spraying over Lync, OWA, or IMAP protocols, spindrift for generating username lists from names, and other utilities like aerosol, vaporizer, and core modules located in /usr/share/sprayingtoolkit. It supports various input formats including user files, password lists, and CSV files.

Use cases include red team assessments targeting Microsoft services where common passwords are suspected across many accounts. It integrates notifications via gchat or slack and offers recon mode for information gathering without spraying.

How It Works

Atomizer handles spraying by connecting to target domains over protocols for Lync/S4B (likely SIP/HTTPS), OWA (HTTPS), or IMAP (port 993 by default), using multiple threads (default 3) to test passwords against usernames. It supports single passwords, password files with intervals to evade detection, CSV inputs, or user-as-pass spraying. Spindrift generates usernames from name lists by appending domains or formatting (default {f}{last}). Scripts leverage Python libraries like requests-ntlm for NTLM auth, imapclient for IMAP, and boto3 for potential cloud integrations.

Installation

bash

sudo apt install sprayingtoolkit

Flags

--targetPort PORTtarget port of the IMAP server (IMAP only) [default: 993]

--threads THREADSnumber of concurrent threads to use [default: 3]

--debugenable debug output

--interval TIMEspray at the specified interval [format: "H:M:S"]

--gchat URLGChat webhook URL for notifications

--slack URLSlack webhook URL for notifications

--csvfile CSVFILEcsv file containing usernames and passwords

--user-row-name NAMEname of the user column in CSV

--pass-row-name NAMEname of the password column in CSV

--user-as-pass USERFILEuse usernames as passwords from userfile

--recononly collect info, don't password spray

--target TARGEToptional domain or url to retrieve the internal domain name from OWA (spindrift)

--domain DOMAINmanually specify the domain to append to each username (spindrift)

--format FORMATusername format [default: {f}{last}] (spindrift)

Examples

Spray a single password against usernames from userfile on target

atomizer (lync|owa|imap) <target> <password> <userfile>

Spray passwords from file against userfile at specified interval

atomizer (lync|owa|imap) <target> <passwordfile> <userfile> --interval <TIME>

Spray using usernames and passwords from CSV file

atomizer (lync|owa|imap) <target> --csvfile CSVFILE

Spray usernames as passwords from userfile

atomizer (lync|owa|imap) <target> --user-as-pass USERFILE

Recon mode: collect info without spraying passwords

atomizer (lync|owa|imap) <target> --recon

Spray on Lync target with 5 threads and debug output

atomizer lync example.com password users.txt --threads 5 --debug

Generate usernames from names.txt appending corp.local with first initial + last name format

spindrift names.txt --domain corp.local --format {f}{last}

Spray OWA every 10 seconds with Slack notifications

atomizer owa target.com passfile.txt userfile.txt --interval 00:00:10 --slack https://hooks.slack.com/...

Updated 2026-04-16kali.org ↗