Crimson-Spray


Crimson-Spray is a lockout-aware password sprayer for Active Directory testing. The goal of this tool is to allow password spraying without locking out end-user accounts. Most tools allow throttling, but this tool aims to make locking out accounts less of an issue.

Safeguard Features:

  • Each user has its own thread. A single lockout will not prevent other users' attempts from proceeding with their guesses, nor will it affect the order in which passwords are guessed.
  • Once a password has been confirmed as working, attempts for that user cease.
  • If an account is detected to be locked out, crimson-spray waits the duration of the lockout period plus an additional minute.

crimson-spray -u ".\testcase\users.txt" -p ".\testcase\passwords.txt" -d "attack.local" -t "10.255.0.2" -a 10 -l 5 -r 15 -v 1

This command will run 9 password attempts, then wait 6 minutes before trying another 9 attempts. If an account is detected to be locked out, it will wait 16 minutes before trying more passwords. With -v 1 it will only show success messages.
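As an added example (not part of Crimson-Spray), the defender's counterpart to the behaviour above: detection logic run over constructed sample 4625 logon-failure lines that counts distinct accounts per source address, because a sprayer tuned to the -a and -l values never trips the per-account lockout counter. The policy values from net accounts /domain map directly onto the detector's lockout_threshold and window parameters; the event format and addresses are constructed for the example.

```python
# Added example, not part of Crimson-Spray: a detector for the spray pattern
# described above. A lockout-aware sprayer keeps every account below the
# lockout threshold per observation window, so the detector pivots on source.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4625 (logon failure) events, reduced
# to the fields a SIEM normalises: timestamp, target user, source address.
SAMPLE_4625 = """\
2024-05-01T09:00:00 EventID=4625 TargetUserName=svc_backup IpAddress=10.255.0.50
2024-05-01T09:00:01 EventID=4625 TargetUserName=svc_sql IpAddress=10.255.0.50
2024-05-01T09:00:02 EventID=4625 TargetUserName=svc_web IpAddress=10.255.0.50
2024-05-01T09:00:30 EventID=4625 TargetUserName=svc_backup IpAddress=10.255.0.50
2024-05-01T09:00:31 EventID=4625 TargetUserName=svc_sql IpAddress=10.255.0.50
2024-05-01T09:00:32 EventID=4625 TargetUserName=svc_web IpAddress=10.255.0.50
2024-05-01T09:02:00 EventID=4625 TargetUserName=alice IpAddress=10.255.0.77
"""

def parse_4625(text):
    """Parse the simplified key=value lines into (timestamp, user, source)."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        kv = dict(f.split("=", 1) for f in fields[1:])
        events.append((datetime.fromisoformat(fields[0]),
                       kv["TargetUserName"], kv["IpAddress"]))
    return events

def detect_spray(events, window_minutes, lockout_threshold, min_accounts=3):
    """One alert per source that failed logons against >= min_accounts
    distinct users inside a sliding window of window_minutes (-l above).
    lockout_aware is True when no account reached lockout_threshold (-a)."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, user, src in sorted(events):
        by_src[src].append((ts, user))
    alerts = []
    for src, evs in by_src.items():
        for i, (start, _) in enumerate(evs):
            in_win = [(t, u) for t, u in evs[i:] if t - start <= window]
            users = {u for _, u in in_win}
            if len(users) < min_accounts:
                continue
            worst = max(sum(1 for _, u in in_win if u == x) for x in users)
            alerts.append({"source": src, "accounts": len(users),
                           "max_failures_per_account": worst,
                           "lockout_aware": worst < lockout_threshold})
            break  # one alert per source is enough
    return alerts
```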

--help output

usage: crimson-spray [-h|--help] -u|--username-file "<value>"
                     -p|--password-file "<value>" -d|--domain "<value>"
                     -t|--target "<value>" -a|--Lockout-Attempt-Threshold
                     <integer> -l|--Lockout-Attempt-Threshold-Timer <integer>
                     -r|--Lockout-Timer <integer> [--bypass-wait] [--no-stats]
                     [-v|--verbose <integer>] [-o|--logfile "<value>"]
                     [--no-console] [-T|--max-threads <integer>]

                     (v.0.2.0) A lockout aware password sprayer for Active
                     Directory. Please enter the raw net accounts /domain
                     variables for best results. It is also advisable to use
                     this against service accounts.

Arguments:

  -h  --help                             Print help information
  -u  --username-file                    (Required) File of users separated by
                                         newlines
  -p  --password-file                    (Required) File of passwords seperated
                                         by newlines. A good wordlist generator
                                         can be found at
                                         https://weakpass.com/generate
  -d  --domain                           (Required) Domain of user
  -t  --target                           (Required) IP or Hostname of target to
                                         authenticate against
  -a  --Lockout-Attempt-Threshold        (Required) Number of passwords
                                         attempts before lockout. Attempts will
                                         not exceed this amount - 1.
  -l  --Lockout-Attempt-Threshold-Timer  (Required) Duration of time in minutes
                                         for the threshold timer to elapse. An
                                         addition minute is added
  -r  --Lockout-Timer                    (Required) Duration of time in minutes
                                         for an locked out account to become
                                         unlocked. If account lockout is
                                         detected, program will wait this time
                                         + 1 minute.

      --bypass-wait                      Bypass initial lock threshold reset
                                         period
      --no-stats                         Suppress stats banner. Default: false
  -v  --verbose                          0 - Reserved | 1 - Success Messages |
                                         2 - Lockout , Pause , and Success
                                         Messages | 3 - Attempts, Pause,
                                         Lockout and Success Messages | 4 -
                                         Debug Messages. Default: 2
  -o  --logfile                          If defined, output log to file.
                                         Default:
      --no-console                       No console output
  -T  --max-threads                      Max number threads to user. 1 per
                                         user. Default is the user list length.
                                         0 is unlimited. Default: 0

Considerations before running

  • Although the command net accounts /domain will show you the lockout policy in the current context, the domain may have separate policies for different user groups and you may end up locking out accounts. Default verbosity is set to show when lockouts occur.
  • Ensure there are no duplicates in the username list. Duplicates will cause a lockout, as those users are run twice.
  • Don't run rockyou.txt or any other giant wordlist. It will just increase the run time considerably. This is a tool for weak passwords that could be easily guessed. Check out https://weakpass.com/generate for good password generation.
  • At the moment, this tool does not limit how many users it works on at once. Try to limit your user list to only service accounts, high-value targets, or handpicked users.
  • Consider the password policy and don't include passwords that don't meet the required length or complexity. This might be set independently for certain groups.
  • If running in a non-interactive session, consider using --no-console and --logfile <file> to output to a file.

Installation instructions

Install instructions:

go get github.com/ILightThings/crimson-spray

Linux:

~/go/bin/crimson-spray

Windows:

%USERPATH%/go/bin/crimson-spray

Alternatively, add the GOPATH/bin to your env:PATH variable.

Todo:

  • Add a pause and resume feature.
  • Add a lockout check before every attempt (will need working creds)
  • Add LDAP as a protocol method
  • Add estimated timer completion
  • Add Jitter option
  • Add a default flag to wait lockout threshold before beginning
  • Add different attack modes
  • Add an option for max concurrent users
  • Add a pre-Spray Stats display
  • Add found_users.txt file for output
  • Verbose Levels
  • Add a message for account password expiry
  • Check for duplicates in passwordlist and username list
  • Add Output to file
  • Trim whitespace
  • Spray across multiple IPs