Pentest List Wiki
  • What is Pentest List Wiki?
  • OFFENSIVE SECURITY
    • External Infrastructure
      • Discovery
        • Email Address Discovery
        • Subdomain Discovery
        • Data Discovery
        • Port & Service Discovery
      • Exploitation
        • Password Spraying
        • Vulnerability Scanning
    • Internal Infrastructure
      • General Discovery
        • AD Attack Path Discovery
        • Port & Service Discovery
      • Credential Discovery
        • Passwords and NetNTLM
        • SAM & LSA secrets
        • NTDS.dit secrets
        • LSASS secrets
        • DCSync
        • DPAPI secrets
      • Movement
        • Credential Spraying
        • SMB Relaying
        • Pass The Hash
      • Infiltration/Exfiltration
        • Pivoting (Proxying)
    • Web Application
      • Discovery
        • Testing API Keys
        • Vulnerability Scan
        • Web Content Discovery
        • Parameter Discovery
        • VHOST Discovery
        • CMS Scanners
      • Exploitation
        • Authentication
          • Email Address Forms
          • AWS Cognito
        • JSON Web Tokens
        • Injection Attacks
          • SQL Injection
          • Cross-Site Scripting
          • HTTP Headers
      • Bypasses
        • Cloudflare Bypass
        • HTTP 403 Bypass
    • Mobile (iOS/Android)
      • iOS
        • IPA Decryption
        • Filesystem Analysis
        • Static Analysis
    • Cloud
      • AWS
        • Vulnerability Scanners
        • S3 Buckets
      • Azure
        • Vulnerability Scanners
        • m365 & Entra ID
  • DEFENSIVE SECURITY
    • Forged Kerberos Tickets
    • Logon Event Visualisation
Powered by GitBook
On this page
  • Password list creation
  • Cred Master
  1. OFFENSIVE SECURITY
  2. External Infrastructure
  3. Exploitation

Password Spraying

How to password spray.

PreviousExploitationNextVulnerability Scanning

Last updated 11 months ago

Password list creation

Before you begin spraying passwords to the email addresses you may have collated using methods shown in . You will need a good quality password list. Here's some things that you can use to create your password list:

  • Use

  • Use variations of the organisation name + special characters + the current year

Cred Master

A password spraying tool that uses FireProx to rotate IP addresses, stay anonymous, and beat throttling. CredMaster is perfect for attempting to login to the following services:

OWA - Outlook Web Access
--plugin owa

EWS - Exchange Web Services
--plugin ews

O365 - Office365 - DEPRECATED
plugin removed

ADFS - Active Directory Federation Services
--plugin adfs

O365Enum - Office365 User Enum (No Authentication Request)
--plugin o365enum

MSOL - Microsoft Online
--plugin msol

MSGraph - MSGraph Module, msgraph spray point for azure and MSOL credentials
--plugin msgraph

AzureSSO - Azure AD Seamless SSO Endpoint
--plugin azuresso

AzVault - AzVault Module, Azure spray point different to MSOL/AzureSSO
--plugin azvault

Okta - Okta Authentication Portal
--plugin okta

FortinetVPN - Fortinet VPN Client
--plugin fortinetvpn

HTTPBrute - Generic HTTP Brute Methods (Basic/Digest/NTLM)
--plugin httpbrute

GMailEnum - GSuite/Gmail enumeration
--plugin gmailenum

python3 credmaster.py --access_key <a_key> --secret_access_key <sec_key> --plugin msol -u email.txt -p passwords.txt -a useragents.txt -t 5 -j 20 -d 30 --passwordsperdelay 2

Email Address Discovery
http://weakpasswords.net/
https://github.com/knavesec/CredMaster