# Password Spraying

## Password list creation

Before you begin spraying passwords to the email addresses you may have collated using methods shown in [Email Address Discovery](/offensive-security/external-infrastructure/discovery/email-address-discovery.md). You will need a good quality password list. Here's some things that you can use to create your password list:

* Use <http://weakpasswords.net/>
* Use variations of the organisation name + special characters + the current year

### Cred Master

A password spraying tool that uses FireProx to rotate IP addresses, stay anonymous, and beat throttling. CredMaster is perfect for attempting to login to the following services:

```
OWA - Outlook Web Access
--plugin owa

EWS - Exchange Web Services
--plugin ews

O365 - Office365 - DEPRECATED
plugin removed

ADFS - Active Directory Federation Services
--plugin adfs

O365Enum - Office365 User Enum (No Authentication Request)
--plugin o365enum

MSOL - Microsoft Online
--plugin msol

MSGraph - MSGraph Module, msgraph spray point for azure and MSOL credentials
--plugin msgraph

AzureSSO - Azure AD Seamless SSO Endpoint
--plugin azuresso

AzVault - AzVault Module, Azure spray point different to MSOL/AzureSSO
--plugin azvault

Okta - Okta Authentication Portal
--plugin okta

FortinetVPN - Fortinet VPN Client
--plugin fortinetvpn

HTTPBrute - Generic HTTP Brute Methods (Basic/Digest/NTLM)
--plugin httpbrute

GMailEnum - GSuite/Gmail enumeration
--plugin gmailenum
```

* <https://github.com/knavesec/CredMaster>

`python3 credmaster.py --access_key <a_key> --secret_access_key <sec_key> --plugin msol -u email.txt -p passwords.txt -a useragents.txt -t 5 -j 20 -d 30 --passwordsperdelay 2`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://wiki.pentestlist.com/offensive-security/external-infrastructure/exploitation/password-spraying.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.