SpearSpray: The Stealthy Tool That Bypasses Lockout Policies in Active Directory

SpearSpray is an advanced password spraying tool designed specifically for Active Directory environments. It combines user enumeration via LDAP with intelligent pattern-based password generation to perform controlled and stealthy password spraying attacks over Kerberos.

Features

• LDAP Integration: Direct enumeration of Active Directory users through LDAP queries
• Custom LDAP Queries: Define specific queries to target only certain users or groups for spraying
• Pattern-Based Password Generation: Flexible templating system for creating targeted password lists
• Domain Policy Awareness: Automatic retrieval and respect of domain password policies
• Account Lockout Protection: Smart filtering to avoid locking out user accounts
• PSO Detection: Identification and handling of users with Password Settings Objects
• Kerberos Authentication: Fast and efficient authentication testing via Kerberos pre-authentication
• Neo4j Integration: Automatic marking of compromised users as “owned” in Neo4j/BloodHound databases
• Real-time Results: Live feedback showing which users are marked as owned during the attack
• Attack Summary: Comprehensive results summary with statistics and success rates

• Jitter Support: Configurable delays between authentication attempts
• Threshold Management: Automatic filtering of users near lockout thresholds
• Multi-threaded: Configurable thread count for performance optimization
• Rate Limiting: Control requests per second to prevent overwhelming domain controllers
• SSL/LDAPS Support: Secure LDAP connections when required

• Dynamic Variables: Support for user-specific data (name, date of last password change…)
• Custom Separators & Suffixes: Flexible password pattern customization
• Extra Argument: Integration of company-specific terms.
• Interactive Pattern Selection: Dynamic menu system for pattern selection

Attack Results Summary

SpearSpray provides a comprehensive summary at the end of each attack, displaying key statistics and results in an easy-to-read format.

• Valid Credentials: Number of users with active, working credentials
• Expired Passwords: Number of users with correct but expired passwords (still compromised)
• Marked as Owned: Number of users successfully marked in Neo4j (when integration is enabled)
• Total Attempts: Total number of authentication attempts made during the attack
• Success Rate: Percentage of successful authentications vs total attempts

This summary helps security professionals quickly assess the impact and effectiveness of their password spraying assessment.

Pattern System

SpearSpray uses an advanced pattern system to generate highly targeted and personalized passwords for each user. Unlike generic wordlists, every password attempt is customized based on the user’s specific information retrieved from Active Directory.

All temporal variables (years, months, seasons) are calculated based on each user’s individual password change date (pwdLastSet attribute), not the current date. This means that if a user changed their password in March 2024, the patterns will generate passwords for that user using March 2024 data. This personalized approach is applied to each user individually based on their own password change timeline, significantly increasing the likelihood of success.

Note: The conversion mappings for temporal variables (months and seasons) are defined in spearspray/utils/constants.py.

Install & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy