SpearSpray: The Stealthy Tool That Bypasses Lockout Policies in Active Directory

by ddos · December 12, 2025

SpearSpray is an advanced password spraying tool designed specifically for Active Directory environments. It combines user enumeration via LDAP with intelligent pattern-based password generation to perform controlled and stealthy password spraying attacks over Kerberos.

Features

Core Capabilities

LDAP Integration: Direct enumeration of Active Directory users through LDAP queries
Custom LDAP Queries: Define specific queries to target only certain users or groups for spraying
Pattern-Based Password Generation: Flexible templating system for creating targeted password lists
Domain Policy Awareness: Automatic retrieval and respect of domain password policies
Account Lockout Protection: Smart filtering to avoid locking out user accounts
PSO Detection: Identification and handling of users with Password Settings Objects
Kerberos Authentication: Fast and efficient authentication testing via Kerberos pre-authentication
Neo4j Integration: Automatic marking of compromised users as “owned” in Neo4j/BloodHound databases
Real-time Results: Live feedback showing which users are marked as owned during the attack
Attack Summary: Comprehensive results summary with statistics and success rates

Security & Stealth Features

Jitter Support: Configurable delays between authentication attempts
Threshold Management: Automatic filtering of users near lockout thresholds
Multi-threaded: Configurable thread count for performance optimization
Rate Limiting: Control requests per second to prevent overwhelming domain controllers
SSL/LDAPS Support: Secure LDAP connections when required

Advanced Pattern System

Dynamic Variables: Support for user-specific data (name, date of last password change…)
Custom Separators & Suffixes: Flexible password pattern customization
Extra Argument: Integration of company-specific terms.
Interactive Pattern Selection: Dynamic menu system for pattern selection

Attack Results Summary

SpearSpray provides a comprehensive summary at the end of each attack, displaying key statistics and results in an easy-to-read format.

Valid Credentials: Number of users with active, working credentials
Expired Passwords: Number of users with correct but expired passwords (still compromised)
Marked as Owned: Number of users successfully marked in Neo4j (when integration is enabled)
Total Attempts: Total number of authentication attempts made during the attack
Success Rate: Percentage of successful authentications vs total attempts

This summary helps security professionals quickly assess the impact and effectiveness of their password spraying assessment.

Pattern System

SpearSpray uses an advanced pattern system to generate highly targeted and personalized passwords for each user. Unlike generic wordlists, every password attempt is customized based on the user’s specific information retrieved from Active Directory.

Key Innovation: User-Specific Temporal Data

All temporal variables (years, months, seasons) are calculated based on each user’s individual password change date (pwdLastSet attribute), not the current date. This means that if a user changed their password in March 2024, the patterns will generate passwords for that user using March 2024 data. This personalized approach is applied to each user individually based on their own password change timeline, significantly increasing the likelihood of success.

Available Variables

Variable	Description	Example
`{name}`	User’s first name (from displayName)	Eren
`{samaccountname}`	User’s SAM account name	eren.yeager
`{year}`	Year from pwdLastSet (or whenCreated)	2024
`{short_year}`	Last two digits of year	24
`{month_number}`	Month number (zero-padded)	03
`{month_en}`	Month name in English	March
`{month_es}`	Month name in Spanish	Marzo
`{season_en}`	Season in English	Spring
`{season_es}`	Season in Spanish	Primavera
`{extra}`	Extra word provided via `-x` argument	CompanyName
`{separator}`	Custom separator via `-sep` argument	@
`{suffix}`	Custom suffix via `-suf` argument	!