fang0654/401_spraying

GitHub: fang0654/401_spraying

A Python tool for password spraying against 401 endpoints that support Basic/NTLM authentication, with support for custom lockout-policy evasion and timing-based username enumeration.

Stars: 9 | Forks: 7

# 401 Spraying

This is a simple password spraying tool for NTLM endpoints connected to AD. It is designed with lockout policies in mind.

For example, suppose the lockout policy is 5 attempts within 30 minutes. You could use a command like the following:

```
./401_spray.py -u list_of_usernames.txt -p list_of_passwords.txt -d acmecorp.intl -U https://totslegit.acme.com/admin/ntlmauth -a 3 -i 40 --authtype ntlm --threads 10
```

This will spray the list, trying three passwords, and then sleep for 40 minutes.

## Username Enumeration

Some NTLM endpoints are vulnerable to timing-based username enumeration, the best known being on-premises Exchange/OWA. To make use of this, the `--enum` flag can be used to automatically determine a baseline between valid and invalid username responses, and then write all valid usernames to `valid-usernames.txt`. For example, you can run:

```
./401_spray.py -u list_of_usernames_to_test.txt -d acmecorp.intl -U https://totslegit.acme.com/admin/ntlmauth --enum
```

```
usage: 401_spray.py [-h] [-u USERNAMES] [-p PASSWORDS] [-c USERPASS] [-d DOMAIN] -U URL
                    [-a ATTEMPTS] [-i INTERVAL] [--authtype {ntlm,basic}] [--proxy PROXY]
                    [--threads THREADS] [--output OUTPUT] [--add_response] [-v]
                    [--webhook WEBHOOK] [--enum] [--enum-threshold ENUM_THRESHOLD]

options:
  -h, --help            show this help message and exit
  -u, --usernames USERNAMES
                        List of usernames to attack
  -p, --passwords PASSWORDS
                        List of passwords to try
  -c, --userpass USERPASS
                        File containing user/password combinations
  -d, --domain DOMAIN   Domain name to append. If not included, then domains
                        will be assumed to be in username list.
  -U, --url URL         URL to authenticate against
  -a, --attempts ATTEMPTS
                        Number of attempts to try before sleeping. If your
                        lockout policy is 5 attempts per 10 minutes, then set
                        this to like 3
  -i, --interval INTERVAL
                        Number of minutes to sleep between attacks. If your
                        lockout policy is per 10 minutes, set this to like 11
  --authtype {ntlm,basic}
                        Authentication type - basic or ntlm. Note: You can't
                        use a proxy with NTLM
  --proxy PROXY         Proxy server to route traffic through
  --threads THREADS     Number of threads
  --output OUTPUT       File to write successful pairs to
  --add_response        Add response times to output
  -v, --verbose         Enable verbose output
  --webhook WEBHOOK     Discord webhook URL for notifications
  --enum                Username enumeration mode (timing attack)
  --enum-threshold ENUM_THRESHOLD
                        Timing threshold in ms for username enumeration
                        (default: 500)
```
Tags: 401 authentication, Active Directory, AD attacks, HTTP Basic authentication, NTLM authentication, Plaso, PoC, Python, password spraying, data display, no backdoor, brute force, user enumeration, red team, network authentication, account lockout policy, reverse engineering tools