Spray ‘n Pray
Introducing Spray ‘n PraySpray ‘n Pray - Autonomous Password Spraying Tool
Spray ‘n Pray is an automated password spraying tool. With its roots originally in Active Directory, Spray ‘n Pray is a Go Native SPA application that utilizes the go-fiber framework, Vanilla JS, sqlc + SQLite3 and Web Sockets to create an easy to use interface that can be left unattended to perform a scheduled set of password sprays in an environment, externally, or via SOCKS5 Proxy using logically isolated infrastructure.
What Spray ‘n Pray Does
Spray ‘n Pray is capable of spraying the following protocols:
Spray ‘n Pray is capable of notifying a set of recipients for a series of event occurrences:
Compatible Operating Systems
Coming Soon
Getting Started
To use Spray ‘n Pray the user needs to retrieve a copy of the latest binary from the KrakenTech Release and do the following:Run the software
Run the software
On the attacker host, simply ensure the binary is executable and run the file. It is recommended to do so in a screen session. Interruptions will not disrupt the application but will prevent future sprays from occurring until the app is started again.

Access the SPA
Access the SPA
After successfully starting the bin, access it on the web.
- Port: 1337
- Interface: 0.0.0.0

First Time Startup
On initial start up it will generate a SQLite3 database at$HOME/.local/share/spraynpray
It will then attempt to enumerate the domain and any domain controllers in the environment as target hosts.
Domains
Adding a domain
For Active Directory, the domain can be overwritten and confirmed in the activity pane in real-time. The domain field can be left as empty in which case a local authentication spray will be conducted if possible.Hosts
Adding target hosts
Target hosts can be supplied in the Hosts input field, newline delimited.Example
Unresponsive Hosts
Hosts that become unresponsive during the spray attempt will be marked in red below the input field. They will be attempted again during the next spray if they are not removed.Users
Adding Users
Users can be supplied in three different ways

Single Entry
Single Entry
User(s) can be added using the Users Input field. These must either be comma or newline delimited.
File Entry
File Entry
User(s) can also be added using an input file with newline deliimited values.
Modifying Users
A user can be searched using the search field above the users. Once found, they can be deleted but not modified. A deleted user can be re-added again later.
User Statuses
Users can be in one of three different status. A grey indicator means that they have not yet been a part of a spray attempt. Purple indicates that the user was part of a spray and orange indicates they have credentials discovered.
Passwords
Enqueuing Passwords
Passwords can be added similarly to users in that they can be added adhoc, comma or newline delimited or as a file upload. It is recommended to upload users with commas using the single entry or file upload.
Adhoc
Adhoc
List
List
File
File
Removing Passwords
Passwords in the queue can be removed by clicking the on their card.
Executions
The executed list is a historical record of all previous password attempts. Clicking an item of the list will tell you the protocol used, and list an successfully sprayed users for the execution. An execution will appear in orange if it was successful.Reset Run
The reset run button will place all previously executed passwords back into the queue to be sprayed again.Cadence
Cadence represents the valid time frame and number of sprays to run in a given interval. The user can specify what days of the week and the time of day to use when calculating the next scheduled run time. They can also specify how many threads should be used during the execution. The cadence section allows the user to specify minutes, hours and says as interval units and the number of sprays / interval in the Attempts/Interval field.Example
Spray once every 2 hours on Monday, Wednesday and Friday using 10 threads

Safe Mode
Safe mode utilizes the responses from the protocol to determine whether or not the sprayed user’s account is locked out. This is only applicable to some protocols, most of which utilize Active Directory. You can set a maximum threshold of locked out users before the spray is terminated and the run results are converted into an execution. The spray will still track cracked accounts for a prematurely stopped spray. It will indicate the number of users that were successfully sprayed as the total instead of the full count. Any locked out accounts will appear in the activity pane along with a message indicating that the spray was stopped due to the safety threshold.Spray Next Password
In the event that the user would like to run a password spray now, they can hit the Spray Next Password Button to move the execution up to now. This will run a spray and recalculate the next valid run time.Notifications
To support Spray ‘n Pray’s autonomous work, you can configure a sending profile and recipients for even alerts in the Notifications Pane. It is possible to set a mail sending account that utilizes one of the following SMTP services:- Mailgun
- Sendgrid
- Outlook
- Standard SMTP
- StartTLS
- TLS
- ESMTP
- Lockouts - An account was locked out during a spray
- Valid HIts - Successful spray credential discovered
- Unresponsive Hosts - A target host was deemed unresponsive during the spray
Socks5 Proxies
Spray ‘n Pray is capable of proxying password spray attempts through a series of ssh accessible hosts using a socks5 proxy. To do this, simply supply the credentials to the host and its address in the Socks Pane.Not all services can be proxied, currently Kerberos is not yet proxy compatible.
- Password
- Certificate

