> ## Documentation Index
> Fetch the complete documentation index at: https://wiki.krkn.tech/llms.txt
> Use this file to discover all available pages before exploring further.

# Spray-n-Pray

> Autonomous Password Sprayer

# Spray 'n Pray

Introducing Spray 'n Pray

# Spray 'n Pray - Autonomous Password Spraying Tool

Spray 'n Pray is an automated password spraying tool. With its roots originally in Active Directory, Spray 'n Pray is a **Go Native SPA** application that utilizes the **go-fiber framework**, **Vanilla JS**, **sqlc + SQLite3** and **Web Sockets** to create an easy to use interface that can be left unattended to perform a scheduled set of password sprays in an environment, externally, or via **SOCKS5 Proxy** using logically isolated infrastructure.

<img src="https://mintcdn.com/krakentechllc/WBaxY_43Xic0hWqI/images/spray-n-pray-nobg.png?fit=max&auto=format&n=WBaxY_43Xic0hWqI&q=85&s=cff3428a4ff50c1ad8f1c16dd33549b1" alt="Spray N Pray Nobg" width="400" height="400" data-path="images/spray-n-pray-nobg.png" />

# What Spray 'n Pray Does

Spray 'n Pray is capable of spraying the following protocols:

| Protocol      | Socks Proxyable       | Safe Mode Compatible  | Notes                   |
| ------------- | --------------------- | --------------------- | ----------------------- |
| ADWS          | <Icon icon="check" /> | <Icon icon="check" /> |                         |
| FTP           | <Icon icon="check" /> | <Icon icon="x" />     |                         |
| HTTP          | <Icon icon="check" /> | <Icon icon="x" />     |                         |
| HTTPS         | <Icon icon="check" /> | <Icon icon="x" />     |                         |
| KERBEROS (v5) | <Icon icon="x" />     | <Icon icon="check" /> |                         |
| LDAP          | <Icon icon="check" /> | <Icon icon="check" /> |                         |
| LDAPS         | <Icon icon="check" /> | <Icon icon="check" /> |                         |
| MSSQL         | <Icon icon="check" /> | <Icon icon="check" /> |                         |
| RDP           | <Icon icon="check" /> | <Icon icon="x" />     |                         |
| SMB (v1,2,3)  | <Icon icon="check" /> | <Icon icon="check" /> | Auto Negotiates Version |
| SSH           | <Icon icon="check" /> | <Icon icon="x" />     |                         |
| OWA           | <Icon icon="check" /> | <Icon icon="check" /> | Not Yet Implemented     |

Spray 'n Pray is capable of notifying a set of recipients for a series of event occurrences:

| Type       | Description                           | Notes                               |
| ---------- | ------------------------------------- | ----------------------------------- |
| Lockout    | When an account is locked out         | Safe Mode Compatible Protocols Only |
| Threshold  | When a lockout threshold is met       | Safe Mode Compatible Protocols Only |
| Valid HIts | When a valid credential is discovered | N/A                                 |

# Compatible Operating Systems

## Coming Soon

# Getting Started

To use Spray 'n Pray the user needs to retrieve a copy of the latest binary from the KrakenTech [Release](https://hub.krkn.tech/KrakenTech/spray-n-pray-support) and do the following:

<AccordionGroup>
  <Accordion title="Run the software">
    On the attacker host, simply ensure the binary is executable and run the file. It is recommended to do so in a screen session. Interruptions will not disrupt the application but will prevent future sprays from occurring until the app is started again.

    <Frame>
      <img src="https://mintcdn.com/krakentechllc/WBaxY_43Xic0hWqI/images/image-64.png?fit=max&auto=format&n=WBaxY_43Xic0hWqI&q=85&s=7745c75f68245aff5fb06928586cb259" alt="Image" width="1174" height="626" data-path="images/image-64.png" />
    </Frame>
  </Accordion>

  <Accordion title="Access the SPA">
    After successfully starting the bin, access it on the web.

    * Port: 1337
    * Interface: 0.0.0.0
          <Frame>
            <img src="https://mintcdn.com/krakentechllc/WBaxY_43Xic0hWqI/images/image-63.png?fit=max&auto=format&n=WBaxY_43Xic0hWqI&q=85&s=c34b56f3bc7f6db3af93d0abd09b96e0" alt="Image" width="3930" height="2250" data-path="images/image-63.png" />
          </Frame>
  </Accordion>
</AccordionGroup>

# First Time Startup

On initial start up it will generate a SQLite3 database at `$HOME/.local/share/spraynpray`

It will then attempt to enumerate the domain and any domain controllers in the environment as target hosts.

## Domains

### Adding a domain

For Active Directory, the domain can be overwritten and confirmed in the activity pane in real-time.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-65.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=455796b8d7c1c2c3201f46b80afb82b5" alt="Image" width="596" height="222" data-path="images/image-65.png" />
</Frame>

The domain field can be left as empty in which case a local authentication spray will be conducted if possible.

## Hosts

### Adding target hosts

Target hosts can be supplied in the Hosts input field, newline delimited.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-66.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=f220c4d7135909a8e77bf5f450cec6fb" alt="Image" width="610" height="516" data-path="images/image-66.png" />
</Frame>

#### Example

```text theme={null}
10.3.10.10
10.3.10.11
dc1.sevenkingdoms.local
```

### Unresponsive Hosts

Hosts that become unresponsive during the spray attempt will be marked in red below the input field. They will be attempted again during the next spray if they are not removed.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/l5e3nuOB7YhOUQA7/images/image-78.png?fit=max&auto=format&n=l5e3nuOB7YhOUQA7&q=85&s=f5fe0f33d8b490e36a9e5c9f08ffcd2a" alt="Image" width="628" height="518" data-path="images/image-78.png" />
</Frame>

## Users

### Adding Users

#### Users can be supplied in three different ways

<Frame>
  <img src="https://mintcdn.com/krakentechllc/WBaxY_43Xic0hWqI/images/image-59.png?fit=max&auto=format&n=WBaxY_43Xic0hWqI&q=85&s=60a94fa6d643ca46dcc76b1493da3d38" alt="Image" width="610" height="498" data-path="images/image-59.png" />
</Frame>

<AccordionGroup>
  <Accordion title="Single Entry">
    User(s) can be added using the Users Input field. These must either be comma or newline delimited.

    ```text theme={null}
    s.smith, b.smith, c.smith
    ```

    ```text theme={null}
    a.smith
    s.smith
    b.smith
    ```

    <Tip>
      Users should be added in sAMAccountName format, the domain will be appended as necessary.
    </Tip>
  </Accordion>

  <Accordion title="File Entry">
    User(s) can also be added using an input file with newline deliimited values.

    ```text theme={null}
    // Users.txt
    a.smith
    b.smith
    c.smith
    ```

    <Tip>
      Spray 'n Pray already handles de-duplication of users
    </Tip>
  </Accordion>
</AccordionGroup>

### Modifying Users

A user can be searched using the search field above the users. Once found, they can be deleted but not modified. A deleted user can be re-added again later.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/WBaxY_43Xic0hWqI/images/image-61.png?fit=max&auto=format&n=WBaxY_43Xic0hWqI&q=85&s=6c00fbd15fd95b53349f62445c5a59da" alt="Image" width="768" height="200" data-path="images/image-61.png" />
</Frame>

### User Statuses

Users can be in one of three different status. A grey indicator means that they have not yet been a part of a spray attempt. Purple indicates that the user was part of a spray and orange indicates they have credentials discovered.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-67.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=142bf7580f7b242ae721bb2e791ab0f5" alt="Image" width="578" height="978" data-path="images/image-67.png" />
</Frame>

## Passwords

### Enqueuing Passwords

Passwords can be added similarly to users in that they can be added adhoc, comma or newline delimited or as a file upload. It is recommended to upload users with commas using the single entry or file upload.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/WBaxY_43Xic0hWqI/images/image-58.png?fit=max&auto=format&n=WBaxY_43Xic0hWqI&q=85&s=af8371a1b4ad2372fc276ae42d9e2221" alt="Image" width="680" height="656" data-path="images/image-58.png" />
</Frame>

<AccordionGroup>
  <Accordion title="Adhoc">
    ```text theme={null}
    Password123!
    ```
  </Accordion>

  <Accordion title="List">
    ```text theme={null}
    Password123!,Password2,Welcome01
    ```

    ```text theme={null}
    Password123!
    Password2
    Welcome01
    ```
  </Accordion>

  <Accordion title="File">
    ```text theme={null}
    // Passwords.txt
    Password123!
    Password2
    Welcome01
    ```
  </Accordion>
</AccordionGroup>

## Removing Passwords

Passwords in the queue can be removed by clicking the <Icon icon="x" /> on their card.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/WBaxY_43Xic0hWqI/images/image-62.png?fit=max&auto=format&n=WBaxY_43Xic0hWqI&q=85&s=1444cdcd906380b6061c419c99d26d44" alt="Image" width="820" height="86" data-path="images/image-62.png" />
</Frame>

## Executions

The executed list is a historical record of all previous password attempts. Clicking an item of the list will tell you the protocol used, and list an successfully sprayed users for the execution. An execution will appear in orange if it was successful.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-68.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=2a702987525b4d88a9aab67d607b4d9c" alt="Image" width="674" height="488" data-path="images/image-68.png" />
</Frame>

## Reset Run

The reset run button will place all previously executed passwords back into the queue to be sprayed again.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-69.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=44a217c8f2e74754b7ccc8df387ddbd6" alt="Image" width="1398" height="864" data-path="images/image-69.png" />
</Frame>

## Cadence

Cadence represents the valid time frame and number of sprays to run in a given interval.

The user can specify what days of the week and the time of day to use when calculating the next scheduled run time.  They can also specify how many threads should be used during the execution.

The cadence section allows the user to specify minutes, hours and says as interval units and the number of sprays / interval in the Attempts/Interval field.

### Example

Spray once every 2 hours on Monday, Wednesday and Friday using 10 threads

<Frame>
  <img src="https://mintcdn.com/krakentechllc/WBaxY_43Xic0hWqI/images/image-56.png?fit=max&auto=format&n=WBaxY_43Xic0hWqI&q=85&s=e1640e9f05ac7182f2d2d5d66ccff99c" alt="Image" width="1736" height="676" data-path="images/image-56.png" />
</Frame>

<Frame>
  <img src="https://mintcdn.com/krakentechllc/WBaxY_43Xic0hWqI/images/image-57.png?fit=max&auto=format&n=WBaxY_43Xic0hWqI&q=85&s=327f5d91bbf97d01cec6882210a93068" alt="Image" width="1092" height="434" data-path="images/image-57.png" />
</Frame>

## Safe Mode

Safe mode utilizes the responses from the protocol to determine whether or not the sprayed user's account is locked out. This is only applicable to some protocols, most of which utilize Active Directory. You can set a maximum threshold of locked out users before the spray is terminated and the run results are converted into an execution.

The spray will still track cracked accounts for a prematurely stopped spray. It will indicate the number of users that were successfully sprayed as the total instead of the full count.

Any locked out accounts will appear in the activity pane along with a message indicating that the spray was stopped due to the safety threshold.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-70.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=985020b971aedca9b9a001f91384b6cd" alt="Image" width="704" height="132" data-path="images/image-70.png" />
</Frame>

## Spray Next Password

In the event that the user would like to run a password spray now, they can hit the Spray Next Password Button to move the execution up to now. This will run a spray and recalculate the next valid run time.

<Tip>
  It is best to ensure the Cadence is correct before hitting the Spray Next Password button.
</Tip>

# Notifications

To support Spray 'n Pray's autonomous work, you can configure a sending profile and recipients for even alerts in the Notifications Pane. It is possible to set a mail sending account that utilizes one of the following SMTP services:

* Mailgun
* Sendgrid
* Outlook
* Standard SMTP
  * StartTLS
  * TLS
  * ESMTP

A list of recipients can be added, and a test email can be sent to these inboxes using the button on their card.

You can specify the types of events that should be sent to these recipients using the checkboxes. The event types are:

* Lockouts - An account was locked out during a spray
* Valid HIts - Successful spray credential discovered
* Unresponsive Hosts - A target host was deemed unresponsive during the spray <br />

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-75.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=45879b821424fe909917cf5d73fdeffb" alt="Image" width="1278" height="1474" data-path="images/image-75.png" />
</Frame>

Once notifications have been configured, the notifications button will appear as green.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-74.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=1e8ac54e5597d401300a3dc0d74dea87" alt="Image" width="974" height="120" data-path="images/image-74.png" />
</Frame>

### Sample Email

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-76.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=6365b96e655d0c7a0232dfe0f2181ea7" alt="Image" width="1160" height="322" data-path="images/image-76.png" />
</Frame>

# Socks5 Proxies

Spray 'n Pray is capable of proxying password spray attempts through a series of ssh accessible hosts using a socks5 proxy. To do this, simply supply the credentials to the host and its address in the Socks Pane.

<Note>
  Not all services can be proxied, currently Kerberos is not yet proxy compatible.
</Note>

Proxies can be configured with the following authentication methods:

* Password
* Certificate

Once you have configured the hosts, enable proxy mode in the pane before closing it.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-72.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=95517ba36b625adcdde180dbc662569b" alt="Image" width="1292" height="1388" data-path="images/image-72.png" />
</Frame>

Once proxies have been configured and the proxy is enabled, the proxy button will appear in green.

<Frame>
  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-73.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=885d49a159bfea5ac578256a8f171dfe" alt="Image" width="932" height="108" data-path="images/image-73.png" />
</Frame>

<Frame>
  Sample Proxy Traffic

  <img src="https://mintcdn.com/krakentechllc/yacVzsppAizdaBAc/images/image-77.png?fit=max&auto=format&n=yacVzsppAizdaBAc&q=85&s=385db44c839fd7c1dbcb0af5624837c9" alt="Image" width="3138" height="1870" data-path="images/image-77.png" />
</Frame>
