Password spraying script and helper for creating password lists.
The Python script uses configurable parameters to extract complex passwords from a password list such as rockyou.txt. It then analyzes the Damerau-Levenshtein distance between that password and a list of common passwords (the text file in this repository is the top 20 most common rockyou passwords that could be easily modified to be a complex password, i.e., not the ones that are all digits). The script is configurable for the maximum distance to keep a password, with a default of 4, and will output results to a CSV file.
The PowerShell script loops through usernames and passwords and attempts to authenticate with them against various Microsoft Exchange web-based services. The script supports pausing after a specified lockout count for a specified period to prevent account lockouts.
PowerSniper supports password spraying against the following services at this time:
Outlook Web Access
Outlook Anywhere
ActiveSync
Microsoft Online
SMB
WMI
PowerEnum is a tool that performs account enumeration only. It sprays Microsoft Online with a given username list using a password of 'password' and identifies valid accounts based on error messages.
Source code and additional information can be found here: https://github.com/codewatchorg/PowerSniper