SmartSpray is a specialized Red Team tool designed for stealthy, targeted password auditing in Active Directory environments. Built entirely on native Impacket libraries, it eliminates dependencies on external binaries like CrackMapExec.
Key Capabilities:
- Stealth Operations: Randomized SMB fingerprints and per-request jitter.
- Policy Compliance: Granular password complexity filters (GPO-aware).
- Smart Safety: Built-in logic to strictly adhere to Account Lockout Policies.
- Resilience: Automated state tracking for resume-on-interrupt.
Note: This tool is intended for authorized security assessments only.
- True Native: Pure Python implementation using `impacket.smbconnection`.
- Stealth Mode (`--stealth`):
  - Randomizes client hostnames (e.g., `DESKTOP-7X91D2`) per connection.
  - Injects random micro-delays (0.5s - 1.5s) between attempts to evade burst detection.
- Jitter (`--jitter`): Adds randomized delays to the lockout wait timer, making traffic patterns unpredictable.
- Complexity Enforcement (`--complexity`): Pre-validates passwords against AD policies before spraying, saving precious lockout attempts.
  - Level 0: None (Spray all).
  - Level 1: Standard AD (3 of 4 character classes).
  - Level 2: GPO Compliant (Standard + Username check).
  - Level 3: Strict (4 of 4 character classes).
- Length Enforcement (`-pl`): Automatically skips passwords shorter than the domain minimum.
- Smart Thresholds: Automatically calculates a safe buffer zone based on the domain's real lockout policy (e.g., sprays 2 times for a threshold of 5).
- Interactive Mode: Full guided configuration if no arguments are provided.
- Quiet Mode (`--quiet`): Minimalist output showing only successful compromises.
- Session Resume: Tracks progress in `spray_state.json` to resume after interruptions.
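
From the defender's side, the per-connection random hostnames described above leave a correlatable trace: one source address presenting many workstation names while failing against many accounts. The sketch below is an added example, not part of SmartSpray or this README; the record format, sample data, function names and thresholds are assumptions, modelled on the source address, workstation name and target account fields found in failed-logon events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "time source_ip workstation_name target_account".
SAMPLE = """\
2024-05-01T09:00:00 10.0.0.50 DESKTOP-7X91D2 alice
2024-05-01T09:00:01 10.0.0.50 DESKTOP-Q2M4K8 bob
2024-05-01T09:00:02 10.0.0.50 DESKTOP-1ZR7T5 carol
2024-05-01T09:00:03 10.0.0.50 DESKTOP-M8B3W0 dave
2024-05-01T09:00:05 10.0.0.50 DESKTOP-4HJ6N9 erin
2024-05-01T09:00:06 10.0.0.50 DESKTOP-K5C2V7 frank
2024-05-01T09:01:10 10.0.0.21 WS-FIN-04 grace
2024-05-01T09:01:25 10.0.0.21 WS-FIN-04 grace
2024-05-01T09:01:40 10.0.0.21 WS-FIN-04 grace
2024-05-01T09:02:00 10.0.0.30 TS-GW-01 heidi
2024-05-01T09:02:30 10.0.0.30 TS-GW-01 ivan
2024-05-01T09:03:00 10.0.0.30 TS-GW-01 judy
2024-05-01T09:03:30 10.0.0.30 TS-GW-01 mallory
2024-05-01T09:04:00 10.0.0.30 TS-GW-01 niaj
""".splitlines()

def parse(line):
    """Split one constructed record into (time, ip, workstation, account)."""
    ts, ip, host, user = line.split()
    return datetime.fromisoformat(ts), ip, host, user.lower()

def find_spray_sources(lines, window=timedelta(minutes=5), min_users=5, min_hosts=3):
    """Return {ip: (distinct_accounts, distinct_workstations)} for sources that, in
    one sliding window, fail against many accounts under many workstation names."""
    by_ip = defaultdict(list)
    for rec in map(parse, lines):
        by_ip[rec[1]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1  # drop records older than the window
            span = recs[start:end + 1]
            users = {r[3] for r in span}
            hosts = {r[2] for r in span}
            if len(users) >= min_users and len(hosts) >= min_hosts:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(users), len(hosts)))
    return flagged

if __name__ == "__main__":
    print(find_spray_sources(SAMPLE))
```

The shared gateway (`10.0.0.30`) and the user mistyping a password (`10.0.0.21`) are not flagged, because each presents a single workstation name; tune the window and thresholds to the environment.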
Requires Python 3.6+ and the Impacket library.
```bash
git clone https://github.com/GabrielDuschl/Automated-SMB-Password-Spraying.git
cd Automated-SMB-Password-Spraying
pip3 install impacket
```

Simply run the script without arguments. Validates input and guides you through Evasion and Policy settings.

```bash
python3 SmartSpray.py
```

For CI/CD pipelines or scripted attacks.
```bash
python3 SmartSpray.py [OPTIONS]
```

| Argument | Flag | Description | Default |
|---|---|---|---|
| Domain | `-d`, `--domain` | Target Domain Name (and Host to auth against) | Required |
| User File | `-u`, `--user` | Path to file containing usernames | Required |
| Pass File | `-p`, `--password` | Path to file containing passwords | Required |
| Min Length | `-pl`, `--pass-length` | Minimum Password Length (Policy) | Required |
| Threshold | `-t`, `--threshold` | Real Account Lockout Threshold. Script buffers this by -3. | 5 |
| Lockout | `-l`, `--lockout` | Reset Account Lockout Counter (minutes) | 15 |
| Jitter | `-j`, `--jitter` | Max random minutes added to the lockout timer | 0 |
| Complexity | `-c`, `--complexity` | 0=None, 1=Standard, 2=GPO+User, 3=Strict | 0 |
| Stealth | `--stealth` | Enable Random Hostnames & Micro-Delays | False |
| Quiet | `-q`, `--quiet` | Suppress "Testing..." logs. Show hits only. | False |
| Output | `-o`, `--output` | CSV file to write valid credentials to | None |
| No Resume | `--no-resume` | Ignore saved state and start fresh | False |

Standard Spray (Safe Default)

```bash
python3 SmartSpray.py -d corp.local -u users.txt -p common.txt -pl 7
```

Stealth Op (GPO-Compliant Filter + Max Evasion)

```bash
python3 SmartSpray.py -d corp.local -u users.txt -p common.txt -pl 7 -t 5 -l 30 --stealth --complexity 2 --jitter 10 --quiet
```

- *Explanation: Sprays only 2 passwords per batch (Threshold 5), waits 30-40 mins between batches (Lockout 30 + Jitter 10), enables random footprints, and skips passwords containing usernames or failing complexity.*

This tool is for educational and authorized testing purposes only. The author accepts no liability for the use of this tool.
