Password Spray Orchestrator

Password Spray Orchestrator

Controlled and distributed password spraying to avoid account lockouts:

• Lockout-Aware Scheduling — Queries the domain password policy (lockout threshold, observation window, reset timer) and automatically spaces spray attempts to stay below the lockout threshold.
• Multi-Protocol Support — Sprays across SMB, LDAP, OWA/EWS, ADFS, Azure AD, RDP, and Kerberos AS-REQ with protocol-specific error handling for each target.
• Distributed Execution — Supports spraying from multiple source IPs simultaneously to distribute the authentication load and evade per-IP rate limiting.
• Smart Scheduling — Sprays during business hours to blend with normal authentication traffic. Configurable time windows and spray intervals per attempt round.
• User Filtering — Automatically excludes accounts approaching lockout based on badPwdCount LDAP attribute queries between spray rounds.
• Result Analysis — Parses authentication responses to identify valid credentials, expired passwords, accounts requiring password change, and MFA-enabled accounts.