v0.2.2-beta

⚠️ Notice

When upgrading from a previous version of Spray365, ensure that you install the latest dependencies! Install the latest version of Spray365 and its dependencies with:

$ git clone https://github.com/MarkoH17/Spray365
$ cd Spray365
~/Spray365$ pip3 install -r requirements.txt -U
~/Spray365$ python3 spray365.py

🎉 What's New

• Review module now shows which AAD endpoints are accessible (e.g., not protected by MFA / conditional access policies)

🏗️ What's Changed

• Exceptions are now displayed in more detail to aid in debugging
• Code cleanup (import re-ordering)

Full Changelog: 0.2.1-beta...0.2.2-beta

v0.2.1-beta

⚠️ Notice

When upgrading from a previous version of Spray365, ensure that you install the latest dependencies! Install the latest version of Spray365 and its dependencies with:

$ git clone https://github.com/MarkoH17/Spray365
$ cd Spray365
~/Spray365$ pip3 install -r requirements.txt -U
~/Spray365$ python3 spray365.py

🎉 What's New

• Version checking warns users when running Spray365 with older versions of Python
• Added PEP 563 (Postponed Evaluation of Annotations) to enable the use of modern type hints (3.10+) on older versions of Python (3.7+)

🏗️ What's Changed

• Passwords supplied in the userfile may now contain a colon
• Execution plans are properly saved when generated in audit mode

Full Changelog: 0.2.0-beta...0.2.1-beta

v0.2.0-beta

⚠️ Notice

When upgrading from a previous version of Spray365, ensure that you install the latest dependencies! Install the latest version of Spray365 and its dependencies with:

$ git clone https://github.com/MarkoH17/Spray365
$ cd Spray365
~/Spray365$ pip3 install -r requirements.txt -U
~/Spray365$ python3 spray365.py

🎉 What's New

• Spray365 has been refactored into different modules, making it easier to develop new features!
• Generating execution plans have been split into two different sub-types: normal, and audit. Generating normal execution plans (spray365.py generate normal) works the same as previous versions. However, generating audit execution plans (spray365.py generate audit) will cause Spray365 to create all combinations of User-Agent, AAD_Client, and AAD_Endpoint for each set of credentials. Audit-type execution plans can (and should) be sprayed with known-valid credentials to identify flaws in MFA / conditional access policy configurations.
• Audit-type execution plans inspired the addition of another type of password input: --passwords_in_userfile. When this option is specified, each line in the user file (-u / --user_file) will be split on a colon, where the value preceding the colon is treated as the username, and the value after the colon is treated as the password (e.g. jsmith:Password01).
• Results from spraying can be reviewed using the new review mode (spray365.py review <results.json>). This new mode displays valid/invalid users and valid/partial-valid/invalid credentials.

🏗️ What's Changed

• Arguments are now parsed using Click, simplifying validation and enforcement of mutually exclusive options.
• Credential, AuthResult, and AuthError objects were refactored. This means that only new execution plans (and Spray365 results) can be processed using v0.2.0-beta.
• Dependencies were bumped to their latest versions.

Full Changelog: 0.1.5-beta...0.2.0-beta

v0.1.5-beta

What's New 🎉

• Spray365 is now split into two modes (generate and spray) for more logical argument handling. This is a breaking change that requires Spray365 to be executed using new syntax.
  
  Example comparing new and old for generating an execution plan
  Old Syntax: spray365.py -g demo.s365 -d <domain> -u <username_file> -pf <password_file> --delay 10
  New Syntax: spray365.py generate --execution_plan demo.s365 -d <domain> -u <username_file> -pf <password_file> --delay 10
  
  Example comparing new and old for password spraying:
  Old Syntax: spray365.py -s demo.s365 --lockout 3
  New Syntax: spray365.py spray --execution_plan demo.s365 --lockout 3

• Successive authentication attempts for a given user with known good credentials will be skipped. This new default behavior can be reverted with the -i / --ignore_success argument in spray mode.

What's Changed

• An authentication request requiring interactive login (AAD error "AADSTS65001") is now considered a successful login
• Help documentation improved and updated to match Spray365 capabilities

Full Changelog: 0.1.4-beta...0.1.5-beta

v0.1.4-beta

What's New 🎉

• N/A

What's Changed

• Successful login no longer causes a fatal error
• An authentication request for a nonexistent application (client id) returns AAD error "AADSTS700016", and is now considered a successful login

Full Changelog: 0.1.3-beta...0.1.4-beta

v0.1.3-beta

What's New 🎉

• Added behavior to ensure that results from password spraying are saved on exit (even when an exception is thrown or the application is interrupted)

What's Changed

• Duplicate usernames are removed before generating an execution plan
• Better error handling when parsing a malformed execution plan

Full Changelog: 0.1.2-beta...0.1.3-beta

v0.1.2-beta

What's New 🎉

• Added -k, --insecure argument to ignore TLS errors, which is useful when proxying traffic (@fang0654)
• Added urllib3 (>= 1.26.5) dependency to requirements file

What's Changed

• Usernames read from file have whitespace stripped before their usage
• Fixed resume index usage so that -R RESUME_INDEX, --resume_index RESUME_INDEX argument will resume spraying from the specified index in the execution file (1-based index), instead of starting at the credential prior to the targeted index (an off-by-one error)
• Requirements file is more relaxed

Full Changelog: 0.1.1-beta...0.1.2-beta

v0.1.1-beta

• Support for rotating or using a custom user agent during authentication requests
• Better enforcement of the account lockout threshold argument
• Detection of more relevant authentication-related failures
• More useful help text
• Code cleanup

This release likely contains bugs and other unwanted behavior.

v0.1.0-beta

• First release to support spraying passwords against O365 endpoints.

Likely contains bugs and other unwanted behavior.