blacklanternsecurity / trevorspray

TREVORspray is a modular password sprayer with threading, clever proxying, loot modules, and more!

License: GNU General Public License v3.0

Python 100.00%
password spraying security hacking microsoft passwords office 365 exchange oauth

trevorspray's People

Contributors

axylumrust, cbowen08, cham423, thetechromancer

trevorspray's Issues

ENHANCEMENT REQUEST: Option for Random Delay

Hello, great tool!

Was curious if there's time to add an option for delay that randomizes the amount of seconds for delay between each request up to X maximum seconds.

Thanks!

Trevorspray User Enumeration Bug

There seems to be an issue with user enumeration when using Trevorspray. No options are given when attempting to enumerate users.
Output:

[06/27/23 5:53:00] root@kali:~/trevorspray# trevorspray --users users.txt --recon example.net -v
[INFO] Command: /usr/local/bin/trevorspray --users users.txt --recon example.net -v
[INFO] User enumeration enabled with --recon and --users
[INFO] Choosing user enumeration method (skip by exporting TREVOR_userenum_method=)

[USER] Which user enumeration method would you like to use? () 

Error with --subnet argument

I have spun up a Linode server and provisioned a /64 IPv6 subnet as described in your blog. When I list the interface I can see the correct subnet listed on the eth0 interface. I then use the following command and receive the following error:

trevorspray -u emails.txt -p "Password2021" --url https://login.windows.net/xxxx-xxxx-xxxx-xxxxxxx/oauth2/token --subnet 2xxx:3xxx:e0xx:00xx::/64 -i eth0

Warning:

[DEBUG] Accepting connection from 127.0.0.1:46886
[DEBUG] Address type == IPv4
[DEBUG] Destination address: 2x.x.x.x
[WARNING] AddressFamily.AF_INET does not match that of subnet (AddressFamily.AF_INET6, source IP randomization is impossible.
[DEBUG] Connected to 2x.x.x.x:443

This appears to me as though it is not sending the requests on the IPv6 subnet and instead sending all requests out of the IPv4 interface.

Additionally, when trying to perform the proof of concept for trevorproxy as shown in the blog (proxychains curl 'http://[::1]:8080') I receive the following error when standing up the python webserver:

root@localhost:~# python3 -m http.server --bind ::1 8080
Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.6/http/server.py", line 1211, in <module>
    test(HandlerClass=handler_class, port=args.port, bind=args.bind)
  File "/usr/lib/python3.6/http/server.py", line 1185, in test
    with ServerClass(server_address, HandlerClass) as httpd:
  File "/usr/lib/python3.6/socketserver.py", line 456, in __init__
    self.server_bind()
  File "/usr/lib/python3.6/http/server.py", line 136, in server_bind
    socketserver.TCPServer.server_bind(self)
  File "/usr/lib/python3.6/socketserver.py", line 470, in server_bind
    self.socket.bind(self.server_address)
socket.gaierror: [Errno -9] Address family for hostname not supported

I will continue to troubleshoot this error and get back

This is how I installed the tool:

pip3 install --upgrade setuptools pip
pip3 install git+https://github.com/blacklanternsecurity/trevorproxy
pip3 install git+https://github.com/blacklanternsecurity/trevorspray

Incorrect trevorproxy dependency version

Running poetry install returns the following error:

$ poetry install
Installing dependencies from lock file
Warning: poetry.lock is not consistent with pyproject.toml. You may be getting improper dependencies. Run `poetry lock [--no-update]` to fix it.

Because trevorspray depends on trevorproxy (^1.0.5) which doesn't match any versions, version solving failed.

The error comes from the version specified for trevorproxy in pyproject.toml ("^1.0.5"), which is different from the one specified in the poetry.lock file (1.0.4). By changing the version from 1.0.5 to 1.0.4 in the pyproject.toml file, the installation process with poetry install completes without any error.

Error Socks5

Updated Kali to the newest version 6.0.0, now I'm getting this error? In the past I believe it was my own syntax causing the issue but now I cannot work out the problem.

[ERRR] Traceback (most recent call last):
  File "/home/kali/Tools/TREVORspray/trevorspray/./cli.py", line 155, in main
    sprayer = TrevorSpray(options)
  File "/home/kali/Tools/TREVORspray/trevorspray/lib/trevor.py", line 59, in __init__
    proxy = ProxyThread(
  File "/home/kali/Tools/TREVORspray/trevorspray/lib/proxy.py", line 70, in __init__
    self.proxy.start()
  File "/home/kali/.local/lib/python3.10/site-packages/trevorproxy/lib/ssh.py", line 62, in start
    raise SSHProxyError(f'Failed to start SSHProxy {self}')
trevorproxy.lib.errors.SSHProxyError: Failed to start SSHProxy socks5://127.0.0.1:33482

Usage of Spray vs Proxy

Hey all, great tool!

Quick question: the spraying tool seems to allow you to round robin SSH sessions when spraying, so I'm a bit confused on the use of the proxy tool? Do these need to be used together for the tool to work correctly? In other words, set the proxy script to use the droplets I want it to, then set those same droplets in the command for the spray?

Thanks!

Add Loot timeout

SMTP looter can run forever

[ERRR] Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/trevorspray/lib/looters/msol.py", line 62, in test_smtp
    session = smtplib.SMTP(host, timeout=5)
  File "/usr/lib/python3.9/smtplib.py", line 253, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib/python3.9/smtplib.py", line 339, in connect
    self.sock = self._get_socket(host, port, self.timeout)
  File "/usr/lib/python3.9/smtplib.py", line 310, in _get_socket
    return socket.create_connection((host, port), timeout,
  File "/usr/lib/python3.9/socket.py", line 843, in create_connection
    raise err
  File "/usr/lib/python3.9/socket.py", line 831, in create_connection
    sock.connect(sa)
socket.timeout: timed out

'Skipping' element

Hello,

First off I just wanted to say what a great tool and it does a whole lot more than just spraying.
My only question, and maybe I missed the flags. If I want to reuse a password for spraying to see that it was successful in all green, how can I skip the "skipping" aspect of the spray. In other words, I don't want it to skip the password spray because it recognizes it was already used.

Thank you

error pipx install - seemed to fail to build package

pipx install git+https://github.com/blacklanternsecurity/TREVORspray
Fatal error from pip prevented installation. Full pip output in file:
    /home/user/.local/pipx/logs/cmd_2023-05-16_15.43.52_pip_errors.log

pip seemed to fail to build package:
    beautifulsoup4<5.0.0,>=4.10.0

Some possibly relevant errors from pip install:
    ERROR: Could not find a version that satisfies the requirement trevorproxy<2.0.0,>=1.0.5 (from trevorspray) (from versions: 1.0.0, 1.0.1, 1.0.3, 1.0.4)
    ERROR: No matching distribution found for trevorproxy<2.0.0,>=1.0.5

Error installing trevorspray from spec 'git+https://github.com/blacklanternsecurity/TREVORspray'.

something wrong with requirements it seems

Error when using the Okta module

When running the following command:

poetry run trevorspray -u Users -p password -m okta -j 10 --random-useragent --ssh root@IP root@IP root@IP root@IP root@IP -n

The tool then fires up and outputs this:

[USER] Enter target subdomain (<subdomain>.okta.com): subdomain

And after entering the valid subdomain, the following error occurs:

[ERRR] Unhandled error in Okta.create_request(): 'subdomain' (-v to debug)
[ERRR] Traceback (most recent call last):
  File "/root/tools/TREVORspray/trevorspray/lib/proxy.py", line 247, in check_cred
    prepared_request = sprayer.create_request(user, password).prepare()
  File "/root/tools/TREVORspray/trevorspray/lib/sprayers/base.py", line 78, in create_request
    url = self.url.format(**self.globalparams, **runtimeparams)
KeyError: 'subdomain'

Using Python 3.8.7 in Kali Linux

Not sure what the issue is, thanks!

Error when supplying --url to owa spray module (on-prem owa instances)

if not self.o365:
    discovery.owa_internal_domain(self.url)

When supplying an on-prem OWA url (e.g., https://mail.company.com/Autodiscover/Autodiscover.xml) via --url argument to -m owa module, the following error occurs:

[ERRR] Unhandled error in OWA.initialize(): local variable 'discovery' referenced before assignment
[ERRR] Traceback (most recent call last):
  File "/home/user/.local/lib/python3.9/site-packages/trevorspray/lib/trevor.py", line 140, in spray
    ready = sprayer.initialize()
  File "/home/user/.local/lib/python3.9/site-packages/trevorspray/lib/sprayers/owa.py", line 52, in initialize
    discovery.owa_internal_domain(self.url)
UnboundLocalError: local variable 'discovery' referenced before assignment

[ERRR] Failed to initialize OWA

This is due to an unnecessary discovery check initialized at line 51 in owa.py. Commenting out or removing lines 51-52 in owa.py resolves this issue.

install issues

I am having issues installing.

I get this

└─$ sudo pip install git+https://github.com/blacklanternsecurity/trevorproxy
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
Collecting git+https://github.com/blacklanternsecurity/trevorproxy
Cloning https://github.com/blacklanternsecurity/trevorproxy to /tmp/pip-req-build-mKi0tJ
Running command git clone -q https://github.com/blacklanternsecurity/trevorproxy /tmp/pip-req-build-mKi0tJ
Installing build dependencies ... done
Getting requirements to build wheel ... error
ERROR: Command errored out with exit status 1:
command: /usr/bin/python /usr/local/lib/python2.7/dist-packages/pip/_vendor/pep517/_in_process.py get_requires_for_build_wheel /tmp/tmplmnVGj
cwd: /tmp/pip-req-build-mKi0tJ
Complete output (4 lines):
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/pip/_vendor/pep517/_in_process.py", line 16, in <module>
    from importlib import import_module
ImportError: No module named importlib

ERROR: Command errored out with exit status 1: /usr/bin/python /usr/local/lib/python2.7/dist-packages/pip/_vendor/pep517/_in_process.py get_requires_for_build_wheel /tmp/tmplmnVGj Check the logs for full command output.

Using TREVORSpray against ADFS portal

Hi,

Can I use TREVORSpray in the case where the o365 login page redirects to an adfs login page?

When I tried it the output was showing success for all emails! Is there any way to differentiate the response?

Thank you.

Proxythread Error (OWA)

I'm getting this error anytime I try against an OWA instance:

[ERRR] Unhandled error in OWA.create_request(): BaseSprayModule.create_request() missing 1 required positional argument: 'proxythread' (-v to debug)
[ERRR] Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.11/site-packages/trevorspray/lib/proxy.py", line 268, in check_cred
    prepared_request = sprayer.create_request(
                       ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/trevorspray/lib/sprayers/owa.py", line 71, in create_request
    r = super().create_request(username, password)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: BaseSprayModule.create_request() missing 1 required positional argument: 'proxythread'

False positives maybe?

When I do the following query, I see some SUCCESS messages when I know they are bogus. Here is my command I am running:

trevorspray -u emails.txt --passwords "test" --url https://login.microsoft.com/

I am trying to see which on my list of emails is an actual valid account and which is not through that URL. When I run it, I am seeing [SUCC] [email protected]:test

Is this normal? Please guide me if I am doing something wrong.

trevorspray is not running

Getting the following error when trying to run the trevorspray:

└─# trevorspray --recon example.com
Traceback (most recent call last):
  File "/usr/local/bin/trevorspray", line 5, in <module>
    from trevorspray.cli import main
  File "/usr/local/lib/python3.11/dist-packages/trevorspray/cli.py", line 24, in <module>
    from lib import logger
ImportError: cannot import name 'logger' from 'lib' (/usr/lib/python3/dist-packages/lib/__init__.py)

I have installed it using the following commands:
pip3 install git+https://github.com/blacklanternsecurity/trevorproxy
pip3 install git+https://github.com/blacklanternsecurity/trevorspray

Error handling command line parameters

When an operator makes a mistake and issues the incorrect parameters, Trevorspray errors out and doesn't prompt the user to fix their parameters.

E.g.,

trevorspray --users someuser --password somepassword

This will result in an error.

Should prompt the user to provide a domain, either in the --user parameter, or by providing the -r switch for a domain.

Feature request: allow specifying Okta domain

During a red team engagement I found out that Okta makes use of multiple domains for federation. My current target makes use of the okta-emea.com domain, but TREVORspray has okta.com hardcoded in okta.py:

# default target URL
default_url = 'https://{subdomain}.okta.com/api/v1/authn'

Changing the URL allowed me to successfully spray a user account that I already knew the password for:

# default target URL
default_url = 'https://{subdomain}.okta-emea.com/api/v1/authn'

It might be possible to autodetect this with the recon module by inspecting the AuthURL parameter in the response for https://login.microsoftonline.com/getuserrealm.srf?login=test@[customer-domain]. Another way would be to add a specific argument or prompt in interactive mode.

No module named 'lib.util'

I recently reinstalled the tool, but was not able to make it work.
I was getting a "No module named 'lib.util'" when trying to run it

I was able to fix it by changing the cli.py line 23 to from .lib import util, however I'm not sure if this is the correct way to go

Response Code 401 when spraying Okta with valid credentials

When using the Okta module, Trevorspray returns a Response code 401 for every attempt, including for a correct set of credentials. The command being used is:
trevorspray -u test_emails.txt -m okta -p 'password' --delay 60 --jitter 10 --lockout-delay 30 -n --ssh ubuntu@ip_address --key ~/id
I know which username the password is valid for and have tested it by successfully logging in at "domain.okta.com," and have double checked that the username is included in the file test_emails.txt. I may be missing something in the command, but as far as I can tell from the github README my command is correct.

No matching distribution found for trevorproxy in Ubuntu 18.04

In Ubuntu 18.04, getting the following error. I have yet to be able to trace down the exact issue with trevorproxy dependencies that are missing in Bionic Beaver. Is Ubuntu 18.04 supported as an OS or are you just recommending we use Ubuntu 20.04 or later?

Exact error when running install:

ERROR: Could not find a version that satisfies the requirement trevorproxy<2.0.0,>=1.0.1 (from trevorspray)
ERROR: No matching distribution found for trevorproxy<2.0.0,>=1.0.1

Thanks. TrevorSpray is a very nice tool.
-Jason

Endpoint uses POST request

Is there an option to send POST requests to an endpoint instead of GET request?
When I try to connect to the endpoint:
AADSTS900561: The endpoint only accepts POST, OPTIONS requests. Received a GET request.

delay/jitter don't seem to work on Okta module

Here's the command I'm working with:

python3 cli.py -m okta -u usernames.txt -p Winter2021! --delay 10 --jitter 120 --ssh user@IPADDRESS user@IPADDRESS user@IPADDRESS -f

I've also tried using the -d and -j versions of the flag and got the same results. I've also tried putting the delay and jitter flags at the end of the command. Regardless, it just sprays at max speed.

Error Code with Valid User

Correct username and password results in an error code of:

HTTP 400: Got an error we haven't seen yet: {'error': 'interaction_required', 'error_description': 'AADSTS530031: Access policy does not allow token issuance.\r\nTrace ID: 408deb1e-a8e4-43c0-996b-18811b6cea01\r\nCorrelation ID: 4a3249c3-e753-4e0a-8c4c-19dc6cb75764\r\nTimestamp: 2022-12-05 16:23:50Z', 'error_codes': [530031], 'timestamp': '2022-12-05 16:23:50Z', 'trace_id': '408deb1e-a8e4-43c0-996b-18811b6cea01', 'correlation_id': '4a3249c3-e753-4e0a-8c4c-19dc6cb75764', 'error_uri': 'https://login.microsoft.com/error?code=530031', 'suberror': 'message_only'}

Probably need to add this as a 'user is correct and password is correct' to continue to the authentication bypasses.

Feature request: Duo Security AD FS login portal module

I have a client who has a client-branded Duo Security AD FS login portal, with an AuthURL similar to the following:

https://sso-xxxxxxxx.sso.duosecurity.com/saml2/sp/XXXXXXXXXXXXXXXXXXXX/sso

I can also visit https://example.login.duosecurity.com/ (where "example" equals the client name), which then redirects to:

https://example.login.duosecurity.com/login/?authkey=XXXXXXXXXXXXXXXXXXXX&scid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The "Single Sign-On" page first accepts an "Email Address", and after entering the email address and clicking "Next" you are presented with a different screen prompting for the "Password", which after entering you would attempt to "Log in".

Would it be possible to create a TREVORspray "Duo Security" module for this?
