A DOM-based G-Suite password sprayer and user enumerator

Related tags

Security related resourcesgsprayer
Overview
.d8888b.   .d8888b.  8888888b.  8888888b.         d8888 Y88b   d88P 8888888888 8888888b.
d88P  Y88b d88P  Y88b 888   Y88b 888   Y88b       d88888  Y88b d88P  888        888   Y88b
888    888 Y88b.      888    888 888    888      d88P888   Y88o88P   888        888    888
888         "Y888b.   888   d88P 888   d88P     d88P 888    Y888P    8888888    888   d88P
888  88888     "Y88b. 8888888P"  8888888P"     d88P  888     888     888        8888888P"
888    888       "888 888        888 T88b     d88P   888     888     888        888 T88b
Y88b  d88P Y88b  d88P 888        888  T88b   d8888888888     888     888        888  T88b
 "Y8888P88  "Y8888P"  888        888   T88b d88P     888     888     8888888888 888   T88b

A DOM-based G-Suite password sprayer and user enumerator

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.

Installing

First, clone the repository

git clone https://github.com/yok4i/gsprayer.git

Once inside it, run poetry to install the dependencies

poetry install

Alternatively, you can install them with pip

pip install -r requirements.txt

Help

Use -h to show the help menu

poetry run ./gsprayer.py -h

usage: gsprayer.py [-h] [-t TARGET] (-u USERNAME | -U FILE) [-o OUTPUT] [-r N] [--headless] [--proxy PROXY] [--wait WAIT] [-v]
                   {enum,spray} ...

G-Suite Password Sprayer.

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target URL (default: https://accounts.google.com/)
  -u USERNAME, --username USERNAME
                        Single username
  -U FILE, --usernames FILE
                        File containing usernames
  -o OUTPUT, --output OUTPUT
                        Output file (default depends on subcommand)
  -r N, --reset-after N
                        Reset browser after N attempts (default: 1)
  --headless            Run in headless mode
  --proxy PROXY         Proxy to pass traffic through: 
   
    
  --wait WAIT           Time to wait (in seconds) when looking for DOM elements (default: 3)
  -v, --verbose         Verbose output

subcommands:
  valid subcommands

  {enum,spray}          additional help
    enum                Perform user enumeration
    spray               Perform password spraying

There is also help menu for each subcommand:

poetry run ./gsprayer.py 
   
     -h

Examples

Enumerate valid accounts from a company using G-Suite, in headless mode

poetry run ./gsprayer.py -r 50 -U emails.txt --headless enum

Perform password spraying using a proxy and waiting 30 minutes between each password iteration

poetry run ./gsprayer.py -r 1 -U emails.txt -P passwords.txt --proxy 127.0.0.1:9050 spray --lockout 30

Note

If you are using a proxy with a protocol other than HTTP, you should specify the schema like socks5://127.0.0.1:9050.

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

License

This project is licensed under the MIT License - see the LICENSE file for details

Acknowledgments

Disclaimer

This tool is intended for educational purpose or for use in environments where you have been given explicit/legal authorization to do so.

You might also like...
This is simple python FTP password craker. To crack FTP login using wordlist based brute force attack
This is simple python FTP password craker. To crack FTP login using wordlist based brute force attack

This is simple python FTP password craker. To crack FTP login using wordlist based brute force attack

Varun Jagtap 5 Oct 8, 2022
Generates password lists/dictionaries based on keywords written in python3.

dicbyru Introduction Generates password lists/dictionaries based on keywords. It uses the keywords and adds capital letters, numbers and special chara

ru55o 2 Oct 31, 2022
A powerful password generator utility which utilizes the slot technique to generate strong passwords of required length having combinations of lower and upper characters, digits and symbols.

Bitpass Password Generator Installation Make sure Python 3+ is installed

Vaibhaw 6 Feb 2, 2022
This is a js front-end encryption blasting account and password tools

Author:0xAXSDD By Gamma安全实验室 version:1.0 explain:这是一款用户绕过前端js加密进行密码爆破的工具,你无需在意js加密的细节,只需要输入你想要爆破url,以及username输入框的classname,password输入框的clas

null 75 Nov 25, 2022
Fetch Chrome, Firefox, WiFi password and system info

DISCLAIMER : OUR TOOLS ARE FOR EDUCATIONAL PURPOSES ONLY. DON'T USE THEM FOR ILLEGAL ACTIVITIES. YOU ARE THE ONLY RESPONSABLE FOR YOUR ACTIONS! OUR TO

Genos 59 Nov 17, 2022
Password-Manager - This app can generate ,save , find and delete passwords.

Password-Manager This app can generate ,save , find and delete passwords. In the StartUp() Function , there are three buttons to choose from : Generat

null 1 Jan 1, 2022
You can crack any zip file and get the password.
You can crack any zip file and get the password.

Zip-Cracker Video Lesson : This is a Very powerfull Zip File Crack tool for termux users. Check 500 000 Passwords in 30 seconds Unique Performance Che

Razor Kenway 13 Oct 24, 2022
Pgen is the best brute force password generator and it is improved from the cupp.py
Pgen is the best brute force password generator and it is improved from the cupp.py

pgen Pgen is the best brute force password generator and it is improved from the cupp.py The pgen tool is dedicated to Leonardo da Vinci -Time stays l

heyheykids 2 Jan 31, 2022
Script to calculate Active Directory Kerberos keys (AES256 and AES128) for an account, using its plaintext password

Script to calculate Active Directory Kerberos keys (AES256 and AES128) for an account, using its plaintext password

Matt Creel 27 Dec 20, 2022
Comments
  • Stacktrace after email input and before clicking next

    Stacktrace after email input and before clicking next

    Hi, I have try using with the firefox driver since my chromium isn't working properly and the following stack trace is return after entering the email in the identifierID field and just before clicking next.

    Stacktrace:
[email protected]://remote/content/shared/webdriver/Errors.jsm:181:5
[email protected]://remote/content/shared/webdriver/Errors.jsm:393:5
element.find/</<@chrome://remote/content/marionette/element.js:305:16

    Look like it has a hard time finding the element for next but the xpath seems good Any idea? Thanks for your help

    opened by Gimpy42 0
  • Bug:

    Bug:

    I would love to use this tool, but I can't figure out why this command is failing with a stack trace error. Also, verbose mode does not seem to provide any additional information.

    $ poetry run ./gsprayer.py -u '<known_valid_gmail_account>' -v --rua -o ./ -H enum

.d8888b.   .d8888b.  8888888b.  8888888b.         d8888 Y88b   d88P 8888888888 8888888b.  
d88P  Y88b d88P  Y88b 888   Y88b 888   Y88b       d88888  Y88b d88P  888        888   Y88b 
888    888 Y88b.      888    888 888    888      d88P888   Y88o88P   888        888    888 
888         "Y888b.   888   d88P 888   d88P     d88P 888    Y888P    8888888    888   d88P 
888  88888     "Y88b. 8888888P"  8888888P"     d88P  888     888     888        8888888P"  
888    888       "888 888        888 T88b     d88P   888     888     888        888 T88b   
Y88b  d88P Y88b  d88P 888        888  T88b   d8888888888     888     888        888  T88b  
 "Y8888P88  "Y8888P"  888        888   T88b d88P     888     888     8888888888 888   T88b 



   > target         :  https://accounts.google.com/
   > driver         :  chrome
   > username       :  <redacted>
   > output         :  valid_users.txt
   > reset_after    :  1
   > wait           :  3 seconds
   > captchatimeout :  30
   > headless       :  True
   > rua            :  True
   > verbose        :  True
   > cmd            :  enum

>----------------------------------------<

[*] Current username: <redacted>
[ERROR] Message: 
Stacktrace:
#0 0x55b01f87f693 <unknown>
#1 0x55b01f678b0a <unknown>
#2 0x55b01f6b15f7 <unknown>
#3 0x55b01f6b17c1 <unknown>
#4 0x55b01f6e4804 <unknown>
#5 0x55b01f6ce94d <unknown>
#6 0x55b01f6e24b0 <unknown>
#7 0x55b01f6ce743 <unknown>
#8 0x55b01f6a4533 <unknown>
#9 0x55b01f6a5715 <unknown>
#10 0x55b01f8cf7bd <unknown>
#11 0x55b01f8d2bf9 <unknown>
#12 0x55b01f8b4f2e <unknown>
#13 0x55b01f8d39b3 <unknown>
#14 0x55b01f8a8e4f <unknown>
#15 0x55b01f8f2ea8 <unknown>
#16 0x55b01f8f3052 <unknown>
#17 0x55b01f90d71f <unknown>
#18 0x7f95b6487b27 <unknown>


==============================
[*] Username Enumeration Stats
==============================
[*] Total Usernames Tested:  0
[*] Valid Usernames:         0
[*] Invalid Usernames:       0
    opened by nimmicus 1
Releases(v0.1.0)

  • v0.1.0(Feb 10, 2022)

    First working version. Main features:

    • proxy support;
    • usernames and passwords lists;
    • reset browser after n attempts;
    • enumerate g-suite users;
    • perform password spraying.
    Source code(tar.gz)
    Source code(zip)
Owner
Mayk
Mayk
GitHub Repository
A small Python Script To get all levels of subdomains from a list

getlevels A small Python Script To get all levels of subdomains Easily get 1st level, 2nd level, 3rd level, 4th level .... nth level subdomains Usag

9 Feb 15, 2022
Quickstart resources for the WiFi Nugget, a cat themed WiFi Security platform for beginners.

Quickstart resources for the WiFi Nugget, a cat themed WiFi Security platform for beginners.

HakCat 62 Jan 08, 2023
A Fast Broken Link Hijacker Tool written in Python

Broken Link Hijacker BrokenLinkHijacker(BLH) is a Fast Broken Link Hijacker Tool written in Python.

Mayank Pandey 70 Nov 30, 2022
Python library to remotely extract credentials on a set of hosts.

Python library to remotely extract credentials on a set of hosts.

Pixis 1.5k Dec 31, 2022
Fast Fb Cracking Tool

fb-brute Fast Fb Cracking Tool 🏆

Aryan 8 Jun 29, 2022
Mass scan for .git repository and .env file exposure

Mass .Git repository and .Env file Scan by Scarmandef Scanner to find .env file and .git repository exposure on multiple hosts Because of the response

8 Jun 23, 2022
A dynamic multi-STL, multi-process OpenSCAD build system with autoplating support

scad-build This is a multi-STL OpenSCAD build system based around GNU make. It supports dynamic build targets, intelligent previews with user-defined

Jordan Mulcahey 1 Dec 21, 2021
TLaunch: Launch Programs on Multiple Hosts

TLaunch: Launch Programs on Multiple Hosts Introduction Deepmind launchpad is a library that helps writing distributed program in a simple way. But cu

Tsinghua AI Research Team for Reinforcement Learning 11 Nov 11, 2022
OLOP: One-Line & Obfuscated Python

OLOP: One-Line & Obfuscated Python This repository contains useful python modules for one-line and obfuscated python. pip install olop-ShadowLugia650

1 Jan 09, 2022
an impacket-dependent script exploiting CVE-2019-1040

dcpwn an impacket-dependent script exploiting CVE-2019-1040, with code partly borrowed from those security researchers that I'd like to say thanks to.

QAX A-Team 71 Nov 30, 2022
Ingest GreyNoise.io malicious feed for CVE-2021-44228 and apply null routes

log4j-nullroute Quick script to ingest IP feed from greynoise.io for log4j (CVE-2021-44228) and null route bad addresses. Works w/Cisco IOS-XE and Ari

Ryan 5 Sep 12, 2022
Detection And Breaking With Python

Detection And Breaking IIIIIIIIIIIIIIIIIIII PPPPPPPPPPPPPPPPP VVVVVVVV VVVVVVVV I::::::::II::::::::I P:::::::

Baris Dincer 1 Dec 26, 2021
Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers.

Fuzz introspector Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potenti

Open Source Security Foundation (OpenSSF) 221 Jan 01, 2023
A simple multi-threaded distributed SSH brute-forcing tool written in Python.

OrbitalDump A simple multi-threaded distributed SSH brute-forcing tool written in Python. How it Works When the script is executed without the --proxi

K4YT3X 408 Jan 03, 2023
"Video Moment Retrieval from Text Queries via Single Frame Annotation" in SIGIR 2022.

ViGA: Video moment retrieval via Glance Annotation This is the official repository of the paper "Video Moment Retrieval from Text Queries via Single F

Ran Cui 38 Dec 31, 2022
Infoga is a tool gathering email accounts informations (ip,hostname,country,...) from different public source

Infoga - Email OSINT Infoga is a tool gathering email accounts informations (ip,hostname,country,...) from different public source (search engines, pg

m4ll0k (mallok) 1.8k Jan 04, 2023
Gmail Accounts Hacking

gmail-hack Gmail Accounts Hacking Gemail-Hack python script for Hack gmail account brute force What is brute force attack? In brute force attack,scrip

Aryan 25 Nov 10, 2022
Make files with as many random bytes as you want

Lots o' Bytes 🔣 Make files with as many random bytes as you want! Use case Can be used to package malware that is normally small by making the downlo

Addi 1 Jan 13, 2022
CVE-2022-22963 PoC

CVE-2022-22963 CVE-2022-22963 PoC Slight modified for English translation and detection of https://github.com/chaosec2021/Spring-cloud-function-SpEL-R

Nicolas Krassas 104 Dec 08, 2022
Obfuscate your python code into a string of integers. De-obfuscate also supported.

int-obfuscator Obfuscate your python code into a string of integers. De-obfuscate also supported. How it works: Each printable character gets replaced

6 Nov 13, 2022