/*
* Copyright 2023 Workday, Inc.
*
* This software is available under the MIT license.
* Please see the LICENSE.txt file in this project.
*/
A Workday-built tool which leverages AWS Lambdas to conduct password spray attacks. As most requests use a unique IP address, this can be used to bypass simple IP based detective controls.
This tool requires some setup in AWS (setting up Lambdas). To faciliate this, there is a terraform script which can be run to handle all configuration. Terraform only has to run once, after which, the client can be used freely.
If you have already run this, or set up your lambdas manually, you can skip this section.
- Clone this repository.
- Install latest version of requests in the
lambdadirectory
cd terraform/lambda/
pip install requests -t .
- Run the following commands to set up the terraform infrastructure:
cd terraform
terraform init
terraform plan -out sprayer
terraform apply sprayer
Once AWS has appropriate lambdas, such as those setup by terraform, this section includes client usage details
usage: lambda_sprayer.py [-h] (-r FILE | --get URL) (--upl FILE | --ul FILE | -u TARGET USER) [--pl FILE] [-p TARGET PASSWORD] [-v]
[--proxy IP:PORT] [--insecure] [-c COUNT] [--no-banner] [-t THROTTLE]
options:
-h, --help show this help message and exit
--upl FILE User password list
--get URL Simple GET request
--ul FILE User list
-u TARGET USER Target User
--pl FILE User list
-p TARGET PASSWORD Target Password
-r FILE Request file
-v, --verbose Print detailed messages to stdout
--proxy IP:PORT Proxy address for testing. Disables Lambda
--insecure Disable TLS
-c COUNT, --count COUNT
Number of lambdas to use
--no-banner Remove art from the output
-t THROTTLE Add minimum delay between requests
This tool takes in a request file. You can manually create one of these, or you can get one from a tool such as BurpSuite, by right clicking and saving a request. When parsing the request, certain keywords are searched for, these are PASSWORD and USERNAME by default (all caps). These indicate the points you want to inject into. You do not need both of these, but you probably want at least one present in your request file.
You can change these keywords in the client script if you'd like.
The tool takes in a list of usernames, passwords, or a colon-deliniated username/password list. It will create a unique request for each item in the list or combination of items if more than just a username or password are provided.
python3 lambda_sprayer.py -r test_lists/sample_POST --ul test_lists/user_list.txt --pl test_lists/password_list.txt
python3 lambda_sprayer.py -r test_lists/sample_POST --proxy 127.0.0.1:8080 --upl test_lists/user_pass_list.txt
python3 lambda_sprayer.py -r test_lists/sample_POST --upl test_lists/user_pass_list.txt -t 10
python3 lambda_sprayer.py -r test_lists/sample_POST --upl test_lists/user_pass_list.txt -t 10 -c 5
python3 lambda_sprayer.py --get "https://www.example.com:443/login/?username=USERNAME&password=PASSWORD" --upl test_lists/user_pass_list.txt
python3 lambda_sprayer.py -r test_lists/sample_POST --upl test_lists/user_pass_list.txt --no-banner
Make sure to use the --insecure flag to downgrade to a non-TLS connection
When testing this out, make sure that Lambda has the ability to access your test server. In some situations, Lambda may be blocked.
By default, the count variable is set to 1, you should always update this to match the number of lambdas you deployed
- Make sure that the USERNAME or PASSWORD identifiers have been input correctly
- Ensure that your config file matches your deployment region and profile
The current architecture for this project can be seen in the following image:
