VAPT Methodologies

External Testing
Domain Enumeration
Find DNS Host Records (Subdomains) Enumeration - DNS Enumeration
IP block search
Active IPV4 Addresses Identification
Certificate Fingerprinting
Websites Enumeration (Technology Stack Enumeration)
CMS & Framework Identification
Pulling Headers
Web Application Vulnerability Scanner
Web Application Firewall identification
Web Crawlers & Directory Brute Force
EMAIL Ecosystem Enumeration
Spoofing Tests
Good Reads
Email Collection
Dark web Reconnaissance
Password Spraying Attacks
VPN detection
Mobile Application

External Testing
Sites Used

hackthissite.org

zonetransfer.me

Domain Enumeration
Given the organization name, say Hack This Site, the initial step is to get an idea of the domains associated with the
organization from Google or any other search engine. It is all about mapping the attack surface, and this is the
starting point.

As a penetration tester you need to answer the following questions:

1. What is the attack surface?

2. What is the domain?

3. What are the subdomains?

4. What DNS records [TXT, A, NS, MX, SRV] are associated with the domain?

5. What is the geolocation of the domains and subdomains?

6. What is historically available about the domains, subdomains and IPs? For example, what was running on IP X last year?

7. What is the hosting history for the active IPs?

Find DNS Host Records (Subdomains) Enumeration - DNS Enumeration


Types of Information Records

SOA Records - Indicates the server that has authority for the domain.

MX Records - List of a host’s or domain’s mail exchanger server(s).

NS Records - List of a host’s or domain’s name server(s).

A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to
have this record for its IP address to be located via DNS.

PTR Records - Reverse lookup record; maps an IP address back to a host's domain name.

SRV Records - Service location record.

HINFO Records - Host information record with CPU type and operating system.

TXT Records - Generic text record.

CNAME - A host's canonical name; allows additional names/aliases to be used to locate a computer.

RP - Responsible person for the domain.

Once you have the domain, enumerate subdomains using the following websites, tools and scripts as you see fit:

DNSdumpster.com - DNS recon and research, find and lookup DNS records

Hacker Target - Find DNS Host Records | Subdomain Finder | HackerTarget.com

VirusTotal - VirusTotal - Home

Host.io

An alternative to the VirusTotal website is vt-py, the official Python client library for VirusTotal. With this library you
can interact with the VirusTotal REST API v3 and automate your workflow quickly and efficiently.

Documentation - https://virustotal.github.io/vt-py/

Dnsrecon - DNS Enumeration and Scanning Tool

dnsenum

Nmap
$ nmap --script dns-brute zonetransfer.me
$ nmap -T4 -p 53 --script dns-brute hackthissite.org

Phonebook.cz

Phonebook lists all domains, email addresses, or URLs for the given input domain.

Sublist3r

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and
bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using
many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using
Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.

Examples

To list all the basic options and switches use the -h switch:

python sublist3r.py -h

To enumerate subdomains of a specific domain:

python sublist3r.py -d example.com

To enumerate subdomains of a specific domain and show only subdomains which have open ports 80 and 443:

python sublist3r.py -d example.com -p 80,443

To enumerate subdomains of a specific domain and show the results in real time:

python sublist3r.py -v -d example.com

To enumerate subdomains and enable the bruteforce module:

python sublist3r.py -b -d example.com

To enumerate subdomains using specific engines, such as the Google, Yahoo and VirusTotal engines:

python sublist3r.py -e google,yahoo,virustotal -d example.co

Fierce is another great DNS reconnaissance tool. Written in Perl, Fierce offers numerous options for performing DNS
enumeration by scanning domains in just minutes, and its syntax is straightforward.

IP block search
Perform an IP block search to discover the entirety of the attack surface.

As a penetration tester you need to answer the following questions:

1. Has the organization been assigned IP blocks?

2. What is the block range/size?

ipinfo.io - Comprehensive IP address data, IP geolocation API and database - IPinfo.io

Habu - GitHub - fportantier/habu: Hacking Toolkit

Usage: habu.ip.asn [OPTIONS] IP

$ habu.ip.asn 8.8.8.8
{
"asn": "15169",
"net": "8.8.8.0/24",
"cc": "US",
"rir": "ARIN",
"asname": "GOOGLE - Google LLC, US",
"country": "United States"
}

Options:
--help Show this message and exit.

Whois Lookup – whois linux command

ARIN Lookup - IP Lookup Tool - Check IP Block info at ARIN - MxToolbox

IP netblock lookup - IP Netblocks Owner Lookup | WhoisXML API

Active IPV4 Addresses Identification

As a penetration tester you need to answer the following questions:

1. How many IPs are active?

2. What services and protocols [SSH, SMTP, HTTPS, Telnet] are running?

3. What are the ASNs?

4. What technologies [Nginx, Apache, Exchange] are running?

5. What was running when [hosting history]?

Censys

Censys is a public search engine that enables researchers to quickly ask questions about the hosts and networks that
compose the Internet.

Zoomeye

ZoomEye is the leader of global cyberspace mapping, China's first and world-renowned cyberspace search engine, driven
by the 404 Laboratory of Knownsec.

Through a large number of global surveying and mapping nodes, and according to global IPv4, IPv6 address and
website domain name databases, it continuously scans and identifies multiple service ports and protocols 24 hours a
day, and finally maps the whole or local cyberspace.

DNSdumpster

Certificate Fingerprinting
This is another effective way of enumerating subdomains. As long as a domain or subdomain has at some point had an SSL
certificate issued, that certificate is publicly searchable.

crt.sh - Certificate Search

Censys Certificate Search - Censys

Websites Enumeration (Technology Stack Enumeration)


Given domains and subdomains, it is important to analyze the technology stack (components) that make up the website,
application, etc.

As a penetration tester you need to answer the following questions:

1. What is the technology stack?

2. What versions of the stack are being used?

3. Is it virtually hosted? [Determines whether the underlying host is in scope or not]

4. Is the application monolithic or microservices based?

5. What is the CMS [WordPress, Joomla]?

6. Are there hidden directories?

7. What security headers are present?

8. Are there administrative interfaces visible?

9. Are there API endpoints present?

10. What HTTP methods are allowed?

11. What are the certificate parameters?

12. What are the vulnerabilities [OWASP Top Ten]?

13. What is the layout of the application?

14. What are the entry points [login form, search form]?

15. What is the source code?

16. What are the server-side technologies?

17. What are the client-side technologies [JavaScript] and client-side scripting frameworks [jQuery, Bootstrap]?

Whatweb

WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web
technologies including content management systems (CMS), blogging platforms, statistic/analytics packages,
JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1700 plugins, each to recognise
something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework
modules, SQL errors, and more.

Wappalyzer

Wappalyzer identifies technologies on websites, such as CMS, web frameworks, ecommerce platforms, JavaScript
libraries, analytics tools and more.

Nikto

CMS & Framework Identification


WhatWeb - Next generation web scanner

Wappalyzer - Cross-platform utility that uncovers the technologies used on websites

WhatCMS - CMS Detection and Exploit Kit based on Whatcms.org API

CMSeeK - CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs

WhatCMS online - CMS Detection and Exploit Kit website Whatcms.org

Pulling Headers
curl -v -I --user-agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" <domain/subdomain>
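Once the headers are pulled they have to be assessed against questions 2 and 7 above (versions in use, security headers present). The following is an added example, not part of these notes or of any tool listed here, that parses a pasted header block, flags missing or weak security headers and cookie flags, and extracts version banners; SAMPLE_HEADERS is constructed, not a real capture.

```python
"""Analyse a response header block pulled with curl -I (added example).

Parses the raw headers and reports missing or weak security headers and
headers that disclose the stack version. Not the notes' own tooling.
"""
from __future__ import annotations

import re

# Constructed sample shaped like `curl -I` output; not a real capture.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=abc123; path=/
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
"""

HSTS_MIN_AGE = 31536000  # one year, the minimum the HSTS preload list accepts
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")  # e.g. Apache/2.4.29


def parse_headers(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Return (status line, {lower-cased name: [values]}) from a raw header block."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    status = lines[0] if lines else ""
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines in pasted output
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_security_headers(headers: dict[str, list[str]]) -> list[str]:
    """List the security-header gaps a hardening review would raise."""
    issues: list[str] = []
    hsts = headers.get("strict-transport-security")
    if not hsts:
        issues.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_AGE:
            issues.append(f"weak HSTS max-age ({age}; want >= {HSTS_MIN_AGE})")
    csp = headers.get("content-security-policy", [])
    if not csp:
        issues.append("missing Content-Security-Policy")
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        issues.append("missing X-Content-Type-Options: nosniff")
    # Either legacy X-Frame-Options or a CSP frame-ancestors directive blocks framing.
    if "x-frame-options" not in headers and not any("frame-ancestors" in v.lower() for v in csp):
        issues.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                issues.append(f"cookie {name} lacks {flag}")
    return issues


def fingerprint(headers: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (product, version) pairs disclosed by common banner headers."""
    found: list[tuple[str, str]] = []
    for name in ("server", "x-powered-by", "x-aspnet-version", "x-generator"):
        for value in headers.get(name, []):
            found.extend(VERSION_RE.findall(value))
    return found


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_HEADERS)
    print(status)
    for issue in check_security_headers(hdrs):
        print("ISSUE:", issue)
    for product, version in fingerprint(hdrs):
        print("VERSION:", product, version)
```

Feed it the body of a real `curl -I` run instead of SAMPLE_HEADERS; every version pair it returns is a disclosure to remove, and every issue is a header to add.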

Web Application Vulnerability Scanner


Nikto - Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for
multiple items

W3af - Web application attack and audit framework, the open source web vulnerability scanner

w3af is a web application attack and audit framework. It has three types of plugins, discovery, audit and attack, that
communicate with each other to find vulnerabilities in a site. For example, a discovery plugin in w3af looks for different
URLs to test for vulnerabilities and forwards them to the audit plugin, which then uses these URLs to search for vulnerabilities.

It can also be configured to run as a MITM proxy. The request intercepted could be sent to the request generator and
then manual web application testing can be performed using variable parameters. It also has features to exploit the
vulnerabilities that it finds.

W3af features

Proxy support

HTTP response cache

DNS cache

File uploading using multipart

Cookie handling

HTTP basic and digest authentication

User agent faking

Add custom headers to requests

Openvas - The world's most advanced Open Source vulnerability scanner and manager

Openvas Docker

Archery - Open Source Vulnerability Assessment and Management helps developers and pentesters to perform scans and
manage vulnerabilities

Arachni - Web Application Security Scanner Framework

wapiti - Wapiti allows you to audit the security of your websites or web applications. It performs "black-box" scans (it does
not study the source code) of the web application by crawling the webpages of the deployed webapp, looking for scripts
and forms where it can inject data. Once it gets the list of URLs, forms and their inputs, Wapiti acts like a fuzzer, injecting
payloads to see if a script is vulnerable.

Good Reads

https://pentestit.medium.com/wapiti-free-web-application-vulnerability-scanner-ce7712adf644

https://github.com/wapiti-scanner/wapiti

https://owasp.org/www-community/Automated_Audit_using_WAPITI

OWASP ZAP

Burpsuite

Web Application Firewall identification


A WAF (web application firewall) is a firewall which can be installed in front of (in network topology terms) a web application.
The WAF analyzes each request and looks for common web attacks such as cross-site scripting and SQL injection. Like
most AV scanners, a blacklisting mechanism (often regex-based) is used to find these potentially malicious HTTP requests.
Since these WAFs rely on blacklisting, multiple papers exist on bypassing these types of devices.

Web Crawlers & Directory Brute Force


Gobuster - Gobuster is a tool used to brute-force:

URIs (directories and files) in web sites.

DNS subdomains (with wildcard support).

Virtual Host names on target web servers.

Open Amazon S3 buckets

Examples

dir Mode

Command line might look like this:

gobuster dir -u https://mysite.com/path/to/folder -c 'session=123456' -t 50 -w common-files.txt -x .php,.html

dns Mode

Command line might look like this:

gobuster dns -d mysite.com -t 50 -w common-names.txt

vhost Mode

Command line might look like this:

gobuster vhost -u https://mysite.com -w common-vhosts.txt

s3 Mode

Command line might look like this:

gobuster s3 -w bucket-names.txt

fuzzing Mode

Command line might look like this:

gobuster fuzz -u https://example.com?FUZZ=test -w parameter-names.txt

Dirbrute - Multi-threaded web directory brute-forcing tool (with dictionaries included)

Dirbuster - DirBuster is a multi threaded java application designed to brute force directories and files names on
web/application servers

EMAIL Ecosystem Enumeration


As a penetration tester you need to answer the following questions:

1. What is the mail server technology [Outlook, Google, Microsoft Exchange, etc.]?

2. What are the IPs [on premise, on cloud] of the mail servers?

3. What email gateways [Mimecast, MessageLabs, etc.] are being used?

4. Is the email infrastructure a hybrid, on-premise, or cloud set up?

5. What kind of attacks [email spoofing, open relaying, password spraying, phishing, EICAR tests] can be done?

MX Records - An MX (mail exchange) record is an entry in your DNS zone file which specifies a mail server to handle a
domain's email.

C:\>nslookup -type=mx hackthissite.org


Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
hackthissite.org MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
hackthissite.org MX preference = 20, mail exchanger = alt2.aspmx.l.google.com
hackthissite.org MX preference = 10, mail exchanger = aspmx.l.google.com
hackthissite.org MX preference = 30, mail exchanger = aspmx2.googlemail.com
hackthissite.org MX preference = 30, mail exchanger = aspmx3.googlemail.com
hackthissite.org MX preference = 30, mail exchanger = aspmx4.googlemail.com
hackthissite.org MX preference = 30, mail exchanger = aspmx5.googlemail.com

The MX preference value (10, 20, 30 above) is used to determine which mail exchanger a sender tries first: lower values are
tried first. If there are multiple hosts with the same preference, the sender simply connects to one of them at random.

$ dig +short mx hackthissite.org


20 alt1.aspmx.l.google.com.
20 alt2.aspmx.l.google.com.
10 aspmx.l.google.com.
30 aspmx2.googlemail.com.
30 aspmx3.googlemail.com.
30 aspmx4.googlemail.com.
30 aspmx5.googlemail.com.

SPF Records

What is SPF (Sender Policy Framework)?

SPF determines which email servers are allowed to send email on your behalf. In doing so, SPF prevents spoofing and
phishing attacks against the email domain. SPF is added as a TXT record used by DNS to determine which email servers
can send email on behalf of the custom domain. Recipient email systems consult the SPF TXT record to determine if a
message from the custom domain originated from an authorized message server.

Using the DMARC record checker

The SPF checker searches for an SPF record, displays the SPF record present, and validates the record, highlighting any
errors found within it.

SPF is integral to DMARC protection


DMARC only works if DKIM and SPF are set up correctly. Mimecast DMARC Analyzer can be used to generate DMARC
reports containing detailed information about who is sending email on your behalf.

C:\Users\HP 820>nslookup -type=txt hackthissite.org


Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
hackthissite.org text = "v=spf1 a mx ip4:137.74.187.96 ip4:137.74.187.97 ip4:137.74.187.98 a:hackthissite.org a:mail.hackthissite.org include:aspmx.googlemail.com ~all"

Good Reads
https://support.mailessentials.gfi.com/hc/en-us/articles/360015116520-How-to-check-and-read-a-Sender-Policy-Framework-record-for-a-domain

Use DMARC Analyzer - https://www.dmarcanalyzer.com/

Use MXTool Box - https://mxtoolbox.com/

DMARC Records

DMARC Records using MXToolBox -

Using DIG

$ dig _dmarc.hackthissite.org txt | grep DMARC


_dmarc.hackthissite.org. 3401 IN TXT "v=DMARC1;p=quarantine;rua=mailto:8rbjyycl@ag.dmarcian.eu;pct=25;ruf=mailto:8rbjyycl@fr.dmarcian.eu;fo=0:d:s;aspf=r;adkim=r;"

DKIM Records

Spoofing Tests
Email spoofing is alive and well. Many organisations' SPF and DMARC records do not provide the necessary guidance for
recipients to validate the authenticity of emails bearing their domain names.

Email spoofing may be successful against recipients that manage their filtering themselves. Large email providers like GMail
have the big data and the heuristics to efficiently handle spam. For example, GMail will likely forward a spoofed email from a
common domain directly to the spam folder, even if the email doesn't fail validation due to lax policies.

To check for email spoofing vulnerabilities use the following tools:

Swaks

Example

swaks --server smtp.gmail.com:465 \
  --auth-user "user_alice@gmail.com" --auth-password "password" \
  --to user_bob@outlook.com --from "user_alice@gmail.com" \
  --h-from "User Alice<user_alice@gmail.com>" \
  --h-subject "Need Urgent Help" \
  --body "Stuck in airport. Lost my baggage. Need 2K urgently. Pls transfer to my a/c 12345" \
  --tlsc

Telnet

Let’s choose mx4.mailServer.com as our Relaying Mail server

1. Open your command prompt and type: telnet mx4.mailServer.com 25 (25 is the SMTP port). Alternatively you can start
by typing telnet, hit Enter, and then open mx4.mailServer.com 25.

2. You should see output like:

a. Trying 65.54.188.126... Connected to mx4.hotmail.com. Escape character is '^]'. 220 BAY0-MC4-F1.Bay0.hotmail.com
Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at
<http://privacy.microsoft.com/en-us/anti-spam.mspx>

3. Type helo and hit Enter. You should see the following output:

a. 250 BAY0-MC3-F20.Bay0.hotmail.com (3.14.0.48) Hello [79.134.202.86]

4. Next type MAIL FROM: you@fakeemailaddress.com, hit Enter. You should get the message, ‘Sender ok’.

5. Next type RCPT TO: you@realemailaddress.com, hit Enter. You should get the message, ‘Recipient ok’.

6. You can optionally include an email subject with: SUBJECT: Testing spoofed email with telnet.

7. Now type DATA <email body contents>.

8. Lastly you type . (a single period) and then hit Enter. You should get the message, ‘250 Mail accepted’. Now
type QUIT and hit Enter.

9. Check your inbox for the spoofed email you just sent.

telnet MAIL.SERVER.COM 25
(mail server says hello)
HELO spoofingdomain.com
(mail server acknowledges)
MAIL FROM: <spoofed@spoofingdomain.com>
(server says OK)
RCPT TO: <victim@address.com>
(server says OK)
DATA
(server says go)
From: Display Name <spoofed@spoofingdomain.com>
To: Victim Name <victim@address.com>
Subject: Hacking you
Date: Wed, 26 Sep 2018 14:21:26 -0400
Hello,
This is the email body
.

Netcat

nc -C MAIL.SERVER.COM 25
(mail server says hello)
HELO spoofingdomain.com
(mail server acknowledges)
MAIL FROM: <spoofed@spoofingdomain.com>
(server says OK)
RCPT TO: <victim@address.com>
(server says OK)
DATA
(server says go)
From: Display Name <spoofed@spoofingdomain.com>
To: Victim Name <victim@address.com>
Subject: Hacking you
Date: Wed, 26 Sep 2018 14:21:26 -0400
Hello,
This is the email body.
Goodbye
.

mailspoof

Python package that scans SPF and DMARC records for issues that could allow email spoofing.

Installation

pip3 install mailspoof

Example

mailspoof -d github.com -d reddit.com -iL /tmp/list

Site without DMARC

C:\python -m mailspoof -d serianu.com


[
  {
    "domain": "serianu.com",
    "issues": [
      {
        "code": 1,
        "title": "No DMARC",
        "detail": "There is no DMARC DNS record associated for the domain."
      }
    ]
  }
]

Site with DMARC

C:\python -m mailspoof -d hackthissite.org


[
  {
    "domain": "hackthissite.org",
    "issues": [
      {
        "code": 4,
        "title": "'SoftFail' qualifer for 'all' mechanism",
        "detail": "The 'all' mechanism uses the 'SoftFail' qualifer '~'. It should be possible to spoof the domain by only causing a soft SPF failure. Most filters will let this through by only raising the total spam score."
      },
      {
        "code": 1,
        "title": "No DMARC",
        "detail": "There is no DMARC DNS record associated for the domain."
      }
    ]
  }
]
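The SPF record pulled with nslookup earlier, the DMARC record from dig, and the mailspoof findings above all reduce to a handful of record-level checks. The following added example (not mailspoof's code and not part of these notes) performs those checks offline on the raw TXT strings: the two records are the hackthissite.org ones shown earlier, the finding codes are our own scheme rather than mailspoof's numeric codes, and the SPF lookup count treats each include as one lookup because resolving nested includes needs live DNS.

```python
"""SPF/DMARC posture check on raw TXT record strings (added example).

Mirrors the kind of findings mailspoof reports, but works fully offline on
record strings already pulled with nslookup/dig. Not mailspoof's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# RFC 7208 section 4.6.4: at most 10 DNS-lookup-causing terms per evaluation.
SPF_LOOKUP_LIMIT = 10
SPF_LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}

# Records taken from the nslookup/dig output earlier in these notes.
HACKTHISSITE_SPF = ("v=spf1 a mx ip4:137.74.187.96 ip4:137.74.187.97 ip4:137.74.187.98 "
                    "a:hackthissite.org a:mail.hackthissite.org include:aspmx.googlemail.com ~all")
HACKTHISSITE_DMARC = ("v=DMARC1;p=quarantine;rua=mailto:8rbjyycl@ag.dmarcian.eu;pct=25;"
                      "ruf=mailto:8rbjyycl@fr.dmarcian.eu;fo=0:d:s;aspf=r;adkim=r;")


@dataclass(frozen=True)
class Finding:
    code: str    # short identifier (our own scheme, not mailspoof's numeric codes)
    detail: str


def check_spf(record: str | None) -> list[Finding]:
    """Report weaknesses in one SPF record; None means no record is published."""
    if record is None:
        return [Finding("SPF_MISSING", "No SPF record: any host may claim to send for the domain.")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF_INVALID", "Record does not start with v=spf1.")]

    findings: list[Finding] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # Optional qualifier: + pass (default), - fail, ~ softfail, ? neutral.
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1  # each include counted once; nested lookups need live DNS
        if name == "ptr":
            findings.append(Finding("SPF_PTR", "ptr mechanism is discouraged by RFC 7208 and unreliable."))
        if name == "all":
            all_qualifier = qualifier

    if all_qualifier is None:
        findings.append(Finding("SPF_NO_ALL", "No 'all' term: unlisted senders get a neutral result."))
    elif all_qualifier == "~":
        findings.append(Finding("SPF_SOFTFAIL", "'~all' only soft-fails unlisted senders; most filters just add spam score."))
    elif all_qualifier in ("+", "?"):
        findings.append(Finding("SPF_PERMISSIVE", f"'{all_qualifier}all' lets any host send for the domain."))
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(Finding("SPF_TOO_MANY_LOOKUPS",
                                f"{lookups} lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}; receivers return permerror."))
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value;tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str | None) -> list[Finding]:
    """Report weaknesses in one DMARC record; None means no record is published."""
    if record is None:
        return [Finding("DMARC_MISSING", "No DMARC record: receivers get no policy for mail failing SPF/DKIM.")]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC_INVALID", "Record does not start with v=DMARC1.")]
    findings: list[Finding] = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append(Finding("DMARC_NO_POLICY", "Missing or invalid 'p' tag."))
    elif policy == "none":
        findings.append(Finding("DMARC_MONITOR_ONLY", "p=none reports failures but does not act on them."))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(Finding("DMARC_PARTIAL", f"pct={pct}: policy applies only to that share of failing mail."))
    if "rua" not in tags:
        findings.append(Finding("DMARC_NO_RUA", "No rua address: no aggregate reports to spot abuse."))
    return findings


def assess(domain: str, spf: str | None, dmarc: str | None) -> dict:
    """Combine both checks into a mailspoof-style result for one domain."""
    issues = check_spf(spf) + check_dmarc(dmarc)
    return {"domain": domain, "issues": [{"code": f.code, "detail": f.detail} for f in issues]}


if __name__ == "__main__":
    import json
    print(json.dumps(assess("hackthissite.org", HACKTHISSITE_SPF, HACKTHISSITE_DMARC), indent=2))
```

For the records shown above the output is the soft-fail finding mailspoof also reports, plus pct=25 on the DMARC side, which leaves three quarters of failing mail subject only to the receiver's own filtering.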

Good Reads

Spoof Me If You Can - https://messagetobala.github.io/spoof-me-if-you-can.html

Email Spoofing With Netcat/Telnet - https://medium.com/@the4rchangel/email-spoofing-with-netcat-telnet-e558e4a10c1

Email Spoofing and Prevention - https://scripting.rocks/sysadmin/emailspoofing/

Email Collection
Harvest Email using the following sites;

Phonebook.cz - Intelligence X

Phonebook lists all domains, email addresses, or URLs for the given input domain.

TheHarvester

theHarvester is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/ banners, and
employee names from different public sources (search engines, pgp key servers)

Dark web Reconnaissance


Use the Tor network to explore the dark web for leaked information about the organization.

pwndb

http://pwndb2am4tzkvold.onion/

pwndb python script - GitHub - davidtavarez/pwndb: Search for leaked credentials


pwndb.py is a python command-line tool for searching leaked credentials using the Onion service with the same name.

usage: pwndb.py [-h] [--target TARGET] [--list LIST] [--output OUTPUT] [--proxy PROXY]

optional arguments:
-h, --help show this help message and exit
--target TARGET Target email/domain to search for leaks.
--list LIST A list of emails in a file to search for leaks.
--output OUTPUT Return results as json/txt
--proxy PROXY Set Tor proxy (default: 127.0.0.1:9150)

Password Spraying Attacks


Description

Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on list of
usernames with default passwords on the application. For example, an attacker will use one password (say, Secure@123)
against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a
single account with many passwords. This attack can be found commonly where the application or admin sets a default
password for the new users.

Attacking Outlook

CredMaster

Launch a password spray / brute force attack via Amazon AWS passthrough proxies, shifting the requesting IP
address for every authentication attempt. This dynamically creates FireProx APIs for more evasive password
sprays.

The following plugins are currently supported:

OWA - Outlook Web Access

EWS - Exchange Web Services

O365 - Office365

MSOL - Microsoft Online

Okta - Okta Authentication Portal

FortinetVPN - Fortinet VPN Client

HTTPBrute - Generic HTTP Brute Methods (Basic/Digest/NTLM)

ADFS - Active Directory Federation Services

AzureSSO - Azure AD Seamless SSO Endpoint

Examples
python3 credmaster.py --plugin {pluginname} --access_key {key} --secret_access_key {key} -u userfile -p passwordfile -a useragentfile {otherargs}

Using Metasploit

OWA Exchange Web Services (EWS) Login Scanner

This module attempts to log in to the Exchange Web Services, often exposed at https://example.com/ews/,
using NTLM authentication. This method is faster and simpler than traditional form-based logins. In most
cases, all you need to set is RHOSTS and some combination of user/pass files; the autodiscovery should find
the location of the NTLM authentication point as well as the AD domain, and use them accordingly.

msf > use auxiliary/scanner/http/owa_ews_login


msf auxiliary(owa_ews_login) > show actions
...actions...
msf auxiliary(owa_ews_login) > set ACTION < action-name >
msf auxiliary(owa_ews_login) > show options
...show and set options...
msf auxiliary(owa_ews_login) > run

Outlook Web App (OWA) Brute Force Utility

This module tests credentials on OWA 2003, 2007, 2010, 2013, and 2016 servers.

msf > use auxiliary/scanner/http/owa_login


msf auxiliary(owa_login) > show actions
...actions...
msf auxiliary(owa_login) > set ACTION < action-name >
msf auxiliary(owa_login) > show options
...show and set options...
msf auxiliary(owa_login) > run

Using Spraying Toolkit (atomizer)

atomizer is a blazing fast password sprayer for Lync/Skype For Business and OWA, built on Asyncio and Python 3.7

Usage:
atomizer (lync|owa|imap) <target> <password> <userfile> [--targetPort PORT] [--threads THREADS] [--debug]
atomizer (lync|owa|imap) <target> <passwordfile> <userfile> --interval <TIME> [--gchat <URL>] [--slack <URL>] [--targetPort PORT] [--threads THREADS] [--debug]
atomizer (lync|owa|imap) <target> --csvfile CSVFILE [--user-row-name NAME] [--pass-row-name NAME] [--targetPort PORT] [--threads THREADS] [--debug]
atomizer (lync|owa|imap) <target> --user-as-pass USERFILE [--targetPort PORT] [--threads THREADS] [--debug]
atomizer (lync|owa|imap) <target> --recon [--debug]
atomizer -h | --help
atomizer -v | --version

Arguments:
target target domain or url
password password to spray
userfile file containing usernames (one per line)
passwordfile file containing passwords (one per line)

Options:
-h, --help show this screen
-v, --version show version
-c, --csvfile CSVFILE csv file containing usernames and passwords
-i, --interval TIME spray at the specified interval [format: "H:M:S"]
-t, --threads THREADS number of concurrent threads to use [default: 3]
-d, --debug enable debug output
-p, --targetPort PORT target port of the IMAP server (IMAP only) [default: 993]
--recon only collect info, don't password spray
--gchat URL gchat webhook url for notification
--slack URL slack webhook url for notification
--user-row-name NAME username row title in CSV file [default: Email Address]
--pass-row-name NAME password row title in CSV file [default: Password]
--user-as-pass USERFILE use the usernames in the specified file as the password (one per line)

Using MailSniper

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for
specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-
administrative user to search their own email or by an Exchange administrator to search the mailboxes of every
user in a domain.

MailSniper also includes additional modules for password spraying, enumerating users and domains, gathering the
Global Address List (GAL) from OWA and EWS and checking mailbox permissions for every Exchange user at an
organization.

Invoke-PasswordSprayOWA will attempt to connect to an OWA portal and perform a password spraying attack
using a userlist and a single password.

Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile owa-sprayed-creds.txt

Invoke-PasswordSprayEWS will attempt to connect to an EWS portal and perform a password spraying attack
using a userlist and a single password.

Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15

Using Ruler

ruler -k --domain offense.local brute --users users --passwords passwords --verbose

Attacking Office365

o365spray - A username enumeration and password spraying tool aimed at Microsoft Office 365 (O365). This tool
reimplements a collection of enumeration and spray techniques researched and identified by those mentioned in its
Acknowledgments.

Validate a domain is using O365:

o365spray --validate --domain test.com

Perform username enumeration against a given domain:

o365spray --enum -U usernames.txt --domain test.com

Perform password spraying against a given domain:

o365spray --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com

usage: o365spray [-h] [-d DOMAIN] [--validate] [--enum] [--spray]


[-u USERNAME] [-p PASSWORD] [-U USERFILE] [-P PASSFILE]
[--paired PAIRED] [-c COUNT] [-l LOCKOUT]
[--enum-module {office,onedrive,oauth2}]
[--spray-module {oauth2,activesync,autodiscover,reporting,adfs}]
[--adfs-url ADFS_URL] [--rate RATE] [--safe SAFE]
[--timeout TIMEOUT] [--proxy PROXY] [--output OUTPUT]
[-v] [--debug]

Attacking GMail

Attacking other Platforms

Use Burpsuite

Mitigations

Brute force prevention should be on both fields, i.e., username and password.

Set account lockout policies after a certain number of failed login attempts to prevent credentials from being guessed.
Implement CAPTCHA, if lockout is not a viable option.

The admin managed application should force users to change their password on first login with default password.

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
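Lockout policies and MFA only help if the spray pattern is also visible in the authentication logs. The following added example (not from these notes or from any tool above) runs a simple detector over a constructed key=value log: it separates spraying (one source, many accounts, only a few failures each, which is exactly what keeps it under lockout) from single-account brute force, and lists any success from the spraying source within the window so that account is triaged first.

```python
"""Detect password spraying in authentication logs (added example).

Spraying tries one password against many accounts to stay under lockout
thresholds, so the signature is: one source, many distinct usernames
failing inside a window, only a few failures per account. Brute force is
the opposite shape (one account, many failures). Not from the notes.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (key=value lines); not from a real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:00:03Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T09:00:05Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T09:00:07Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T09:00:09Z src=203.0.113.5 user=erin result=FAIL
2024-03-01T09:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2024-03-01T09:05:00Z src=198.51.100.7 user=carol result=FAIL
2024-03-01T09:05:02Z src=198.51.100.7 user=carol result=FAIL
2024-03-01T09:05:04Z src=198.51.100.7 user=carol result=FAIL
2024-03-01T09:05:06Z src=198.51.100.7 user=carol result=FAIL
2024-03-01T09:05:08Z src=198.51.100.7 user=carol result=FAIL
2024-03-01T09:05:10Z src=198.51.100.7 user=carol result=FAIL
2024-03-01T10:30:00Z src=192.0.2.9 user=dave result=FAIL
2024-03-01T10:30:05Z src=192.0.2.9 user=dave result=SUCCESS
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_line(line: str) -> Event | None:
    """Parse 'TIMESTAMP src=.. user=.. result=..'; None for unparseable lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not all(k in kv for k in ("src", "user", "result")):
        return None
    return Event(ts, kv["src"], kv["user"], kv["result"].upper() == "SUCCESS")


def detect(lines, window=timedelta(minutes=30), spray_min_users=5,
           spray_max_per_user=2, brute_min_failures=5) -> list[dict]:
    """Return spray/brute-force alerts, at most one per source IP, in first-seen order."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    alerts: list[dict] = []
    for src, evs in by_src.items():
        failures = [e for e in evs if not e.ok]
        sprayed = False
        start = 0
        for end in range(len(failures)):  # sliding window over this source's failures
            while failures[end].ts - failures[start].ts > window:
                start += 1
            per_user = Counter(e.user for e in failures[start:end + 1])
            if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
                first = failures[start].ts
                # A success from the same source during the spray is the account to triage first.
                hits = sorted({e.user for e in evs if e.ok and first <= e.ts <= first + window})
                alerts.append({"type": "password_spray", "src": src, "accounts": len(per_user),
                               "first_seen": first, "successes": hits})
                sprayed = True
                break
        if sprayed:
            continue
        # Classic brute force: many failures against one account from one source.
        for user, n in Counter(e.user for e in failures).items():
            if n >= brute_min_failures:
                alerts.append({"type": "brute_force", "src": src, "user": user, "failures": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune spray_min_users and the window to the size of the user base; a spray distributed over the proxies CredMaster describes will show as several sources, so the same logic is worth running with the source field replaced by the user agent or the tried password's hash where the platform logs one.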

Good Read

Brute Force: Password Spraying - Adversaries may use a single or small list of commonly used passwords against many
different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'),
or a small list of commonly used passwords, that may match the complexity policy of the domain.
https://attack.mitre.org/techniques/T1110/003/

Protecting your organization against password spray attacks - https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/

"Password Spraying" - What to Do and How to Avoid It - https://www.coalfire.com/the-coalfire-blog/march-2019/password-spraying-what-to-do-and-how-to-avoid-it

GitHub - byt3bl33d3r/SprayingToolkit: Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient - https://github.com/byt3bl33d3r/SprayingToolkit

GitHub - dafthack/MailSniper: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms - https://github.com/dafthack/MailSniper

VPN detection
VPN Hunter (http://www.vpnhunter.com) discovers and classifies SSL VPNs from top vendors including Juniper, Cisco, Palo
Alto, Citrix, Fortinet, F5, SonicWALL, Barracuda, Microsoft, and Array. VPN Hunter will also attempt to detect whether two-
factor authentication is enabled on the target SSL VPNs.


Mobile Application
Use MobSF to perform both dynamic and static analysis of the application.

Use VirusTotal to scan the app. VirusTotal allows uploading of APKs.
