GitHub – xFreed0m/RDPassSpray: Python3 tool to perform password spraying using RDP

Thanks for sharing your tool! Nice work.

If I may offer a bit of advice – there is one function I find lacking in most password spraying tools. This is the ability to configure a sleep not in between individual attempts, but in between batches of attempts.

For example, if your target has a lockout policy that looks like this…

Lockout threshold: 10
Lockout duration (minutes): 30
Lockout observation window (minutes): 30

…then an efficient way to spray would be to try 8 attempts right now, sleep 35 minutes, and then another batch of 8. This was you can set it and let it run over night, all weekend, whatever.

If the tool can only sleep between single attempts, you can only safely spray 1 password each round of ~ 30 minutes or you will lock accounts out after the 10th round of spraying. This is because you need to have NO attempts at all (or a successful login) during that observation window to reset the counter.

If anyone knows the above to be incorrect, please of course correct me. I’m not a Windows guru but have run into this in engagements where accounts started locking.


Leave a Reply