dievus / Oh365UserFinder

Python3 o365 User Enumeration Tool
517 stars, 87 forks

Enhancement - "Safe Mode" #9

Closed msilvestre714 closed 1 week ago

msilvestre714 commented 2 weeks ago

Is there a way to add a "safe mode" for password spraying (ex: --safe)? As in, if a lock out is detected, the script will automatically stop the remaining password spray attempts?

dievus commented 1 week ago

Thanks for the reminder on this. I had added something with way too much logic, removed it because it was a pain, and never circled back around. I updated with something a bit simpler. If you have a chance, can you test it again and let me know what you think?

Thanks!

msilvestre714 commented 1 week ago

Thanks! Will give this a try next time, but it will be a bit difficult to "test" since I am trying to avoid account lockouts. Essentially, it would be ideal if a "--safe" switch were implemented in the command, similar to what "kerbrute" has, where if you add that switch, the tool stops as soon as an account lockout is detected.

dievus commented 1 week ago

Technically there is a --timeout function you can use, which uses the lockout timer policy, and you should always use it when password spraying. This requires open communication with the client to ensure their account safety. This is the safety built into the tool from its inception.

The new logic built in prompts you on every three reported lockouts to either wait 10 minutes or reset the timeout timer, and it stops and prompts again after the next three.

msilvestre714 commented 1 week ago

Yep, I see the new logic built in and have been using the "--timeout" feature. So this should be sufficient! Thanks again!