5 Commits
Author SHA1 Message Date
ehosinski e15302e385 Update README.md 2026-07-16 22:02:07 -04:00
ehosinski e409a23eba Update LICENSE 2026-07-16 22:01:29 -04:00
ehosinski 2969362d83 Update README.md 2026-07-16 22:01:18 -04:00
ehosinski 8b697c4a77 Add LICENSE.md 2026-07-16 22:00:20 -04:00
ehosinski 05c9f6f56a Update README.md 2026-07-16 21:58:37 -04:00
2 changed files with 220 additions and 1 deletions
+123
View File
@@ -0,0 +1,123 @@
Spray 'N Pray Source-Available License v1.0
Copyright (c) 2026 KrakenTech. All rights reserved.
This license governs use of the software and associated documentation
files (the "Software") made available in this repository. By using,
copying, or modifying the Software, you agree to be bound by these
terms. If you do not agree to these terms, do not use the Software.
1. DEFINITIONS
1.1 "Licensor" means KrakenTech, the copyright holder of the Software.
1.2 "You" or "Licensee" means the individual or entity exercising the
rights granted under this license.
1.3 "Commercialize" means to sell, resell, sublicense, rent, lease, or
otherwise distribute the Software (in whole, in part, or as a
modified or derivative work) for a fee or other consideration, or
to offer the Software's functionality to third parties as a
hosted, managed, or "as-a-service" product, whether or not for
direct payment.
2. GRANT OF LICENSE
Subject to the restrictions in Section 3, Licensor grants You a
worldwide, royalty-free, non-exclusive, non-transferable license to:
(a) use and run the Software, including for the purpose of
performing authorized security testing, penetration testing,
or red-team engagements on behalf of yourself or a paid client;
and
(b) view, copy, and modify the Software's source code for your own
internal use, including creating internal patches or
modifications.
For the avoidance of doubt, using the Software as a tool in the
course of paid professional security consulting or engagement work is
permitted under this license and is not, by itself, Commercialization
of the Software.
3. RESTRICTIONS
3.1 No Commercialization. You may not Commercialize the Software.
This includes, without limitation: selling the Software or any
derivative of it; sublicensing or redistributing the Software,
modified or unmodified, to third parties for a fee; bundling the
Software into a commercial product or offering; or operating the
Software as a hosted or managed service for third parties. Any
commercial distribution or service arrangement requires a separate
written agreement with Licensor.
3.2 No Reverse Engineering. You may not reverse engineer, decompile,
disassemble, or otherwise attempt to derive the source code of any
compiled or binary distribution of the Software, except and only
to the extent that such restriction is expressly prohibited by
applicable law notwithstanding this limitation.
3.3 Authorized Use Only. The Software is designed to perform
credential-spraying and related activity against network services.
You may only use the Software against systems, accounts, and
networks for which you have obtained prior, explicit authorization
to test. You are solely responsible for ensuring your use of the
Software complies with all applicable laws and any engagement
authorization, scope, or rules of engagement governing your use.
3.4 Notices. You must retain this license file, and all copyright,
trademark, and attribution notices contained in the Software, in
any copy or modified copy you make.
4. OWNERSHIP
The Software is licensed, not sold. Licensor retains all right, title,
and interest in and to the Software, including all intellectual
property rights therein. No rights are granted to You other than as
expressly set forth in this license.
5. CONTRIBUTIONS
If You submit a contribution (code, documentation, or otherwise) to
Licensor for inclusion in the Software, You grant Licensor a
perpetual, worldwide, royalty-free, irrevocable license to use,
reproduce, modify, and distribute that contribution as part of the
Software, under this license or otherwise.
6. DISCLAIMER OF WARRANTY
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
NONINFRINGEMENT. LICENSOR DOES NOT WARRANT THAT THE SOFTWARE WILL BE
ERROR-FREE OR UNINTERRUPTED, OR THAT IT WILL DETECT, PREVENT, OR
OTHERWISE AVOID ANY ACCOUNT LOCKOUT, SERVICE DISRUPTION, OR OTHER
UNINTENDED EFFECT ON A TARGET SYSTEM.
7. LIMITATION OF LIABILITY
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL
LICENSOR BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL,
CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, DATA, OR
GOODWILL, ARISING OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THIS
LICENSE, INCLUDING ANY DAMAGES ARISING FROM UNAUTHORIZED OR
OUT-OF-SCOPE USE OF THE SOFTWARE AGAINST A THIRD-PARTY SYSTEM, EVEN IF
LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
8. TERMINATION
This license terminates automatically if You breach any of its terms.
Upon termination, You must cease all use of the Software and destroy
all copies in your possession or control. Sections 4, 6, 7, 9, and 10
survive termination.
9. GOVERNING LAW
This license is governed by the laws of the jurisdiction in which
Licensor is organized, without regard to conflict-of-law principles.
10. ENTIRE AGREEMENT
This license constitutes the entire agreement between You and Licensor
regarding the Software and supersedes any prior agreements or
understandings, unless You have a separate written agreement with
Licensor that expressly states otherwise.
+97 -1
View File
@@ -1 +1,97 @@
Welcome to the README for Spray 'n Pray
# Spray 'N Pray
Spray 'N Pray is a self-hosted password spraying console for authorized security engagements. It's a Go-native single-page app (Fiber + vanilla JS + SQLite) that runs unattended, scheduled spraying against ADWS, FTP, HTTP/HTTPS, Kerberos, LDAP/LDAPS, MSSQL, OWA, RDP, RPC, SMB, and SSH either locally or tunneled out through a chain of SOCKS5 jump hosts. It includes account-lockout-aware Safe Mode, email/webhook notifications, and full activity logging.
> **Authorized use only.** Spray 'N Pray is built for penetration testers and red teamers operating under a signed engagement or explicit written authorization. Do not point it at systems you don't have permission to test.
## Platforms
Prebuilt binaries are published for:
- Linux (amd64, arm64)
- macOS (amd64, arm64)
- Windows (amd64)
## Getting Started
```
./spraynpray -iface 0.0.0.0 -port 1337
```
Must be run as root. Once it's running, open the console in a browser at the address it prints on startup.
## Reporting Issues
Becauase this is a private repo, issues must be submitted via email. **All bug reports, feature requests, and questions must go to [issues@krkn.tech](mailto:issues@krkn.tech)**.
A good report is one we can act on without a back-and-forth to get basic details. The template below covers what we need; the sections after it explain *why* each part matters and how to fill it in safely.
### Copy-paste template
````markdown
**Subject line:** [Spray 'N Pray] <short summary of the problem>
**Version:**
<from the app>
**Platform:**
<OS, version, architecture>
**Protocol & config at the time:**
- Protocol:
- Safe Mode: on / off
- SOCKS5 proxy: on / off
**Summary:**
<one or two sentences -what's wrong>
**Steps to reproduce:**
1.
2.
3.
**Expected behavior:**
<what you thought would happen>
**Actual behavior:**
<what actually happened - include exact error text if there was any>
**Screenshots / recordings:**
<attached, or "N/A" - see redaction note below before attaching>
**Activity log:**
<attached (exported via the download icon in the Activity pane), or "N/A" -see redaction note below>
**Additional context:**
<anything else worth knowing -recent changes, how often it happens, workarounds you've tried, etc.>
````
### Field-by-field notes
**Subject line** - Prefix it with `[Spray 'N Pray]` and keep the summary to one line. We triage by subject before opening the email, so a vague subject like "bug" or "help" gets picked up last.
**Version** - Shown in the console's top bar, immediately to the right of the "Spray 'N Pray" title, and also printed to the terminal when the binary starts. If you built from source yourself, say so and include the commit hash.
**Platform** - Full OS name/version and CPU architecture (e.g. "Ubuntu 22.04, amd64" or "macOS 14.5, arm64"). Cross-platform tools break differently on different platforms; this is often the first thing that narrows a bug down.
**Protocol & config** - Which protocol was selected (ADWS, FTP, HTTP, HTTPS, Kerberos, LDAP, LDAPS, MSSQL, OWA, RDP, RPC, SMB, SSH), and whether Safe Mode and SOCKS5 proxying were on. Most bugs in this app are protocol-specific or proxy-specific, so this narrows the search dramatically.
**Summary** - The elevator-pitch version of the bug. This is what we read first to decide severity and routing.
**Steps to reproduce** - Numbered, in the exact order you did them. "It doesn't work sometimes" is not reproducible; "1. Set protocol to LDAP, 2. Enable SOCKS5 proxy, 3. Click Spray" is. If you can't get it to reliably reproduce, say so explicitly and describe how often it happens instead (e.g. "roughly 1 in 5 runs").
**Expected vs. actual behavior** - Two separate, explicit statements, not one blended paragraph. This is the single biggest thing that speeds up triage: it tells us immediately whether this is a crash, a wrong-result bug, or a UX misunderstanding, without us having to infer it.
**Screenshots / recordings** - A screenshot of the console (or a short screen recording) is often faster than a paragraph of description, especially for UI bugs. Most email clients let you drag an image or video straight into the compose window as an attachment.
> **Redact before you attach.** This tool runs against real engagements. Before sending a screenshot or recording, check it for and blur/crop out: target hostnames and IP addresses, domain names, usernames, and - most importantly - any password or credential the tool found (they render in plain text in the Users panel and the Activity log). A UI bug report doesn't need real target data to be useful; a sanitized `corp.local` / `dc01.fake.local` stand-in reproduces the bug just as well.
**Activity log** - The Activity pane has a download icon next to "Clear" that exports the full session log - including timestamps - as a plain-text file. Attaching this (rather than copy-pasting a few lines) gives us the surrounding context: what ran before the bug, timing, and any other warnings or errors that fired around the same time.
> **Same redaction rule applies.** The activity log records valid credentials on a hit, and host/domain names throughout. Open the exported file and scrub anything engagement-sensitive before attaching - find/replace the real domain and any `VALID` lines' credentials with placeholders.
**Additional context** - Anything that doesn't fit the fields above: this is a regression from a version that worked, it only happens on your second run after a fresh install, you're behind a corporate proxy, etc. If you're not sure whether something is relevant, include it -extra context costs us nothing to skip; missing context costs a round-trip email.
## License
Spray 'N Pray is source-available under a custom license - see [LICENSE](LICENSE). In short: free to use, including on paid engagements; you may not sell, sublicense, or redistribute it (or a derivative) as a commercial product or service.