Compare commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
69faae42aa | ||
|
|
28a6c74ea5 | ||
|
|
e15302e385 | ||
|
|
e409a23eba | ||
|
|
2969362d83 | ||
|
|
8b697c4a77 | ||
|
|
05c9f6f56a |
@@ -0,0 +1,132 @@
|
||||
Spray 'N Pray Binary License v1.0
|
||||
Copyright (c) 2026 KrakenTech. All rights reserved.
|
||||
|
||||
This license governs use of the compiled, executable binary
|
||||
distribution of Spray 'N Pray (the "Software") published by Licensor.
|
||||
No source code is provided or licensed under this agreement. By
|
||||
installing or running the Software, you agree to be bound by these
|
||||
terms. If you do not agree to these terms, do not use the Software.
|
||||
|
||||
1. DEFINITIONS
|
||||
|
||||
1.1 "Licensor" means KrakenTech, the copyright holder of the Software.
|
||||
|
||||
1.2 "You" or "Licensee" means the individual or entity exercising the
|
||||
rights granted under this license.
|
||||
|
||||
1.3 "Software" means the compiled, executable binary of Spray 'N Pray
|
||||
as published by Licensor, and any associated documentation
|
||||
distributed alongside it. It does not include source code.
|
||||
|
||||
1.4 "Commercialize" means to sell, resell, sublicense, rent, lease, or
|
||||
otherwise distribute the Software for a fee or other
|
||||
consideration, or to offer the Software's functionality to third
|
||||
parties as a hosted, managed, or "as-a-service" product, whether
|
||||
or not for direct payment.
|
||||
|
||||
2. GRANT OF LICENSE
|
||||
|
||||
Subject to the restrictions in Section 3, Licensor grants You a
|
||||
worldwide, royalty-free, non-exclusive, non-transferable license to:
|
||||
|
||||
(a) install and run the Software, including for the purpose of
|
||||
performing authorized security testing, penetration testing,
|
||||
or red-team engagements on behalf of yourself or a paid client;
|
||||
and
|
||||
|
||||
(b) make copies of the Software solely for backup, archival, or
|
||||
internal deployment purposes.
|
||||
|
||||
For the avoidance of doubt, using the Software as a tool in the
|
||||
course of paid professional security consulting or engagement work is
|
||||
permitted under this license and is not, by itself, Commercialization
|
||||
of the Software.
|
||||
|
||||
No source code is made available to You under this license. Nothing
|
||||
in this license, and no act by Licensor, shall be construed as
|
||||
granting You any right to obtain, view, or use the Software's source
|
||||
code.
|
||||
|
||||
3. RESTRICTIONS
|
||||
|
||||
3.1 No Commercialization. You may not Commercialize the Software.
|
||||
This includes, without limitation: selling the Software or any
|
||||
derivative of it; sublicensing or redistributing the Software to
|
||||
third parties for a fee; bundling the Software into a commercial
|
||||
product or offering; or operating the Software as a hosted or
|
||||
managed service for third parties. Any commercial distribution or
|
||||
service arrangement requires a separate written agreement with
|
||||
Licensor.
|
||||
|
||||
3.2 No Reverse Engineering. You may not reverse engineer, decompile,
|
||||
disassemble, or otherwise attempt to derive the source code of the
|
||||
Software, except and only to the extent that such restriction is
|
||||
expressly prohibited by applicable law notwithstanding this
|
||||
limitation.
|
||||
|
||||
3.3 No Modification. You may not modify, patch, repackage, or create
|
||||
a derivative work of the Software, or attempt to bypass, alter, or
|
||||
disable any of its functionality.
|
||||
|
||||
3.4 No Redistribution of Source. You may not attempt to extract,
|
||||
reconstruct, publish, or otherwise distribute the Software's
|
||||
source code, whether obtained through reverse engineering or any
|
||||
other means.
|
||||
|
||||
3.5 Authorized Use Only. The Software is designed to perform
|
||||
credential-spraying and related activity against network services.
|
||||
You may only use the Software against systems, accounts, and
|
||||
networks for which you have obtained prior, explicit authorization
|
||||
to test. You are solely responsible for ensuring your use of the
|
||||
Software complies with all applicable laws and any engagement
|
||||
authorization, scope, or rules of engagement governing your use.
|
||||
|
||||
3.6 Notices. You must retain this license file, and all copyright,
|
||||
trademark, and attribution notices contained in the Software, in
|
||||
any copy you make.
|
||||
|
||||
4. OWNERSHIP
|
||||
|
||||
The Software is licensed, not sold. Licensor retains all right, title,
|
||||
and interest in and to the Software, including all intellectual
|
||||
property rights therein and its underlying source code. No rights are
|
||||
granted to You other than as expressly set forth in this license.
|
||||
|
||||
5. DISCLAIMER OF WARRANTY
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
|
||||
NONINFRINGEMENT. LICENSOR DOES NOT WARRANT THAT THE SOFTWARE WILL BE
|
||||
ERROR-FREE OR UNINTERRUPTED, OR THAT IT WILL DETECT, PREVENT, OR
|
||||
OTHERWISE AVOID ANY ACCOUNT LOCKOUT, SERVICE DISRUPTION, OR OTHER
|
||||
UNINTENDED EFFECT ON A TARGET SYSTEM.
|
||||
|
||||
6. LIMITATION OF LIABILITY
|
||||
|
||||
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL
|
||||
LICENSOR BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL,
|
||||
CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, DATA, OR
|
||||
GOODWILL, ARISING OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THIS
|
||||
LICENSE, INCLUDING ANY DAMAGES ARISING FROM UNAUTHORIZED OR
|
||||
OUT-OF-SCOPE USE OF THE SOFTWARE AGAINST A THIRD-PARTY SYSTEM, EVEN IF
|
||||
LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
7. TERMINATION
|
||||
|
||||
This license terminates automatically if You breach any of its terms.
|
||||
Upon termination, You must cease all use of the Software and destroy
|
||||
all copies in your possession or control. Sections 4, 5, 6, 8, and 9
|
||||
survive termination.
|
||||
|
||||
8. GOVERNING LAW
|
||||
|
||||
This license is governed by the laws of the jurisdiction in which
|
||||
Licensor is organized, without regard to conflict-of-law principles.
|
||||
|
||||
9. ENTIRE AGREEMENT
|
||||
|
||||
This license constitutes the entire agreement between You and Licensor
|
||||
regarding the Software and supersedes any prior agreements or
|
||||
understandings, unless You have a separate written agreement with
|
||||
Licensor that expressly states otherwise.
|
||||
@@ -1 +1,97 @@
|
||||
Welcome to the README for Spray 'n Pray
|
||||
# Spray 'N Pray
|
||||
|
||||
Spray 'N Pray is a self-hosted password spraying console for authorized security engagements. It's a Go-native single-page app (Fiber + vanilla JS + SQLite) that runs unattended, scheduled spraying against ADWS, FTP, HTTP/HTTPS, Kerberos, LDAP/LDAPS, MSSQL, OWA, RDP, RPC, SMB, and SSH either locally or tunneled out through a chain of SOCKS5 jump hosts. It includes account-lockout-aware Safe Mode, email/webhook notifications, and full activity logging.
|
||||
|
||||
> **Authorized use only.** Spray 'N Pray is built for penetration testers and red teamers operating under a signed engagement or explicit written authorization. Do not point it at systems you don't have permission to test.
|
||||
|
||||
## Platforms
|
||||
|
||||
Prebuilt binaries are published for:
|
||||
|
||||
- Linux (amd64, arm64)
|
||||
- macOS (amd64, arm64)
|
||||
- Windows (amd64)
|
||||
|
||||
## Getting Started
|
||||
|
||||
```
|
||||
./spraynpray -iface 0.0.0.0 -port 1337
|
||||
```
|
||||
|
||||
Must be run as root. Once it's running, open the console in a browser at the address it prints on startup.
|
||||
|
||||
## Reporting Issues
|
||||
|
||||
Becauase this is a private repo, issues must be submitted via email. **All bug reports, feature requests, and questions must go to [issues@krkn.tech](mailto:issues@krkn.tech)**.
|
||||
|
||||
A good report is one we can act on without a back-and-forth to get basic details. The template below covers what we need; the sections after it explain *why* each part matters and how to fill it in safely.
|
||||
|
||||
### Copy-paste template
|
||||
|
||||
````markdown
|
||||
**Subject line:** [Spray 'N Pray] <short summary of the problem>
|
||||
|
||||
**Version:**
|
||||
<from the app>
|
||||
|
||||
**Platform:**
|
||||
<OS, version, architecture>
|
||||
|
||||
**Protocol & config at the time:**
|
||||
- Protocol:
|
||||
- Safe Mode: on / off
|
||||
- SOCKS5 proxy: on / off
|
||||
|
||||
**Summary:**
|
||||
<one or two sentences -what's wrong>
|
||||
|
||||
**Steps to reproduce:**
|
||||
1.
|
||||
2.
|
||||
3.
|
||||
|
||||
**Expected behavior:**
|
||||
<what you thought would happen>
|
||||
|
||||
**Actual behavior:**
|
||||
<what actually happened - include exact error text if there was any>
|
||||
|
||||
**Screenshots / recordings:**
|
||||
<attached, or "N/A" - see redaction note below before attaching>
|
||||
|
||||
**Activity log:**
|
||||
<attached (exported via the download icon in the Activity pane), or "N/A" -see redaction note below>
|
||||
|
||||
**Additional context:**
|
||||
<anything else worth knowing -recent changes, how often it happens, workarounds you've tried, etc.>
|
||||
````
|
||||
|
||||
### Field-by-field notes
|
||||
|
||||
**Subject line** - Prefix it with `[Spray 'N Pray]` and keep the summary to one line. We triage by subject before opening the email, so a vague subject like "bug" or "help" gets picked up last.
|
||||
|
||||
**Version** - Shown in the console's top bar, immediately to the right of the "Spray 'N Pray" title, and also printed to the terminal when the binary starts. If you built from source yourself, say so and include the commit hash.
|
||||
|
||||
**Platform** - Full OS name/version and CPU architecture (e.g. "Ubuntu 22.04, amd64" or "macOS 14.5, arm64"). Cross-platform tools break differently on different platforms; this is often the first thing that narrows a bug down.
|
||||
|
||||
**Protocol & config** - Which protocol was selected (ADWS, FTP, HTTP, HTTPS, Kerberos, LDAP, LDAPS, MSSQL, OWA, RDP, RPC, SMB, SSH), and whether Safe Mode and SOCKS5 proxying were on. Most bugs in this app are protocol-specific or proxy-specific, so this narrows the search dramatically.
|
||||
|
||||
**Summary** - The elevator-pitch version of the bug. This is what we read first to decide severity and routing.
|
||||
|
||||
**Steps to reproduce** - Numbered, in the exact order you did them. "It doesn't work sometimes" is not reproducible; "1. Set protocol to LDAP, 2. Enable SOCKS5 proxy, 3. Click Spray" is. If you can't get it to reliably reproduce, say so explicitly and describe how often it happens instead (e.g. "roughly 1 in 5 runs").
|
||||
|
||||
**Expected vs. actual behavior** - Two separate, explicit statements, not one blended paragraph. This is the single biggest thing that speeds up triage: it tells us immediately whether this is a crash, a wrong-result bug, or a UX misunderstanding, without us having to infer it.
|
||||
|
||||
**Screenshots / recordings** - A screenshot of the console (or a short screen recording) is often faster than a paragraph of description, especially for UI bugs. Most email clients let you drag an image or video straight into the compose window as an attachment.
|
||||
|
||||
> **Redact before you attach.** This tool runs against real engagements. Before sending a screenshot or recording, check it for and blur/crop out: target hostnames and IP addresses, domain names, usernames, and - most importantly - any password or credential the tool found (they render in plain text in the Users panel and the Activity log). A UI bug report doesn't need real target data to be useful; a sanitized `corp.local` / `dc01.fake.local` stand-in reproduces the bug just as well.
|
||||
|
||||
**Activity log** - The Activity pane has a download icon next to "Clear" that exports the full session log - including timestamps - as a plain-text file. Attaching this (rather than copy-pasting a few lines) gives us the surrounding context: what ran before the bug, timing, and any other warnings or errors that fired around the same time.
|
||||
|
||||
> **Same redaction rule applies.** The activity log records valid credentials on a hit, and host/domain names throughout. Open the exported file and scrub anything engagement-sensitive before attaching - find/replace the real domain and any `VALID` lines' credentials with placeholders.
|
||||
|
||||
**Additional context** - Anything that doesn't fit the fields above: this is a regression from a version that worked, it only happens on your second run after a fresh install, you're behind a corporate proxy, etc. If you're not sure whether something is relevant, include it -extra context costs us nothing to skip; missing context costs a round-trip email.
|
||||
|
||||
## License
|
||||
|
||||
Spray 'N Pray is available under a custom license - see [LICENSE](LICENSE). In short: free to use, including on paid engagements; you may not sell, sublicense, or redistribute it (or a derivative) as a commercial product or service.
|
||||
Reference in New Issue
Block a user