Skip to content

Latest commit

 

History

History
49 lines (31 loc) · 1.66 KB

File metadata and controls

49 lines (31 loc) · 1.66 KB

ConPass

PyPI version PyPI Statistics Twitter

Python tool for continuous password spraying taking into account the password policy.

Associated Blogposts

Warning

Although this tool implements robust thread-safe anti-lockout protection, there can still be edge cases where accounts might be locked out. Always use with caution in production environments.

Installation

conpass works with python >= 3.10

From source

cd conpass
pipx install .

Usage

conpass will get all domain users and try a list of passwords provided in a password file. When a user can be locked out, the tool will wait for the lockout reset period before trying another password.

conpass -d domain.local -u pixis -p P4ssw0rd -P /tmp/passwords.txt

All passwords provided in /tmp/passwords.txt will be added to a testing Queue, and will be tested against all users, whenever it is possible without locking users out.

Security Threshold

The security threshold (-s, default: 2) provides a safety margin before the lockout threshold. For example:

  • Lockout threshold: 5
  • Security threshold: 2
  • Maximum tests per user: 3

This accounts for potential concurrent authentications from the user or other tools.

License

MIT