Password Spraying

Fireprox is a tool from Mike Feltch and Sponsored by Black Hills Information Security. The tool can be found on GitHub at https://github.com/ustayready/fireprox. The tool can create API Gateways from Amazon in whatever way you need it to happen. Fireprox can be pointed to whatever URL to wish to use and will create a corresponding API Gateway to this location. The tool can be more than just pointed at Entra ID. This tool is not as "flexible" as IP rotate, where you can right-click a URL and build an API Gateway, but it is a better alternative in that you can control the system's configuration. We will see this tool inserted into multiple other tools, such as TeamFiltration, which leverages FireProx to provide IP Rotation. In conversations with AWS they say that API gateways used in this configuration does not violate Terms of Service (ToS). Not as flexible as the IP Rotate Tool built into Burp Suite with the ability to automatically fill in the URL.

TeamFiltration

TeamFiltration has a password-spraying module that can be used to look for Valid Username/Password Combinations.

• It uses the same APIs as enumeration

• Leverages FireProx to evade smart lockout

• Spraying can be done with the minimum and maximum wait, including Jitter

• Can use pushover to push notifications for locked-out or valid accounts

• Can use time-based policies to only spray over a specific time