Safe/lockout is not used when using a paired list about o365spray HOT 7 CLOSED

That comment is specifically meant for that section in __main__.py as we will only cycle through the passed credentials a single time instead of looping like we do with a password set. The lockout handling is still observed and handled (when applicable) by the sprayer handler itself as you can see for example here:
https://github.com/0xZDH/o365spray/blob/master/o365spray/core/handlers/sprayer.py#L295

from o365spray.

Still, the count parameter is not used when the --paired option is used. The help text shows the following:

 -c COUNT, --count COUNT
                        Number of password attempts to run per user before resetting the lockout account
                        timer. Default: 1

I take this to mean that it will do one password per user and then wait for the lockout timer (15 min in my case). However, when I run the attack with --paired on a dataset like the above example. It will happily execute all the guesses for bob in a single run (verified using Burp suite proxy), thereby possibly locking out the account for bob. I've looked a bit in the code, but a fix for this is not trivial I think.

from o365spray.

Ah okay - I now understand what you are referring to. Yes, the way the code is built is if a --paired file is passed the tool is somewhat 'dumb' and assumes that it's a single password attempt for each user (when I originally wrote this handling I seem to have ignored the idea of duplicate users with different passwords...). I will look into a solution for handling this and try to get something pushed up to a dev-branch for testing.

from o365spray.

I have pushed some changes/fixes (v2.0.4) to the paired-updates branch that should resolve this issue. Once I stress test the updates a bit more I will get them merged into the master branch

from o365spray.

Thank you for working on this!

from o365spray.

Hello, anyway to get out the Account locked when we do the password spraying? I tried --safe 3 --sleep 30 with 1 password, but the accounts are still locked.

from o365spray.

Paired updates have been written into the dev branch with several other fixes/updates. Once things have been tested a bit more it will be merged into the master branch.

from o365spray.