Now, exit Recon-ng so we can use grep to extract the usernames from the email file we just created. The following command cuts the usernames out of the email file and writes them to a new user_list file that we will use later in the tutorial.
grep @ /tmp/emails | cut -d " " -f 4 | cut -d @ -f 1 | sort -u >> /tmp/user_list
The -u flag on sort also deduplicates the list, which matters for password spraying: a duplicate username means two attempts against the same account in one round, which can cause unwanted account lockouts. Note that >> appends if /tmp/user_list already exists; if you are rerunning the command, remove the old file first (or use > instead) so that the deduplication applies to the whole file.
4.) Spray Payday
Now that we have a list of users, let’s use Burp Suite to conduct password spraying. Find a site for your targeted company that requires authentication; I will be using https://portal.hurricanelabs.com. Note that you should never conduct password spraying on a company unless you have explicit permission. Not only is this against the law, but many other issues can arise from a simple password spray if it’s not done properly. Also limit spray attempts to a maximum of one per hour to ensure users are not locked out.
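The one-attempt-per-hour pacing above is exactly what keeps a spray under per-account lockout thresholds, which is also why a defender cannot rely on lockout counters alone to notice one. The Python below is an added example, not code from the original post and not Recon-ng or Burp Suite code; it runs over a constructed, simplified authentication-log format (the line layout, the IP addresses, usernames and the 5-failure thresholds are all assumptions) and contrasts two checks: a per-source count of distinct accounts, which flags the spraying source, and a per-account failure count of the kind a lockout policy uses, which never sees it because each sprayed account fails only once.

```python
"""Password-spray detection over authentication logs.

Added example, not code from the original post or from Recon-ng/Burp Suite.
Assumes a constructed, simplified log line format:
    <ISO-8601 timestamp> <source IP> <username> <FAIL|SUCCESS>
Real logs (Windows 4625 events, web server auth logs) need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against many accounts
# (spray: one failure per account), 198.51.100.9 hammers a single account
# (classic brute force), and 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:03 203.0.113.7 bob FAIL
2024-03-01T09:00:05 203.0.113.7 carol FAIL
2024-03-01T09:00:07 203.0.113.7 dave FAIL
2024-03-01T09:00:09 203.0.113.7 erin FAIL
2024-03-01T09:00:11 203.0.113.7 frank SUCCESS
2024-03-01T09:05:00 198.51.100.9 alice FAIL
2024-03-01T09:05:01 198.51.100.9 alice FAIL
2024-03-01T09:05:02 198.51.100.9 alice FAIL
2024-03-01T09:05:03 198.51.100.9 alice FAIL
2024-03-01T09:05:04 198.51.100.9 alice FAIL
2024-03-01T10:30:00 192.0.2.44 gina FAIL
2024-03-01T10:31:00 192.0.2.44 gina SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into sorted (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        # Normalise case so "Alice" and "alice" count as the same account.
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result))
    return sorted(events)


def _windowed_hits(keyed, window, threshold, measure):
    """Sliding-window scan: for each key, find the first window of attempts
    where measure(window_slice) >= threshold. Returns {key: measured value}."""
    hits = {}
    for key, attempts in keyed.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            value = measure(attempts[start:end + 1])
            if value >= threshold:
                hits[key] = value
                break
    return hits


def detect_spray(events, window=timedelta(hours=1), min_users=5):
    """Sources whose failed logins touch >= min_users distinct accounts
    within `window`. Returns {ip: number_of_distinct_users}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    return _windowed_hits(by_ip, window, min_users,
                          lambda s: len({u for _, u in s}))


def accounts_over_lockout(events, window=timedelta(minutes=30), threshold=5):
    """Accounts that would trip a per-account lockout policy of `threshold`
    failures within `window`, from any source. Returns {user: failures}."""
    by_user = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_user[user].append((ts, ip))
    return _windowed_hits(by_user, window, threshold, len)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))            # {'203.0.113.7': 5}
    print("accounts at lockout:", accounts_over_lockout(evs))  # {'alice': 5}
```

On the sample, only the brute-forced account (alice) reaches the lockout threshold; bob, carol, dave and erin each fail once and stay well under it, while the spraying source is caught by the distinct-account check. In practice the per-source key also needs to account for sprays spread across many IPs, so the same measure is often applied per user agent, per ASN, or across all sources combined.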
Fire up Burp Suite and ensure that you have one of your browsers proxied through it. For more information on this, please see PortSwigger’s article on configuring your browser to work with Burp.
Now that the browser is proxied through Burp Suite, navigate to your targeted login site.
Once on the site, type in a fake username and the password you want to test with. For my example, I am using firstname.lastname@example.org and Hurricane123. Do not press “Login” at this point. There is still some configuring in Burp Suite to do first.