CredMaster is a Python-based password‐spraying (aka brute forcing) utility that proxies login attempts through dynamically generated Amazon API Gateway endpoints, stealthily rotating IP addresses to evade throttle and visibility controls. It targets high-value authentication endpoints, such as Office 365 and Okta.
Overview
CredMaster extends the concept of FireProx by automating proxy creation, spoofing headers, rotating user agents, and timing attempts across AWS regions. It is written in Python, supports a plugin architecture for services like Outlook Web Access, Azure SSO, ADFS, Fortinet VPN, and Okta, and includes evasion features such as jitter, delay, header spoofing, and weekly Office‐hour spraying. It earned over 1.2k GitHub stars.
Features
- Rotates the requesting IP address for every request
- Automatically generates APIs for proxy passthru
- Spoofs API tracking numbers, forwarded-for IPs, and other proxy tracking headers = fully anonymous
- Easy configuration via config file
- Multi-threaded processing
- Password delay counters & configuration for lockout policy evasion
- Easily add new plugins
- Colourised output
- Notification systems for Keybase, Slack, Discord, Teams & Pushover
- WeekdayWarrior setting for timed spraying and SOC evasion
Installation and Usage
Install with:
git clone https://github.com/knavesec/CredMaster.git
cd CredMaster
pip install -r requirements.txtThen configure AWS keys and run:
python3 credmaster.py --plugin OWA \
--access_key YOUR_KEY \
--secret_access_key YOUR_SECRET \
-u users.txt -p passwords.txt \
-a useragents.txt \
--jitter 20 --delay 30 \
--threads 5The tool supports full AWS region coverage, rotating proxies, and spoofed headers (“X-Forwarded-For”), while sending notifications to Slack, Discord, Teams, Keybase, and more.
Use Cases
This tool fits offensive operations, including:
- Red teams targeting Azure AD, Okta, ADFS, or on‑prem EMS/OWA portals.
- Testing password policies and lockout thresholds under stealth conditions.
- Simulating realistic attacker behaviour by timing sprays during business hours.
Defensive teams can use CredMaster results to validate detection thresholds and response coverage in observability platforms.
Red Team Relevance
CredMaster addresses two key TTPs (T1110.003 Password Spraying) and throttle evasion. AWS API exploitation enables proxying shifts, spraying sources with each request, thereby reducing detection via IP heuristics. Evasion tactics like jitter, header spoofing, threaded spraying, and Weekday Warrior scheduling add realism.
Detection, Avoidance & Defence
Detection teams should tune analytic rules for:
- Unusual authentication requests originating from AWS API Gateway IP ranges.
- Sporadic user‐agent header patterns are typical of spray tools.
- Temporal login clusters mimic human login hours.
- Attempts are made across multiple user accounts within short windows, originating from various sources.
Enterprises can block AWS API endpoints or disable access logs from those ranges. Deploy network and authentication analytics to flag spray patterns across header, IP, and timing anomalies.
Conclusion
CredMaster is a powerful red team asset capable of executing evasive, anonymised password spraying. Its proxy automation, header spoofing, and AWS‑based rotation align well with realistic threat models. Defensive teams benefit from simulating this tool to improve visibility and detect advanced evasion techniques.
You can read more or download CredMaster here: https://github.com/knavesec/CredMaster