credbaron

module

v0.1.1 Latest Latest Go to latest Published: May 8, 2026 License: MIT

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/dejisec/credbaron

Links

Open Source Insights

README ¶

CredBaron

CredBaron is a Go port of CredMaster that uses residential proxy rotation instead of AWS API Gateway / FireProx. Every auth attempt can ride a different source IP, either from a proxy list or from a single rotating-endpoint URL.

Install

# prebuilt release
https://github.com/dejisec/credbaron/releases

# or install
go install github.com/dejisec/credbaron/cmd/credbaron@latest

# or build from source
git clone https://github.com/dejisec/credbaron
cd credbaron && make build
./credbaron plugins list

Docker:

docker build -t credbaron .
docker run --rm -v "$PWD:/work" -w /work credbaron spray --config config.json

How it works

You hand CredBaron a plugin name, a user list, a password list, and a proxy source. It spins up a worker pool (default 10) where each worker picks a fresh proxy URL from your source for every request. Each attempt retries up to 3 times with 2s backoff on transport errors, and the plugin classifies the response as success, failure, or potential. Before the pool spawns, CredBaron fires one pre-flight request through the proxy to confirm the target is reachable, so a dead proxy source surfaces immediately.

Successes, valid usernames, and the full console transcript all land in timestamped files under --output-dir. If you pass --resume <state.jsonl>, already-classified (user, password) pairs are skipped on the next run.

Quickstart

Confirm that your proxy is working:

./credbaron proxy check \
  --proxy-endpoint 'http://user:pass@gate.provider.com:7777' 
# or
./credbaron proxy check --proxy-file proxies.txt --count 5

Spray Microsoft Online (msol plugin):

./credbaron spray \
  --plugin msol \
  -u users.txt -p passwords.txt \
  --proxy-endpoint 'https://user:pass@gate.provider.com:7777' \
  --threads 20 \
  --jitter 10 --jitter-min 3 \
  --passwords-per-delay 1 --delay 180 \
  --color

With a proxy list file instead:

./credbaron spray \
  --plugin msol \
  -u users.txt -p passwords.txt \
  --proxy-file proxies.txt \
  --proxy-strategy random

Plugins

14 plugins ship with the binary. Run credbaron plugins list to view the current set.

Microsoft / Azure AD: msol, msgraph, azvault, azuresso, o365enum
Federated / SSO: adfs, okta, pingfed
Exchange: owa, ews
VPN: fortinetvpn
Enumeration: gmailenum
Generic: httpbrute httppost

Proxy sources

Two mutually-exclusive modes: --proxy-file <path> for a newline-separated list, or --proxy-endpoint <url> + optional --proxy-session-var <token> for a single gateway that rotates IPs per session. NTLM and PingFed plugins pin one proxy per credential attempt because those handshakes can't rotate mid-flight. --insecure-tls skips cert verification end-to-end (for self-signed OWA/EWS). See docs/proxies.md.

Timing

Four independent timing knobs, all optional, all compose:

Jitter: random sleep before each attempt
Batch: sleep every N attempts per worker
Inter-password delay: sleep between password cycles
Weekday warrior: only spray during business hours Mon–Fri

See docs/config.md for the full flag reference, --randomize, --stop-on-success, timeouts, UA rotation, and custom headers.

Output

Every run writes timestamped files under --output-dir DIR (default .): a -success.txt of raw user:pass, a -validusers.txt of confirmed usernames, a .log transcript, and an optional .jsonl event stream with --json-output. See docs/config.md for filenames, and event kinds.

Resume

--resume <path> writes every classified attempt to a JSONL checkpoint. On re-run with the same path, already-tested pairs are skipped. See docs/resume.md.

Notifications

Seven webhook backends, fire-and-forget with a 5-second timeout. See docs/notifications.md.

Config file

Everything on the CLI is also settable via JSON. CLI flags override config values. See docs/config.md for the full reference and configs/config.example.json for the complete shape.

./credbaron spray --config config.json

Subcommands

credbaron spray: the main event. All flags: credbaron spray --help.
credbaron plugins list: view registered plugin names.
credbaron proxy check: fire N test requests through the configured proxy source and print the egress IP each returned. --count N (default 3), --target URL (default https://ipinfo.io/json).

Docs

docs/plugins.md: plugin reference, classification model, AADSTS codes, NTLM caveats
docs/proxies.md: proxy configuration and stateful-auth stickiness
docs/config.md: CLI flags, config file, timing, output, JSON events
docs/notifications.md: notifier backends, pairing rules, Teams/Ntfy/Pushover details
docs/resume.md: checkpoint / resume semantics

Directories ¶

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL

Path	Synopsis
cmd
credbaron command
internal
checkpoint Package checkpoint provides a JSONL-backed (user, password) skip set for resumable spray runs.	Package checkpoint provides a JSONL-backed (user, password) skip set for resumable spray runs.
config Package config defines the unified Config struct, JSON loader, CLI merge, validation, and conversion to engine-ready types.	Package config defines the unified Config struct, JSON loader, CLI merge, validation, and conversion to engine-ready types.
creds Package creds loads username/password/useragent files in the same formats as CredMaster.	Package creds loads username/password/useragent files in the same formats as CredMaster.
engine Package engine orchestrates credential queuing, worker pools, per-attempt retry, timing hooks, and stop-on-success cancellation.	Package engine orchestrates credential queuing, worker pools, per-attempt retry, timing hooks, and stop-on-success cancellation.
httpclient Package httpclient builds *http.Client values that route each request through a proxy.Source, with keep-alive disabled so every request gets a fresh proxy.	Package httpclient builds *http.Client values that route each request through a proxy.Source, with keep-alive disabled so every request gets a fresh proxy.
notify Package notify sends events to external chat webhooks.	Package notify sends events to external chat webhooks.
ntlmdecode Package ntlmdecode parses NTLM Type 2 (Challenge) messages from a "WWW-Authenticate: NTLM <base64>" header.	Package ntlmdecode parses NTLM Type 2 (Challenge) messages from a "WWW-Authenticate: NTLM <base64>" header.
output Package output provides a thread-safe log sink that mirrors console output to an optional per-run console log file and appends successes / valid users to dedicated append-only files.	Package output provides a thread-safe log sink that mirrors console output to an optional per-run console log file and appends successes / valid users to dedicated append-only files.
plugins Package plugins defines the spray-plugin contract and a global registry.	Package plugins defines the spray-plugin contract and a global registry.
plugins/aadsts Package aadsts classifies Azure AD error codes (AADSTS*) into CredBaron plugin outcomes.	Package aadsts classifies Azure AD error codes (AADSTS*) into CredBaron plugin outcomes.
plugins/adfs Package adfs sprays AD Federation Services forms-auth endpoints.	Package adfs sprays AD Federation Services forms-auth endpoints.
plugins/azuresso Package azuresso sprays Azure AD Seamless SSO via the WS-Trust endpoint.	Package azuresso sprays Azure AD Seamless SSO via the WS-Trust endpoint.
plugins/azvault Package azvault sprays Microsoft Online targeting the Azure Key Vault resource.	Package azvault sprays Microsoft Online targeting the Azure Key Vault resource.
plugins/ews Package ews sprays Exchange Web Services (/ews/) via NTLM auth.	Package ews sprays Exchange Web Services (/ews/) via NTLM auth.
plugins/fortinetvpn Package fortinetvpn sprays a Fortinet/FortiGate VPN portal at /remote/logincheck.	Package fortinetvpn sprays a Fortinet/FortiGate VPN portal at /remote/logincheck.
plugins/gmailenum Package gmailenum performs Gmail/GSuite user enumeration via /mail/gxlu.	Package gmailenum performs Gmail/GSuite user enumeration via /mail/gxlu.
plugins/httpbrute Package httpbrute performs HTTP Basic / NTLM authentication against a target URL and classifies the result by status code.	Package httpbrute performs HTTP Basic / NTLM authentication against a target URL and classifies the result by status code.
plugins/httppost Package httppost is a generic POST spray plugin.	Package httppost is a generic POST spray plugin.
plugins/msgraph Package msgraph sprays Microsoft Online targeting the Graph API resource.	Package msgraph sprays Microsoft Online targeting the Graph API resource.
plugins/msol Package msol sprays Microsoft Online via the OAuth2 Resource Owner Password	Package msol sprays Microsoft Online via the OAuth2 Resource Owner Password
plugins/o365enum Package o365enum performs Office 365 user enumeration via GetCredentialType.	Package o365enum performs Office 365 user enumeration via GetCredentialType.
plugins/okta Package okta sprays the Okta primary auth endpoint.	Package okta sprays the Okta primary auth endpoint.
plugins/owa Package owa sprays Outlook Web Access via NTLM auth on the autodiscover endpoint.	Package owa sprays Outlook Web Access via NTLM auth on the autodiscover endpoint.
plugins/pingfed Package pingfed sprays a Ping Federate IdP via the two-step prp.wsf form flow.	Package pingfed sprays a Ping Federate IdP via the two-step prp.wsf form flow.
plugins/pluginutil
proxy Package proxy provides per-request proxy selection for CredBaron.	Package proxy provides per-request proxy selection for CredBaron.
timing Package timing encapsulates the four CredMaster evasion features: jitter, batch, inter-password delay, and weekday-warrior.	Package timing encapsulates the four CredMaster evasion features: jitter, batch, inter-password delay, and weekday-warrior.