
feat: lockout protection with auto-delay from AD password policy #4

Open
alvinhayy wants to merge 1 commit into NTHSec:main from alvinhayy:feat/lockout-protection

@alvinhayy


Summary

  • Add --dc IP flag to automatically query AD password policy via --pass-pol and calculate a safe spray interval based on lockout threshold and observation window (with +10% safety buffer and 15% jitter)
  • Add --delay N and --jitter N flags for manual override (takes precedence over --dc auto values)
  • Detect STATUS_ACCOUNT_LOCKED_OUT in real-time during spray and immediately abort all further attempts
  • Replace getopts with manual flag parsing to support --long style flags

How it works

delay = (observation_window_sec / (threshold - 1)) × 1.10
jitter = delay × 15%

Example with threshold=5, window=30min:

[+] Lockout Threshold : 5 attempts
[+] Observation Window: 30 minutes
[+] Auto delay set to : 396s
[+] Auto jitter set to: 59s

Usage

# Auto delay from DC policy
nxcspray all hosts.txt -u bob -p password --dc 10.10.10.10

# Manual override
nxcspray all hosts.txt -u bob -p password --dc 10.10.10.10 --delay 60 --jitter 10

Test plan

  • Verify --dc correctly parses threshold and observation window from --pass-pol output
  • Verify auto-calculated delay is applied between attempts
  • Verify --delay/--jitter manual flags override auto values
  • Verify spray aborts immediately on lockout detection

🤖 Generated with Claude Code

- Add --dc flag to query AD password policy (--pass-pol) and
  automatically calculate safe spray interval based on lockout
  threshold and observation window (+10% safety buffer, 15% jitter)
- Add --delay and --jitter flags for manual override
- Detect STATUS_ACCOUNT_LOCKED_OUT in real-time and abort spray
- Replace getopts with manual flag parsing to support --long flags

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2 participants