What are password spraying attacks?
Traditional password attacks focus on a single account with multiple password guesses. However, password spraying attacks flip this on its axis by attempting a small set of passwords against a large amount of accounts. This tactic seeks to avoid detection and lockouts, while remaining effective by using common or weak passwords. These attacks are favorable in organizations with large user bases but can go on for long periods of time.
How do they work?
Below we’ll show a typical password spraying attack, but keep in mind different scenarios call for different methods.
- Identify login portals – During a penetration test its trivial finding login portals but for a malicious actor it may take a little digging. Hackers use various intelligence techniques such as search engine discovery or simply navigating your website. Commonly adversaries will attempt these attacks on ADFS/O365 applications since they go against internal credentials and the configurations are widely publicized. As an example, if you want to check if an organization uses O365, it couldn’t be easier. Simply use the following URL and replace user@domain with that of your choosing. https://login.microsoftonline.com/getuserrealm.srf?login=user@domain.com&xml=1. If the “NameSpaceType” returns “Managed” then O365 is in use, if it’s “Federated” then it uses an ADFS, and if “Unknown” then it doesn’t exist.
- Generate potential usernames – Discovering employees of a company is usually a Google or LinkedIn search away. Organizations are proud of their employee’s and are intentionally not trying to hide this information. However, username format can vary between organization to organization. This is where a little research can go along way into the success or failure of password spraying attacks. There are multiple avenues for reconnaissance such as, utilizing search engines, navigating company website, reviewing metadata in documents, and many more but you get the idea. Another important note is that there are ways of determining a valid/non-valid user by response times in services such as O365, which unfortunately they fail to consider a vulnerability.
- Generate potential passwords – You would think that this would be difficult but its probably the easiest part. Almost all organizations fall victim to users that have a “relaxed” stance on password security. In other words, human nature suggests that they pick something easy for them to remember and to type. These passwords include things like “Spring2020” or “Password123!” or “<CompanyName>1”. Publicly disclosed breach data is also a wealth of password knowledge.
- Conduct password spray – Now it’s time to try all the combinations! There are multiple toolsets to choose from but an application testing tool such as BurpSuite works well. What these tools will do is automatically try multiple combinations as set forth by the attacker and return information back letting them know if the credential works or not.
Why are they so successful?
Password spraying attacks go up against the likelihood that users fail to choose strong passwords and a company’s reluctance to use multi-factor authentication. Additionally, this style of attack avoids many deterrence such as account lockouts, blacklisting, and alerting.
What you can do about it?
The good news is that you can help reduce your risk to this attack vector relatively easily.
- Utilize multi-factor authentication.
- Reduce external facing login portals by forcing users through a VPN first.
- Reduce the lockout threshold for login failures.
- Enforce a strong password policy by enforcing lengthy, complex, and unique passwords. Additionally, implement a password blacklist to avoid common and easily guessed passwords.
- Utilize security awareness training and password audits.
- Configure SIEM alerts to pick up login behavior anomalies and audit logs regularly.
