T1110.003 - Password Spraying
Practical Password Spraying for Everyone
Hey! Welcome to Attack Vector, the email that gives you your daily dose of offensive cyber info.
In Today’s Email:
🎯 MITRE ATT&CK T1110.003 - Password Spraying
⚔️ Practical Password Spray Execution
🛡️ Defending Against Password Spray Attacks
🎯 T1110.003 - Password Spraying
Password spraying is a type of cyber attack where an attacker attempts to access multiple accounts (usernames) with a few commonly used passwords, as opposed to a brute force attack where numerous passwords are tried against a single account. This technique is typically employed to avoid account lockouts that can arise from multiple incorrect password attempts on a single account.
In a password spraying attack, the attacker acquires a list of valid usernames for a given system and then tries a small number of commonly used passwords (like '123456', 'password', 'admin', etc.) against these usernames. The attacker often spaces out the login attempts to evade account lockout policies and avoid detection by security systems monitoring for multiple failed login attempts.
Organizations can defend against password spraying attacks by implementing multi-factor authentication (MFA), enforcing strong password policies, monitoring for and alerting on unusual login attempts (multiple failed user logins from the same source), and regularly educating users about the importance of using unique and complex passwords. Regularly auditing and reviewing account activity, especially for accounts with elevated privileges, can also help in identifying and mitigating such attacks.
⚔️ Practical Password Spray Execution
Executing a password spray attack is trivial in nature. It requires a couple of things: a list of usernames, an authentication portal (think OWA, SSH, RDP, etc.) and educated guessing for passwords.
An attacker will utilize public information to collect the required components to execute the attack. If I were to execute the attack I would check password dumps; this would give me an idea of what your company username structure looks like (e.g. joe.smith, jsmith, smithj, etc.), and there may also be some indicators of password policies or password patterns in the dumps. I’m looking for things like companyName1!, Welcome1!, etc. I would also scrape LinkedIn, check the company website, and anything else that may have a list of employees.
After collecting password data and usernames, we are looking for authentication portals. These aren’t hard to find, and businesses usually have several of them. Think about your own company and anywhere you log in with your employee credentials. Each of those should be treated as a potential target for password spraying and defended accordingly.
🛡️ Defending Against Password Spray Attacks
There are several different things that can be layered to create a strong defense against password spraying attacks, but we will only talk about a few of the most effective tactics.
Multi-Factor Authentication: It’s nothing new at this point, but the problem is that there are still legacy authentication portals that aren’t using it. It has become a common practice to implement MFA on your email accounts, but technically it doesn’t stop password spraying attacks from providing successful results, it only stops an attacker from gaining access to the email account. The account can still be used in other authentication portals owned by the company.
Proper Monitoring and Automated Prevention: In real time, it’s hard for an analyst to spot an attack like password spraying; there may be a 5-10 minute, or even 1 hour or longer, delay before the info reaches them. Automated protections should be applied with strong rulesets to detect password spray attacks. This could look something like:
IP Address X failed authentication 10 times in less than 15 minutes. (This could be difficult with shared IP addresses and would need tuning.)
You would have to whitelist your own IP addresses and apply a different ruleset for them.
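The rule above, implemented as a sliding-window detector over failed-authentication events, with the allowlist for your own IPs built in. This is an added example written for this post, not code from the newsletter; the log line format, IP addresses and usernames are constructed, and the detector also reports how many distinct users each alerting source hit, since many users from one source is what distinguishes a spray from a single user mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical line format, not from any real product):
# 203.0.113.7 tries one password against ten users, one attempt per minute;
# 198.51.100.9 does the same but 20 minutes apart (outside the 15-minute window);
# 192.0.2.10 stands in for the company's own egress address (allowlisted).
USERS = ["joe.smith", "jsmith", "smithj", "jane.doe", "jdoe",
         "doej", "admin", "hr", "it.help", "sales"]
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T09:{i:02d}:30Z FAIL src=203.0.113.7 user={u}" for i, u in enumerate(USERS)]
    + [f"2024-03-01T{10 + i // 3:02d}:{(i % 3) * 20:02d}:00Z FAIL src=198.51.100.9 user={u}"
       for i, u in enumerate(USERS)]
    + [f"2024-03-01T09:{i:02d}:00Z FAIL src=192.0.2.10 user=svc.backup" for i in range(12)]
)
LINE_RE = re.compile(r"^(?P<ts>\S+) FAIL src=(?P<ip>\S+) user=(?P<user>\S+)$")

def parse_failures(text):
    """Return (timestamp, source_ip, username) for every failed-auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"]))
    return events

def detect_spray(events, threshold=10, window=timedelta(minutes=15), allowlist=frozenset()):
    """Map each alerting source IP to the number of distinct usernames it hit.
    An IP alerts once it has `threshold` failures inside any `window`-long span.
    Allowlisted IPs are skipped so they can get their own, separately tuned rule."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        if ip not in allowlist:
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, hits in by_ip.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                # many distinct users from one source is the spray signature
                alerts[ip] = len({u for _, u in hits[start:end + 1]})
                break
    return alerts
```

The slow source never trips the 15-minute rule, which is exactly the spacing trick the technique description mentions; a second rule counting distinct usernames per source over hours or a day is the complementary check.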
Rate-Limiting: This can be defeated using proxies, but it’s an easy protection to implement and requires attackers to jump through another hoop to bypass your protections. Every authentication portal or API should have rate-limiting enabled.
References:
MITRE ATT&CK Technique: https://attack.mitre.org/techniques/T1110/003/