We have all heard of the term “brute force attack,” which refers to an attack technique in which many passwords are attempted against a single username. This attack technique is the reason most accounts will lock out after a few failed logon attempts.
Widespread use of effective lockout thresholds (e.g., allowing only three password attempts before locking the account) makes such brute force attacks virtually obsolete. However, by inverting this attack technique so that it attempts a single password against many usernames, guessing passwords remains effective to this day.
Password spraying is an inverted brute force attack technique that tries a single password against many usernames.
Using password spraying against an organization’s security, the attacker attempts to log in to every available username with a single password, so each account registers only one failed login attempt. Because most login observation windows are relatively short (15 to 60 minutes), a new attempt can be made every hour or so without ever locking out an account. With enough usernames and a few good password guesses, this technique can be very effective. I have personally utilized this technique many times during penetration testing with significant success.
The first step to perform an effective password spray is to identify an external-facing login page, such as an OWA or an employee web portal. Any login page can be sprayed, but for this article, we will focus on login pages that leverage Active Directory authentication. The next step is to obtain a list of usernames.
Hackers know who works for you. Obtaining usernames can be easily done through a number of Open Source Intelligence (OSINT) gathering techniques, including LinkedIn scrapers, Google advanced searches and metadata harvesters. It is infeasible to prevent a dedicated attacker from determining the names of everyone who works at a particular company.
The next thing needed to perform an effective password spray is a list of passwords to guess. The short list can be generic, with passwords such as “Spring2018!” or specific to a company, such as “Company123!”.
For truly effective password spraying, the hacker needs a tool to automate the spraying. There are a number of free tools that can accomplish this, including custom Python scripts and software such as Burp Suite. The hacker puts it all together, sets the tool to spray at a rate of once per day and then waits for successful logins to exploit. The higher the volume of usernames, the faster the results.
I encourage every organization to ask themselves these key questions regarding password spraying:
- Can we detect a password spraying attack?
- How would we respond to a password spraying attack if we detected it?
- What mitigations are in place to prevent a password spraying attack?
The following is required to detect password spraying:
- Domain Controller logs
- Centralized logging with correlation capabilities (SIEM, ELK, etc.)
The key to detecting password spraying is to monitor Windows Event ID 4625 “Failed Login Attempt”. If an attacker is password spraying, a high number of these events will be generated within a small window of time. Understanding your organization’s typical volume of these events is crucial in determining the threshold that qualifies as an atypical number of failed login attempts. In addition to the overall volume of events, the source IP for each login attempt can be observed. In some environments, a single IP address is never used by more than one user. With that baseline of typical use, more than one user failing to log in from a single IP address likely indicates a password spraying attack.
Once a password spraying attack has been identified, the first step should be to block the source IP via ACLs or via DDoS protection systems if the attack is sourced from outside the network. If sourced from inside the network, the server or host should be taken off the network and forensically examined in a way that preserves volatile memory artifacts.
Once the attack has been stopped, it is crucial to determine if the password spray was successful. To do this, filter the event logs from that IP address to see if there were any authentication successes (Event ID ‘4624’) and then reset those users’ passwords immediately. Another indicator of a password spraying attack is a high number of successful authentications using multiple user credentials from the same IP address.
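The detection and triage logic of the paragraphs above, as an added example that is not code from the article: it runs over a constructed sample of Security log records reduced to four fields (timestamp, Event ID, target account, source IP), which in practice would be the parsed 4625/4624 events held in your SIEM. The hourly 4625 volume, the 60-minute window and the threshold of five distinct accounts per source IP are assumed values to be tuned against your own baseline.

```python
"""Password spray detection over Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp,event_id,account,source_ip" per line.
# 203.0.113.7 fails six different accounts in one minute, then one succeeds;
# 198.51.100.4 is a single user mistyping a password; 10.0.0.5 is normal use.
SAMPLE_LOG = """\
2018-04-02T08:00:05,4625,alice,203.0.113.7
2018-04-02T08:00:06,4625,bob,203.0.113.7
2018-04-02T08:00:08,4625,carol,203.0.113.7
2018-04-02T08:00:09,4625,dave,203.0.113.7
2018-04-02T08:00:11,4625,erin,203.0.113.7
2018-04-02T08:00:12,4625,frank,203.0.113.7
2018-04-02T08:01:30,4624,erin,203.0.113.7
2018-04-02T08:15:00,4625,alice,198.51.100.4
2018-04-02T08:15:20,4625,alice,198.51.100.4
2018-04-02T08:15:45,4624,alice,198.51.100.4
2018-04-02T09:30:00,4625,gina,10.0.0.5
2018-04-02T09:30:10,4624,gina,10.0.0.5
"""

WINDOW = timedelta(minutes=60)   # assumed observation window
DISTINCT_USER_THRESHOLD = 5      # assumed: distinct accounts failing from one IP


def parse_events(text):
    """Parse the simplified CSV into time-ordered (ts, event_id, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, account, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), account, ip))
    return sorted(events)


def hourly_failure_counts(events):
    """Volume of 4625 events per hour, to compare against the known baseline."""
    counts = defaultdict(int)
    for ts, eid, _, _ in events:
        if eid == 4625:
            counts[ts.strftime("%Y-%m-%dT%H")] += 1
    return dict(counts)


def detect_spray(events, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Map source IP -> accounts, for IPs where at least `threshold` distinct
    accounts failed to log on within any span of length `window`."""
    failures = defaultdict(list)          # ip -> [(ts, account)] in time order
    for ts, eid, account, ip in events:
        if eid == 4625:
            failures[ip].append((ts, account))
    flagged = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):     # sliding window over this IP's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) >= threshold:
                flagged.setdefault(ip, set()).update(accounts)
    return flagged


def successful_logons_from(events, ips):
    """Accounts with a 4624 success from a flagged IP: reset these passwords first."""
    hits = defaultdict(set)
    for _, eid, account, ip in events:
        if eid == 4624 and ip in ips:
            hits[ip].add(account)
    return dict(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("4625 per hour:", hourly_failure_counts(evs))
    flagged = detect_spray(evs)
    print("suspected spray sources:", {ip: sorted(a) for ip, a in flagged.items()})
    print("successes from those IPs:", successful_logons_from(evs, flagged))
```

Counting distinct accounts per source IP rather than raw failures is what separates a spray from one user mistyping a password, and the final step turns the flagged IP directly into the list of accounts whose passwords need resetting.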
One method of general mitigation is Geo IP Filtering. This technique blocks all foreign IPs from accessing the login page. This method is only applicable if employees of your organization do not travel internationally. Although this is not a true mitigation, since an attacker can simply use a non-foreign IP, it will reduce the overall volume of attempts.
A very effective mitigation technique is a strong password policy. Specifically, a minimum length of at least 12 characters, and password blacklisting, will greatly reduce the success of password spraying. Blacklisting common passwords such as “Spring2018!” or “Company123!” prevents users from having guessable passwords. Leverage the information provided from your annual penetration testing services to continuously improve your blacklist dictionary.
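A password policy check of the kind described above, as an added example that is not the article's code: it enforces the 12-character minimum and rejects the guessable patterns the article names, catching “Spring2018!”-style and “Company123!”-style choices even when the year, punctuation or letter substitutions change. The common-word list is constructed, and COMPANY_NAMES is a placeholder an organization would fill with its own names and abbreviations.

```python
"""Password blacklist check against spray-style guesses (added example)."""
import re

MIN_LENGTH = 12
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
COMMON_STEMS = {"password", "welcome", "changeme", "letmein", "qwerty"}  # constructed
COMPANY_NAMES = {"company", "acme"}  # assumed placeholder: use your org's own names
BLACKLIST_STEMS = SEASONS | COMMON_STEMS | COMPANY_NAMES

# Undo the usual letter-for-symbol substitutions so "P@ssw0rd" reads as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})
# Trailing digits (a year, "123") followed by punctuation ("!", "!!", "#").
TRAILER = re.compile(r"[0-9]*[^a-z0-9]*$")


def normalize_stem(pw):
    """Lower-case, strip the digit/punctuation suffix, then undo leet substitutions."""
    stem = TRAILER.sub("", pw.lower())
    return stem.translate(LEET)


def check_password(pw, company_names=COMPANY_NAMES):
    """Return (accepted, reason) for a proposed password."""
    if len(pw) < MIN_LENGTH:
        return False, "shorter than 12 characters"
    stem = normalize_stem(pw)
    if stem in BLACKLIST_STEMS:
        return False, f"blacklisted stem '{stem}' plus digits/punctuation"
    # Company names anywhere in the password, ignoring digits and symbols.
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    for name in company_names:
        if name in letters:
            return False, f"contains company name '{name}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Spring2018!", "Spring2018!!", "C0mpany123!!",
                      "P@ssw0rd2018!", "MyAcmeLogin2018", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

Matching on the normalized stem rather than the literal string is what keeps the blacklist useful after the calendar turns; add each password a penetration test sprays successfully to COMMON_STEMS in the same stripped form.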
The most effective mitigation technique is multi-factor authentication. When properly implemented and configured, multi-factor authentication prevents an attacker from leveraging any credentials that were successfully sprayed. We strongly recommend that multi-factor authentication be implemented on all external-facing resources, especially OWA and VPN.
Another technique to mitigate password spraying is to configure the observation window for failed login attempts to only reset upon successful login, instead of an interval of time. This will likely result in more account lockouts, but will prevent attackers from being able to spray within the observation window without building up failed login counts.
Take-away — How to be protected.
Password spraying is one of the most prevalent and successful attack techniques being used today. As penetration testers, we utilize this technique frequently, and it often results in unauthorized remote access for small and large organizations. Many of the mitigation steps listed above would have prevented that level of remote access and therefore became part of our recommendations to clients.
Don’t wait for your organization to fall victim to a password spraying attack. Be proactive and develop detection and mitigation capabilities before it’s too late. As always, feel free to reach out to Schneider Downs Cybersecurity Team for any and all cybersecurity-related questions.