Penetration testers, or ethical hackers, use the same tactics, techniques and procedures (TTPs) as cyber attackers, but on behalf of an organization, to identify vulnerabilities to be remediated before the bad guy gets to them. A password spray attack is a common way our pen testers infiltrate networks; so much so that we feel it’s important to call attention to this technique.
In this Q&A session, Avertium’s Michael Berardi answers questions about password spraying and what can be done to protect against this type of cyberattack.
Question: What is a Password Spray?
Michael Berardi: A password spray attack is a method where a bad actor tries to gain account access by presenting one password – usually a commonly used one – against a large number of usernames. Spreading these attempts allows the attack to stay below the threshold that would trigger a security alert.
Password spraying is different from a typical brute force or dictionary attack. With those, an attacker presents a large number of passwords to one username in rapid succession.
An example of a password used in a spray attack is “Spring2020!”. This password meets most complexity requirements, is easy enough to remember, and is easily rotated by replacing the season every 90 days. The larger the organization the more likely it is that someone would use this password.
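The distinction drawn above (one password across many users versus many passwords against one user) is also what a defender looks for in authentication logs. The following is an added example, not Avertium's tooling or anything from the original post: it parses a constructed log format of the form `<ISO timestamp> <OK|FAIL> <username> <source ip>`, then flags a source as "spray" when it produces failures for many distinct users with only one or two failures each inside a time window, and as "brute_force" when it hammers a single user. The thresholds (`spray_users`, `per_user_cap`, `brute_attempts`, `window`) are assumptions a defender would tune to the local lockout policy.

```python
"""Flag password-spray and brute-force patterns in authentication logs.

Added illustration, not the article's or Avertium's code. The log format and
the sample lines below are constructed; thresholds are assumptions to tune.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one spraying source (many users, one failure each,
# then a success), one brute-forcing source (one user, many failures), and
# one ordinary user who mistyped once.
SAMPLE_LOG = """\
2020-03-02T09:00:01 FAIL alice 203.0.113.7
2020-03-02T09:00:04 FAIL bob 203.0.113.7
2020-03-02T09:00:07 FAIL carol 203.0.113.7
2020-03-02T09:00:10 FAIL dave 203.0.113.7
2020-03-02T09:00:13 FAIL erin 203.0.113.7
2020-03-02T09:00:16 OK frank 203.0.113.7
2020-03-02T09:00:20 FAIL grace 203.0.113.7
2020-03-02T09:01:00 FAIL heidi 198.51.100.9
2020-03-02T09:01:01 FAIL heidi 198.51.100.9
2020-03-02T09:01:02 FAIL heidi 198.51.100.9
2020-03-02T09:01:03 FAIL heidi 198.51.100.9
2020-03-02T09:01:04 FAIL heidi 198.51.100.9
2020-03-02T09:01:05 FAIL heidi 198.51.100.9
2020-03-02T09:05:00 FAIL alice 192.0.2.44
2020-03-02T09:05:30 OK alice 192.0.2.44
"""


@dataclass
class AuthEvent:
    when: datetime
    ok: bool
    user: str
    src: str


def parse_log(text: str) -> list:
    """Parse the constructed format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), result == "OK", user, src))
    return events


def classify_sources(events, window=timedelta(minutes=10), spray_users=5,
                     per_user_cap=2, brute_attempts=5) -> dict:
    """Return {source_ip: verdict} for sources showing a suspicious pattern.

    spray        : >= spray_users distinct users failing, <= per_user_cap
                   failures each, inside one window from a single source
    brute_force  : >= brute_attempts failures against one user from a source
    A '+success' suffix marks a success from the same source after the
    first failure, which is the case worth paging someone about.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.when)
        fails = [e for e in evs if not e.ok]
        verdict = None
        # Slide a window starting at each failure and count failures per user.
        for i, start in enumerate(fails):
            in_win = [e for e in fails[i:] if e.when - start.when <= window]
            per_user = defaultdict(int)
            for e in in_win:
                per_user[e.user] += 1
            if len(per_user) >= spray_users and max(per_user.values()) <= per_user_cap:
                verdict = "spray"
                break
            if max(per_user.values()) >= brute_attempts:
                verdict = "brute_force"
                break
        if verdict:
            first_fail = fails[0].when
            if any(e.ok and e.when >= first_fail for e in evs):
                verdict += "+success"
            verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

The per-user cap is the important knob: a spray deliberately stays under the account lockout threshold, so a rule that only counts failures per account never fires. Counting distinct accounts per source (or per ASN, or per user-agent, when the attacker rotates source addresses) is what surfaces it.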
Question: I have multi-factor authentication in place. Why should I worry?
Michael Berardi: If a password spray is successful and multi-factor authentication is implemented, then a user may be prompted to enter a code or request a push. This is difficult to bypass outside of a hopeful push request, but second-factor “token” vendors such as Okta often provide the geographic location when a push request is presented.
Ideally the request for an additional authentication factor is made whether the entered password is correct or not. However, if that factor is only requested when the entered password is correct, the attacker has, by default, learned the password. Some call this form of authentication multi-step.
If an organization is using the texting services of a telecommunication carrier, i.e. SMS, it’s not that difficult to “clone” the target’s phone by SIM swapping. If the targeted account belongs to someone with elevated privileges or with access to valuable or critical assets, the effort to perform that cloning may be rewarded.
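The "multi-step" flaw described above, where the second factor is only requested once the password has been accepted, is easiest to see in code. The following is an added example and not code from the original post or from any vendor: `login_multistep` returns a distinct result when the password is right (it asks for a code), so a spray against it confirms passwords even though the account is never fully opened; `login_multifactor` evaluates both factors and returns the same generic answer for every failure. The user store, salt, password and TOTP secret are constructed test values (the TOTP secret is the RFC 4226 test key), and the TOTP implementation follows RFC 6238.

```python
"""Multi-step (leaky) versus multi-factor (non-leaky) login.

Added illustration, not the article's code. Users, salts and secrets below
are constructed; the TOTP routine follows RFC 4226 / RFC 6238.
"""
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password with RFC 4226 dynamic truncation."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30) -> str:
    """Time-based OTP: HOTP over the current 30-second step (RFC 6238)."""
    return hotp(secret, at_time // step)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: one real account plus a dummy record used so that
# unknown usernames cost the same work as known ones.
_SALT = b"constructed-salt"
_TOTP_SECRET = b"12345678901234567890"
USERS = {
    "alice": {"pw": hash_password("Spring2020!", _SALT), "salt": _SALT,
              "totp": _TOTP_SECRET},
}
_DUMMY = {"pw": hash_password("dummy", _SALT), "salt": _SALT, "totp": b"dummy-secret"}


def check_password(rec: dict, password: str) -> bool:
    return hmac.compare_digest(rec["pw"], hash_password(password, rec["salt"]))


def verify_totp(rec: dict, code: str, now: int) -> bool:
    return hmac.compare_digest(totp(rec["totp"], now), code or "")


def login_multistep(username: str, password: str, code: str = None, now: int = 0) -> str:
    """Leaky flow: the second factor is requested only after the password passes.

    A caller that never supplies a code still learns, from the
    'second_factor_required' result, that the password was correct.
    """
    rec = USERS.get(username)
    if rec is None or not check_password(rec, password):
        return "bad_password"
    if code is None:
        return "second_factor_required"   # this response is the oracle
    return "ok" if verify_totp(rec, code, now) else "bad_code"


def login_multifactor(username: str, password: str, code: str, now: int) -> str:
    """Non-leaky flow: both factors are collected up front and both are
    checked; every failure mode produces the same 'denied' answer."""
    rec = USERS.get(username, _DUMMY)
    pw_ok = check_password(rec, password)
    code_ok = verify_totp(rec, code, now)
    return "ok" if (pw_ok and code_ok and username in USERS) else "denied"


if __name__ == "__main__":
    t = 59
    print(login_multistep("alice", "Spring2020!"))                  # second_factor_required
    print(login_multistep("alice", "wrong"))                        # bad_password
    print(login_multifactor("alice", "Spring2020!", "000000", t))   # denied
    print(login_multifactor("alice", "wrong", totp(_TOTP_SECRET, t), t))  # denied
    print(login_multifactor("alice", "Spring2020!", totp(_TOTP_SECRET, t), t))  # ok
```

In the non-leaky flow the response does not tell a spraying client which of the two factors failed, so a confirmed password cannot be harvested for reuse elsewhere. Real deployments also need rate limiting and a constant-time path for unknown usernames (the dummy record above is a minimal version of that).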
Question: Who cares if a password is confirmed if multi-factor authentication is in place?
Michael Berardi: If a user has a common password, it raises the likelihood that the user may be reusing the same password on other types of accounts such as email. Or if single sign-on (SSO) is utilized, then that password can be “stuffed” or reused in other systems that might not have multi-factor in place. Open source intelligence (OSINT) can help discover additional or third-party systems where SSO is utilized.
The possibility of multi-factor authentication either not being in place on a system or not being configured for all users could lead to the exposure of sensitive data or be the first step in compromising a system.
Question: There are no gaps on the external network, so there is no concern?
Michael Berardi: Disgruntled insiders and rogue devices placed on your network are still a potential risk. Industry leaders have blogged about external attacks against Exchange OWA portals with password spraying attacks. Unfortunately, the same attack can be performed against an Exchange server on the internal network. Other systems that utilize LDAP, SSO, and the like may still be targets.
Question: Wait, doesn’t an attacker have to find numerous usernames and a domain name in order to perform a password spray attack?
Michael Berardi: Not necessarily. Email addresses can provide a template for the name of the domain and usernames. Getting access to a company directory allows the attacker to build a set of probable usernames.
There are lots of articles on how to enumerate usernames through open source intelligence. For example, a successful attack through a combination of vulnerabilities may lead to the exfiltration of usernames.
- An example is “MS Exchange Client Access Server Info Disclosure”, which is a medium-level vulnerability but provides an internal IP of the Exchange server. This would help focus an attack if a rogue device was placed on the network or if remote access was obtained to a host within the network.
- The low-level vulnerability “Web Server HTTP Header Internal IP Disclosure” could also provide comparable information in the form of an internal IP.
- If a null share can be established on port 445, then the tool Enum4linux may potentially extract all AD users and the password policy to further tune a password spray attack. This is dangerous since service accounts may also be enumerated and added to the password spray user list. An overworked or lazy administrator may utilize a common password such as “Password1!” to quickly set up and test a service account with little concern since it is an internal account. Here is an example of the discovery of a password policy and service accounts from a group in Active Directory.
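Both the “Spring2020!” example earlier in the interview and the “Password1!” service-account example above pass ordinary complexity rules, which is why they are sprayed. The countermeasure is a blocklist-and-pattern check run at password-set time, the approach the NIST password guidelines recommend. The following is an added example, not from the original post: it lowercases the candidate, tests the alphanumeric core against a season-or-month-plus-year pattern, strips the trailing digits and symbols that people bolt on to satisfy complexity rules, undoes common character substitutions, and compares the remaining base word against a small blocklist and any organization-specific words the caller supplies. The blocklist and substitution map are deliberately short constructed samples.

```python
"""Reject guessable passwords that still satisfy complexity rules.

Added illustration, not the article's code. The blocklist, the
substitution map and the example passwords are constructed samples; a real
deployment would load a large breached-password list instead.
"""
import re

SEASONS = ("spring", "summer", "fall", "autumn", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
BLOCKLIST = {"password", "welcome", "letmein", "changeme", "qwerty", "admin"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

_SEASON_YEAR = re.compile(r"(%s)(19|20)?\d{2}" % "|".join(SEASONS + MONTHS))


def base_word(password: str) -> str:
    """'Password1!' -> 'password', 'P@ssw0rd2020' -> 'password'."""
    lowered = password.lower()
    stripped = re.sub(r"[0-9!@#$%^&*._\-]+$", "", lowered)  # drop trailing decoration
    return stripped.translate(LEET)


def is_weak(password: str, org_words=(), min_length: int = 8):
    """Return (weak, reason). reason is None when the password is acceptable."""
    if len(password) < min_length:
        return True, "shorter than minimum length"

    core = re.sub(r"[^a-z0-9]", "", password.lower())
    if _SEASON_YEAR.fullmatch(core):
        return True, "season or month followed by a year"

    base = base_word(password)
    if base in BLOCKLIST:
        return True, "base word on blocklist"
    for word in org_words:
        if word.lower() in base:
            return True, "contains organization-specific word"
    return False, None


if __name__ == "__main__":
    for candidate in ("Spring2020!", "Password1!", "P@ssw0rd2020", "Avertium2020!",
                      "correct horse battery staple"):
        print(candidate, "->", is_weak(candidate, org_words=("Avertium",)))
```

The order matters: the season-plus-year test runs on the raw core before substitutions are undone, because mapping `0` to `o` would turn `spring2020` into something the year pattern no longer matches. Running this check when passwords are set, for service accounts as well as people, removes exactly the candidates a spray is built around.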
Michael Berardi is an Avertium security analyst. As a member of the security assessments team, Michael performs penetration tests to help customers identify cybersecurity vulnerabilities. Michael has more than ten years’ experience in the technical field, and focuses on providing Avertium customers with clear and concise information to help them show no weakness.