
09 Jul What is ‘Password Spraying’ and how to protect against it
Dictionary and brute-force attacks have been around for a long time. The first consists of trying each password from a list and checking whether access is granted for a given username. The second tries every possible combination of characters from a given set as the password. Protecting against both is straightforward: after three failed login attempts for one user within a given time window, the account is locked.
But now there is a different approach to password attacks that circumvents the lockout functionality. Instead of iterating through a password list, a specific password is chosen and tested against a set of usernames. By trying only a few of the most common passwords against many user accounts, we can identify the one person who is using ‘Password1’ or ‘Summer2017’.
A large list of usernames can be gathered using a variety of methods, such as Open Source Intelligence (OSINT) tools like recon-ng or theharvester, SMB null sessions, or net user if it is an internal assessment. Several tools are freely available to perform such attacks: Spray, a password spraying tool for Active Directory credentials; Burp Intruder; or even a loop with curl.
Now that we know what it is and what tools we can use to perform this attack, how do we detect and prevent it?
#1: Ban common passwords. Enforce better passwords for everyone.
Many organisations are indeed vulnerable to a password spray attack, because their users either keep a weak password or use one that attackers can easily guess.
One of the most effective approaches to stopping these attacks is to prevent users from choosing common passwords in the first place. Check the ‘Have I Been Pwned’ site, which offers a dictionary of all passwords that have appeared in a breach: https://haveibeenpwned.com/passwords. You should also look at the API; you can use it, for example, to prevent a user from choosing a password that has already been breached.
Some tools the community has already built:
- https://jacksonvd.com/checking-for-breached-passwords-in-active-directory/
- https://github.com/Ne0nd0g/ADPasswordHealth
- https://github.com/eth0izzle/cracke-dit
You should also review your password policies and consider setting passwords to never expire, so your users don’t fall into seasonal patterns when creating them.
#2: IP Lockout
You should implement an IP lockout. That means logging and monitoring the IP addresses that are trying to log in to your system. If you detect IP addresses that are generating multiple failed authentication attempts, you should slow down responses.
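As an added example (not part of the original post), the following Python detector runs over a constructed authentication log (format, IPs and usernames invented here) and shows why the per-account lockout from the introduction stays silent during a spray while a per-source-IP view of failures across many distinct accounts does not.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the post): "<ISO ts> <src IP> <user> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2018-07-09T10:00:01 203.0.113.5 alice FAIL
2018-07-09T10:00:03 203.0.113.5 bob FAIL
2018-07-09T10:00:04 203.0.113.5 carol FAIL
2018-07-09T10:00:06 203.0.113.5 dave FAIL
2018-07-09T10:00:07 203.0.113.5 erin FAIL
2018-07-09T10:00:09 203.0.113.5 frank SUCCESS
2018-07-09T10:01:00 198.51.100.7 hank FAIL
2018-07-09T10:01:05 198.51.100.7 hank FAIL
2018-07-09T12:30:00 203.0.113.5 grace FAIL
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def per_account_lockouts(events, threshold=3):
    """Classic lockout: accounts with >= threshold failures, from any source."""
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return {u for u, n in fails.items() if n >= threshold}

def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Spray signature: one source IP failing against >= min_users distinct
    accounts within a sliding time window. Returns {ip: set_of_users}."""
    per_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            per_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # drop failures older than the window
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged
```

On the sample log, `per_account_lockouts` returns an empty set (no account reaches three failures), while `detect_spraying` flags 203.0.113.5 for five distinct accounts within ten minutes; the later failure against grace falls outside the window and is not counted.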
#3: Use Two-Factor Authentication
You should enforce two-factor authentication everywhere it is technically feasible. Two-factor authentication (2FA) is a multi-stage method of verifying that you are who you say you are. Typically, it’s a combination of something you know (a password) and something you have access to (a phone). The second factor could be an SMS, a code in an app or even an automated phone call.
Password-spraying attacks have become the favourite technique of attackers for getting access to different systems and into your company’s network. You should be aware of this technique and take actionable steps to prevent and detect it.
Side Note: The following guide from Trimarc Security can be used to configure detection of AD password spraying through security event auditing: https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing
Written by Nicolas Brahim, Security Consultant, Solista