During a penetration test, login credentials are a highly sought-after item. While it is common to harvest that information via email scams (phishing attacks), it is not always the most practical or effective tactic to gain unauthorized access. That access, however, still requires a valid set of credentials. This poses a challenge. How does an attacker find valid accounts without social engineering? There are two main options: breached credentials and password spraying.
Breached Credentials (Credential Stuffing)
This option is easy, but it can be time-consuming and requires patience and the ability to tie accounts to a person.
A simple example:
A user uses their work email to sign up for LinkedIn. If LinkedIn were to be compromised and the emails and passwords were to be leaked, an attacker could use this email and password to log into the user's work VPN portal.
A more complicated example:
A user uses the same password for their Netflix and banking account but different emails. Suppose Netflix were to be breached and the email addresses and passwords or hashes are leaked online. In that case, someone could tie a corporate email to a personal email, try the same password, and gain access to organizational information.
Password Spraying
This attack involves finding valid account names or emails and guessing the password. Attackers use brute-force techniques to test a small number of common passwords against many usernames or test a larger number of passwords against fewer or even a single account.
Manual example:
An attacker found a valid account: user1@company.com
The attacker attempts to log into the email portal with a commonly used password, "Password."
If that fails, the attacker continues attempting to log in using "Password1," then "Password12," and finally "Password123," until they eventually gain access.
How do I pick what to guess?I have the best chance of success by using the most common passwords. These are some of the least secure passwords ever:
- 123456
- qwerty
- password
- 1q2w3e
- 1111111
These used to be much more common. However, many sites have adopted password policies that require 8 character minimums, capital and lowercase letters, a number, and possibly a symbol.
From there, we can adapt the above list using other common passwords:
- Fall2020!
- Pa$$w0rd
- IHatePasswords123 – yes, this is something I guess
- CompanyName21
- Vikings2021
Performing any of these attacks through the web portal is effective, but it won’t scale. Guessing more than 5 passwords can be too much for a manual login attempt. It is a mindless repetitive task that no one should do by hand… ever.
Automation!These attack techniques can be effective, especially if the target is not paying attention to their logs or does not have a SOC or SIEM. This access method does not require social engineering, so it can be performed with relative ease against most web services with little overhead infrastructure. All the attacker needs is a computer with an internet connection. Once a password returns as valid, the attacker may quit the attack and move to internal information gathering, internal network access, or potentially sending a phishing email from the compromised user's account.
Attackers have automated many of the processes necessary to perform this attack. There are quite a few open-source password spraying tools out there. However, none of them were as flexible as I wanted or as feature-rich. Few supported MFA detection capability, most supported only one service, and almost none supported password lists with a delay between attempts. Many open-source tools weren't templated, so they would be difficult to expand.
So I wrote a new tool based on the features I wanted, called…
Link: https://github.com/CausticKirbyZ/spraycannon
By templating a web request, I was able to create logic and a framework to build a very feature-rich spraying tool that includes capabilities for:
- Multithreaded
- 11 different services at the moment (office365,owa,adfs,cisco_vpn, infinitecampus…etc). With more being added where I can
- Back-end database so that previous sprayed credentials will not be resprayed
- Usernames/passwords from cli or file
- Lockout detection where possible
- MFA detection if possible (can set mfa off depending on the service type)
- Username:password combo – for those breached credentials lists
- Username as a password
- Delay between passwords
- Jitter between individual attempts
- Webhooks – so I get notifications when a valid credential is found
- More!
These features can be applied to any spray type I create. I also built a template for easy and on-the-fly template building. This method is an effective way to capture a login request, analyze it, and duplicate the request in 20-30 minutes. This way, I can find any login portal I want and start spraying very quickly.
As penetration testers, we use a lot of open-source (free) tools. Part of my goal in creating this tool is to give back to the security community and hopefully help others as they have helped me.
Defender Takeaways
Credential stuffing/spraying is a well-known and commonly used technique. However, logs can show all of the malicious attempts. If the target has configured good logging, monitoring, and alerts, they can possibly identify and prevent these attacks. Mass login attempts or a sudden influx of login failures are two easy items a Security Operations Center (SOC) can detect. Multifactor authentication (MFA), well-socialized password policies, and password vaults like 1Password and LastPass can help users protect their accounts.
References
https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
https://attack.mitre.org/techniques/T1110/003/