Dark Mode
Capec-565 Detail
Password Spraying
Detailed Software Likelihood: High Typical Severity: High
Parents: 49
Threats: T71 T263 T271 T279 T292 T307 T385 T398
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
Password Spraying attacks often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. Successful execution of Password Spraying attacks usually lead to lateral movement within the target, which allows the adversary to impersonate the victim or execute any action that the victim is authorized to perform. If the password chosen by the user is commonly used or easily guessed, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern. Password Spraying Attacks are similar to Dictionary-based Password Attacks (CAPEC-16) in that they both leverage precompiled lists (i.e. dictionaries) of username/password combinations to try against a system/application. The primary difference is that Password Spraying Attacks leverage a known list of user accounts and only try one password for each account before moving onto the next password. In contrast, Dictionary-based Password Attacks leverage unknown username/password combinations and are often executed offline against files containing hashed credentials, where inducing an account lockout is not a concern. Password Spraying Attacks are also similar to Credential Stuffing attacks (CAPEC-600), since both utilize known user accounts and often attack the same targets. Credential Stuffing attacks, however, leverage known username/password combinations, whereas Password Spraying attacks have no insight into known username/password pairs. If a Password Spraying attack succeeds, it may additionally lead to Credential Stuffing attacks on different targets.
Explore
-
Determine target's password policy: Determine the password policies of the target system/application.
-
Select passwords: Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). |
| Techniques |
|---|
| Select passwords based on common use or a particular user's additional details. |
| Select passwords based on the target's password complexity policies. |
Exploit
-
Brute force password: Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.
| Techniques |
|---|
| Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so. |
| Iterate through the remaining passwords for each known user account. |
- The system/application uses one factor password based authentication.
- The system/application does not have a sound password policy that is being enforced.
- The system/application does not implement an effective password throttling mechanism.
- The adversary possesses a list of known user accounts on the target system/application.
- A machine with sufficient resources for the job (e.g. CPU, RAM, HD).
- Applicable password lists.
- A password cracking tool or a custom script that leverages the password list to launch the attack.
| Low |
|---|
| A Password Spraying attack is very straightforward. A variety of password cracking tools are widely available. |
| Integrity | Authorization | Access Control | Authentication | Confidentiality |
|---|---|---|---|---|
| Modify Data | Read Data | Gain Privileges | Gain Privileges | Gain Privileges |
| Read Data |
- A user selects the phrase "Password123" as their password, believing that it would be very difficult to guess. Password Spraying, leveraging a list of commonly used passwords, is used to crack this password and gain access to the account.
- The Iranian hacker group APT33 (AKA Holmium, Refined Kitten, or Elfin) carried out numerous Password Spraying attacks in 2019. On average, APT33 targeted 2,000 organizations per month, with upwards of 10 million authentication attempts each day. The majority of these attacks targeted manufacturers, suppliers, or maintainers of industrial control system equipment.