Password spraying: How hackers stealthily break through the doors to your kingdom
The general emphasis on passwords and password security has overshadowed an equally important aspect, that of usernames: The doors that lead to the kingdom in the first place.
Password-spraying is a highly effective hacking technique that cyber adversaries use to gain the initial foothold on their victim's digital infrastructure. Password spray attacks have become a preferred hacking technique because they are stealthy, they have a high rate of success and they circumvent many of the challenges associated with traditional brute-force methods. This blog post treats three essential questions: What differentiates password spraying from traditional brute-forcing? What, from an attacker's perspective are, the steps to a successful password spray attack? And finally, how can password spray attacks be defended against?
Password spray attacks versus traditional brute-force attacks
In traditional brute-force attacks against web applications such as mail or corporate VPNs, hackers submit thousands or sometimes even millions of passwords against one or more usernames with the hope of eventually guessing a correct combination. Despite leaving many digital footprints, triggering endpoint detection systems, logging victims out of their accounts and sometimes even breaking the targeted systems, brute-forcing is still a highly popular hacking techniqe. Brute force attacks stand for the opposite of a catchphrase often cited in hacker circles which states that 'the quieter you become, the more you are able to hear'.
Despite their crude nature and despite being as old as the internet, brute force attacks can still be extremely effective if the victim has poor access controls. For example, if systems targeted by brute-force attacks do not react to several million failed login attempts from the same IP address against multiple usernames and e-mail addresses, chances are that the hackers will guess a valid username and password combination eventually. To stop brute-force attacks (or at least to make them much less effective), implementation of proper access control management systems such as multi-factor authentication is vital. On top of this, employees should be reminded to follow sound password practices - passwords must be long, complex, hard to guess and they should never be reused. A good password manager can help with this.
Many modern technologies make brute-forcing much less effective but a new hacking technique is surfacing, one which circumvents many of the issues faced by traditional brute-forcing: Password spraying.
Brute force trivia: The legendary rockyou.txt
Rockyou.txt, a text file containing over 14 million unique passwords, has reached cult status in hacker communities. The file is the result of a breach in year 2009 of RockYou, a company that developed widgets for MySpace and implemented applications for Facebook and other social networks. The breach resulted in over 32 million users having their passwords compromised, all of which were stored in plain text without encryption or hashing. Despite its age, rockyou.txt continues to be a cornerstone in all types of brute force attacks.
Password spraying reverses the logic of brute-forcing. Instead of trying hundreds of thousands of passwords against 'random' usernames, password spraying is about trying ("spraying") few but very commonly used passwords against all users that can possible be enumerated on the victim. The ‘low and slow’ nature of password spray attacks means that they can fly undetected under the radar for extended periods of time (days, weeks, sometimes even years) just waiting for the day where a single unsuspecting victim uses a weak password; even if its just for a short period of time. Where brute-forcing logs users out of their accounts and trigger endpoint detection systems such as web application firewalls, password spraying can go by completely unnoticed as they blend in with the natural 'background noise' of the internet from scanners, crawlers, DDoS attacks and botnets.
Know the attacker: Four steps to a successful password spray attack
Let's turn to the offensive perspective - to effectively defend yourself, you must know your enemy and its tactics. What, from a hacker's point of view, are the steps to a successful password spray attack?
We have identified four key steps that cyber adversaries must go through to maximise their chances of success
- Acquire a list of usernames/email addresses
- Find login pages exposed to the internet
- Compile a list of plausible passwords
- Spray to gain access
Acquire a list of usernames. The first and most important step for the adversary is to compile a valid list of usernames and email addresses. These will be the 'victim accounts' of the password spray attack. Many organizations are predictable in the way they make usernames and email addresses. Common examples of this are when e-mail addresses are based on employees' full names ("[email protected]") or when they are based on employees' initials ("[email protected]"). While convenient for internal coordination and communication, predictable patterns make it easy for attackers to correctly guess legitimate users. A quick search for current and past employees on linkedin, for example, is often all attackers need to compile a very strong list of valid targets. From here, all the attackers need to compromise the target is just one weak password.
Find login pages exposed to the internet. The second step is to find internet-facing login systems associated with the victim's domain where the credentials found in step one will be inserted or 'sprayed'. There are many tools and techniques that can aid attackers here, some of which are explained in our previous blogpost "Understanding Attack Surface Management, cybersecurity's next Big Thing". Very often though, attackers can find interesting login pages exposed to the internet by simply typing mail.example.com or example.com/login in their browsers.
Compile a list of plausible passwords. The third step to a successful password spray attack is the easiest one: Collect a handfull of passwords that are likely used (or are likely to be used) by just a single victim from the list of usernames compiled in step one. Attackers do not need intimate knowledge of its victim to collect a very strong but short list of generic passwords. Even Wikipedia has a list of the top 10.000 most commonly used passwords. Another eerily effective tactic is to combine either a season or the victim organization with the current year, such as summer2021 or evilcorp2019.
Spray to gain access. Finally, attackers must combine step 1 through 3. This step is typically the most technical one since the must automate the login process: Each identified victim account should be tried against all identified internet-facing login systems with each identified password, over and over, day after day. Again, the key is to go 'low and slow'. If the attackers just hammer away with all usernames and passwords at once, the victims will be logged out and web application firewalls will be alerted. The proliferation of free and open source hacker tools and techniques make it easy, even trivial, to automate a password spray attack. This is even true for amateur hackers and 'script kiddies' with no real technical expertise.
Know yourself: Effectively protect yourself against password spray tools, techniques and tactics
The only reason why password spraying is proving to be so effective is because most organisations put little or no effort into strengthening their digital security posture. Even common security practices such as implementation of multi-factor authentication can dwarf the effectiveness of password spray attacks. As Tyson said, everybody has a plan until they get punched in the mouth, so why ask for a fight in the first place? Be smart and follow the basic security practices that work. This final section discusses the most important ones that protect against password spraying (and a myriad of other hacking techniques):
- Use strong muli-factor authentication
- Enforce a strict password policy
- Prevent password reuse
- Monitor leaked credentials
- Keep internet-facing systems patched
- Disable inactive users
- Don't assign weak one time passwords
- Educate employees and create awareness
Use strong muli-factor authentication on all internet-facing systems. This includes (but is not limited to) corporate VPN login portal, mail services, databases and HR portals. Avoid SMS-based tokens and roll the token frequently.
Enforce a strict password policy that only permits passwords over a certain length. In password security, length beats complexity. This doesn't mean that passwords with special characters, numbers and different letter casing should be avoided, but length should be prioritized over complexity.
Prevent password reuse. One of the most common causes of account takeover is password reuse. It doesn't matter how strict your organization's password policy is if users just go home and reuse their corporate passwords on vulnerable sites and services. Additionally, it is a good idea to prevent employees from using previously leaked passwords.
Monitor leaked credentials. Every day new websites, companies, services and databases are hacked. This leads to credential leaks and dumps which cyber adversaries are quikck to pick up and try in brute force attacks against your organization. Be actively monitoring leaked credentials that are directly associated with your domain, you can be one step of hackers and significantly lower the risk of account takeover. Webscout offers a cheap leak monitoring service.
Keep internet-facing systems patched. Good patch management is key for an organization's digital security posture. While it is true that even the best patch management cannot prevent the 99,9th percentile of cyber attacks that rely on zero day exploits, even mediocre patch management can protect you from almost all cyberattacks that involve known exploits. The moment a new exploit is made public, cyber adversaries of all kind flock to re-implement the exploit in their own tools and techniques. For this reason, simply not being among the lowest hanging fruit can be extremely valuable from a security perspective.
Disable inactive users. Members of an organizations come and go, and so should their digital accounts. 'Ghost' accounts of former employees are sitting ducks for attackers because, everything else being equal, more accounts equals higher chance of successful account takeover.
Don't assign weak one time passwords. Often when people are locked out of their accounts, either because of scheduled password changes or because they forgot their password, they will reach out to IT to have their password reset. Since all good IT departments know that passwords should be kept private (and since they are often busy with other stuff), for convenience,they generate a generic password such as "Summer2020" or "Password". However, this presents hackers with a small window of opportunity where accounts can be hijacked using simple password spraying.
Educate employees and create awareness. Everyone who has attented a form of awareness training will be familiar the phrase that security is never stronger than the weakest link. Despite that this horse has been beaten to death there is still some truth to it because no matter how secure we design our digital systems, if they are operated (or interacted with) by a human, that human presents a vector of attack. For this reason, proper awareness traning should not be neglected.
This blog post has covered password spraying, one of the most effective tools in the hacker's toolbox. The main difference between password spraying and traditional brute-forcing is that where the latter is noisy and crude, the former is stealthy and a silent killer. Traditional brute-forcing hammers away at all possible username and password combinations. Password spraying quietly searches for just a single weak password without raising suspicion. We believe that password spraying will continue to be a massive cause for concern for all organisations with internet-facing login systems unprotected by firewall and/or VPNs.
Thank you for reading. Stay safe!
About the author
Jonathan A. (@deadsyn_), founder of webscout.io.