Threat (Privilege Escalation)
Password Spraying is a technique attackers leverage to guess the password of an account. By trying a small number of highly common passwords against large numbers of accounts while also staying below an organization’s defined lockout threshold, the attacker can compromise accounts without any elevated privileges and likely without detection.
How Password Spraying Works
The following is a summarization of how the attack works:
- An attacker compromises a standard domain user (e.g. phishing, social engineering, etc.)
- Using tools like CrackMapExec (CME), the attacker enumerates Active Directory’s password and lockout policies
- Using an LDAP query, the attacker compiles a list of users to attack
- Again using CrackMapExec, the attacker runs commands against the Domain Controller and cycles through the list of passwords for every user account until a hit is found
Important Notes about Password Spraying:
- The lockout policy information collected by CrackMapExec is used to determine how many bad passwords the attacker can guess per account to avoid a lockout
- The password policy information collected by CrackMapExec is used to help the attacker craft a custom dictionary of potential passwords to guess against all accounts based on what’s actually possible in the target Active Directory environment
- There are existing password lists from real-world and well-known data breaches that can be obtained from sites like GitHub, making this even easier for the attacker
Watch this brief video of a Password Spraying attack in action:
Potential Solutions and Mitigating Controls for Password Spraying
Strong, unique passwords are your best defense against Password Spraying attacks. DSInternals provides a command (Test-PasswordQuality) which can be used to determine the strength of existing passwords in your environment. Using DSInternals, you can extract all password hashes and then provide a dictionary of “weak” passwords which it will hash and compare to your account hashes. It then provides very useful output to identify the biggest weaknesses. Once weak passwords have been eradicated from your environment, it’s also possible to prevent the use of easily guessed passwords using various software solutions.
Addtional Resources Password Spraying Resources: Related Attacks & Concepts: Solutions: