Password spraying is an attack technique in which an adversary attempts to compromise user accounts by attempting to authenticate with a curated list of passwords that are either frequently used or likely to be used by their target. Password spraying can be conducted by an external adversary against any internet-facing system or SaaS application, or by an adversary that has gained a foothold within the network and is seeking to widen their access.
Frequent targets for password spraying include VPN servers, web-based email applications, and single sign-on providers. Unlike credential stuffing where an adversary is targeting specific users with previously compromised passwords, password spraying is about trying common or likely passwords against as many users as possible. Thus, many adversaries structure their attacks to avoid detection, perhaps only trying one password for each user account at a time or waiting some time between each attempt.
How Password Spraying Works
Hover to see each step
Step 1: Before conducting the password spray attack itself, an adversary must conduct reconnaissance to generate a list of usernames (or email addresses for targets using email as username) that are likely to correspond to active users. An adversary may use open-source intelligence (OSINT) sources (Google search, LinkedIn, Facebook) to find the names of employees, or if they have the funding may purchase a business directory. They may be able to discover email addresses and username formats this way too, or may need to socially engineer an employee to reveal the format.
In this example, the adversary is attempting to password spray Office 365 email and has gathered the names and email addresses of employees to target.
PS> cat userlist.txt Harry.Potter@stealthbitslab.com Hermione.Granger@stealthbitslab.com Ron.Weasley@stealthbitslab.com PS>
Step 2: With the list of likely valid usernames, the adversary next attempts their password spray. Adversaries may conduct password sprays slowly to reduce the risk of detection. Tools such as the Spraying Toolkit can automate the process of conducting the attack. In this example, the adversary attempts to authenticate to Office 365 hosted email with a weak (but common!) password.
Python> atomizer.py owa stealthbitslab.com 'Spring2020' userlist.txt �[34m[*]�[0m Trying to find autodiscover URL �[32m[+]�[0m Using OWA autodiscover URL: http://autodiscover.stealthbitslab.com/autodiscover/autodiscover.xml �[34m[*]�[0m OWA domain appears to be hosted on Office365 �[34m[*]�[0m Using Office 365 autodiscover URL: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml �[31m[-]�[0m Authentication failed: Harry.Potter@stealthbitslab.com:Spring2020 (Invalid credentials) �[31m[-]�[0m Authentication failed: Hermione.Granger@stealthbitslab.com:Spring2020 (Invalid credentials) �[32m[+]�[0m Found credentials: Ron.Weasley@stealthbitslab.com:Spring2020 �[32m[+]�[0m Dumped 1 valid accounts to owa_valid_accounts.txt
Step 3: Having compromised a credential, the adversary can use it to further their objectives. For example, a successful compromise of an email account can allow the adversary to conduct phishing under the guise of a real account. Furthermore, they can study the messages in the mailbox to craft a strong pretext thereby increasing their chances of success.
In the example below, the adversary uses Microsoft Teams (another Office 365 service) to chat with a coworker who readily opens the file they send. Opening the attachment results in malware running on the coworker’s machine, enabling the adversary to pivot from a cloud to on-premises compromise.
Detect, Mitigate, and Respond
Detection of password spraying is relatively difficult: the volume of authentications and a large number of services requiring monitoring lead to large data sets requiring complex analysis. Some providers may offer password spray detection and prevention in their own security controls, but aggregating all applications and analyzing authentication events for the signs and symptoms of password spraying (such as failed authentication attempts from the same source against multiple users) is important.
Password spraying can be mitigated by adopting healthy authentication practices (good passwords and multi-factor authentication) and ensuring that applications you build or consume offer defenses against brute force password attacks. NIST Special Publication 800-63B provides current guidance for strong authentication approaches and brute force defenses.
When a suspected password spray attack is detected, actions can be taken to block continued activity and remediate any compromised accounts.
- Activate the incident response process and alert the incident response team
- Block the source of the password spray at the network and/or application-level to prevent future authentication attempts. If the password spray is from an internal machine, then it should be quarantined for investigation, as well as eradication and recovery activities
- Reset the password for any user whose password was compromised in the attack