Password spraying is one of the most common – and high-risk forms – of cyberattacks hitting organizations. Whether or not these attacks are successful depends on which authentication technologies your organization leaves exposed.

And while it may not seem like the end of the world if an attacker manages to access just ONE of your employee’s email accounts, think again. The reality is this: one slip-up can snowball into a massive network compromise. With access to a single email account an attacker can:

Given how often we see this tactic used, we’re going to break down the basics. We want to help you understand how password spraying works, along with some effective steps you can take to prevent it from being used against your organization.

What is password spraying?

Let’s start with the essentials: The password-spraying process begins when attackers uncover a public authentication endpoint, which is any point where users have to log in. Some common examples:

  • Citrix NetScaler
  • OWA (Outlook Web Access)
  • Office 365
  • VPN (virtual private network)
  • RDP, SSH, and other management protocols

Once they uncover the endpoint, attackers deduce the username format. An example of this could be the format of first initial + last name + @acme.com. Let’s say you have an employee named, John Smith and your organization uses the domain, acme.com. John’s email address would therefore be jsmith@acme.com

This can be easily done using tools such as hunter.io. With this information, attackers scrape the web for employee names and use them to generate large lists of usernames.

Using that insight, attackers additionally generate a list of common or relevant passwords. To do this, an attacker creates a list of easy to guess or common passwords. An example of common passwords are listed below:

  • Welcome1
  • Winter2021!
  • changeme  

Next, the attacker attempts to “spray” these passwords against the discovered login endpoint, with the hope that some user is using these weak or easily discoverable credentials. A successful guess will enable attackers to log in to the authentication endpoint -- and that’s where the trouble begins.

Example: A common password-spraying attack The easiest way to bring this to life is through a scenario we commonly see play out.

  1. First, an attacker finds a company with a publicly exposed on prem OWA login page like the one shown below.

    Outlook 365 Login

    In addition, this Outlook login page also exposes Exchange Admin center at the directory /ecp/default.aspx.

    Outlook 365 Exchange Admin Center

    IMPORTANT: This endpoint is vulnerable to the high-risk, CVE-2020-0688. With this vulnerability, attackers can use low-privileged credentials to gain remote code execution on the Exchange server.

  2. An attacker then searches for your company on hunter.io and finds your username format.

    Hunter.io user domain search

  3. A list of usernames is created and used to spray the password “Winter2020!” against user accounts.

    use auxiliary/scanner/http/owa_login
set rhost owa.acme.com
set domain ACME
set username user1
set password password
exploit
[*] owa.acme.com:443 OWA - Trying user1 : password
[+] server type: MX01
[*] owa.acme.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.224583728 'ACME\\user1' : 'password': SAVING TO CREDS
[*] Auxiliary module execution completed


    With this, attackers are not only able to guess user credentials but also enumerate valid usernames.

  4. The attacker successfully guesses a user’s password. This password is used to exploit CVE-2020-0688. They then get remote code execution on your company’s exchange server.

  5. The attacker can now propagate around your network and do all sorts of nefarious stuff due to a simple weak user password and common misconfiguration.

Prevention Methods

First and foremost, organizations need to make it difficult for attackers to password spray authentication endpoints. This is an ongoing conversation and should be a primary focus when deploying company technology. Once that’s established, take the following steps to defend against password spraying:

  1. Review all external authorization endpoints
    • Reflect on what your organization can take off of the internet to reduce company attack surface.
    • Lock authorization endpoints, such as OWA, behind a VPN connection, leaving nothing exposed to the web.
    • Perform continuous testing to identify risks associated with public-facing authorization endpoints.

  2. Restrict password spraying efforts
    • Look to introduce dynamic IP restrictions. Make it so that a single IP address cannot make multiple login attempts. Then, block those IP addresses if multiple logins are attempted.
    • Introduce a Google reCAPTCHA. This makes reissuing requests over and over again very difficult, if not impossible and subsequently mitigates common password spraying techniques.
    • Migrate to more secure authentication solutions, such as Office 365 or Amazon Cognito, to make brute forcing more difficult.

  3. Adjust internal policy to reduce risk
    • Institute a strong password policy that forces users to create hard-to-guess passwords.
    • Implement multi-factor authentication to prevent account use even if an attacker were to guess a user’s password.
    • Institute a policy of least privilege to make it difficult for attackers to use stolen credentials in a way that leads to business compromise.

If password spraying has led to successful network breaches, give us a call or email us at contact@sprocketsecurity.com. We can help you discover and resolve potential vulnerabilities.