Have you heard of Continuous Penetration Testing?
The most common – and high-risk forms – of cyberattacks hitting organizations.
Password spraying is one of the most common – and high-risk forms – of cyberattacks hitting organizations. Whether or not these attacks are successful depends on which authentication technologies your organization leaves exposed.
And while it may not seem like the end of the world if an attacker manages to access just ONE of your employee’s email accounts, think again. The reality is this: one slip-up can snowball into a massive network compromise. With access to a single email account an attacker can:
Given how often we see this tactic used, we’re going to break down the basics. We want to help you understand how password spraying works, along with some effective steps you can take to prevent it from being used against your organization.
Let’s start with the essentials: The password-spraying process begins when attackers uncover a public authentication endpoint, which is any point where users have to log in. Some common examples:
Once they uncover the endpoint, attackers deduce the username format. An example of this could be the format of first initial + last name + @acme.com. Let’s say you have an employee named, John Smith and your organization uses the domain, acme.com. John’s email address would therefore be email@example.com
This can be easily done using tools such as hunter.io. With this information, attackers scrape the web for employee names and use them to generate large lists of usernames.
Using that insight, attackers additionally generate a list of common or relevant passwords. To do this, an attacker creates a list of easy to guess or common passwords. An example of common passwords are listed below:
Next, the attacker attempts to “spray” these passwords against the discovered login endpoint, with the hope that some user is using these weak or easily discoverable credentials. A successful guess will enable attackers to log in to the authentication endpoint -- and that’s where the trouble begins.
Example: A common password-spraying attack The easiest way to bring this to life is through a scenario we commonly see play out.
First, an attacker finds a company with a publicly exposed on prem OWA login page like the one shown below.
In addition, this Outlook login page also exposes Exchange Admin center at the directory /ecp/default.aspx.
IMPORTANT: This endpoint is vulnerable to the high-risk, CVE-2020-0688. With this vulnerability, attackers can use low-privileged credentials to gain remote code execution on the Exchange server.
An attacker then searches for your company on hunter.io and finds your username format.
A list of usernames is created and used to spray the password “Winter2020!” against user accounts.
use auxiliary/scanner/http/owa_login set rhost owa.acme.com set domain ACME set username user1 set password password exploit [*] owa.acme.com:443 OWA - Trying user1 : password [+] server type: MX01 [*] owa.acme.com:443 OWA - FAILED LOGIN, BUT USERNAME IS VALID. 0.224583728 'ACME\\user1' : 'password': SAVING TO CREDS [*] Auxiliary module execution completed
With this, attackers are not only able to guess user credentials but also enumerate valid usernames.
The attacker successfully guesses a user’s password. This password is used to exploit CVE-2020-0688. They then get remote code execution on your company’s exchange server.
The attacker can now propagate around your network and do all sorts of nefarious stuff due to a simple weak user password and common misconfiguration.
First and foremost, organizations need to make it difficult for attackers to password spray authentication endpoints. This is an ongoing conversation and should be a primary focus when deploying company technology. Once that’s established, take the following steps to defend against password spraying:
If password spraying has led to successful network breaches, give us a call or email us at firstname.lastname@example.org. We can help you discover and resolve potential vulnerabilities.
Protect your company with Sprocket
When your environment changes, or new threats affect your attack surface, we perform security testing. There is a lot more value from this modern approach to testing.