Welcome back, my aspiring cyberwarriors!
At the dawn of the Information Age, passwords emerged as the preeminent method for verifying identity. Over half a century later, the password persists as the most common form of digital authentication, securing everything from computers and bank accounts to social media and mobile devices. As cyberattacks grow more sophisticated, security administrators have countered by requiring longer and more complex passwords. However, as the latest attack on Microsoft demonstrated, passwords remain a vulnerable attack vector. In this article, we will examine a popular password cracking technique used by even the most sophisticated hacker groups - password spraying.
What is a password spraying attack
Password spraying is a cyber attack in which the attacker attempts to gain access to user accounts by using a list of commonly used passwords. It distinguishes itself from its better-known brethren, the brute force attack, by distributing the attack across multiple usernames rather than targeting a specific user. The premise behind this attack is the understanding that, typically, at least one person in the organization will be using a weak password. The hacker then systematically tests each password across a list of accounts.
Many organizations still rely on traditional lockout mechanisms designed to be triggered by the signs of a brute force attack: multiple failed attempts on a single account. Password spraying bypasses these lockouts by testing a single password across multiple accounts.
To combat password spraying some organizations have implemented IP address monitoring as an additional layer of security control. To bypass this control, hackers distribute the login attempts across a network of botnets. These infected devices disperse the attack across several IP addresses, making the spray look like authentic failed logins.
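The two evasions just described (one failure per account, and failures spread over many source addresses) are exactly what a lockout counter keyed on a single account, or a rate limit keyed on a single IP, cannot see. As an added example for this article (not code from the article or from any tool it names), the Python below runs over constructed OpenSSH-style auth log lines and applies both checks side by side: the classic per-account brute force counter, and a spray check that counts how many distinct accounts fail a small number of times within one time window, regardless of which IP the failures came from. The log format, the thresholds, the five-minute window and the log year are assumptions made for the example.

```python
"""Separate brute force from password spraying in SSH auth logs.

Added example for this article; not from the article or any tool it names.
Assumes OpenSSH-style "Failed password for ... from <ip>" lines. The sample
log below is constructed for the example, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failures on root from one host (brute force) and
# one failure each on six accounts from two addresses (a distributed spray).
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[100]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar 10 09:00:02 host sshd[101]: Failed password for root from 10.0.0.5 port 40002 ssh2
Mar 10 09:00:03 host sshd[102]: Failed password for root from 10.0.0.5 port 40003 ssh2
Mar 10 09:00:04 host sshd[103]: Failed password for root from 10.0.0.5 port 40004 ssh2
Mar 10 09:00:05 host sshd[104]: Failed password for root from 10.0.0.5 port 40005 ssh2
Mar 10 09:01:00 host sshd[110]: Failed password for alice from 203.0.113.7 port 50001 ssh2
Mar 10 09:01:10 host sshd[111]: Failed password for bob from 203.0.113.7 port 50002 ssh2
Mar 10 09:01:20 host sshd[112]: Failed password for invalid user carol from 203.0.113.8 port 50003 ssh2
Mar 10 09:01:30 host sshd[113]: Failed password for dave from 203.0.113.8 port 50004 ssh2
Mar 10 09:01:40 host sshd[114]: Failed password for erin from 203.0.113.7 port 50005 ssh2
Mar 10 09:01:50 host sshd[115]: Failed password for frank from 203.0.113.8 port 50006 ssh2
Mar 10 09:02:00 host sshd[116]: Accepted password for alice from 198.51.100.4 port 50007 ssh2
"""

# syslog timestamp, host, sshd pid, then the failure message (assumed format)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
EPOCH = datetime(1970, 1, 1)  # fixed origin for window bucketing


def parse_failures(text, year=2024):
    """Return (timestamp, user, source_ip) for every failed login line.

    syslog lines carry no year, so one is assumed (parameter)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def brute_force_pairs(events, threshold=5):
    """Classic lockout logic: many failures on ONE account from one source."""
    counts = defaultdict(int)
    for _, user, ip in events:
        counts[(ip, user)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def spray_windows(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Spray logic: within one window, MANY distinct accounts each fail only
    a few times. Counted across all source IPs, so a spray distributed over
    many addresses is still visible, and accounts under heavy brute force
    are excluded so they do not mask or inflate the spray count."""
    buckets = defaultdict(list)
    for ts, user, ip in events:
        buckets[(ts - EPOCH) // window].append((user, ip))
    findings = []
    for key, items in sorted(buckets.items()):
        per_user = defaultdict(list)  # user -> source IPs of its failures
        for user, ip in items:
            per_user[user].append(ip)
        sprayed = {u: ips for u, ips in per_user.items() if len(ips) <= max_per_user}
        if len(sprayed) >= min_users:
            findings.append({
                "window_start": EPOCH + key * window,
                "sprayed_users": sorted(sprayed),
                "source_ips": sorted({ip for ips in sprayed.values() for ip in ips}),
            })
    return findings


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for (ip, user), n in brute_force_pairs(evs).items():
        print(f"brute force: {n} failures on {user} from {ip}")
    for f in spray_windows(evs):
        print(f"spray at {f['window_start']}: {len(f['sprayed_users'])} accounts "
              f"from {', '.join(f['source_ips'])}")
```

On the sample, the per-account counter flags only root from 10.0.0.5, while the window check flags the six accounts touched once each from 203.0.113.7 and 203.0.113.8, which neither a per-account lockout nor a per-IP rate limit would have reached. In production the thresholds need tuning against normal failure rates (helpdesk resets, expired credentials), and the same window logic applies unchanged to Windows 4625 events or IdP sign-in logs once the parser is swapped.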
How password spraying attack works
Password spraying attacks typically involve these stages:
1. Get a List of Usernames
A password spraying attack typically begins with the hacker buying a list of usernames on the dark web, though they may also use a list of statistically likely usernames. Alternatively, they may create their own list using social network OSINT. Most companies have standardized naming conventions that double as account usernames, for example, firstname.lastname@company.com.
2. Obtain a list of common passwords
To the everlasting chagrin of security administrators, there will always be a swath of humanity that fails The Lovelace Test. Consequently, with a quick internet search, you can obtain a list of the most common passwords. If this list does not prove fruitful, the hacker may create a custom wordlist based on the industry, business or personal interests of the targets using tools like CeWL. Organizations may have tailored complexity requirements, but the minimum password length for many environments is 7-8 characters.
3. Try out different username and password combinations
After obtaining a list of usernames and passwords, hackers will attempt to identify a functional combination between the two. Hackers will test one password for numerous usernames and then repeat the process with the next password on the list. Often, the process is automated with password spraying tools.
Nowadays, there are many programs for performing password spraying, such as TREVORspray, CredMaster, Kerbrute, Spray, Crackmapexec and others.
Crackmapexec (CME) stands as one of the most reliable tools, so we’ll use it.
Password Spraying with Crackmapexec
The tool is great for testing authentication methods across many network protocols. It supports SSH testing for remote access using both passwords and keys. RDP features let you test Windows Remote Desktop connections and even manage sessions. SMB support helps assess Windows networking, including credential checks and relay attacks. The HTTP/HTTPS module makes it easy to test web application credentials and session security. It also works with LDAP, FTP, WinRM, and MySQL, giving you plenty of options for authentication testing.
The tool can be installed directly on security-focused distributions through apt:
kali> sudo apt install crackmapexec
For other systems, pip installation provides a reliable alternative:
ubuntu> python3 -m pip install crackmapexec
Firstly, let’s discover SSH servers across the subnet:
kali> crackmapexec ssh 192.168.1.0/24 --port 22
Test common credentials against a single host:
kali> crackmapexec ssh 192.168.1.10 -u root -p 'password123'
Basic password spray:
kali> crackmapexec ssh 192.168.1.0/24 -u userfile.txt -p 'password'
Restrict the number of failed login attempts per host:
kali> crackmapexec ssh 192.168.1.0/24 -u userfile.txt -p 'password' --fail-limit 3
Verify access by running a command on each host where the credentials work:
kali> crackmapexec ssh 192.168.1.0/24 -u users.txt -p 'admin123' -x 'id'
After reviewing the SSH help page, you can see that the possibilities for advancing the attack are quite large.
Password spraying history
Password spraying, while not a brand new attack tactic, has evolved over time to become a significant threat in the modern cybersecurity landscape.
• Early days (pre-2010s):
Early password spraying attacks were often manual and targeted specific organizations or individuals, relying heavily on guessable credentials like employee names, birthdays, and common dictionary words.
• Evolution in the 2010s:
Automation became a key element, with attackers utilizing scripts and bots to spray hundreds or even thousands of usernames and passwords across large sets of targets.
The rise of data breaches and the dark web made readily available lists of stolen usernames and passwords, fueling the effectiveness of spraying attacks.
• 2020s and beyond:
Sophistication continues to increase, with attackers leveraging machine learning and artificial intelligence to analyze leaked data and identify patterns in weak passwords.
In response, organizations are fighting back with stronger password policies, multi-factor authentication, and improved detection and prevention systems.
Password spraying vs other password attacks
Attack Type | Description | Strengths | Weaknesses
--- | --- | --- | ---
Brute Force | Repeated password guesses, often using automated tools to try many variations on one account | High chance of success if the password is weak; effective on accounts without lockout policies | Easily detected by account lockouts; slow against strong passwords
Password Spraying | Tries a single, common password across multiple accounts, then moves to another common password | Avoids triggering lockouts; efficient on large user bases; effective against common passwords | Depends on weak passwords; less effective with MFA
Phishing | Tricks users into entering passwords | High success rate on unsuspecting users; low cost; works across many platforms and user types | Relies on human error; may be blocked by awareness training
Traffic Interception | Uses packet sniffing, man-in-the-middle attacks, or Wi-Fi spoofing to intercept unencrypted communications | Can access unencrypted or poorly secured data; works without user interaction | Requires access to the network; can be blocked by encryption and secure protocols
Summary
Password cracking can often be the quickest and most effective way to take control of a target system. As we have seen in recent days, this continues to be an effective strategy for attacking passwords as an authentication mechanism. Remember, the attacker only needs to gain access to one account to gain access to the entire network. So, if one person on the network has a weak password, the entire organization is at risk.