Brute Force: Password Spraying

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. [1]

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[2]

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

Angreifer können ein einziges oder eine kleine Liste häufig verwendeter Kennwörter für viele verschiedene Konten verwenden, um zu versuchen, an gültige Zugangsdaten zu gelangen. Password-Spraying verwendet ein einziges Passwort (z.B. 'Password01') oder eine kleine Liste häufig verwendeter Passwörter, die der Komplexitätsrichtlinie der Domäne entsprechen können. Mit diesem Kennwort wird versucht, sich bei vielen verschiedenen Konten in einem Netzwerk anzumelden, um Kontosperrungen zu vermeiden, die normalerweise beim Brute-Forcing eines einzelnen Kontos mit vielen Kennwörtern auftreten würden. (Zitat: BlackHillsInfosec Password Spraying)

In der Regel werden beim Password Spraying Verwaltungsdienste über häufig verwendete Ports verwendet. Zu den häufig angegriffenen Diensten gehören die folgenden:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminaldienste (3389/TCP)
  • HTTP/HTTP-Verwaltungsdienste (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

Zusätzlich zu den Verwaltungsdiensten können Angreifer "auf Single Sign-On (SSO) und Cloud-basierte Anwendungen abzielen, die föderierte Authentifizierungsprotokolle verwenden", sowie auf nach aussen gerichtete E-Mail-Anwendungen wie Office 365.(Zitat: US-CERT TA18-068A 2018)

In Standardumgebungen ist es weniger wahrscheinlich, dass LDAP- und Kerberos-Verbindungsversuche über SMB Ereignisse auslösen, wodurch die Windows-Ereignis-ID 4625 "Anmeldefehler" entsteht.

Les adversaires peuvent utiliser un seul mot de passe ou une petite liste de mots de passe couramment utilisés contre de nombreux comptes différents pour tenter d'acquérir des informations d'identification de compte valides. La pulvérisation de mots de passe utilise un mot de passe (par exemple "Mot de passe 01") ou une petite liste de mots de passe couramment utilisés, qui peuvent correspondre à la politique de complexité du domaine. Les connexions sont tentées avec ce mot de passe sur de nombreux comptes différents sur un réseau afin d'éviter les blocages de comptes qui se produiraient normalement lors du forçage brutal d'un seul compte avec de nombreux mots de passe. (Citation : BlackHillsInfosec Password Spraying)

En général, les services de gestion sur les ports couramment utilisés sont utilisés lors de la pulvérisation de mots de passe. Les services couramment ciblés sont les suivants :

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP et 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • Services de gestion HTTP/HTTP (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

Outre les services de gestion, les adversaires peuvent " cibler les applications d'authentification unique (SSO) et les applications basées sur le cloud utilisant des protocoles d'authentification fédérés ", ainsi que les applications de messagerie orientées vers l'extérieur, comme Office 365.(Citation : US-CERT TA18-068A 2018)

Dans les environnements par défaut, les tentatives de connexion LDAP et Kerberos sont moins susceptibles de déclencher des événements sur SMB, ce qui crée l'événement Windows "logon failure" ID 4625.

Gli avversari possono usare una singola o una piccola lista di password comunemente usate contro molti account diversi per tentare di acquisire credenziali di account valide. La spruzzatura di password usa una password (ad esempio 'Password01'), o un piccolo elenco di password di uso comune, che può corrispondere alla politica di complessità del dominio. I login vengono tentati con quella password contro molti account diversi su una rete per evitare il blocco dell'account che normalmente si verificherebbe quando si fa brute forcing su un singolo account con molte password. (Citazione: BlackHillsInfosec Password Spraying)

Di solito si usano servizi di gestione su porte comunemente usate quando si fa password spraying. I servizi comunemente presi di mira sono i seguenti:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Servizi Terminali (3389/TCP)
  • Servizi di gestione HTTP/HTTP (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

Oltre ai servizi di gestione, gli avversari possono "prendere di mira single sign-on (SSO) e applicazioni basate su cloud che utilizzano protocolli di autenticazione federata", così come applicazioni email rivolte all'esterno, come Office 365.(Citazione: US-CERT TA18-068A 2018)

In ambienti predefiniti, i tentativi di connessione LDAP e Kerberos hanno meno probabilità di innescare eventi su SMB, il che crea l'evento ID 4625 di Windows "logon failure".

Login
ID: T1110.003
Sub-technique of:  T1110
Platforms: Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Permissions Required: User
CAPEC ID: CAPEC-565
Contributors: John Strand; Microsoft Threat Intelligence Center (MSTIC)
Version: 1.2
Created: 11 February 2020
Last Modified: 06 April 2021
Translations:  DE FR IT EN
Provided by LAYER 8

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.[3][4] APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.[5]

G0016 APT29

APT29 has conducted brute force password spray attacks.[6]

G0064 APT33

APT33 has used password spraying to gain access to target systems.[7][8]

S0606 Bad Rabbit

Bad Rabbit’s infpub.dat file uses NTLM login credentials to brute force Windows machines.[9]

G0114 Chimera

Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.[10]

S0488 CrackMapExec

CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.[11]

G0032 Lazarus Group

Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[12][13]

G0077 Leafminer

Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.[14]

S0362 Linux Rabbit

Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server. [15]

S0413 MailSniper

MailSniper can be used for password spraying against Exchange and Office 365.[16]

G0034 Sandworm Team

Sandworm Team has used a script to attempt RPC authentication against a number of hosts.[17]

G0122 Silent Librarian

Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.[18]

Mitigations

ID Mitigation Description
M1036 Account Use Policies

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.

M1032 Multi-factor Authentication

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

M1027 Password Policies

Refer to NIST guidelines when creating password policies. [19]

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0002 User Account User Account Authentication

Monitor authentication logs for system and application login failures of Valid Accounts. Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.

Consider the following event IDs:[20]

  • Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625.
  • Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771.
  • All systems: "Audit Logon" (Success & Failure) for event ID 4648.

Überwachen Sie die Authentifizierungsprotokolle auf fehlgeschlagene System- und Anwendungsanmeldungen von gültigen Konten. Überwachen Sie insbesondere die vielen fehlgeschlagenen Authentifizierungsversuche für verschiedene Konten, die möglicherweise auf Passwort-Spraying-Versuche zurückzuführen sind.

Betrachten Sie die folgenden Ereignis-IDs:(Zitat: Trimarc Detecting Password Spraying)

  • Domänencontroller: "Audit Logon" (Erfolg & Misserfolg) für Ereignis-ID 4625.
  • Domänencontroller: "Audit Kerberos Authentication Service" (Erfolg & Misserfolg) für die Ereignis-ID 4771.
  • Alle Systeme: "Audit Logon" (Erfolg & Misserfolg) für die Ereignis-ID 4648.

Surveillez les journaux d'authentification pour détecter les échecs de connexion au système et aux applications des [Comptes valides] (/techniques/T1078). Plus précisément, surveillez les nombreuses tentatives d'authentification échouées sur divers comptes qui peuvent résulter de tentatives de pulvérisation de mots de passe.

Considérez les ID d'événements suivants :(Citation : Trimarc Detecting Password Spraying)

  • Contrôleurs de domaine : "Audit Logon" (Succès & Échec) pour l'ID d'événement 4625.
  • Contrôleurs de domaine : "Audit Kerberos Authentication Service" (Success & Failure) pour l'événement ID 4771.
  • Tous les systèmes : "Audit Logon" (succès et échec) pour l'événement ID 4648.

Monitorare i log di autenticazione per i fallimenti di accesso al sistema e alle applicazioni di Valid Accounts. In particolare, monitorizzi i molti tentativi di autenticazione falliti tra vari account che possono risultare da tentativi di spruzzatura di password.

Consideri i seguenti ID evento:(Citazione: Trimarc Detecting Password Spraying)

  • Controller di dominio: "Audit Logon" (Success & Failure) per ID evento 4625.
  • Controllori di dominio: "Audit Kerberos Authentication Service" (Success & Failure) per ID evento 4771.
  • Tutti i sistemi: "Audit Logon" (Success & Failure) per ID evento 4648.

References