A brute-force attack throws many password guesses at a single account. In a Windows domain, an account lockout policy counters this by locking the account after a set number of failed logon attempts. A password spray, also known as a reverse brute force, stays under that threshold by trying only one or two of the most common passwords against many accounts at once. The attacker guesses a password or two per user, waits for the failed-attempt counter to reset (a 30-minute observation window in this example), then runs another round with the next passwords, so no single account ever reaches the lockout limit.
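To make the difference concrete, here is an added simulation (not code from the original article) of a Windows-style lockout counter with both strategies run against it. The policy values (threshold of 5, a 30-minute counter reset, a 30-minute lockout), the sample directory and the guess list are all assumptions chosen to mirror the figures in the text; only the bad-password counter is modelled, nothing authenticates against a real domain controller.

```python
"""Simulation of a Windows account-lockout policy against brute force and
password spraying. Added example, not code from the original article; the
policy values are assumptions that mirror the 30-minute figure in the text.
Only the bad-password counter is modelled, not real authentication."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy (the three settings under Account Lockout Policy in Group Policy)
LOCKOUT_THRESHOLD = 5                        # bad attempts before lockout
OBSERVATION_WINDOW = timedelta(minutes=30)   # "Reset account lockout counter after"
LOCKOUT_DURATION = timedelta(minutes=30)     # "Account lockout duration"


class LockoutPolicy:
    """Per-account bad-password counter, kept the way the domain controller keeps it."""

    def __init__(self):
        self.bad_count = defaultdict(int)
        self.last_bad = {}
        self.locked_until = {}

    def is_locked(self, user, now):
        return user in self.locked_until and now < self.locked_until[user]

    def attempt(self, user, guess, real_password, now):
        """Record one logon attempt; return 'success', 'failure' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"
        # The counter resets once the observation window has passed since the last bad guess
        if user in self.last_bad and now - self.last_bad[user] >= OBSERVATION_WINDOW:
            self.bad_count[user] = 0
        if guess == real_password:
            self.bad_count[user] = 0
            return "success"
        self.bad_count[user] += 1
        self.last_bad[user] = now
        if self.bad_count[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_DURATION
        return "failure"


def brute_force(policy, directory, user, guesses, start):
    """Classic brute force: every guess against one account, one per second."""
    outcomes = []
    now = start
    for guess in guesses:
        outcomes.append(policy.attempt(user, guess, directory[user], now))
        now += timedelta(seconds=1)
    return outcomes


def password_spray(policy, directory, guesses, start, per_round=1):
    """Reverse brute force: a few guesses against every account per round,
    then wait out the observation window so no counter reaches the threshold."""
    assert per_round < LOCKOUT_THRESHOLD, "a round must stay below the lockout threshold"
    cracked = {}
    now = start
    for i in range(0, len(guesses), per_round):
        for user in directory:
            for guess in guesses[i:i + per_round]:
                if policy.attempt(user, guess, directory[user], now) == "success":
                    cracked[user] = guess
                now += timedelta(seconds=1)
        now += OBSERVATION_WINDOW  # let every account's counter reset before the next round
    return cracked


# Constructed sample directory and guess list (not real accounts or passwords)
DIRECTORY = {
    "alice": "Autumn2018",
    "bob": "Spring2018",
    "carol": "Welcome1",
    "dave": "x7$Lq!9vRz#2",
    "erin": "Tr0ub4dor&3",
}
GUESSES = ["Spring2018", "Summer2018", "Password1", "Welcome1", "Company123", "Autumn2018"]


def run_demo():
    """Return (brute-force outcomes against alice, accounts the spray cracked,
    accounts the spray locked out)."""
    start = datetime(2018, 4, 2, 9, 0, 0)
    bf = brute_force(LockoutPolicy(), DIRECTORY, "alice", GUESSES, start)
    spray_policy = LockoutPolicy()
    cracked = password_spray(spray_policy, DIRECTORY, GUESSES, start)
    return bf, cracked, sorted(spray_policy.locked_until)


if __name__ == "__main__":
    bf, cracked, locked = run_demo()
    print("brute force vs alice:", bf)           # locked before the sixth guess is tried
    print("spray cracked:", cracked)             # finds alice, bob and carol
    print("accounts locked by spray:", locked)   # none
```

The brute force locks alice out on the fifth guess and never reaches her real password, which is sixth in the list. The spray, with the same six guesses, recovers three of the five passwords and trips no lockout at all, because every account sees exactly one failure per 30-minute window. Raising `per_round` to anything at or above the threshold makes the assertion fire; that is the line the attacker must stay under.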
First, the attacker builds a large list of usernames. From an already compromised machine joined to the domain, the net user /domain command enumerates valid accounts from the domain controller. The attacker may also use open source intelligence tools that, given the organization's known email format (first.last, for example), build the list from employee names harvested from sites such as LinkedIn.
Common passwords that attackers will try include:
- SeasonYear (Spring2018)
There are tools that automate the spray itself. They can be configured to try a specific set of passwords and to skip accounts that are already locked out, so the attacker neither wastes attempts nor generates further lockout events that would draw attention.
Password spraying has become a favorite technique of attackers. It has proven effective, and once an elevated account is compromised it can be used to pivot and move through the rest of the network.
So what is the best defense against a password spraying attack? First, strong and long passwords that are not easy to guess, and in particular none that follow predictable patterns like the season-and-year example above. Here are some other suggestions:
- Use cloud authentication
- Use multi-factor authentication
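Preventive controls aside, a spray leaves a distinctive trace that a defender can look for: one source failing against many different accounts in a short time, with each account kept below the lockout threshold so that no lockout alert ever fires. The following is an added detection example, not code from the original article. Its records are constructed and simplified from the fields a Windows Security log failed-logon event (Event ID 4625) carries (time, target account, source network address), and the thresholds are assumptions.

```python
"""Spot a password spray in failed-logon records. Added example, not code
from the original article. The records are constructed and simplified from
the fields a Windows Security log failed-logon event (Event ID 4625) carries:
time, target account name, source network address. Thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # same span as the lockout observation window
MIN_DISTINCT_USERS = 8           # assumed: one source failing against this many accounts
LOCKOUT_THRESHOLD = 5            # assumed policy; a spray keeps every account below it

# Constructed sample log, "time,target_user,source_ip" (not real data)
SAMPLE_LOG = """\
2018-04-02T08:59:00,carol,10.0.0.22
2018-04-02T08:59:30,carol,10.0.0.22
2018-04-02T09:00:00,alice,10.0.0.5
2018-04-02T09:00:03,bob,10.0.0.5
2018-04-02T09:00:06,carol,10.0.0.5
2018-04-02T09:00:09,dave,10.0.0.5
2018-04-02T09:00:12,erin,10.0.0.5
2018-04-02T09:00:15,frank,10.0.0.5
2018-04-02T09:00:18,grace,10.0.0.5
2018-04-02T09:00:21,heidi,10.0.0.5
2018-04-02T09:05:00,bob,10.0.0.9
2018-04-02T09:05:01,bob,10.0.0.9
2018-04-02T09:05:02,bob,10.0.0.9
2018-04-02T09:05:03,bob,10.0.0.9
2018-04-02T09:05:04,bob,10.0.0.9
"""


def parse(log_text):
    """Turn the CSV-style lines into (timestamp, user, source) tuples."""
    records = []
    for line in log_text.strip().splitlines():
        ts, user, src = line.split(",")
        records.append((datetime.fromisoformat(ts), user.lower(), src))
    return records


def detect(records, window=WINDOW, min_users=MIN_DISTINCT_USERS,
           threshold=LOCKOUT_THRESHOLD):
    """Classify each source address.

    'spray': within one window the source failed against at least
             min_users distinct accounts while keeping every one of
             them under the lockout threshold (so no lockout fires).
    'brute_force': the source pushed a single account to the threshold.
    Sources matching neither are omitted."""
    by_src = defaultdict(list)
    for ts, user, src in records:
        by_src[src].append((ts, user))

    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        verdict = None
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window forward
                lo += 1
            per_user = Counter(user for _, user in events[lo:hi + 1])
            busiest = max(per_user.values())
            if len(per_user) >= min_users and busiest < threshold:
                verdict = "spray"
                break
            if busiest >= threshold:
                verdict = "brute_force"
        if verdict:
            verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in detect(parse(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

The point of the two rules is that they catch different things: 10.0.0.9 hammering one account trips the lockout and would be noticed by a lockout alert anyway, while 10.0.0.5 never produces a lockout and is only visible by counting distinct target accounts per source. Two failures from 10.0.0.22 are ordinary user error and stay unreported. One caveat: a spray distributed across many source addresses (a proxy pool or cloud hosts) defeats per-source grouping, so in production the same distinct-account count should also be run across all sources together.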