Password Spraying

Password spraying is a password-guessing attack where an attacker gathers a list of email addresses and tries common passwords such as SeasonYear or CompanyYear (e.g., Summer2023 or Weelee2023) against all of them, typically using an automated tool.

SprayCannon

There are many tools out there for password spraying, but SprayCannon is a good one to check out!

Here is a basic example, where we spray against Office365 using a user list and the password Weelee2023! with a roughly 20-second delay between authentication attempts:

Linux
spraycannon -s o365 -u users.txt -p Weelee2023! -j 2000

While password spraying is easy enough, many service providers, such as Microsoft, have built-in controls to try to stop password spraying attempts against their login portals. If Microsoft detects (due to specific parameters that aren't fully public) that you are password spraying, they will give you false positives and may even temporarily denylist your IP.

One of the parameters is likely the number of login attempts against N distinct accounts within M minutes from a single IP address.

In legitimate use, the number of logins from a single IP is relatively low. During a penetration test, you have to spray at a fast enough rate to get through the user list, but not so fast that you hit the account lockout threshold in the organization's password policy and lock its users out.

One way to combat IP restrictions is Fireprox.

Fireprox

Fireprox is a tool a Black Hills Information Security employee created that leverages the AWS API Gateway to create pass-through proxies that rotate the source IP address with every request sent to a specified URL.
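The heuristic described above (failed logins against many distinct accounts within a short window from one IP) and the reason Fireprox defeats it (the source IP changes on every request) can both be shown from the defender's side. The following is an added example written for this page; it is not code from SprayCannon, Fireprox, or Microsoft. The log format, the accounts, the IPs and the thresholds (5 distinct accounts in 10 minutes) are all constructed for illustration and are not Microsoft's undisclosed parameters. The detector counts distinct accounts with failed sign-ins in a sliding window, either per source IP or across all sources, and emits an alert each time a group crosses the threshold.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data).
# Format: "<ISO-8601 timestamp> <source IP> <account> <result>"
# First burst: one IP hits six accounts in 25 seconds (classic spray).
# Then a normal user mistypes once and signs in.
# Last burst: six accounts hit from six different IPs (rotated-IP spray).
SAMPLE_LOG = """\
2023-07-10T09:00:00Z 203.0.113.10 alice@example.test FAILURE
2023-07-10T09:00:05Z 203.0.113.10 bob@example.test FAILURE
2023-07-10T09:00:10Z 203.0.113.10 carol@example.test FAILURE
2023-07-10T09:00:15Z 203.0.113.10 dave@example.test FAILURE
2023-07-10T09:00:20Z 203.0.113.10 erin@example.test FAILURE
2023-07-10T09:00:25Z 203.0.113.10 frank@example.test FAILURE
2023-07-10T09:05:00Z 192.0.2.5 bob@example.test FAILURE
2023-07-10T09:05:30Z 192.0.2.5 bob@example.test SUCCESS
2023-07-10T09:20:00Z 198.51.100.1 gina@example.test FAILURE
2023-07-10T09:20:10Z 198.51.100.2 henry@example.test FAILURE
2023-07-10T09:20:20Z 198.51.100.3 ivan@example.test FAILURE
2023-07-10T09:20:30Z 198.51.100.4 judy@example.test FAILURE
2023-07-10T09:20:40Z 198.51.100.5 kyle@example.test FAILURE
2023-07-10T09:20:50Z 198.51.100.6 laura@example.test FAILURE
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        # Normalise the account name so Alice@ and alice@ count as one target.
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account.lower(), result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, key="ip"):
    """Sliding-window spray detector.

    Counts distinct accounts with FAILURE results inside `window`, grouped by
    source IP (key="ip") or across every source (key="all"). An alert is emitted
    each time a group's distinct-account count rises from below `min_accounts`
    to `min_accounts`. Returns a list of (group, window_start, trigger_ts, accounts).
    """
    state = defaultdict(lambda: {"q": deque(), "count": Counter(), "alerted": False})
    alerts = []
    for ts, ip, account, result in events:
        if result != "FAILURE":
            continue
        group = ip if key == "ip" else "all"
        s = state[group]
        s["q"].append((ts, account))
        s["count"][account] += 1
        # Evict events that have fallen out of the window and drop accounts
        # whose count reaches zero, so len(count) is the distinct-account count.
        while s["q"] and ts - s["q"][0][0] > window:
            _, old_account = s["q"].popleft()
            s["count"][old_account] -= 1
            if s["count"][old_account] == 0:
                del s["count"][old_account]
        distinct = len(s["count"])
        if distinct >= min_accounts and not s["alerted"]:
            s["alerted"] = True
            alerts.append((group, s["q"][0][0], ts, sorted(s["count"])))
        elif distinct < min_accounts:
            s["alerted"] = False
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("Per-IP detection:")
    for group, start, trigger, accounts in detect_spray(events, key="ip"):
        print(f"  {group}: {len(accounts)} accounts between {start} and {trigger}")
    print("IP-agnostic detection:")
    for group, start, trigger, accounts in detect_spray(events, key="all"):
        print(f"  {group}: {len(accounts)} accounts between {start} and {trigger}")
```

Run against the sample, the per-IP detector flags only 203.0.113.10 and is blind to the second burst, because each rotated IP touches a single account. Keying the same window on the whole tenant instead of the source IP catches both bursts, which is why a defender's spray detection should count distinct target accounts per window in addition to per-IP rate limits.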

Check out their demo below:
