CAPEC-565: Password Spraying

Description
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account before moving on to the next password in the list. This approach helps the adversary remain undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
Extended Description

Password Spraying attacks often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. Successful execution of Password Spraying attacks usually leads to lateral movement within the target, which allows the adversary to impersonate the victim or execute any action that the victim is authorized to perform. If the password chosen by the user is commonly used or easily guessed, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Password Spraying Attacks are similar to Dictionary-based Password Attacks (CAPEC-16) in that they both leverage precompiled lists (i.e. dictionaries) of username/password combinations to try against a system/application. The primary difference is that Password Spraying Attacks leverage a known list of user accounts and only try one password for each account before moving on to the next password. In contrast, Dictionary-based Password Attacks leverage unknown username/password combinations and are often executed offline against files containing hashed credentials, where inducing an account lockout is not a concern.

Password Spraying Attacks are also similar to Credential Stuffing attacks (CAPEC-600), since both utilize known user accounts and often attack the same targets. Credential Stuffing attacks, however, leverage known username/password combinations, whereas Password Spraying attacks have no insight into known username/password pairs. If a Password Spraying attack succeeds, it may additionally lead to Credential Stuffing attacks on different targets.
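
Detection logic for the pattern described above, as an added example that is not part of the CAPEC entry: it flags a source whose failed logins fan out across many accounts while staying shallow per account, which separates spraying from repeated guessing against a single account. The event tuple layout, the thresholds, the function name and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
# Addresses are from the RFC 5737 documentation ranges; usernames are made up.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_EVENTS = (
    # One failure per account from a single source: the spraying shape.
    [(f"2024-01-01T09:{i:02d}:00", "198.51.100.7", u, "FAIL")
     for i, u in enumerate(USERS)]
    # Many failures against one account: brute forcing, not spraying.
    + [(f"2024-01-01T09:00:{i:02d}", "203.0.113.9", "admin", "FAIL")
       for i in range(8)]
    # An ordinary user mistyping a password once, then logging in.
    + [("2024-01-01T09:05:00", "192.0.2.20", "alice", "FAIL"),
       ("2024-01-01T09:05:30", "192.0.2.20", "alice", "OK")]
)

def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Return {source: [accounts]} for sources whose failures, inside one
    sliding window, hit at least min_accounts distinct accounts with no
    account tried more than max_per_account times (hypothetical thresholds)."""
    failures = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            failures[src].append((datetime.fromisoformat(ts), user))

    findings = {}
    for src, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans no more than `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in rows[start:end + 1]:
                per_user[user] += 1
            wide = len(per_user) >= min_accounts
            shallow = max(per_user.values()) <= max_per_account
            # Keep the widest qualifying window seen for this source.
            if wide and shallow and len(per_user) > len(findings.get(src, [])):
                findings[src] = sorted(per_user)
    return findings

if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(accounts)} accounts {accounts}")
```

The window and `max_per_account` should be set relative to the lockout policy in force, since the attack as described stays just under the lockout threshold and resumes once the lockout counter has reset.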

Severity: High

Possibility: High

Type: Detailed
Prerequisites

  • The system/application uses one-factor, password-based authentication.
  • The system/application does not have a sound password policy that is being enforced.
  • The system/application does not implement an effective password throttling mechanism.
  • The adversary possesses a list of known user accounts on the target system/application.
Skills required

  • Low: A Password Spraying attack is very straightforward. A variety of password cracking tools are widely available.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

A machine with sufficient resources for the job (e.g. CPU, RAM, HD).

Applicable password lists.

A password cracking tool or a custom script that leverages the password list to launch the attack.

Visit http://capec.mitre.org/ for more details.