Password Spraying: Are You Vulnerable?

September 11, 2017 | Views: 17826


Most cyber security professionals know the traditional attacks on passwords (brute force, dictionary, keylogger, and so on). But for the most part, those of us outside the pen-testing community picture a password attack as taking one user ID and brute-forcing it with thousands of passwords. The problem with that method, from the attacker's point of view, is that it quickly locks out the account and almost certainly sets off alarms for the security team, alerting them to the attacker's presence on the network. The bad guys (and the pen-testing community as well) figured this out long ago, and they now have a new favorite attack on passwords: instead of brute-forcing one account, they execute what is called a password spray attack.
One scenario in which an organization is vulnerable to password spraying: an attacker (or pen tester), after enumerating a list of valid users from the domain controllers, uses knowledge of common password choices and tries ONE carefully crafted password against ALL of the known user accounts (one password, many accounts). If that password is not successful, they try again with a different carefully crafted password, usually waiting about 30 minutes or so between rounds so that no single account accumulates enough failures inside the lockout observation window to trip a time-based lockout threshold (30 minutes is the default "reset account lockout counter after" value on Windows domains, and a pen tester will typically read the real policy with `net accounts /domain` before starting). The password spray attack has quickly become a favorite technique of attackers and pen testers alike because it has proven very effective as they look to pivot and advance through a network after establishing a foothold inside.
As the old saying goes, "you are only as strong as your weakest link," and because people will always be the uncontrollable variable, continuing to use weak, easy-to-remember passwords, I would hazard a guess that most organizations are indeed vulnerable to a password spray attack.
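To make the contrast between the two attacks concrete, the following is an added example, not code from the original article. It simulates a Windows-style lockout policy (threshold, reset-counter window and lockout duration are assumed values), runs a single-account brute force that locks the account, runs a lockout-aware spray that waits out the window between rounds and so never locks anyone, and then applies a detection rule to the resulting authentication log that looks for the spray signature: many accounts, one failure each, in a short window. The account names, passwords and guess list are constructed sample data.

```python
"""Lockout-aware password spray versus single-account brute force, simulated
against a toy account store. Added example; all names and data are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int           # bad-password attempts before the account locks
    reset_after: float       # seconds after the last failure before the counter resets
    lockout_duration: float  # seconds the account stays locked


@dataclass
class Directory:
    """Minimal stand-in for a domain controller's account store (constructed)."""
    creds: dict              # user -> password
    policy: LockoutPolicy
    bad_count: dict = field(default_factory=lambda: defaultdict(int))
    last_bad: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (time, user, outcome)

    def authenticate(self, user, password, t):
        if t < self.locked_until.get(user, -1.0):
            self.log.append((t, user, "LOCKED"))
            return "locked"
        # Like "reset account lockout counter after": a quiet period clears the count.
        if user in self.last_bad and t - self.last_bad[user] >= self.policy.reset_after:
            self.bad_count[user] = 0
        if self.creds.get(user) == password:
            self.bad_count[user] = 0
            self.log.append((t, user, "SUCCESS"))
            return "success"
        self.bad_count[user] += 1
        self.last_bad[user] = t
        if self.bad_count[user] >= self.policy.threshold:
            self.locked_until[user] = t + self.policy.lockout_duration
            self.bad_count[user] = 0
            self.log.append((t, user, "LOCKOUT"))
            return "lockout"
        self.log.append((t, user, "FAILURE"))
        return "failure"


def brute_force(d, user, passwords, t=0.0):
    """Traditional attack: many passwords against one account; stops at lockout."""
    for pw in passwords:
        outcome = d.authenticate(user, pw, t)
        t += 1.0
        if outcome == "success":
            return pw, t
        if outcome == "lockout":
            return None, t
    return None, t


def spray(d, users, passwords, t=0.0):
    """One password against every account per round, then wait out the reset
    window so no account ever accumulates a second failure on the counter."""
    found = {}
    for pw in passwords:
        for u in users:
            if u in found:
                continue
            if d.authenticate(u, pw, t) == "success":
                found[u] = pw
            t += 1.0
        t += d.policy.reset_after   # the "30 minutes or so" between rounds
    return found, t


def detect_spray(log, window, min_accounts):
    """Alert on any window where failures touch >= min_accounts distinct accounts
    with exactly one failure apiece: the spray signature a brute force lacks."""
    fails = [(t, u) for t, u, o in log if o in ("FAILURE", "LOCKOUT")]
    alerts = []
    for i, (t0, _) in enumerate(fails):
        per_user = defaultdict(int)
        for t, u in fails[i:]:
            if t - t0 > window:
                break
            per_user[u] += 1
        if len(per_user) >= min_accounts and max(per_user.values()) == 1:
            alerts.append((t0, len(per_user)))
    return alerts


# Constructed sample data; not real accounts, passwords or a real policy.
SAMPLE_CREDS = {"alice": "Winter2017!", "bob": "Summer2017",
                "carol": "P@ssw0rd", "dave": "Xq7#tL9vRz!2"}
POLICY = LockoutPolicy(threshold=5, reset_after=1800, lockout_duration=1800)
GUESSES = ["Password1", "Summer2017", "Winter2017!", "P@ssw0rd", "Autumn2017", "Welcome1"]


def demo():
    bf = Directory(dict(SAMPLE_CREDS), POLICY)
    bf_hit, _ = brute_force(bf, "dave", GUESSES)          # locks dave, finds nothing
    sp = Directory(dict(SAMPLE_CREDS), POLICY)
    found, _ = spray(sp, list(SAMPLE_CREDS), GUESSES)     # three hits, no lockouts
    return {"brute_force_hit": bf_hit,
            "brute_force_locked": "dave" in bf.locked_until,
            "spray_found": found,
            "spray_locked": sorted(sp.locked_until),
            "spray_alerts": detect_spray(sp.log, window=600, min_accounts=3),
            "brute_force_alerts": detect_spray(bf.log, window=600, min_accounts=3)}
```

Running `demo()` shows the point of the article in numbers: the brute force locks the one account after five guesses without a single hit, while the spray recovers three of four passwords with no lockouts at all, because every account sees at most one failure per reset window. It also shows why lockout alone is not the detection: the spray never trips the threshold, so the signal has to come from correlating failures across accounts (the `detect_spray` rule), not from counting failures per account.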
  1. Back to the old days of banking account hacks. This technique was useful when attacking online banks in the past: you chose a 4-digit PIN code and brute-forced the account number. With the number of accounts, you had a good chance of finding one account with that PIN.
    Good article, you won your cybytes :p

  2. Well said. Thank you for your article.
