Password Guessing and Spray Attacks
Password Guessing and Spray Attacks are critical topics in the GCIH certification, falling under the broader category of password attacks and exploitation frameworks.

**Password Guessing** involves an attacker systematically attempting to authenticate to a system using commonly used passwords, default credentials, or passwords derived from reconnaissance about the target. Attackers may use wordlists, dictionaries, or customized password lists based on information gathered about the organization or individual. Tools like Hydra, Medusa, and Burp Suite are commonly used for automated password guessing against services such as SSH, RDP, HTTP, FTP, and SMB. Traditional brute-force attacks try multiple passwords against a single account, which often triggers account lockout mechanisms. This is where **Password Spray Attacks** become strategically valuable.

**Password Spray Attacks** take a different approach by attempting a single commonly used password (e.g., 'Spring2024!' or 'Company123') against many accounts simultaneously before moving to the next password. This technique deliberately stays below account lockout thresholds by spacing attempts across time and targeting a wide range of usernames. It is particularly effective against organizations using Active Directory, cloud services like Office 365, and federated authentication systems. Password spraying exploits the statistical likelihood that at least one user in a large organization uses a weak or predictable password. Attackers often leverage enumerated username lists obtained through OSINT, LinkedIn scraping, or directory harvesting.
**Detection and Mitigation:**
- Monitor for distributed failed login attempts across multiple accounts from single or few source IPs
- Implement multi-factor authentication (MFA)
- Enforce strong password policies prohibiting common patterns
- Use smart lockout policies and conditional access rules
- Deploy tools like Azure AD Smart Lockout or SIEM correlation rules
- Regularly audit for compromised credentials using breach databases

Understanding these techniques enables incident handlers to recognize attack patterns, respond effectively, and implement preventive controls to protect organizational assets.
Password Guessing and Spray Attacks: A Comprehensive Guide for GIAC GCIH
Why Password Guessing and Spray Attacks Matter
Password guessing and spray attacks remain among the most common and effective techniques used by adversaries to gain initial access to systems, networks, and applications. Understanding these attacks is critical for incident handlers because they represent a significant portion of real-world breaches. For the GIAC GCIH certification, this topic falls under the broader domain of Password Attacks and Exploitation Frameworks, and questions frequently test your ability to distinguish between attack types, recognize indicators of compromise (IOCs), and recommend appropriate countermeasures.
What Are Password Guessing and Spray Attacks?
Password guessing and spray attacks are both forms of online password attacks, meaning they attempt authentication against live services. However, they differ significantly in their approach and stealth.
1. Password Guessing (Brute Force)
Password guessing, often referred to as traditional brute force, involves an attacker trying many passwords against a single account (or a small number of accounts). The attacker typically uses wordlists, dictionaries, or algorithmically generated password combinations to repeatedly attempt login on one target account until the correct password is found or the account is locked out.
Key characteristics:
- Many passwords tried against one (or few) accounts
- High volume of failed login attempts per account
- Likely to trigger account lockout policies
- Easier to detect due to concentrated activity on individual accounts
- Tools: Hydra, Medusa, Ncrack, Burp Suite Intruder
2. Password Spraying
Password spraying is a more sophisticated variation that inverts the traditional brute force approach. Instead of trying many passwords against one account, the attacker tries one (or a very small number of) commonly used passwords against many accounts simultaneously. After cycling through all target accounts with one password, the attacker waits and then tries the next password.
Key characteristics:
- One or few passwords tried against many accounts
- Low volume of failed login attempts per account
- Designed to evade account lockout thresholds
- Harder to detect with traditional per-account monitoring
- Exploits the statistical likelihood that at least some users have weak or common passwords
- Tools: Spray, Ruler, MailSniper, CrackMapExec, SprayingToolkit
How These Attacks Work
Password Guessing – Step by Step:
1. Reconnaissance: The attacker identifies valid usernames through OSINT, email harvesting, LDAP enumeration, or error messages that reveal valid accounts.
2. Target Selection: A specific account (often an admin or high-privilege account) is selected.
3. Wordlist Preparation: The attacker prepares a wordlist of potential passwords, often customized based on the organization's password policy, industry, or publicly leaked credentials.
4. Attack Execution: Using tools like Hydra or Medusa, the attacker automates login attempts against the target service (SSH, RDP, HTTP, SMB, etc.).
5. Result: If the password is found, the attacker gains access. If the account locks out, the attack may be detected.
Password Spraying – Step by Step:
1. Reconnaissance: The attacker gathers a large list of valid usernames (e.g., through email enumeration, LinkedIn scraping, or Azure AD enumeration).
2. Password Selection: The attacker selects one or two highly common passwords (e.g., "Spring2024!", "Company123!", "Welcome1!", "Password1"). These are chosen to meet typical complexity requirements.
3. Attack Execution: The attacker attempts to authenticate with the chosen password against every username in the list. This is done slowly and deliberately.
4. Timing and Evasion: The attacker waits between rounds (often 30-60 minutes or more) to stay below lockout thresholds (e.g., if lockout is set at 5 attempts in 30 minutes, the attacker only tries once per account per round).
5. Result: Even a small success rate (1-2%) across thousands of accounts can yield multiple compromised credentials.
Common Targets for Spray Attacks:
- Microsoft 365 / Azure AD (extremely common target)
- VPN portals
- Citrix gateways
- OWA (Outlook Web Access)
- Single Sign-On (SSO) portals
- Any externally facing authentication endpoint
Detection Strategies
Detecting Password Guessing:
- Monitor for multiple failed login attempts from a single source IP to a single account
- Account lockout alerts
- Windows Event IDs: 4625 (failed logon), 4740 (account lockout)
- Rate-based alerting in SIEM
Detecting Password Spraying:
- Monitor for a single source IP (or distributed IPs) generating failed logins across many different accounts in a short time window
- Look for patterns where many accounts experience exactly one failed login within the same time frame
- Azure AD Sign-In logs and Conditional Access policies can help
- Windows Event ID 4625 with Logon Type 3 (Network) across many accounts
- Correlate authentication logs across multiple services
- Anomaly-based detection (e.g., unusual login times, geolocations)
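The two indicator patterns listed above (many failures against one account versus one or two failures across many accounts in the same window) can be turned into a small triage script. The following is an added example written for this guide, not code from it: it reads a constructed, simplified CSV rendering of Windows Security events (Event ID 4625, logon type 3), buckets failures into fixed 30-minute windows, and reports brute force per (window, source IP) and spraying both per source and across all sources, so a spray distributed over many IPs still surfaces. The record layout, the sample data and every threshold are assumptions.

```python
"""Separate brute-force guessing from password spraying in failed-logon data.

Added example for this guide, not code from it. It reads constructed,
simplified Windows Security records (Event ID 4625 = failed logon, logon
type 3 = network) and applies the indicators described in the guide:
  - brute force: many failures against one account from one source
  - spraying:    many accounts with only one or two failures each in a
                 window, from one source or spread across many sources
The record layout and every threshold below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,event_id,account,source_ip,logon_type
SAMPLE_LOG = """\
2024-03-04T09:00:01,4625,alice,203.0.113.7,3
2024-03-04T09:00:09,4625,bob,203.0.113.7,3
2024-03-04T09:00:17,4625,carol,203.0.113.7,3
2024-03-04T09:00:25,4625,erin,203.0.113.7,3
2024-03-04T09:00:33,4625,frank,203.0.113.7,3
2024-03-04T09:00:41,4625,grace,203.0.113.7,3
2024-03-04T09:00:49,4625,heidi,203.0.113.7,3
2024-03-04T09:00:57,4625,ivan,203.0.113.7,3
2024-03-04T09:01:05,4625,judy,203.0.113.7,3
2024-03-04T09:01:13,4625,mallory,203.0.113.7,3
2024-03-04T09:05:00,4625,administrator,198.51.100.20,3
2024-03-04T09:05:01,4625,administrator,198.51.100.20,3
2024-03-04T09:05:02,4625,administrator,198.51.100.20,3
2024-03-04T09:05:03,4625,administrator,198.51.100.20,3
2024-03-04T09:05:04,4625,administrator,198.51.100.20,3
2024-03-04T09:05:05,4625,administrator,198.51.100.20,3
2024-03-04T09:05:06,4625,administrator,198.51.100.20,3
2024-03-04T09:05:07,4625,administrator,198.51.100.20,3
2024-03-04T09:12:30,4625,dave,192.0.2.15,3
2024-03-04T09:12:41,4625,dave,192.0.2.15,3
2024-03-04T09:12:55,4624,dave,192.0.2.15,3
"""


def parse_events(text):
    """Parse the simplified records, keeping only failed logons (4625)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, ip, logon_type = line.split(",")
        if event_id != "4625":
            continue  # a successful logon (4624) is not a failure
        events.append({"time": datetime.fromisoformat(ts), "account": account.lower(),
                       "ip": ip, "logon_type": int(logon_type)})
    return events


def window_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1)
    return epoch + int((ts - epoch) / window) * window


def analyze(events, window=timedelta(minutes=30), spray_min_accounts=8,
            spray_max_per_account=2, brute_min_failures=8,
            distributed_min_sources=5):
    """Return findings per (window, source) and per window across all sources.

    Thresholds are assumptions: set spray_max_per_account at or below the
    lockout policy's attempt count, since a sprayer deliberately stays under it.
    """
    # (window_start, source_ip) -> account -> failure count. The pseudo-source
    # "*" aggregates every source so a spray spread over many IPs still shows.
    counts = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(set)
    for e in events:
        start = window_start(e["time"], window)
        counts[(start, e["ip"])][e["account"]] += 1
        counts[(start, "*")][e["account"]] += 1
        sources[start].add(e["ip"])

    findings = []
    for (start, ip), per_account in sorted(counts.items()):
        if ip != "*":
            # Brute force: one account hammered from one source.
            for account, n in per_account.items():
                if n >= brute_min_failures:
                    findings.append({"type": "brute_force", "window": start,
                                     "source": ip, "account": account, "failures": n})
        # Spray: many distinct accounts, each failing only once or twice.
        low = [a for a, n in per_account.items() if n <= spray_max_per_account]
        if len(low) < spray_min_accounts:
            continue
        if ip != "*":
            findings.append({"type": "password_spray", "window": start, "source": ip,
                             "accounts": len(low), "failures": sum(per_account.values())})
        elif len(sources[start]) >= distributed_min_sources:
            findings.append({"type": "password_spray", "window": start,
                             "source": "distributed", "accounts": len(low),
                             "sources": len(sources[start])})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample the script reports one brute-force finding (eight failures against `administrator` from one IP) and one spray finding (ten accounts, one failure each, from a second IP), while the two mistyped logons from a third IP stay quiet. The fixed-window bucketing is the simplest form of the "same time frame" correlation described above; a SIEM rule would normally use a sliding window and add the per-account history needed for the slow, hourly rounds the spraying steps describe.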
Prevention and Mitigation
- Multi-Factor Authentication (MFA): The single most effective countermeasure against both attack types
- Account Lockout Policies: Effective against brute force but less effective against spraying (since spraying is designed to stay under the threshold)
- Smart Lockout (Azure AD): Uses heuristics to distinguish legitimate vs. malicious login attempts
- Strong Password Policies: Enforce length over complexity; ban commonly used passwords
- Banned Password Lists: Block known-compromised and commonly used passwords
- CAPTCHA / Rate Limiting: Slow down automated attacks
- Monitoring and Alerting: SIEM rules to detect distributed failed login patterns
- Conditional Access Policies: Block logins from untrusted locations, require compliant devices
- Reducing Attack Surface: Minimize externally facing authentication portals; use VPNs or Zero Trust architectures
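The "length over complexity" and banned-list items above are worth seeing as code, because the passwords the spraying steps list ("Spring2024!", "Company123!", "Welcome1!") all satisfy a classic complexity rule yet are exactly what a sprayer tries. The following is an added example written for this guide, not the guide's code and not any vendor's algorithm (Azure AD's banned-password feature applies similar normalization, but this is a simplified stand-in): it strips the trailing year or digits users append, undoes common character substitutions, and rejects any password whose normalized form contains a banned base word. The banned list, the substitution table and the 12-character minimum are assumptions.

```python
"""Reject weak passwords that still satisfy complexity rules.

Added example, not the guide's code and not any vendor's algorithm. The
banned list, substitution table and minimum length are assumptions for
illustration; a real deployment would add the organization's own name,
product names and breach-derived lists.
"""
import re

# Constructed banned base words: common words, seasons, and a "company" stand-in.
BANNED_BASE_WORDS = (
    "password", "welcome", "letmein", "qwerty", "admin", "company",
    "spring", "summer", "autumn", "fall", "winter",
)

# Undo the character substitutions users make to satisfy complexity rules.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                               "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password):
    """Lower-case, drop the trailing digits/symbols users append ("2024!",
    "123"), then undo leet-style substitutions in the remaining word."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(SUBSTITUTIONS)


def check_password(password, min_length=12):
    """Return the reasons a password is rejected; an empty list means accepted.

    Length is checked first (the "length over complexity" advice). The banned
    check is a substring match on the normalized form, so it is deliberately
    strict: "Springfield2024!" is rejected along with "Spring2024!".
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    base = normalize(password)
    for word in BANNED_BASE_WORDS:
        if word in base:
            reasons.append(f"contains banned base word '{word}'")
            break
    return reasons


if __name__ == "__main__":
    for candidate in ("Spring2024!", "Company123!", "P@ssw0rd2023", "Welcome1!",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Run stand-alone, the script rejects every sprayable candidate and accepts the long passphrase. The substring match errs on the side of rejecting, which is the right trade-off for a banned list: the cost of a false rejection is a user picking another password, while the cost of a miss is a credential a spray will eventually find.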
Key Differences Summary Table
| | Password Guessing (Brute Force) | Password Spraying |
|---|---|---|
| Direction | Many passwords → one account | One password → many accounts |
| Noise | High | Low |
| Lockouts | Triggers lockouts | Evades lockouts |
| Detection | Easier to detect | Harder to detect |
Exam Tips: Answering Questions on Password Guessing and Spray Attacks
1. Know the distinction: The most commonly tested concept is the difference between traditional brute force (many passwords against one account) and password spraying (one password against many accounts). If a question describes an attacker trying a single common password across hundreds of accounts, the answer is password spraying.
2. Understand evasion of lockout policies: Spray attacks are specifically designed to stay under account lockout thresholds. If a question asks why an attacker uses spraying instead of brute force, the answer relates to avoiding lockout detection.
3. MFA is the top countermeasure: When a question asks for the best defense against password spraying, MFA is almost always the correct answer. Account lockout alone is insufficient because spraying stays under the threshold.
4. Know the tools: Be familiar with common tools associated with each attack type. Hydra, Medusa, and Ncrack are associated with brute force guessing. CrackMapExec, Spray, and Ruler are associated with password spraying. The exam may describe tool behavior and ask you to identify the attack type.
5. Recognize log indicators: Questions may present log snippets. If you see many 4625 events (failed logons) against one account from one IP, think brute force. If you see 4625 events spread across many accounts with only one or two failures per account, think spraying.
6. Differentiate from offline attacks: Remember that guessing and spraying are online attacks (against live services). They are different from offline attacks like cracking password hashes with John the Ripper or Hashcat. The exam may test this distinction.
7. Understand the attacker's prerequisites: Both attacks benefit from having a valid list of usernames. Spraying especially requires a large list of valid accounts. Questions about what makes spraying more effective often relate to the quality and size of the username list.
8. Pay attention to timing: If a question mentions an attacker waiting 30-60 minutes between attempts, this is a telltale sign of password spraying designed to evade time-based lockout windows.
9. Cloud environments: Be aware that password spraying is especially prevalent against cloud services like Microsoft 365 and Azure AD. The exam may reference cloud-specific detection mechanisms like Azure AD Smart Lockout or Conditional Access.
10. Scenario-based questions: Read carefully. The GCIH exam often presents realistic scenarios. Focus on identifying the attack pattern described (distributed failures across accounts = spray; concentrated failures on one account = brute force) before selecting your answer.
By mastering the mechanics, detection methods, and countermeasures for password guessing and spray attacks, you will be well-prepared to handle related questions on the GCIH exam and in real-world incident handling scenarios.