Password spraying is a technique attackers use to guess account passwords by trying a small number of highly common passwords against a large number of accounts while staying below the organization's defined lockout threshold. This allows an attacker to compromise accounts without any elevated privileges while masking themselves from detection by blending in with "normal" authentication activity.
This article demonstrates the password spraying attack against Microsoft Exchange accounts.
MS Exchange Password Spraying
The tool I will use, PyExchangePasswordSpray, is available from the GitHub repository URL given in the steps below.
Before starting the attack, we need first a list of possible usernames and passwords.
Building a list of possible usernames
We can do OSINT to find a list of email addresses. One way is to explore the company's LinkedIn profile and build a list based on employees' first and last names, e.g.:
Service accounts can also be taken into consideration; you may build your own list, for example:
bkb, sql_svc, backup, temp, helpdesk, crm, test…etc
Building a list of possible passwords
Building the password list is an important part and needs to be done carefully for a higher chance of success:
- Use common passwords that satisfy the password complexity policy.
- Include the company name in candidate passwords.
Executing the attack
- Download or clone the PyExchangePasswordSpray tool
git clone https://github.com/iomoath/PyExchangePasswordSpray
- Install tool dependent libraries:
pip3 install -r requirements.txt
- Put your username & password lists into text files.
Example Exchange AUTH URLs:
https://webmail.example.org/mapi/
https://webmail.example.org/EWS/Exchange.asmx
https://mail.example.org/autodiscover/autodiscover.xml
$ python3 exchange_password_spray.py -U userlist.txt -P password.txt --url https://webmail.example.org/EWS/Exchange.asmx --delay 62 -T 1 -ua "Microsoft Office/16.0 (Windows NT 10.0; MAPI 16.0.9001; Pro)" -O result.txt -v
The command above uses one thread and 62 minutes of delay between each password spraying attempt.
A few things to take into consideration:
- It’s important to obtain explicit permissions from the company before executing the attack.
- Obtain the password lockout policy if the assessment conditions allow it, e.g. in a white-box or grey-box assessment.
- The delay between each password spray attempt should be configured wisely. It’s recommended to use a high delay to avoid account lockouts.
- Use ONE thread unless you know what you're doing; otherwise, accounts may be locked out.
To increase the likelihood of detecting password spray attacks, implement use cases in the company's Security Information and Event Management (SIEM) or similar solution for the following circumstances:
- A large number of failed authentication attempts against accounts that do not exist.
- A large number of failed authentication attempts from a single IP address.
- A high number of account lockouts over a defined period of time.
Mitigations that reduce exposure to password spraying:
- Enforce complex passwords as well as a strong password reset policy.
- Implement multi-factor authentication (MFA) on all external access systems, including VPN accounts.
- Limiting access to external services from specific countries can reduce password attacks.
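The three SIEM use cases above, implemented as an added example that is not part of the original post or the tool it describes: a small detector that runs over constructed authentication log lines and flags source IPs failing against many distinct accounts in a short window, failures against unknown accounts, lockouts, and any successful logon from a spraying source. The log format, the known-account list and the thresholds are assumptions.

```python
# Added example: password-spray detection over constructed auth log lines.
# Log format "<ISO time> <src_ip> <account> <result>", account list and
# thresholds are assumptions, not taken from any real Exchange log format.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays six accounts, one source
# hammers a single account until it locks out.
SAMPLE_LOG = """\
2024-01-10T08:00:01 203.0.113.7 alice FAIL
2024-01-10T08:01:03 203.0.113.7 bob FAIL
2024-01-10T08:02:05 203.0.113.7 carol FAIL
2024-01-10T08:03:07 203.0.113.7 sql_svc FAIL
2024-01-10T08:04:09 203.0.113.7 backup FAIL
2024-01-10T08:05:11 203.0.113.7 helpdesk FAIL
2024-01-10T08:06:13 203.0.113.7 dave SUCCESS
2024-01-10T08:00:30 198.51.100.9 alice FAIL
2024-01-10T08:00:45 198.51.100.9 alice FAIL
2024-01-10T08:01:00 198.51.100.9 alice LOCKOUT
"""
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "helpdesk"}  # assumed directory

def parse_log(text):
    """Parse lines into (timestamp, src_ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag IPs failing against >= min_accounts distinct accounts within a
    sliding window; also count unknown-account failures and lockouts, and
    report successful logons from spraying IPs (likely compromised accounts)."""
    fails, succ, unknown = defaultdict(list), defaultdict(set), defaultdict(int)
    lockouts = 0
    for ts, ip, account, result in sorted(events):
        if result == "LOCKOUT":
            lockouts += 1
        elif result == "SUCCESS":
            succ[ip].add(account)
        elif result == "FAIL":
            fails[ip].append((ts, account))
            if account not in KNOWN_ACCOUNTS:
                unknown[ip] += 1
    spraying = {}
    for ip, attempts in fails.items():  # attempts are time-ordered
        for i, (start, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                spraying[ip] = len(accounts)
                break
    return {"spraying_ips": spraying, "unknown_account_fails": dict(unknown),
            "lockouts": lockouts,
            "compromised": {ip: sorted(succ[ip]) for ip in spraying}}
```

In a real deployment the same logic would be fed from Exchange or AD authentication events and tuned so the window and account threshold sit just below what the lockout policy would already catch.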