
Password Spraying (Don't get sprayed)


dips
  • Veeam Legend
  • 808 comments

Almost the end of the weekend; no better time than to discuss Password Spraying attacks. So what is it?

Well, as the name implies, it is a type of cyberattack where an attacker tries commonly used passwords against many different accounts rather than targeting an individual account too many times. This helps the attacker stay under the radar as well as avoiding triggering account lockouts.

The passwords can come from publicly available 'wordlists' or public credential dumps of compromised sites, or they can be targeted at the environment using specific keywords.

Additionally, to minimise attempts and detection, a list of usernames will be targeted and an attempt made to authenticate to each one using just a single password. If an organisation reuses passwords or has weak passwords in use, this can be a really effective method to break into an account and gain the privileges of the user. This access can then be used to move laterally across the environment or to perform Kerberoasting attacks.

Multi-factor authentication (MFA) can protect against this attack up to a point. There have been instances of MFA fatigue where the user accidentally approves an MFA request. This can be prevented by forcing the user to enter a number, for example, before the request can be approved.

However, if initial access has already been gained and NTLM is enabled in the environment, NTLM does not support MFA, so the malicious actor can attempt to authenticate as any user object in the domain. NTLM should be disabled in the environment as it is inherently insecure.

Mitigating against Password Spraying

- Consider using LAPS for Windows - https://learn.microsoft.com/en-au/windows-server/identity/laps/laps-overview
- Configure the built-in ‘Administrator’ domain account as sensitive to ensure it cannot be delegated
- Passwords for local administrator accounts, service accounts, and break glass accounts should be at least 30 characters and unique.
- Disable NTLM
- Run vulnerability scans against the network to identify if any credentials are stored in plain text, and if they are easily cracked.
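A defender-side check for the pattern described above, written here as an added example (not from the original post): it parses constructed logon-failure records in an assumed key=value layout and flags a source that fails against many distinct accounts inside a short window while touching each account only once or twice, which is the low-and-slow profile that keeps a spray under the lockout threshold.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed 4625 (logon failure) records in an assumed key=value layout; 0xC000006A = bad password.
SAMPLE_LOG = """\
2024-10-20T22:01:03 EventID=4625 TargetUser=alice SourceIP=203.0.113.7 Status=0xC000006A
2024-10-20T22:01:09 EventID=4625 TargetUser=bob SourceIP=203.0.113.7 Status=0xC000006A
2024-10-20T22:01:15 EventID=4625 TargetUser=carol SourceIP=203.0.113.7 Status=0xC000006A
2024-10-20T22:01:21 EventID=4625 TargetUser=dave SourceIP=203.0.113.7 Status=0xC000006A
2024-10-20T22:01:27 EventID=4625 TargetUser=erin SourceIP=203.0.113.7 Status=0xC000006A
2024-10-20T22:03:00 EventID=4625 TargetUser=admin SourceIP=198.51.100.9 Status=0xC000006A
2024-10-20T22:03:05 EventID=4625 TargetUser=admin SourceIP=198.51.100.9 Status=0xC000006A
2024-10-20T22:03:10 EventID=4625 TargetUser=admin SourceIP=198.51.100.9 Status=0xC000006A
2024-10-20T22:10:00 EventID=4625 TargetUser=grace SourceIP=10.0.0.5 Status=0xC000006A
2024-10-20T22:10:04 EventID=4624 TargetUser=grace SourceIP=10.0.0.5 Status=0x0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUser=(?P<user>\S+) "
                     r"SourceIP=(?P<src>\S+) Status=\S+$")

def parse_failures(text):
    """Yield only 4625 (failure) records; successes such as 4624 are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("eid") == "4625":
            yield {"ts": datetime.fromisoformat(m.group("ts")),
                   "user": m.group("user").lower(), "src": m.group("src")}

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag a source that, inside one sliding window, fails against >= min_accounts
    distinct users while trying none more than max_per_account times. Hammering a
    single account is a different pattern (lockout policy catches it) and is not reported."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            per_user = Counter(e["user"] for e in evs[lo:hi + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts.setdefault(src, set()).update(per_user)
    return alerts
if __name__ == "__main__":
    for src, users in detect_spray(list(parse_failures(SAMPLE_LOG))).items():
        print(f"possible password spray from {src}: {len(users)} accounts {sorted(users)}")
```

Only 203.0.113.7 is reported: it sweeps five accounts once each, whereas 198.51.100.9 repeatedly hits a single account and 10.0.0.5 is one failed attempt followed by a success.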
 

13 comments

lukas.k
  • Veeam Vanguard
  • 198 comments
  • October 20, 2024

Thank you once again for the insights!

Do you recommend a certain interval to change PWs for service accounts, break glass accounts and / or local accounts?

Would every 6 months work with 30 characters?


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8485 comments
  • October 20, 2024

Some great feedback here.  We change our passwords every 90 days at work and complex.


lukas.k
  • Veeam Vanguard
  • 198 comments
  • October 20, 2024
Chris.Childerhose wrote:

Some great feedback here.  We change our passwords every 90 days at work and complex.

Do you do that manually or by using tools? In case yes - which tools?


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8485 comments
  • October 20, 2024
lukas.k wrote:
Chris.Childerhose wrote:

Some great feedback here.  We change our passwords every 90 days at work and complex.

Do you do that manually or by using tools? In case yes - which tools?

Manual no tools unless someone wants to use a password generator.


coolsport00
  • Veeam Legend
  • 4133 comments
  • October 20, 2024

Thanks for the info Dipen! 


Iams3le
  • Veeam Legend
  • 1392 comments
  • October 20, 2024
lukas.k wrote:
Chris.Childerhose wrote:

Some great feedback here.  We change our passwords every 90 days at work and complex.

Do you do that manually or by using tools? In case yes - which tools?

In the context of this piece, GPO is what you need to automate/force password changes.


RonV
  • Comes here often
  • 40 comments
  • October 21, 2024
lukas.k wrote:
Chris.Childerhose wrote:

Some great feedback here.  We change our passwords every 90 days at work and complex.

Do you do that manually or by using tools? In case yes - which tools?

Not OP but we use CyberArk to auto rotate admin credentials every 30 days. There's a minimum number of these types of credentials. We have 'special' credentials that can be checked out and checked in as appropriate if someone needs elevated rights for changes, problem solving, etc. You can force users to connect through CyberArk, which will then record the session so one can verify afterwards what was done.


dloseke
  • Veeam Vanguard
  • 1447 comments
  • October 21, 2024
dips wrote:

Multi-factor authentication (MFA) can prevent against this attack up to a point. There have been instances of MFA fatigue where the user accidentally approves a MFA request. This can be prevented by forcing the user to enter a number, for example before the request can be approved.

 

Number matching is probably one of the greatest advances in MFA. That said, I like that MS makes you enter the number, whereas Google gives you an option of 3 choices so you have a 33% chance of getting the right one by randomly guessing. Not a fan of that one.


dloseke
  • Veeam Vanguard
  • 1447 comments
  • October 21, 2024
lukas.k wrote:
Chris.Childerhose wrote:

Some great feedback here.  We change our passwords every 90 days at work and complex.

Do you do that manually or by using tools? In case yes - which tools?

 

We're rolling out Specops Password Policy as a management tool for a client to manage end users' passwords. We were pretty impressed with the demo and have heard good things.

https://specopssoft.com/product/specops-password-policy/


dips
  • Author
  • Veeam Legend
  • 808 comments
  • October 27, 2024
lukas.k wrote:

Thank you once again for the insights!

Do you recommend a certain interval to change PWs for service accounts, break glass accounts and / or local accounts?

Would every 6 months work with 30 characters?

For normal user accounts, it depends on how much friction you get back from your user base. 6 months is reasonable. There is also the push towards passwordless logins as well, but that is a topic for another day.

For service accounts and break glass accounts: use gMSA for service accounts. If it's not possible, use a unique long password and monitor their usage.


dips
  • Author
  • Veeam Legend
  • 808 comments
  • October 27, 2024
coolsport00 wrote:

Thanks for the info Dipen! 

Welcome Shane :)


dips
  • Author
  • Veeam Legend
  • 808 comments
  • October 27, 2024
dloseke wrote:
dips wrote:

Multi-factor authentication (MFA) can prevent against this attack up to a point. There have been instances of MFA fatigue where the user accidentally approves a MFA request. This can be prevented by forcing the user to enter a number, for example before the request can be approved.

 

Number matching is probably one of the greatest advances in MFA. That said, I like that MS makes you enter the number, whereas Google gives you an option of 3 choices so you have a 33% chance of getting the right one by randomly guessing. Not a fan of that one.

Likewise, it tends to lead to MFA fatigue where end users will just keep trying to dismiss the prompt and accidentally approve it without realising it.


dips
  • Author
  • Veeam Legend
  • 808 comments
  • October 27, 2024
dloseke wrote:
lukas.k wrote:
Chris.Childerhose wrote:

Some great feedback here.  We change our passwords every 90 days at work and complex.

Do you do that manually or by using tools? In case yes - which tools?

 

We're rolling out Specops Password Policy as a management tool for a client to manage end users' passwords. We were pretty impressed with the demo and have heard good things.

https://specopssoft.com/product/specops-password-policy/

Agree, that is a great tool to help manage passwords in the environment. They also have a free tool which is very useful:

https://specopssoft.com/product/specops-password-auditor/

