
Password Sprays: Still a Concern?

BSides Greenville · 2020 · 38:48 · Published 2020-06
Speaker: Michael Berardi (Avertium)
Style: Talk
About this talk
Michael Berardi from @Avertium comes to @BSidesGVL to discuss whether password spraying attacks are still a concern for organizations, as defensive tactics have improved over the last few years. www.bsidesgreenville.org @BSidesGVL
Transcript [en]

So my name is Mike Berardi. I'm coming to you all the way from Scottsdale, Arizona, where it's gonna be a hundred and five degrees today. I would have loved to have been in Greenville, but big thanks to BSides for putting together this virtual conference to allow me to refine myself as a speaker and provide some information on a practical topic such as a password spray to anyone who is attending. I'm new to the realm of virtual, versus physical, conferences, but I've done a lot of presentations in the past to clients in regards to penetration test reports. My goal today is to provide some clear and concise information to everyone, to be able to digest it, ranging

from, say, a student all the way up to management. It could be a bit of a review for red teamers or pen testers, where password sprays are typically a normal tool in the toolbox, but they might be able to get a couple of takeaways in regards to specific tools that I use or specific angles of approach that I would utilize. Overall, a password spray is a good tool for testers or attackers to get an initial foothold in an environment, which could range from obtaining the password of a low-privilege-level user to, in some cases, a privileged user. But a couple quick things about myself; go ahead and hit the next slide. I'm a pen tester with Avertium.

I work out of the Phoenix, Arizona office. We do have offices in Knoxville, Tennessee as well, and we have employees spread across the whole country. Before I became a pen tester I had a lot of admin and engineer experience in a security-focused role, working in both traditional and cloud-related infrastructure. I have sales management experience, nothing too high up the ladder, but it is safe enough to mention. Um, second bio, a little bit out of the norm: I used to be a professional MMA fighter, professional musician, bodyguard, security guard, chauffeur, all at separate times; owned two small businesses; and I love to play poker. Now I just... [Moderator] Mike, just a second. We can see

you, but we can't see your slides, so you might want to share your slideshow, share your screen that way. [Berardi] Let me try a different... apologies. [Moderator] No worries.

[Berardi] Let me try the application-specific share. You guys see PowerPoint right now? [Moderator] No sir, we still just see your smiling face. [Berardi] Okay, how about now? [Moderator] Oh yeah. [Berardi] And can you still see it? [Moderator] It is presenter view now, so it's not the full slide. [Berardi] Switch... how about now? [Moderator] Perfect. [Berardi] All right, I apologize for the couple of hiccups there; rookie presenter, a lot of client presentations. I appreciate your patience with me. But in short, I've had these positions in the past, and they typically say two things about me: one is I love security in all shapes and forms, and two, these specific positions have allowed me to perform better in my penetration tests in regards to social engineering. So it is a little bit of a

different aspect to present about myself, but enough about me. Moving on to the agenda: we're going to go over a handful of topics. We're going to talk about password spraying, what the definition is, what it is and what it isn't, and what are some of the misconceptions associated. We're gonna go into the impact, and we're gonna go into the offensive tactics on how to actually do the password spray, at a high level, or a relatively high level, but I'm gonna focus more on building the attack and targeting the attack, which is probably one of the bigger takeaways. Then defensive techniques: what to look for, how to defend yourself against password sprays. And then ultimately answer the

question: are password sprays still a concern? Additional incentives that I'm going to provide: again, practical information, learning to defend your infrastructure, implementing changes to policy and procedure if needed, and ultimately the largest takeaway would be to have the proof be in the pudding and do a password spray yourself as a different method of defense. I'll have some key questions for gift cards in an attempt to buy your patience and keep you engaged for the whole presentation. So, what is not a password spray? Some of the misconceptions and comparisons that I've run into while presenting the reports and results to clients, I guess you could say, is

a lot of the time people perceive it as a brute-force attack. A brute-force attack I like to analogize as a hammer: you'll have a single user and you'll be trying multiple variations of every possible password, and as time goes on you'll eventually hammer through that wall. That's not the case for the password spray. A dictionary attack, in my opinion, is more of a giant keyring: you have a whole bunch of possibilities, but not every possibility in the world; a little bit more of a refined attack. Where a password spray, the best analogy that I like to use is that it's like a rekeyed lock: you have the same key that can open up multiple

locks. It's not a perfect analogy or comparison, but I will expand on it as we get deeper into the talk. So what is the password spray? My definition of it is attempting to authenticate against all users using a common password that still meets complexity requirements. Some of these examples are Winter2020, and most commonly those seasonal-year combinations typically have a degree of success. We also see a lot of CompanyName123, CompanyName123!, or Password1!. The big thing to take out of these examples is that they meet the complexity requirements of Active Directory; often it's a decent level of complexity and they're relatively long, so that's why

people think they can utilize them, and that's how we take advantage of those passwords. As far as impact is concerned, two notable examples would be a Citrix breach reported by Forbes in 2018 around Christmastime, where six terabytes of data was obtained. I like to reference that it was around the holidays and how it was tied to the Forbes article, but a lot of the time, even on physical pen tests, when the holidays come people don't pay as much attention to the logs or security in general, because everybody's kind of checked out and ready for the holidays. I've had success even on physical pen tests where I need to bypass a lock: it's 3 p.m.,

traffic before the holiday has slowed down, and that's typically a more advantageous approach, so that does apply to password sprays as well. The second example would be political attacks reported by Wired: the Iran and US controversy in recent history resulted in APT33 doing some attacks with password sprays concerning the US electrical grid. But outside of these major news articles, or relatively major news articles, I've had a lot of success with password sprays against clients when doing pen tests, typically in four different options: one being no credentials acquired, it happens; number two, an initial foothold into an environment with a low-level user; third, I'd get lucky and get a user of, say, mid-level, maybe in healthcare a nurse, and

then if that nurse's credentials are used through Active Directory, I might be able to reach an EMR, for example. Four would typically be somebody with privileged access or an executive that doesn't have good security hygiene in general, and I can further exploit the situation. So those are some good examples of overall impact tied to a password spray. So I know it sounds kind of easy. Well, it kind of is and kind of isn't. There are a few things that you need to create a password spray: one, a target; two, a list of users; and three, a list of passwords. So if I can get back to my screen properly... let's see if I jumped

out of my... my smoothness here is lacking on this slide, um, but if I could get some assistance, I'd like to call out to [inaudible]. All right, so can you see my PowerPoint again? Sounds good. I was trying to get my chat window. I'd like to propose to the group to shoot out an answer in the chat: a valid example of a target for a password spray. So let's see, just want to kind of get to my chat. Let's see... I'm typically a chat man. OWA; Bogey, do me a favor and shoot your email address to the chat and then I'll be able to send you a $25 Amazon gift card.

Two more after that. That's probably the easiest and simplest question. Let's see, all right, and can everybody still see my slides? Make sure I'm not messing anything up. [Moderator] Yep, you're good. [Berardi] Cool. So Bogey's the winner on that one; I appreciate everybody's patience. So, moving on: a valid target would be an OWA portal, a typical concept, and hence the next slide. A lot of companies still have an Exchange server externally facing and have an OWA portal even if they've migrated to Office 365. A lot of the time I'll run into a scenario where I can still test against this webpage, and even if it doesn't get me direct access to their email account, it'll confirm the credentials with some type of response, or queue me, or have

me click a link to visit Office 365. So it's a good manner to at least confirm whether their credentials are successful or not. Another good example would be a Cisco VPN portal; sometimes you can get remote access or obtain the client to install on your desktop and then get access from there. But the big difference between these two is that typically all users in the company have access to email, so the success of your password spray is gonna be much better against an OWA portal, where, up until COVID, most users didn't have remote access, or not as many had remote access. So it's much more refined as we get into the Cisco VPN portal: a bit more refined, but a lesser pool for success,

so that's a factor to keep in mind. Now, in order to build the list, as I mentioned, of your users, there's a number of open source tools that you can utilize. These are some examples that I use, and I'll go into each at a high level, but there are many other options to use online. This is really where a big takeaway is: building the user list that you can use for the password spray is really indicative of your success. So as an example, theHarvester: an old, old tool in my mind, and I don't have too much success with it, but I do get a handful of users to get my list started, which is pretty solid in the sense of deducing

the formatting or the nomenclature of an email address, which can in turn lead to the username. With an OWA portal sometimes it can be domain name backslash username versus a full email address, so we need to make that differentiation as far as how to apply your list to a password spray. But theHarvester will get you started; it's saved me on a few occasions as well. SimplyEmail: I've run into scenarios where usernames are first initial, or the first initial then the initial of the middle name and then the last name, which is much harder to deduce off of other methods. But another potential option is Hunter.io. It's a website that you plug in a domain name and it'll

give you a bunch of information and email addresses associated to users within that company. Um, great tool, it's free and paid, but it limits, you know, requests, if I recall correctly. The next option would be SimplyEmail. I have more success with SimplyEmail than I do theHarvester, but you can also get the API key from Hunter.io, plug it into SimplyEmail, and get all the results in one place. You can do an HTML report, you can get it to you in text. That's pretty much my favorite option, SimplyEmail, where you get the most reliable results, in my opinion. Now, LinkedIn2Username is really when I started

scraping LinkedIn, and is where I really got a lot more results and success out of password sprays. LinkedIn2Username allows you to scrape all those options associated with every user tied to a company, so you can get the whole list for your company: five hundred people in the company, you get every username in a variety of outputs, which would be first initial last name, first name dot last name, and so forth. But for another Amazon gift card: what would be a common defense that people use on LinkedIn, from all levels, to prevent their information from being scraped off

LinkedIn? If... it wouldn't be applicable; more tied to the username. Think usernames. Going once, going twice. What I'm looking for, at least in this example, would be nicknames. We'll roll with that. Rich, go ahead and throw your information in there. On my LinkedIn I had Michael B as the example, so if I scraped LinkedIn with my... I use LinkedIn2Username to scrape against the company and it's Michael B; it doesn't correlate to a username itself. There is the rare instance that Michael B, michael.b, would be the username utilized within an organization, but that would be rare in comparison. So Rich, go ahead and shoot your email

address in there and I will send you a $25 gift card as well for Amazon. But a little bit of a plug: my teammate and coworker Bryce Crumb, he's doing a presentation on the other track a little bit later today about open source intelligence all the way to pwning a target. He goes into better depth and detail about open source tools, so he's an excellent reference to go and check out overall. But the last tool that I like to utilize is PowerMeta. Generally speaking, you input your domain name, it'll pull documents throughout the internet, and then you can search them for open source intelligence in the sense of getting onboarding

documents or anything public that they have as far as documents, but through the metadata it'll pull the authors and expand your list as far as the password spray list that you're trying to generate. And then from there, in the rare case that they use an ID number or something like that, that can be potentially discovered through those documents, and in turn help you determine the nomenclature of those usernames, as ID numbers in comparison to email addresses or derived versions. So, moving forward: password spray tools. You have your target, you have your list of usernames, and now you need a tool to do the attack. Of course, in theory, you could create your own, but these are some tools that will

perform the same type of attack. To rewind a little bit, the big comparison has been just to compare it against a brute-force attack. A brute-force attack is one specific user up against every possible password, where a password spray is the flip side of the coin, in the sense that you're using all the users that you've discovered about a company and then trying them against one specific password that's common and meets that complexity. So if you can find a tool that performs that function of testing all users, it's still gonna fit the same need. So these are some potential options. Burp Suite Pro is my favorite doing pen tests; it's a paid version, in the sense I

believe it's five hundred dollars a year approximately, but the Community version is free. It's already on Kali, you can install it on a Windows desktop, et cetera, so you can get the feel of how to do a password spray at least. [Inaudible], a free tool, performs the same function. DomainPasswordSpray by dafthack: great tool when you're actually on a Windows machine that's tied to a domain; it pretty much automates the majority of the process. There's a lot of options, but high-level speaking, that's a great tool. And even good old Metasploit has an OWA login module where you can just select one specific password and input a list of users. But again, that's all tied to the

ultimate need of doing the long list of usernames all tied to one specific password and then rotating that. In theory, a little bit further: a brief high-level example of doing a password spray. Burp Suite, as other tools do, can act as a proxy to intercept a request. So you're logging into a Cisco VPN page, as we can see here; I redacted some information a little bit sloppily, apologies, but this is the POST request, meaning you log in with your username and password, press go, Burp Suite intercepts it, you can forward that to the Intruder module within Burp Suite, and then you see this screen here. We're gonna go ahead and look at the username

and the password field: Password123 is the password I'm selecting in this instance; you just manually change that every time that you're going to do a test. Utilizing the Intruder module, you'll select the username field so that's the position for your payload, and then you'll go to the next screen, which is your Payloads tab. From here you'll input your list of usernames that we gathered through open source intelligence. For me, I didn't want to redact pretty much the domain name and the username for every single possible user, so I just put in a quick simple list of derp, derp, derp, derp, et cetera, et cetera, but you could just press the

Load button here and upload the list that you acquired through open source intelligence, and potentially refine, depending on the nomenclature formatting of the username that you're suspecting is correct. Now from here there's some more depth as far as filling in the Options tab, redirecting with cookies and so forth, but I would recommend going and finding a good password spray article that's gonna go into more detail step by step; this is overall pretty high level. After that, excuse me, apologies, you would press the Attack button and then you would see a list of results. I have redacted some information; it is hard to create a whole entire environment, a whole entire other

company, to actually provide a sample or do a live demo, but you'll see one through X depending on how many users you acquired for the password spray. The thing to identify is the Length column here. So you'll see your status 200, and then you'll see the length, and the majority of the time the credentials won't authenticate, so when they don't authenticate you'll see a comparable response throughout the list. But if you're successful you'll get a variation in that length. So once the attack's complete you can circle back, click on the Length column and it will be sorted, and then potentially, based on that variation in the response lengths, you'll be able

to determine what credentials, or what username, were successful against the credentials that you provided in the test. So overall, that is how you indicate whether or not the password spray was successful and confirm you're getting those credentials. So, a brief recap for this phase of the talk would be that with a password spray you need a valid target, typically anything that involves authentication, ideally tied to, say, Active Directory or some type of governing system; a list of usernames through open source intelligence; and then you need to create a creative common-password list. Typically, I like to say, should have mentioned it earlier, but I like to aim for 24 passwords that are creative and similar to the examples

of seasonal-year combinations, CompanyName123, etc. Now the reason why I say 24 is that you need to execute the attack every 30 minutes or so, as that's the most common lockout time period. If you were gonna do X amount of attempts, say, I assume three, so three failed attempts and you're locked out for 30 minutes is typically what I assume; not always the case, but it's a good safe way to do it. So if you're going to do your attack, you want to schedule it every 30 minutes, okay? If you have 24 passwords that means that the attack could take 12 hours overall to attempt all of those

passwords, and that's assuming that you're getting the username and the username nomenclature correct, which also, unless you determine it through additional open source intelligence, is a bit of a guessing game. You have to err on the side of caution and use your best possible deduction, but overall it's still gonna take 12 hours to execute, so you need to start this attack early in order to get it done within the realm of a pen test, which is typically a limited time period; an APT or an attacker wouldn't have as refined a timeframe, they can attempt as much as they would need to over X amount of time. But besides that, the wordlist, you need the tools to

fit that need: instead of a single user and every potential password, you just need the reverse, in the sense of executing all usernames tied to one single password, and then the ability to attack. So that's a brief recap of what we've talked about so far. But tied to the theme of "password sprays: are they still a concern?", you know, like, okay, we have MFA or 2FA, shouldn't that shut it down? Sure, in most cases it does, but there's always exceptions, where not all users necessarily have it enabled. This could be for a handful of reasons that I've seen in the past: one could be a new user, they don't have it,

they don't have it implemented or in place, or IT hasn't gotten to it. It could be a sweetheart type of situation, where you might have an executive of a specific department where they have an exception: this user doesn't want to deal with MFA, so it's not put into effect, so forth and so on. But most common, in my opinion: credential reuse. This is an issue in the sense that it's not tied to every application. I've seen in my experience, a lot of the time, doing that Cisco VPN portal as a valid test, I've had success with a password spray and gotten credentials but I've run into 2FA or something, but then I find another target from

a different portion of their environment and am able to access that because they don't have MFA in place in that specific location. Now there's some argument between 2FA and MFA. Jacque Lucas is a coworker of mine; I believe he was one of the first, if not the first, to do a SIM-swapping study in regards to cell phones and the legitimacy of using 2FA versus MFA. That's something to check out on the Avertium blog if you have a chance. But besides not having it enabled and being able to get into other applications that don't have MFA in place, the other factor that is more often than not overlooked is service accounts. People too often think, okay, service

accounts aren't an external... if you're an external issue, it's not really a factor. Okay, well, what about internal attacks? Which brings us to the next slide, which is internal attacks. Rogue insiders, most popular, however debatable: Edward Snowden. Rogue hosts on the network: I have a lot of experience in physical pen tests, have had experience in physical pen tests of tailgating in the door, and not having proper security controls doesn't prevent you from plugging in to a LAN, getting an IP address and an initial foothold. It's still a valid concern; it's had to have happened. Not disregarding the factor of an internal attack being an issue, and then of course, compounding onto

that, internal pen tests: you run into guys like myself that are gonna be inside the network and we're gonna test. Hopefully it'll be more white box, or awareness of it, but that's typically a different conversation. So, internal password sprays: what's the difference from an external one? Well, it's the same, but it's different. An internal password spray still needs a valid target; you can use the list that you've already enumerated online for users, and you can essentially use the same tools. But some additional factors are that the, excuse me, the targets can be a little bit different. You can still hit an SSO page, you can still hit an OWA page, and depending on the context,

a domain controller; typically no VPN works out in that type of a situation. You still can enumerate additional users and service accounts through various methods: SMB ports, net commands, et cetera. And then there's additional details that I'll go over. But for the final question that I have for an Amazon gift card, and this is relatively based on my mind, there's three possible things: why would an organization, if they've already migrated to Office 365, still have an OWA server or OWA portal tied to an Exchange server within their environment? So again, basically, why would you have an Exchange server still in your environment if it's passed up to Office 365 already? So, mobile... mobile client: not exactly what

I'm looking for, but go ahead and give it another shot. I'm thinking from an internal reference, but your bet isn't necessarily wrong. Authentication for ports and services... well, what I'll do, let me give it to the first two: I'll do two gift cards, to JLou1979 and JoVT, I'll give a gift card to each just for participation, because you're not necessarily wrong. What I'm kind of looking for is: one, they forgot about it, a total possibility, not necessarily; two, a hybrid configuration from internal to Office 365; and three, often in my experience they're still relying on it for alerts or other purposes. So mobile could be legitimate, but it's

not necessarily what I had in mind, but that's what I'm going with, the first two responses. So Timmy, I do apologize, but, uh, JLou1979 and JoVT, if you guys could give your email address in the chat I'll go ahead and shoot you both a $25 gift card from me. So again, apologies, rookie speaker, appreciate you dealing with me and engaging in the presentation overall. So, building onto the details as far as user enumeration: one of the tools I've had the most success with, as simple as it is, is enum4linux. I originally came across this tool going through the Penetration Testing with Kali training offered by Offensive Security, so a plug to a sponsor, if I

recall correctly. If they have an open port that can receive a null connection, you can utilize enum4linux. Typically this is only really successful in a couple of situations I've seen, but it's saved me in a handful of contexts. So right now, if you ran it against Windows 10, by default null session is not enabled, whereas older infrastructure, say Server 2008 R2 and below or Windows 7, by default that null session, the ability to connect in that manner, is available. So okay, so if I hit a workstation with it I might get some information, I might not get much, but within engagements I've had a lot of success with seeing older domain controllers. 2008 R2 was still in

support up until, I believe, January, December, if I'm recalling correctly, so we'll start to see less of those because they won't necessarily be supported. But those older domain controllers would still have that share, that port, and that configuration vulnerability still in place, so I'm able to connect to that port and it'll dump everything in AD: it'll dump usernames, groups, and from that information, and the password policy most of all, I can build my password spray attack in that manner. So that's a large takeaway in my opinion. And to kind of seal that off, say that you have a relatively mature security plan or security program: you're running Nessus, checking your infrastructure for vulnerabilities, no

mediums, I mean no criticals or highs, sweet, it has some mediums and lows, okay. But sometimes, in my experience working on infrastructure and being a pen tester, that specific vulnerability allowing a null connection is often not reported on Nessus scans, as an example, or it's overlooked as a concern, whereas on a domain controller, utilizing this tool, it is a concern, because enum4linux essentially is just an SMB enumeration tool, or numerous SMB enumeration tools wrapped into one. So I've had a lot of success in the realm of, hey, we don't have any vulnerabilities, to accessing this information and building a password spray, which is based on passwords that meet complexity but still can be guessed

or are common enough that we have success guessing them. So you don't think you have any vulnerabilities, but I just password sprayed, hold on, the OWA server that you have on your old Exchange server, the OWA that you have internally; I may not access your email, but it'll confirm that I have those credentials, in the sense I get my foothold further into the environment. Hope that made sense, but that's how I'd like to chain the attacks together or discover an avenue of approach for when there isn't necessarily a vulnerability provided by a scanner. But moving forward, net commands: if you're actually on a box you can use the commands net user, net accounts to acquire the password policy

or a list of users. Again, as referenced earlier, the DomainPasswordSpray tool by dafthack does do a lot of these functions automatically if you're on a machine, but the reason is, I believe, like, folks started flagging it more than in the past, so AV is kind of catching on more, based on my experience; could be wrong, could be right, but that is an awesome tool if you can get it to work or get past AV. So, traditional defenses: strong passwords, the longer the better. If you have eight characters you're typically going to run into some issues where you have users that are gonna have those

common passwords. And typically a good rule of thumb for password sprays in general is that, hey, 100 users, it's going to be close to really having any success on that organization doing this type of test; your small dev shop, 20 people, five people, perhaps a password spray typically isn't going to have much success, but a small to medium business, 100 people, I typically have seen a little bit of success; 500 people, typically hit even more, and then, you know, it scales from there. So it all depends on how strong your passwords are to prevent the possibility of having those common, but still meeting the complexity requirements, passwords. So, traditional defense: increase the length of your

password, not even necessarily complexity, but the length; that's why a lot of people say use those passphrases versus a password. Refine your password policy, in actual paper, so that way people need to adhere to it in that manner, and actually enforce it within Active Directory so it forces you to actually adhere to it, versus assuming that some of your combinations are clever and easy to remember. Having MFA everywhere also is a good traditional defense, and of course security awareness training, making users aware that, hey, these common passwords aren't the best route to go; go into even more of a passphrase and in addition some numbers and characters and so forth. But those are your traditional defenses.

Some alternative defenses would be: don't rely on lockout detection. Now, using a specific application in mind, you're not going to get locked out if you're doing a password spray, because you're doing it every 30 minutes, you're avoiding that lockout, so it's harder to detect. If you focus more on IP address, you're gonna see multiple attempts from one IP address. So I'm speaking at a high level, but that's a good alternative defense to detect an attack, in comparison to, say, brute force, where they're gonna get locked out and you're gonna see the requests coming from that same IP. Let's see, password spray yourself: it's simply

the best proof, the proof in the pudding, and the biggest takeaway I'd like to push from this talk: take the information I provided and, if of course approved by your organization and so forth, do a password spray. Find those users that have those common passwords and have them change them, and educate them so that way they don't do it in the future. So ultimately, that's the big proof-in-the-pudding takeaway. Offensive countermeasures: this is kind of a large rabbit hole, but it is typically more of an advanced or alternative defense, in the sense of honey users. Generally speaking, open source intelligence having [inaudible], typically not in that name, create a system administrator for that user, and if you can track the authentication

attempts against various sources for that specific user, tying that to a honeypot a lot of the time. If you want to get a little bit more risky and you have more of a sophisticated security program, okay: they acquire those honey credentials from a password spray, get initial remote access, and then use BloodHound to determine that they have remote access on this specific host and have local administrator privileges, but that happens so you can chain that together. Speaking very high level, but those are typically the more alternative defenses in comparison to your standards of strengthening your passwords and having MFA in place, because MFA isn't in place for service accounts, as an example; it's just

impossible. But moving forward, in conclusion, I appreciate your time; rookie speaker. Password sprays: are we still concerned? Based on credential reuse, not having MFA in place 100 percent in all areas, there are a lot of internal variations of the attack that people don't look for, or they assume they don't have any vulnerabilities, and you can chain that information together. And then again, go spray yourself. So I'll open it up for questions. Overall, if I don't have the answer I'll go ahead and get back to you, or if it's a topic I'm not necessarily specialized in, I'll reach out to my team, a great team at Avertium. I love my job and learn something new every day, great team members such as

Bryce Chrome, who was doing this presentation a little bit ago; I suggest you check it out. It's Open Source Intelligence to Pony, I believe that's the title, give or take. But thank you for taking the time to watch my talk, and I'll get those Amazon gift cards out too. Yeah, I forgot those emails; I'll send them over to you here in just a few minutes.

Mike, so thanks for your talk; it was really good, we certainly appreciate it. You mentioned you've got a few minutes here for questions, so we'll watch the chat and see if folks have any questions. Well, here's one now: it's usually a technique, so how often are clients able to catch the spray in their logs? Honestly,

I don't want to say I've never been caught, but I very rarely get a report back. We do a lot of white box or gray box testing, but I never get reports back of, hey, this user's locked out, is this you? I don't get that type of a scenario popping up. But I do stay strict to that 30 minute period and I pace everything out from the beginning of the engagement, or the second I get a foothold on the network. I'll try to find that password spray target, though there's a handful of ways, not a handful of ways, but there's some common ways to get initial foothold: default credentials, EternalBlue, using Responder, password sprays. So I typically plan in advance so that way within the time frames I'm being as advantageous as possible, managing my time.

What are your favorite password hacking tools? Classic Burp Suite is the favorite across the board, and then excellent formation late experience for me. Dan, shout out to my coworker Dan, thanks for attending. Do you use Metasploit's OWA login module during password spray, or Burp Suite? I would use Burp Suite typically all the time, but the Metasploit OWA login is legitimate; I've had coworkers that have used it as well. But typically I'd use Burp Suite and tie that back to when I should get on a box. That works out real beneficial, or default credentials into a normal box,

utilize credentials and then show them access to the domain and so forth. Sorry if I go a little bit rapid-fire; a lot of feedback is to slow down, but again I appreciate your patience, being a rookie presenter, at least in this type of format.

No, I think you did a great job and kind of brought to light some things that we think about and things that we need to do better at in our own environments or our clients' environments. Are you seeing more folks use honey users over the past year?

So I've only run into a honeypot on a handful of occasions, typically whenever there's a box that's sitting there like I didn't see the vulnerability in forever,

yeah, and then that's the scenario in which it typically occurs. I'm not saying I'm the foremost expert on the area, but I always do recommend the concept of honey users.

Gotcha, cool. Any other questions for Mike? All right, great job Mike, we'll get these email addresses over to you for the gift cards. We really appreciate it, man, thanks so much.

Thanks again, appreciate the experience.
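The talk's detection point (don't rely on lockouts; look for one source IP failing against many different accounts, since a spray paced under the lockout threshold never trips the per-account counter) is shown below as an added example written for this page. It is not code from the talk, from the speaker or from Avertium. The log line layout, the assumed lockout policy (5 failures within 15 minutes), and every username and IP address in the sample are constructed for the example.

```python
"""Added example (not from the talk): lockout-based vs. source-IP-based
detection of a password spray, run over constructed authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed layout: "<ISO timestamp> <OK|FAIL> user=<u> src=<ip>".
# 203.0.113.10 sprays five accounts once, waits 30 minutes, then sprays them again
# (one guessed password hit on "frank"). 198.51.100.7 brute-forces a single account.
# 192.0.2.5 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2020-06-01T09:00:00 FAIL user=alice src=203.0.113.10
2020-06-01T09:00:04 FAIL user=bob src=203.0.113.10
2020-06-01T09:00:09 FAIL user=carol src=203.0.113.10
2020-06-01T09:00:13 FAIL user=dave src=203.0.113.10
2020-06-01T09:00:18 FAIL user=erin src=203.0.113.10
2020-06-01T09:00:22 OK user=frank src=203.0.113.10
2020-06-01T09:30:00 FAIL user=alice src=203.0.113.10
2020-06-01T09:30:04 FAIL user=bob src=203.0.113.10
2020-06-01T09:30:09 FAIL user=carol src=203.0.113.10
2020-06-01T09:30:13 FAIL user=dave src=203.0.113.10
2020-06-01T09:30:18 FAIL user=erin src=203.0.113.10
2020-06-01T10:15:00 FAIL user=grace src=198.51.100.7
2020-06-01T10:15:02 FAIL user=grace src=198.51.100.7
2020-06-01T10:15:04 FAIL user=grace src=198.51.100.7
2020-06-01T10:15:06 FAIL user=grace src=198.51.100.7
2020-06-01T10:15:08 FAIL user=grace src=198.51.100.7
2020-06-01T10:15:10 FAIL user=grace src=198.51.100.7
2020-06-01T11:02:00 FAIL user=heidi src=192.0.2.5
2020-06-01T11:02:30 OK user=heidi src=192.0.2.5
"""

LOCKOUT_THRESHOLD = 5                    # assumed policy: 5 failures locks the account
LOCKOUT_WINDOW = timedelta(minutes=15)   # assumed policy: failure counter window


def parse_log(text):
    """Parse the constructed log format into a time-ordered list of events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def locked_out_users(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """What a lockout alert sees: accounts reaching `threshold` failures inside
    `window`. A success resets the counter. The spray never trips this."""
    recent = defaultdict(list)
    locked = set()
    for e in events:
        if e["ok"]:
            recent[e["user"]].clear()
            continue
        fails = recent[e["user"]]
        fails.append(e["ts"])
        while fails and e["ts"] - fails[0] > window:   # age out old failures
            fails.pop(0)
        if len(fails) >= threshold:
            locked.add(e["user"])
    return locked


def spraying_sources(events, window=timedelta(hours=1), min_users=5):
    """Source IPs that failed against at least `min_users` distinct accounts
    within `window`, no matter how few attempts each account saw."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in by_src.items():
        start = 0
        for i, e in enumerate(fails):            # sliding window over this IP's failures
            while e["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:i + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(users)      # distinct accounts in the flagged window
    return flagged


def successes_from(events, src):
    """Accounts a flagged source actually logged into: the spray's real yield."""
    return sorted({e["user"] for e in events if e["ok"] and e["src"] == src})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("lockout alerts:", locked_out_users(evts))          # only the brute force
    for ip, users in spraying_sources(evts).items():
        print(f"spray from {ip}: {users}; compromised: {successes_from(evts, ip)}")
```

The lockout-based check fires only for the single-account brute force, while the per-IP check catches the paced spray and, by pairing it with the successes from the same source, tells the responder which account the spray actually won.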