{'xhtml:p': 'In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.'}
Description
Attack Execution Flow
3
1
Step 1
Explore[Determine target's password policy] Determine the password policies of the target system/application.
Determine minimum and maximum allowed password lengths.
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
AI Translation
[Determina la policy delle password del target] Determina le policy delle password del sistema/applicazione target.
Determina le lunghezze minime e massime consentite per le password.
Determina il formato delle password consentite (se devono contenere numeri, caratteri speciali, ecc., o se è consentito l'uso di parole dal dizionario).
Determina la policy di blocco dell'account (una policy di blocco dell'account rigorosa impedirà attacchi di forza bruta).
Attack Techniques
-
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
-
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).IT: Determina la policy di blocco dell'account (una policy di blocco dell'account rigorosa impedirà gli attacchi brute force).
-
Determine minimum and maximum allowed password lengths.IT: Determina la policy di blocco dell'account (una policy di blocco dell'account rigorosa impedirà gli attacchi brute force).
2
Step 2
Explore[Select passwords] Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)
Select passwords based on common use or a particular user's additional details.
Select passwords based on the target's password complexity policies.
AI Translation
[Seleziona password] Scegli le password da utilizzare nell'attacco (ad esempio password comunemente usate, password personalizzate per singoli utenti, ecc.)
Seleziona le password in base all'uso comune o ai dettagli aggiuntivi di un utente specifico.
Seleziona le password in base alle politiche di complessità delle password del target.
Attack Techniques
-
Select passwords based on common use or a particular user's additional details.
-
Select passwords based on the target's password complexity policies.IT: Seleziona password basate sull'uso comune o su dettagli aggiuntivi di un utente specifico.
3
Step 3
Exploit[Brute force password] Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.
Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
Iterate through the remaining passwords for each known user account.
AI Translation
[Brute force password] Data la quantità finita di possibili password determinata dalle informazioni acquisite nelle fasi precedenti, provare ogni password per tutti gli account utente noti fino a ottenere l'accesso al target.
Inserire manualmente o automaticamente la prima password per ogni account utente noto tramite l'interfaccia del target. Nella maggior parte dei sistemi, iniziare con le password più corte e semplici, poiché la maggior parte degli utenti tende a sceglierle se consentito.
Iterare tra le password rimanenti per ogni account utente noto.
Attack Techniques
-
Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
-
Iterate through the remaining passwords for each known user account.IT: Inserire manualmente o automaticamente la prima password per ogni account utente conosciuto tramite l'interfaccia del target. Nella maggior parte dei sistemi, iniziare con le password più brevi e semplici possibili, poiché la maggior parte degli utenti tende a scegliere password di questo tipo se viene loro consentito di farlo.
Mitigations
3
Create A Strong Password Policy And Ensure That Your System Enforces This Policy.
Implement An Intelligent Password Throttling Mechanism. Care Must Be Taken To Assure That These Mechanisms Do Not Excessively Enable Account Lockout Attacks Such As Capec-2.
Leverage Multi-Factor Authentication For All Authentication Services And Prior To Granting An Entity Access To The Domain Network.
Consequences
Security Scopes Affected
Access Control
Authentication
Authorization
Confidentiality
Integrity
Potential Impacts
Gain Privileges
Modify Data
Read Data
Indicators
3
Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.
Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.
The login attempts use passwords that have been used previously by the user account in question.
Relationships
Parent CAPECs
Related ATT&CK Techniques
1
T1110.003
Password Spraying
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire …
Resources Required
3
A machine with sufficient resources for the job (e.g. CPU, RAM, HD).
A password cracking tool or a custom script that leverages the password list to launch the attack.
Applicable password lists.