Password Spraying 101

The weakest link in cybersecurity is most often the individual user. It’s common for busy employees to be negligent about best security practices. Frequent issues include employees clicking on a phishing email link, leaving unattended laptops unlocked, and using weak passwords on corporate assets–which increases a business’ vulnerability for attack. For many attackers, using this knowledge allows them to gain an initial foothold in an environment by conducting an attack known as password spraying–a technique where a very small number of common passwords (e.g., “Welcome1” or “Summer2020”) are tried against a large set of user IDs.

In this tutorial, I’m going to explain how to collect username/emails that are freely available on the Internet and how to use them in a password spraying attack.

1.) Getting Started

Both of the necessary tools for this process are already available on the latest version of Kali Linux. However, if you prefer another operating system, you can feel free to check out the following tools:

• Burp Suite
• Recon-ng

Additionally, a Bing Search API key is needed. First, go to the Microsoft Azure Bing Web Search page and create a Bing Search API. There’s a 7-day free guest trial version that you can use for the purpose of this tutorial.

Once you create your Bing Search API account, you will be presented with your API key. Select either Key 1 or Key 2 and start up Recon-ng.

2.) Enumerating username format

When beginning an assessment, we are often asked to act as if we are an outside attacker with very little knowledge of a company. For instance, a blanket subnet might be given with no other information.

Initial steps after enumerating open ports will often include username enumeration so we can attempt password sprays on the targeted company’s assets.

First, we will use Google Dorks to help us discover the format of the targeted company’s email addresses. Google Dorks involves using advanced search operators in the Google search engine to locate specific strings of text within search results.

In this example, we will use quotation to require the text to be in the results.

With this technique, we can see an email address that looks to be just the first name of the user. Let’s continue with additional searches to further verify our results.

For this next one we will use the search operator filetype. Filetype will look specifically for whatever type of extension you add in. Oftentimes, lists of emails can be found online in PDF, XLS, PPT, and DOC files.

Using filetype, we can see that it also appears that the email format includes first initial and last name. Let’s stop there and assume for the purposes of this tutorial that the email format is first initial followed by last name.

3.) Discovering Valid Users

For this next portion we will use a tool called Recon-ng to help us collect employees for the targeted company. Recon-ng is a reconnaissance framework designed to conduct open source web-based reconnaissance quickly and thoroughly. It is a default installed tool on Kali Linux, but can be used on other distributions as well. We will be using a Recon-ng module that uses the Bing Search API to collect users from LinkedIn.

With Recon-ng started, we will first need to add the Bing Search API type in the command “Keys add bing_api add_bing_search_api_here” to load the key, replacing add_bing_search_api_here with your actual Bing Search API:

Verify that the key loaded properly by typing “show keys”. This should display your API keys with the recently added Bing Search API key at the top of the results.

This is an image caption. 

Next, we will need to add in our target company. For me, I will be using Hurricane Labs. Type the command “add companies” and press enter. Under company (TEXT) add the name of the company. Description is optional, so simply press enter to bypass it. Multiple companies can be added here, so add all that are needed by repeating this process.

Now we are going to load up the LinkedIn Cache module by typing the command “use recon/companies-contacts/bing_linkedin_cahce”, then enter and followed by the command “run”.

This will start running the module and, depending on your company size, could take a few seconds to several minutes. After running, you can run the command “show contacts” to display what users were discovered.

Next, we need to transform this data into usernames. For the purposes of this demonstration, I am going to use first initial followed by last name format. Recon-ng has a module for this called recon/contacts-contacts/mangle. Type the command “use recon/contacts-contacts/mangle”. Next, set the pattern by typing “set PATTERN <fi><ln>”. Other patterns can be used as well; for example, for the full first name, use <fn>. Periods or dashes can also be used between the first and last names, such as <fn>.<ln>.

Set the domain to the domain of your target company by running the command “set DOMAIN company.com”, replacing company.com with your target company. Use the “run” command to execute the module. You can see an example in the following photo.

Now you will need to get the results to a file. We will spool the results to a file in a temporary directory. Type the command “spool start /tmp/emails”.

Next run a query on the database by typing “query SELECT email FROM contacts WHERE email IS NOT NULL”. Now stop spooling by simply typing “spool stop”. This will give you a table with all of your results.

Now, exit Recon-ng so we can use grep to extract the usernames from the email file we just created. The following command will cut the usernames from the email file and create a new user_list file that we will be using later in the tutorial.

“grep @ /tmp/emails | cut -d ” ” -f 4 | cut -d @ -f 1 | sort -u >> /tmp/user_list”

This command will also sort the file using the -u flag to ensure there are not duplicate usernames in the file, which is important in password spraying because it can cause unwanted account lockouts.

4.) Spray Payday

Now that we have a list of users, let’s use Burp Suite to conduct password spraying. Find a site for your targeted company that requires authentication; I will be using https://portal.hurricanelabs.com. Note that you should never conduct password spraying on a company unless you have explicit permission. Not only is this against the law, but many other issues can arise from a simple password spray if it’s not done properly. It should also be noted to limit spray attempts to a maximum of 1 per hour to ensure users are not locked out.

Fire up Burp Suite and ensure that you have one of your browsers proxied through it. For more information on this, please see PortSwigger’s article on configuring your browser to work with Burp.

Now that we have Burp Suite working with our proxy, open your browser and navigate to your targeted login site.

Once on the site, type in a fake username and the password you want to test with. For my example, I am using fakeuser@hurricanelabs.com and Hurricane123. Do not press “Login” at this point. There is still some configuring in Burp Suite to do first.

Some suggestions of passwords to try would include:

• Welcome1
• Companyname123
• Summer2020
• Password1
• Etc

Ensure that Intercept is turned on under the Proxy tab and select the login button on the browser. We can see the request is captured by Burp Suite. From here, we will use the Intruder tool within Burp Suite. To do this, right click on the captured request and select “Send to Intruder”. This will send the request to the Intruder tab.

Go to the Intruder tab and select the Position subtab. From here, we will see the captured request with several fields highlighted as variables.

Select “Clear” on the right side of Burp Suite to remove all these variables.

Search for fakeemail (or whatever fake email you used) in the request, clicking the “Add” button over just the username portion of the email. Ensure that the attack type is set to Sniper.

Select the Payloads subtab on Intruder and you will see a section called Payload Options. For this we will want to load our user_list file we created from Recon-ng.

Finally, select the Options subtab and scroll to the Redirections section at the bottom of the page. We will want to change Follow redirections to On-Site Only and check the box that says Process cookies in redirections.

At this point we are ready to start the password spray. Select the “Start attack” box near the top of Burp Suite and watch it go!

The results will pop up in a new box with request length. We will be evaluating these response lengths to determine if a username password is successful. More than likely, if there are a lot of response lengths that are the same, then that was a failed authentication attempt. Look for abnormally long or short requests; you can sort the results by the length by the drop down at the top.

Don’t worry, my password really isn’t Hurricane123–but if you do find a result, attempt to verify the result by logging into the site. If the site is protected by multi-factor authentication, attempt to use the same credentials on other company assets to find sites that might not be protected by MFA. While these other sites may not be mission critical, they could still contain sensitive information or a more exact username list. Something you should also take note of is sites that require multi-factor authentication may have users that are not completely set up. These users can be discovered through the same process by identifying extremely long responses on Burp Suite.

Conclusion

While password spraying is becoming less successful due to multi-factor authentication and strong passwords, it is still a valid attack that can shine light on a very common and easily exploited attack path that many hackers conduct. Adding password sprays to your password audits will help give you a bigger picture of what type of external footprint your company has and just how vulnerable you really are.