This Technique Tries The Same Common Password Across Many Usernames

Karina Edling

Aug 3, 2024, 4:48:42 PM8/3/24
to condtemodu

A password can refer to any string of characters or secret used to authenticate an authorized user to a resource. Passwords are typically paired with a username or other mechanism to provide proof of identity. This combination is referred to as credentials.

When a compromised account has privileges, the threat actor can easily circumvent other security controls, perform lateral movement, and compromise other passwords. This is why highly privileged credentials are the most important of all credentials to protect. With that said, almost any identity today will have some path to privilege via various SaaS accounts, blurring the definition of what a privileged identity means today.

While passwordless approaches are gaining momentum, they remain niche for modern systems, have difficulty being adapted to legacy technology, and often possess password characteristics themselves. However, one welcome shift is that, today, a password is less likely to be used as the sole security mechanism due to technology like biometrics and multifactor authentication (MFA).

Often, a threat actor will first target a systems administrator since their credentials may have privileges to directly access sensitive data and systems. Such privileged credentials enable the cybercriminal to move laterally, while arousing little or no suspicion, and even compromise other accounts to maintain persistence. Once a threat actor has compromised credentials, everything privileged to that account is now fair game for the attacker.

Attackers seek to learn basic information about the password policy, such as minimum and maximum password length and the complexity requirements. For example, does the password have upper-case and lower-case letters, numbers, symbols, or a combination? Attackers are also interested in learning about restrictions on the passwords. These parameters could be:

In this section, we will look at common password cracking techniques. Some of these techniques may overlap in tools and methodologies. Attackers often blend multiple, complementary tactics to improve their chances of success.

If the threat actor knows the targeted account's password length and complexity requirements, the dictionary is customized to the target. Advanced password crackers often use a dictionary and mix in numbers and symbols to mimic a real-world password with complexity requirements.

A weakness of dictionary attacks is that they rely on real words and derivations supplied by the user of the default dictionary. If the real password is fictitious, uses multiple languages, or uses more than one word or phrase, it should thwart a dictionary attack.

Brute force password attacks utilize a programmatic method to try all possible combinations for a password. This method is efficient for passwords that are short in string (character) length and complexity. This can become infeasible, even for the fastest modern systems, with a password of eight characters or more.

If a password only has alphabetical characters, including capital letters or lowercase, odds are it would take 8,031,810,176 guesses to crack. This assumes the threat actor knows the password length and complexity requirements. Other factors include numbers, case sensitivity, and special characters in the localized language.

With the proper parameters dialed in, a brute force attack will always find the password, eventually. The computing power required and the length of time it takes often render brute force tests moot by the time they have completed. The time it takes to perform the attack is determined by the time it takes to generate all possible password permutations. Then, the response time of the target system is factored in based on serial or multithreaded requests.
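The 8,031,810,176 figure quoted above is exactly 26^7: a single case of 26 letters at a known length of seven. The following added example (not part of the original post) generalizes that arithmetic to any mix of character classes and a range of lengths, and converts the keyspace into an exhaustive-search time at an assumed guessing rate, which is what turns "eight characters or more" into a concrete feasibility estimate.

```python
# Sizes of the character classes a password policy can require (US-ASCII keyboard).
CHARSETS = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def keyspace(length, classes=("lower",)):
    """Distinct passwords of exactly `length` drawn from the union of `classes`."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return alphabet ** length


def total_keyspace(min_len, max_len, classes=("lower",)):
    """Guesses needed to exhaust every length from min_len to max_len inclusive.

    This is the attacker's worst case when only the policy bounds are known,
    not the exact length.
    """
    return sum(keyspace(n, classes) for n in range(min_len, max_len + 1))


def exhaust_seconds(guesses, rate_per_second):
    """Upper bound on search time at a fixed guessing rate (an assumed parameter,
    since the rate depends entirely on the target's hash and hardware)."""
    return guesses / rate_per_second


if __name__ == "__main__":
    print(keyspace(7))                                        # 8031810176, the post's figure
    print(keyspace(8, ("lower", "upper", "digit", "symbol")))  # 94**8
    print(exhaust_seconds(total_keyspace(1, 8), 1_000_000))   # seconds at an assumed 1M guesses/s
```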

Credential stuffing attacks do not attempt to brute force or guess any passwords. The threat actor automates authentication based on previously discovered credentials using customized tools, typically with passwords obtained from the dark web from previous third-party breaches. This approach can entail launching millions of attempts to determine where a user potentially reused their credentials on another website or application.

Password spraying is a credential-based attack that attempts to access many accounts by using a few common passwords. Conceptually, this is the opposite of a brute force password attack. Brute force attempts to gain authorized access to a single account by repeatedly pumping large quantities of password combinations.

Over the past year, password sprays have regained prominence. Midnight Blizzard breached Microsoft by compromising a legacy, non-production test environment with an unsophisticated password spray attack. Cisco and Okta are also warning of large-scale password spray attacks leveraging a range of residential proxies to evade detection.

The threat actor tries every user account in their list with the same password before resetting the list and trying the next password. This technique minimizes the risk of the threat actor's detection and lockouts on a single account due to the time between attempts.

With poor password hygiene by any one user or on any single account, the threat actor will likely succeed in infiltrating the resource. This technique was recently used in the Microsoft Midnight Blizzard attack.
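The one-password-across-many-accounts pattern described above has a detection signature that is the mirror image of brute force: many distinct usernames failing from one source with only one or two failures each, so no single account ever trips a lockout. The following added example (not part of the original post) runs that logic over a constructed authentication log and labels each source as a spray, a single-account brute force, or normal; the log format, field order and thresholds are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system):
# "<ISO timestamp> <FAIL|SUCCESS> <username> <source IP>"
SAMPLE_LOG = """\
2024-08-03T14:00:01 FAIL alice 203.0.113.7
2024-08-03T14:00:03 FAIL bob 203.0.113.7
2024-08-03T14:00:05 FAIL carol 203.0.113.7
2024-08-03T14:00:07 FAIL dave 203.0.113.7
2024-08-03T14:00:09 FAIL erin 203.0.113.7
2024-08-03T14:00:11 SUCCESS frank 203.0.113.7
2024-08-03T14:05:00 FAIL alice 198.51.100.9
2024-08-03T14:05:02 FAIL alice 198.51.100.9
2024-08-03T14:05:04 FAIL alice 198.51.100.9
2024-08-03T14:05:06 FAIL alice 198.51.100.9
2024-08-03T14:05:08 FAIL alice 198.51.100.9
2024-08-03T14:05:10 FAIL alice 198.51.100.9
"""


def parse_log(text):
    """Parse the constructed format into sorted (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, result, user, src = line.split()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events)


def classify_sources(text, window=timedelta(minutes=30), min_users=5, max_per_user=2, brute_min=5):
    """Label each source IP from its failures inside a sliding window.

    'spray': failures on >= min_users accounts with <= max_per_user each (low per-account
    volume, so lockout thresholds never fire). 'brute_force': >= brute_min failures on one
    account. A successful login from a spraying source is reported as the account to check first.
    """
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev[3]].append(ev)
    report = {}
    for src, events in by_src.items():
        label, logins = "normal", []
        for i, (start, _, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            fails = Counter(e[2] for e in in_win if e[1] == "FAIL")
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                label = "spray"
                logins = sorted({e[2] for e in in_win if e[1] == "SUCCESS"})
                break
            if fails and len(fails) == 1 and max(fails.values()) >= brute_min:
                label = "brute_force"
                break
        report[src] = {"label": label, "logins_during_spray": logins}
    return report
```

Real deployments key on more than the source address, since the residential proxies mentioned above rotate IPs; grouping by user agent, ASN or time correlation across sources extends the same per-account counting.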

Names of pets, children, spouses, addresses, birthdays, hobbies, and friends are the most valuable information available to the threat actors. Factor in favorite movies, TV shows, authors, bands, actors, and more, and most social media accounts become an information gold mine.

Phishing and vishing (voice calls) are often leveraged for information gathering for other attacks, as well as to plant malicious software (via attachments or links) on an endpoint. This malware could be used to siphon off passwords.

Unfortunately, there is a common risk in resetting passwords that makes even automated password resets targets for threat actors. Resetting a password is the act of a forced password change by someone else, such as from the service desk or an application owner. This change is not initiated by an end user.

Anytime a password is reset, there is an implicit acknowledgment that the old password is at risk and needs to change. Perhaps it was forgotten, expired, or triggered a lockout due to numerous failed attempts. The reset, transmission, and storage of the new password poses a risk until the password is changed by the end user. Of course, sometimes the end user neglects to change the password at all.

Changing passwords frequently is a security best practice for privileged accounts (as opposed to personal or consumer accounts). However, resetting passwords and transmitting them through unsecure mediums is not. For the individual, a simple password reset can be the difference between a threat actor owning your account and a legitimate password request.

Password eavesdropping refers to a password being overheard verbally by a threat actor. Password eavesdropping may be either inadvertent or intentional and can encompass both voice-based and digital eavesdropping to capture the audible disclosure.

In the early days of computing, you needed to physically connect to the machine you were accessing. The systems you were authenticating to were also running locally. Now, we regularly authenticate into systems on the other side of the world, and increasingly, ones that are not even our systems. Our passwords are transmitted electronically through many systems to reach their destination, and absent proper encryption and other protections, they may be vulnerable to eavesdropping through wiretapping or wireless packet capture.

Shoulder surfing enables a threat actor to gain knowledge of credentials through observation. This includes observing passwords, PINs, and swipe patterns as they are entered, or even a pen scribbling a password on a sticky note.

The concept is simple. A threat actor physically observes or uses an electronic device like a camera to collect passwords and use them for an attack. This is why, when using an ATM, it's recommended to shield the entry of your PIN on a keypad. This prevents a nearby threat actor from shoulder surfing your PIN.

The most effective way to address the risk of privileged credential compromise is to remove direct access and implement privileged access management (PAM) to safeguard the most sensitive accounts. All sessions relating to highly privileged accounts should be routed through a system that facilitates access, but without revealing actual credentials.

When an attacker manages to gain access to a system or website, they often aspire to steal the database containing the usernames and passwords for everyone who accesses the application, even if the credentials are not human-readable because they are stored as hashes. Stealing a password database provides at least three big benefits regarding password stealing:

A PtH attack exploits an implementation weakness in the authentication protocol. The password hash remains static for every session until the password itself changes. PtH can be performed against almost any server or service accepting LM or NTLM authentication, including Windows, Unix, Linux, or another operating system.

Malware may scrape memory for password hashes, making any active running user, application, service, or process a potential target. Once obtained, it uses command and control or other automation for additional lateral movement or data exfiltration.

While PtH attacks are more common on Windows systems, they can also exploit Unix and Linux endpoints. Modern systems can defend against PtH attacks in a variety of ways. However, changing the password frequently or using one-time passwords (OTPs) is a good defense to keep the hash different between the sessions. Password management solutions that can rotate passwords frequently or customize the security token are an effective defense against this technique.

In a Pass-the-Ticket attack, a threat actor steals a Kerberos ticket-granting ticket (TGT) to impersonate a user on a network. When successful, this attack method bypasses authentication mechanisms, giving the attacker unauthorized access to resources.
