
Password Spraying

Introduction

Are you familiar with brute-forcing? Password spraying takes the opposite route. Instead of trying many passwords against one account, you take a list of usernames and 1-2 weak or common passwords and try each password against all of the accounts, with a wait time between rounds. The technique is popular because it stays under the radar: no single account accumulates enough failures to trigger a lockout.

Example:

Let's say you have gathered a list of usernames through OSINT or other means. You can spray these against web portals, internal protocols and so on: run one round with a single password, wait 30-60 minutes, then run another round with the next password.

The Discovery

Password spraying gained significant traction around 2016-2017, when researchers showed how effective it is against organizations with weak password policies. At the same time, threat actors were using it to gain access to networks.

Is Password Spraying still usable?

Of course it is! Password spraying exploits human psychology: people prefer easy, memorable passwords over secure ones.

Other factors:

  1. Simple password templates (predictable).
  2. Inconsistent password policy.
  3. Legacy applications with weak authentication mechanisms.
  4. Human nature (mentioned above).

Summing it all up:

Password spraying exploits human psychology and organizational password policies by testing a few common passwords against a large number of usernames while staying below lockout thresholds, and therefore under the radar.

Password Spraying Architecture: The Attack Flow

Traditional Brute Force vs Password Spraying:

Traditional Brute Force (High Risk):

  1. Target: Single user account
  2. Method: Many passwords rapidly
  3. Result: Account lockout triggered
  4. Detection: High - generates obvious failed login patterns

Password Spraying Flow (Low Risk):

  1. Reconnaissance: Gather potential usernames
  2. Password Selection: Choose 1-3 common passwords
  3. Systematic Testing: Try Password1 against all users
  4. Wait Period: Delay between password attempts (lockout window)
  5. Repeat: Try Password2 against all users
  6. Analysis: Identify successful authentications

The Timing Strategy:

Most lockout policies reset after 15-30 minutes. A typical password spray cycle:

  • Try "Password123!" against 1000 users
  • Wait 30 minutes (lockout window reset)
  • Try "Company2024!" against same 1000 users
  • Repeat with seasonal variations
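The same low-and-slow pattern is what a defender should key on: many distinct accounts failing from one source inside a single lockout window, while no individual account crosses the lockout threshold that a classic brute-force rule watches. The detector below is an added example, not part of the original article; it runs over constructed sample log lines, and the thresholds (10 distinct accounts, 30-minute window) are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source IP> <username>", one
# line per failed logon (a Windows 4625 / SSH auth failure reduced to the three
# fields the detector needs). Not real data.
SAMPLE_LOG = (
    # a spray: 12 distinct accounts, one failure each, inside one minute
    [f"2024-05-01T09:00:{i * 5:02d} 203.0.113.10 user{i:02d}" for i in range(12)]
    # a brute force: one account hammered 8 times, would trip a lockout rule
    + [f"2024-05-01T09:00:{i:02d} 198.51.100.7 bob" for i in range(8)]
    # benign noise: one user mistyping twice
    + ["2024-05-01T10:15:00 192.0.2.5 alice", "2024-05-01T10:15:30 192.0.2.5 alice"]
)

SPRAY_MIN_USERS = 10            # distinct accounts failing from one source (assumed)
WINDOW = timedelta(minutes=30)  # a typical lockout-observation window (assumed)

def parse_line(line):
    ts, ip, user = line.split()
    return datetime.fromisoformat(ts), ip, user

def detect_spray(lines, min_users=SPRAY_MIN_USERS, window=WINDOW):
    """Map source IP -> sorted distinct usernames for every source whose
    failures cover at least `min_users` different accounts within any
    sliding `window`. Counting distinct users per source, rather than
    failures per user, is what separates a spray from a brute force."""
    by_src = defaultdict(list)
    for ts, ip, user in sorted(parse_line(l) for l in lines):
        by_src[ip].append((ts, user))
    hits = {}
    for ip, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            if len({u for _, u in evs[start:end + 1]}) >= min_users:
                hits[ip] = sorted({u for _, u in evs})   # report all users seen
                break
    return hits

def max_failures_per_user(lines):
    """Peak failure count for any single account: the signal a lockout /
    brute-force rule keys on, and the one a spray deliberately keeps low."""
    counts = defaultdict(int)
    for _, _, user in map(parse_line, lines):
        counts[user] += 1
    return max(counts.values())

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))   # only 203.0.113.10 is flagged
```

Note that the brute-forced account (8 failures for one user) and the mistyped login never appear in the spray verdict; they belong to the per-account lockout rule, so both rules are needed together.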

Password Spraying Requirements and Pre-Requisites

Technical Requirements:

  • Network access to authentication services (AD, OWA, VPN, etc.)
  • List of potential usernames
  • Understanding of target's lockout policy
  • Patience for low-and-slow approach

Information Gathering Prerequisites:

  • Username enumeration from:
    • LDAP queries
    • Email format patterns ([email protected])
    • Social media (LinkedIn, company websites)
    • Previous breaches or data leaks
    • OSINT gathering

Target Services:

  • Active Directory (SMB, LDAP, Kerberos)
  • Web Applications (OWA, SharePoint, custom portals)
  • VPN Endpoints (Cisco AnyConnect, Pulse Secure)
  • Cloud Services (Office 365, Azure AD)
  • Remote Access (RDP, SSH)

Tools and Capabilities:

Windows/Active Directory:

  • CrackMapExec: Multi-protocol password spraying
  • Rubeus: Kerberos-based authentication testing
  • DomainPasswordSpray: PowerShell-based spraying
  • Spray: Lightweight password spraying tool

Web Applications:

  • Burp Suite: Manual and automated web-based spraying
  • Hydra: Multi-service brute forcing
  • Patator: Modular brute-force tool
  • Custom Scripts: Python/PowerShell for specific applications

Cloud Services:

  • MSOLSpray: Office 365 password spraying
  • o365spray: Python-based O365 spraying
  • TreeDeeper: Azure AD enumeration and spraying

When to Use Password Spraying

Ideal Scenarios:

1. Initial External Reconnaissance:

  • You have identified potential usernames but no credentials
  • Perfect for external penetration tests against web portals
  • Combines well with OSINT and social engineering
  • Testing VPN endpoints and webmail portals

2. Internal Network Enumeration:

  • You've gained network access but need valid domain credentials
  • Testing local accounts across multiple systems
  • Identifying service accounts with weak passwords
  • Lateral movement within network segments

3. Cloud Environment Assessment:

  • Testing Office 365 or Azure AD implementations
  • Identifying users with weak cloud passwords
  • Multi-factor authentication bypass attempts (if MFA not enforced)

4. Compliance and Security Auditing:

  • Validating password policy effectiveness
  • Identifying accounts that violate security standards
  • Testing account lockout policy configurations
  • Demonstrating risk to management

Tool Usage Examples

CrackMapExec (SMB Password Spraying):

# Basic password spray against domain
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success

# With delay to avoid lockouts
crackmapexec smb 192.168.1.0/24 -u users.txt -p passwords.txt --continue-on-success --delay 30

# Target specific DC
crackmapexec smb dc.domain.com -u users.txt -p 'Company2024!' --continue-on-success

Hydra (Multi-Protocol Spraying):

# RDP password spraying
hydra -L users.txt -p 'Password123!' rdp://192.168.1.100

# HTTP form-based spraying
hydra -L users.txt -P passwords.txt 192.168.1.100 http-post-form "/login:username=^USER^&password=^PASS^:Invalid"

# SSH spraying with a wait between connection attempts (-W, not -w, which is the response timeout)
hydra -L users.txt -p 'Admin123!' -t 4 -W 30 ssh://192.168.1.100

PowerShell DomainPasswordSpray:

# Import and execute domain password spray
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password "Password123!" -OutFile results.txt

# With custom user list
Invoke-DomainPasswordSpray -UserList users.txt -Password "Company2024!" -Delay 30