The Undeniable Effectiveness of Password Spray

by | Oct 20, 2022 | Blogs

One of the most effective techniques NodeZero employs for initial access is password spray. It’s a primitive technique, basically guessing passwords, and when it works it feels like magic. Yet we see it work time and time again in various pentests conducted by NodeZero. In this post we’ll talk about what password spray is and walk through how NodeZero weaponizes this technique in internal and external pentests. We’ll then provide practical tips for defenders to guard against this common attack.


In a traditional brute force attack, an attacker targets a single account and tries to repeatedly guess the password for the account until he/she succeeds, or gives up. This type of attack rarely works unless the account happens to have a really weak password.

In a password spray attack, an attacker starts with a list of users and a shortlist of probable weak passwords. The attacker tries (i.e. “sprays”) each password, one at a time, against all all users in an attempt to compromise at least one account. Attackers usually limit the rate of their attempts to avoid causing account lockouts. Attackers know that, once they’ve compromised at least one account, they can abuse that account’s access to enumerate deeper and potentially compromise more accounts, assets, and data.

A password spray attack has a much higher chance of success than a traditional brute force attack because it only requires compromising one account out of many possible accounts. In large organizations especially, the odds are high that there are going to be some users with weak passwords who would be susceptible to password spray.

Password spray is tracked as MITRE ATT&CK technique T1110.003. APT-28 (Fancy Bear), APT-29 (Nobelium), and APT-33 (Elfin) are examples of well-known threat actors who have used this technique. But this is not a technique just reserved for nation-state threat actors. Microsoft has estimated in the past that password spray attacks account for nearly one third of account compromises. Many spraying toolkits, such as crackmapexec, are readily available, making password spray a point-and-click operation for any level of attacker.

How NodeZero Weaponizes Password Spray

Username Enumeration

The first step for an attacker executing a password spray attack is compiling a large list of users. The larger the list, the more likely the attack will succeed.

NodeZero uses about a dozen different methods to gather usernames, both internally and externally. These methods include scraping user information from social media and exploiting misconfigurations in commonly used applications such as Jira, Jenkins, ManageEngine ADManager Plus, and WordPress. In internal pentests with older domain controllers, anonymous access over SMB is an especially powerful misconfiguration for attackers because it can lead to directly enumerating all domain users. If NodeZero already has a regular domain user credential in hand, it uses that credential to enumerate other domain users.

These username enumeration misconfigurations are often thought to be medium or low severity issues to fix, but they can be really valuable for attackers when used in conjunction with password spray.

Here’s an example of a weakness raised by NodeZero after exploiting a Jira misconfiguration to enumerate all users:

And the associated proof for the weakness showing the list of users that were scraped:

Password List Generation

With a list of usernames in hand, the next step for an attacker is to come up with passwords to spray. NodeZero generates probable passwords to spray based on commonly known breached passwords, context-specific terms such as the company name or domain name, or a custom dictionary supplied by the user.

Attackers know that most companies have set up a password policy to enforce a minimum password length of 8 characters, password complexity rules (including lowercase, uppercase, digits, and special characters), and periodic rotation of passwords. Password complexity and rotation policies have ironically led users to creating more predictable passwords such as passwords starting with an uppercase letter, ending in 1!,, or containing seasons and years. NodeZero optimizes for these cases to maximize the likelihood of success.

In addition to spraying probable weak passwords, NodeZero also attempts to spray any passwords it finds organically during the course of a pentest, just like a real-world attacker would do. These are passwords that may be found through unintended data exposure or exploitation, and they may not necessarily be weak. This form of password spray is used to exploit password reuse across multiple accounts.

Password Spray Execution

In internal pentests, NodeZero conducts password spray against domain controllers in the hope of landing a domain user for initial access. If it already has a domain user in hand, NodeZero will further conduct targeted password spray against privileged domain users in an attempt to compromise the entire domain. In real-world pentests, NodeZero has fully compromised organizations through password spray alone.

Here’s an example of the attack graph generated from a successful password spray of a domain user in an internal pentest. In this case NodeZero scraped users off an ManageEngine ADManager Plus instance and guessed the password for the “santani” user using a password derived from a company name.

NodeZero raised the following weakness with proof of access:

In external pentests, NodeZero conducts password spray against Azure AD in the hope of landing an Azure AD user to access Microsoft365 services or backend Azure services such as the Azure Graph API. NodeZero uses a new public IP address each time it sprays in an effort to evade detection.

Here’s an example of an attack graph NodeZero generates from a successful password spray of an Azure AD user in an external pentest. In this case NodeZero scraped users off an externally accessible Jenkins instance and guessed the password for the “santani” user. NodeZero went on to access the user’s Microsoft365 Outlook mailbox.

NodeZero is designed to be safe to run in production environments. To minimize the possibility of locking out users, NodeZero throttles the rate of password spray to two attempts an hour. In real-world pentests, the time it takes for NodeZero to be successful at password spray can range from less than hour (a single spray attempt) to several days.

Tips for Defenders

There are two approaches for defense against password spray: one is increasing the level of effort for an attacker to succeed, and the second is putting controls in place in case an attacker does succeed. Both approaches are important. There is a tendency to scrutinize specific users and their passwords, but the reality, especially for large organizations, is that there are always going to be some users who choose predictable passwords that a motivated attacker will be able to compromise.

Increasing Attacker Difficulty

To increase the level of effort for attackers to succeed at password spray, we recommend implementing a password policy that is configured to:
  • Ban certain terms and their variants from appearing in passwords. These terms include dictionary words, known breached passwords and company-specific terms such as the company name. This is important because it makes attackers have to think outside the box to come up with passwords to spray. Consider using Azure AD Password Protection.
  • Do away with password complexity and password rotation policies. For a long time people who were advised that password complexity is important and passwords need to be rotated, but this advice has only led to people creating more predictable, easier-to-guess passwords. Our guidance on this is in line with the latest guidance from NIST Special Publication 800-63B.
  • Enforce a minimum password length – we recommend at least 12 characters. This is higher than the NIST-recommended minimum of 8 characters.
  • Set a relatively low account lockout threshold, but not too low. A lower account lockout threshold makes it so attackers have to spend more time conducting the spray. At the same time, if it’s too low, regular users may end up calling the IT helpdesk often after mistyping their passwords, and it’ll also enable attackers to easily perform a denial of service (DoS) attack against the organization. We recommend a threshold between 5 and 10 attempts before lockout.
  • Monitor application and domain controller logs, and setup alerts for login failure events happening across many users within a short window of time.
  • Fix any misconfigurations related to username enumeration, especially ones that yield a full snapshot of all users in the domain. Note that motivated attackers will still be able to compile a list of users, but it’s better to make it harder.

Other Controls

Multi-factor authentication (MFA) is a must-have for any external exposed endpoints. And if there’s an endpoint that doesn’t support MFA, it should not be exposed externally under any circumstances. The advantage of MFA is that, even if an attacker succeeds at password spray, he/she will have another hurdle to get through before fully compromising an account.

For internal networks, MFA won’t help much because there are many lower level endpoints using non-MFA protocols such as SMB, RPC, LDAP, and Kerberos that an attacker can spray against.

We also strongly recommend adhering to the standard principle of least privilege, ensuring all users are provisioned with only the access they need. Security is about defense in depth, and it’s important to minimize the blast radius – a single user being compromised should not instantly cascade into the rest of the organization also being compromised.

Try NodeZero

Finally, to truly get an idea of how well your organization can stand up to a password spray attack, you can run an internal or external pentest with NodeZero. Not only will NodeZero identify whether it was able to successfully execute a password spray attack, you’ll also be able to test your defenses and see what NodeZero is able to do with the credentials it acquires from the attack. Check out the free trial here!

How can NodeZero help you?

Let our experts walk you through a demonstration of NodeZero, so you can see how to put it to work for your company.