I have read some good posts on password spraying over the past few years, along with reviewing and using a few tools to perform this type of attack. For reference, Black Hills has a few good posts here, here, and here, and MDSec posted a cool article on Lync along with a tool here. I’ve implemented password spraying into my methodology to some extent, but was never really satisfied with how I was doing it. The biggest problem I had was the time scoped for an assessment combined with the likelihood for account lockout policies.

The rockyou password list is way too large (~14,344,392 passwords) to ever get through if account lockouts are enabled. Most customers that I have worked with implement password policies that require complexity to some extent, but even then the complex password count in the rockyou list is over 42,000 unique passwords. However, based on a recent assessment, I had some ideas popup to refine my methodology for this type of attack. I am sure many other people are doing this, but I hadn’t read anything written on the subject (I am sure someone out there has written about similar methodologies though).

I was recently performing a wireless penetration test for a company using WPA2-Enterprise. I setup an evil twin AP using hostpad that was patched with the Wireless Pwnage Edition (WPE) patch. I was only able to obtain the challenge-response from one client, as it appeared most were correctly configured, so I wasn’t overly confident in cracking the password. Nevertheless, I fired up hashcat and fed it the rockyou password list, which is typically the first one I try. To my surprise, the password was cracked within a second or so and ended up being a complex variant of the word password (using upper case, lower case, a special character, and a number). This got me thinking on how I could use some distance comparison techniques to further reduce my password spraying list, as it is likely that the top passwords from rockyou are still frequently used, but with minor modifications to meet corporate password policy complexity requirements.

The plan was to take the complex passwords from rockyou as well as top used rockyou passwords, and then perform a distance test between them using the Damerau-Levenshtein algorithm. I arbitrarily chose the top 20 passwords that weren’t all numbers using the rockyou-withcount.txt list from here. I created a script to automate this for me. The script defaults to setting a minimum password length of 7 and maximum of 12 based on my experience with password policy minimums at previously assessed customers, in addition to password lengths for successfully cracked credentials – it is not all that common for normal users to choose a password greater than 12 characters (even that is probably high). This process reduced the total unique passwords count down to 921 with a distance of 4 or lower, and 252 with a distance of 3 or lower. This is a much more manageable size.

I created a companion script that will take a list of users, list of passwords, and URI to perform a password spraying attack against Outlook Web Access, Outlook Anywhere, or ActiveSync (I will probably add more services later, such as SMB, WMI, RDP, etc). This script can be configured to stop after a successful authentication, as well as set an account lockout threshold and account lockout timer such that the script pauses authentication tests until the timer is up. You can download the Python script that will perform the distance test along with this password spraying script (PowerSniper – hat tip to @dafthack‘s MailSniper tool and @domchell‘s LyncSniper tool) here: https://github.com/codewatchorg/PowerSniper.

MailSniper can already perform password spraying against Outlook Web Access and Outlook Anywhere, so that is probably a better option if account lockouts aren’t a concern (I didn’t see support for avoiding locking out accounts), as I am sure his code is better than mine – note though that we have slightly different approaches in the authentication.