Have you heard of a password brute-force attack? A brute-force attack is when attackers try to hack into a single account by guessing its password.
Let’s say an attacker is trying to hack the account of the user “Vickie”. The attacker will first generate a password list to use. She can either use a dictionary of common passwords she found online, or a list of likely passwords generated based on her knowledge of the user. Then, the attacker uses a script to rapidly fire off login attempts to the service. She tries to log into the service with the username “Vickie” and different passwords until she finds the correct one.
But modern applications are getting smarter. The majority of web applications now implement account lockout policies. If the application detects that an account has had a few failed login attempts in a short timeframe, the application will block the account from further logins. The application will often also notify the user of the failed login attempts or alert the system admins.
This means that traditional brute-force attacks are no longer feasible for a majority of applications. To avoid account lockouts, attackers will have to space out their password guesses. This makes brute-forcing too time-consuming. That’s why attackers are utilizing an attack called “password spraying” as an alternative to brute-forcing.
What is password spraying?
During a password spraying attack, the attacker attempts to access a large number of accounts with a small list of commonly used passwords. She will first try to login to all the usernames with the first common password before trying the second common password across all accounts, and so on.
For example, login attempts generated by a traditional brute-force attack look like this:
username: john, password: password username: john, password: password1 username: john, password: password2 username: john, password: password3 username: chris, password: password username: chris, password: password2 username: chris, password: password3 username: chris, password: password4
While the login attempts of a password spraying attack look like this:
username: john, password: password username: chris, password: password username: dave, password: password username: richard, password: password username: john, password: password2 username: chris, password: password2 username: dave, password: password2 username: richard, password: password2
By trying the same password on a large number of accounts, attackers can naturally space out the guesses on every single account. And because many users use weak passwords, it is possible to get a hit after trying just a few of the most common passwords.
Using Hydra to spray passwords
Now let’s spray some passwords to learn how the attack works!
We will be using Hydra to execute our attack. Hydra is an authentication brute-forcing tool that can be used for many protocols and services. It can help us automate our password spraying attack!
First, let’s install Hydra. If you are using Kali Linux, a version of Hydra is already installed. Otherwise, you can run this command.
sudo apt-get install hydra
You can also build Hydra from its source. To install from source, you first have to download Hydra here:
Then, go into Hydra’s directory and run these commands.
./configure make make install
Before you start spraying for passwords, you have to collect a list of usernames and a list of passwords to use.
For usernames, consider using a generic username list like one of these.
This list contains many of the most common usernames and default account-names. If you are targeting a specific organization, you might want to perform some recon to collect usernames to make your attack more effective. You can also collect usernames by using techniques like Google Dork.
And you can find is a list of the most commonly used passwords here.
Running Hydra to spray passwords
Armed with our usernames and passwords, let’s start spraying for passwords! Here’s the basic syntax for a Hydra command:
hydra -L <USERNAME_LIST> -P <PASSWORD_LIST> <TARGET_IP> <PROTOCOL>
hydra -L users.txt -P passwords.txt 192.168.0.1 ssh
Since this is a password spraying attack and not a normal brute-force attack, we need to use the
-u flag. This flag tells Hydra to try each password for every user first, instead of trying every password on a single user before moving on to the next user. So, you can launch a password spraying attack by running:
hydra -L users.txt -P passwords.txt 192.168.0.1 ssh -u
I also recommend using the
-V flag to turn on verbose output, so that you can see the password spray in action!
hydra -L users.txt -P passwords.txt 192.168.0.1 ssh -u -V
Password spraying is an attack that malicious hackers use to bypass policies that thwart brute-force attacks, such as account lockout. These attacks are simple to execute, and often yield effective results.