Passwords are essential to keep both your professional and personal information protected. With nearly all business being conducted online and many of us working remotely, we all have multiple accounts to manage. Strong, unique passwords are a great defense against hackers.
But hackers are after your passwords as well! In fact, 80% of hacking-related breaches leverage compromised credentials. So, how are criminals able to steal your passwords and gain access to your accounts? Let’s take a look at common password attacks and how to prevent them by implementing password policies, password managers and multi-factor authentication (MFA).
We recently caught up with one of our expert ethical hackers to find out which password attacks they find most successful when performing pen tests on a client’s network. One of the most common tactics they use to gain access is password spraying.
Password spraying is a variation of the classic brute force attack that has been around for decades. In a classic brute force attack, the hacker guesses and tries many passwords against a single account. Because this attack is so common, many operating systems and data-rich websites, such as your online banking site, will now lock an account if an incorrect password is entered too many times. This hasn’t stopped the brute force tactic, so you still need strong passwords: if you have a weak, generic password, hackers may be able to guess it before the account locks out.
With password spraying, hackers found a way around the account lockout by flipping the script. Instead of trying many passwords against a single account, they try a single password against many accounts. Pen testers and cybercriminals are often able to get into an account this way, simply because at least one account has a weak, generic password. Our pen testers find common passwords across our client base. A top offender is season followed by year (think Summer2020), which is complex enough to satisfy Windows’ basic requirements.
The success of password spraying attacks depends on multiple factors such as the size of the target organization, the number of accounts present, technical password security controls that are in place, and security awareness training.
The takeaway here? Always have unique, complex passwords for each of your accounts to make it harder for the hacker to guess them!
Focused Password Spraying
Initial password spraying attacks are often conducted using either username lists built from sources such as LinkedIn, or by using generic publicly available username lists. However, if the attacker can compromise a single account, often a list of all users can be downloaded from directory services or address books. This allows the attacker to conduct a password spraying attack using a more accurate username list, thus yielding more accounts.
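Password spraying has a recognizable shape in failed-logon telemetry: one source touches many accounts with only one or two failures each, whereas classic brute force hammers one account. The following detector, an added example written for this post rather than code from the post’s authors, runs that logic over a handful of constructed log lines modelled on Windows Security event 4625 (failed logon), flattened to one line per event. The field layout, the 10-minute window and the thresholds (5 distinct accounts, at most 2 failures per account) are assumptions chosen for illustration; tune them to your environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), one failed logon per line.
# Status 0xC000006A = wrong password, 0xC000006D = logon failure (bad name or password).
SAMPLE_LOGS = """\
2024-03-01T09:00:01 4625 TargetUserName=alice IpAddress=203.0.113.7 Status=0xC000006D
2024-03-01T09:00:03 4625 TargetUserName=bob IpAddress=203.0.113.7 Status=0xC000006D
2024-03-01T09:00:05 4625 TargetUserName=carol IpAddress=203.0.113.7 Status=0xC000006D
2024-03-01T09:00:07 4625 TargetUserName=dave IpAddress=203.0.113.7 Status=0xC000006D
2024-03-01T09:00:09 4625 TargetUserName=erin IpAddress=203.0.113.7 Status=0xC000006D
2024-03-01T09:00:11 4625 TargetUserName=frank IpAddress=203.0.113.7 Status=0xC000006D
2024-03-01T09:05:00 4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006A
2024-03-01T09:05:01 4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006A
2024-03-01T09:05:02 4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006A
2024-03-01T09:05:03 4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006A
2024-03-01T09:05:04 4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006A
2024-03-01T09:05:05 4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006A
2024-03-01T09:30:00 4625 TargetUserName=grace IpAddress=192.0.2.5 Status=0xC000006A
2024-03-01T09:30:20 4625 TargetUserName=grace IpAddress=192.0.2.5 Status=0xC000006A
"""

# Assumed flattened layout of a 4625 record; adapt the pattern to your log pipeline.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) 4625 TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def parse_failed_logons(text):
    """Turn the flattened 4625 lines into dicts; lines in another layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"].lower(),
            "ip": m["ip"],
            "status": m["status"],
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_tries_per_user=2):
    """Return one alert per source IP whose failures inside `window` cover at least
    `min_users` distinct accounts with no account tried more than `max_tries_per_user`
    times: few guesses each against many accounts, which is the spraying shape.
    A single account with many failures (classic brute force) does not match."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        seen = Counter()   # user -> failures currently inside the sliding window
        start = 0
        best = None
        for end, e in enumerate(evs):
            seen[e["user"]] += 1
            # Slide the window start forward until all counted events fit in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_users and max(seen.values()) <= max_tries_per_user:
                if best is None or len(seen) > best["distinct_users"]:
                    best = {"ip": ip, "distinct_users": len(seen),
                            "first": evs[start]["ts"], "last": e["ts"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_failed_logons(SAMPLE_LOGS)):
        print(f"possible password spray from {alert['ip']}: "
              f"{alert['distinct_users']} accounts between {alert['first']} and {alert['last']}")
```

On the sample data only 203.0.113.7 is reported: six accounts, one failure each, within seconds. The six failures against `admin` from 198.51.100.9 are a brute-force pattern that a lockout policy already addresses, and the two failures for `grace` look like a mistyped password. In production, key the counters on whatever identifies the source reliably for your logon type (source IP, workstation name, or the authenticating proxy) and correlate with the successful logons that follow a spray.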
Another common – but more complicated – password attack uses Kerberos, which is the primary authentication system for Windows Active Directory. When a user logs in to a Windows Active Directory network, the Domain Controller (DC) issues a ticket granting ticket (TGT) to the user. When the user needs to access a service on the network, such as a Microsoft SQL server, a service ticket is issued to the user which is provided to the service to gain access. Because the service needs to validate the service ticket provided to the user, the service ticket is encrypted with the credentials of the account running the service.
Kerberoasting is an attack that exploits how service accounts use Kerberos authentication. The attacker requests Kerberos service tickets for various services on the network from the domain controller. Because the service tickets are encrypted with the credentials of the account running each service, the attacker can load the service tickets into password-cracking software such as hashcat. If the attacker successfully cracks the password of one of these service accounts, they will be able to access resources on the network as that account. Often, service accounts are members of highly privileged groups such as domain administrators.
Kerberoasting attacks are useful after the hacker gains access to a low-level user account via a password spraying attack. Having that initial access as a low-level user may give the hacker the ability to request service tickets for the Kerberoasting attack.
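Because the service tickets are requested from the domain controller, Kerberoasting also leaves a trace there: a burst of service-ticket requests (Windows Security event 4769) from one user account for many different service accounts, typically asking for the RC4 encryption type (0x17) because RC4-encrypted tickets are cheaper to crack than AES ones. The detector below, an added example that is not part of the original post, buckets constructed 4769-style records by requesting account and 10-minute window and reports accounts that request RC4 tickets for three or more distinct non-computer services. The line layout, the window size and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # etype 23; AES128 is 0x11 and AES256 is 0x12

# Constructed sample records modelled on event 4769 (Kerberos service ticket requested).
# alice requests RC4 tickets for five service accounts within seconds; bob's two AES
# requests are ordinary workday activity.
SAMPLE_EVENTS = """\
2024-03-01T10:00:00 4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.23
2024-03-01T10:00:01 4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.23
2024-03-01T10:00:01 4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.23
2024-03-01T10:00:02 4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=svc_report TicketEncryptionType=0x17 IpAddress=10.0.0.23
2024-03-01T10:00:02 4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=svc_mq TicketEncryptionType=0x17 IpAddress=10.0.0.23
2024-03-01T10:00:03 4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=FILESRV01$ TicketEncryptionType=0x17 IpAddress=10.0.0.23
2024-03-01T10:00:04 4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.23
2024-03-01T10:02:00 4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.41
2024-03-01T10:02:30 4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x12 IpAddress=10.0.0.41
"""

# Assumed flattened layout of a 4769 record.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) 4769 TargetUserName=(?P<account>\S+) ServiceName=(?P<service>\S+) "
    r"TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+) IpAddress=(?P<ip>\S+)$"
)


def parse_tgs_requests(text):
    """Parse flattened 4769 lines into dicts, skipping lines in another layout."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "account": m["account"].lower(),
                "service": m["service"].lower(),
                "etype": int(m["etype"], 16),
                "ip": m["ip"],
            })
    return events


def is_candidate_spn_service(service):
    """Computer accounts (names ending in '$') have long random passwords and are not
    realistic cracking targets; krbtgt requests are TGT renewals, not service tickets."""
    return not service.endswith("$") and service != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=10), min_services=3):
    """Return one alert per (account, window) that requested RC4 service tickets for
    at least `min_services` distinct candidate service accounts."""
    buckets = defaultdict(set)
    for e in events:
        if e["etype"] != RC4_HMAC or not is_candidate_spn_service(e["service"]):
            continue
        slot = int(e["ts"].timestamp() // window.total_seconds())
        buckets[(e["account"], slot)].add(e["service"])

    alerts = []
    for (account, _slot), services in buckets.items():
        if len(services) >= min_services:
            alerts.append({"account": account, "rc4_services": sorted(services)})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(parse_tgs_requests(SAMPLE_EVENTS)):
        print(f"possible Kerberoasting by {alert['account']}: "
              f"RC4 tickets for {', '.join(alert['rc4_services'])}")
```

The RC4 filter is what keeps this rule quiet: once your service accounts are configured for AES-only Kerberos, any 4769 with encryption type 0x17 against them is itself worth a look, and a burst of them from one user is a strong signal. Pair the detection with the mitigations below (managed service accounts, long service-account passwords) so that a cracked ticket is unlikely even when the request goes unnoticed.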
If the hacker is able to gain domain administrator access, the impact can be devastating to an organization. To avoid a Kerberoasting attack, we would recommend using managed service accounts wherever possible. Managed service accounts are supported for Windows services, scheduled tasks, and IIS application pools. For services that don’t support managed service accounts, you should require long (25+ character) passwords for service accounts and ensure that complexity is turned on.
Preventing Common Password Attacks
To prevent password attacks like the ones described here, it’s essential to have strong, complex, and unique passwords. A well-defined, organization-wide password policy will also keep employees on the same page when it comes to setting and changing their passwords. If your organization uses Microsoft products, take a look at Microsoft’s password policy recommendations for guidance on building a policy of your own.
Another thing that helps users create strong passwords is a password manager. Today, when nearly everything is done online, a password manager stores your passwords for you, so you can feel at ease creating complex ones. Instead of having to remember each account password, you only have to remember your master password! A list of popular password managers can be found here.
We also highly recommend that you enable multi-factor authentication (MFA) whenever possible. MFA is an authentication method in which access to an account is granted only after you present more than one proof that the account belongs to you. It gives you an extra layer of security because it requires at least two things to access an account – something you know (a password), something you have (an authentication code generated by an authenticator app on your phone or a One-Time PIN [OTP] texted to your phone), and/or something you are (a fingerprint).
Lastly, if you’d like to find out where your network weaknesses and vulnerabilities lie, or simply have security concerns – including concerns about user credentials – it’s a great idea to outsource your penetration testing efforts. An independent provider can give you an outside perspective on where to focus your cybersecurity program and recommend continuous improvements to keep an edge on today’s cybercriminals.