CAPEC-565: Password Spraying
CAPEC Version: 3.9
Last Updated: 2023-01-24
Attack Pattern Description
Execution Flow
Step 1 Explore
[Determine target's password policy] Determine the password policies of the target system/application.
- Determine minimum and maximum allowed password lengths.
- Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
- Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
Step 2 Explore
[Select passwords] Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)
- Select passwords based on common use or a particular user's additional details.
- Select passwords based on the target's password complexity policies.
Step 3 Exploit
[Brute force password] Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.
- Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
- Iterate through the remaining passwords for each known user account.
Prerequisites
- The system/application uses one factor password based authentication.
- The system/application does not have a sound password policy that is being enforced.
- The system/application does not implement an effective password throttling mechanism.
- The adversary possesses a list of known user accounts on the target system/application.
Skills Required
Resources Required
- A machine with sufficient resources for the job (e.g. CPU, RAM, HD).
- Applicable password lists.
- A password cracking tool or a custom script that leverages the password list to launch the attack.
Consequences
Scope: Confidentiality, Access Control, Authentication
Technical Impact: Gain Privileges
Scope: Confidentiality, Authorization
Technical Impact: Read Data
Scope: Integrity
Technical Impact: Modify Data
Mitigations
Create a strong password policy and ensure that your system enforces this policy.
Implement an intelligent password throttling mechanism. Care must be taken to ensure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.
Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.
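An added example illustrating the two mitigation points above, written for this page rather than taken from CAPEC or any product: it flags authentication sources whose failures fan out across many distinct accounts (the spraying shape that per-account lockout counters never see) and throttles the source rather than locking the targeted accounts, so the control itself cannot be turned into the CAPEC-2 lockout attack. The log events, IP addresses, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (timestamp, source IP, username, outcome);
# illustrative values, not data from the CAPEC entry.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", "198.51.100.7", "alice", "fail"),
    ("2024-01-01T10:00:02", "198.51.100.7", "bob", "fail"),
    ("2024-01-01T10:00:03", "198.51.100.7", "carol", "fail"),
    ("2024-01-01T10:00:04", "198.51.100.7", "dave", "fail"),
    ("2024-01-01T10:00:05", "198.51.100.7", "erin", "fail"),
    ("2024-01-01T10:00:06", "198.51.100.7", "frank", "success"),
    ("2024-01-01T10:05:00", "203.0.113.9", "alice", "fail"),
    ("2024-01-01T10:05:30", "203.0.113.9", "alice", "fail"),
    ("2024-01-01T10:06:00", "203.0.113.9", "alice", "success"),
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def spraying_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources whose failures span >= min_accounts distinct users within one window:
    the one-password-many-accounts shape that per-account lockout counters miss."""
    failures = defaultdict(list)
    for ts, source, user, outcome in events:
        if outcome == "fail":
            failures[source].append((parse_ts(ts), user))
    flagged = {}
    for source, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[source] = sorted(users)
                break
    return flagged

def successes_from_flagged(events, flagged):
    """Accounts a flagged source then logged into: reset and review these first."""
    return sorted({u for _, s, u, o in events if s in flagged and o == "success"})

def source_delay_seconds(events, source, at, window=timedelta(minutes=10), cap=300):
    """Per-source exponential backoff (at = ISO timestamp of the new attempt). Slowing
    the origin instead of locking the targeted accounts keeps the throttle from
    becoming a lockout denial of service (CAPEC-2)."""
    now = parse_ts(at)
    recent = sum(1 for ts, s, _, o in events
                 if s == source and o == "fail" and timedelta(0) <= now - parse_ts(ts) <= window)
    return 0 if recent == 0 else min(cap, 2 ** (recent - 1))
```

A user who mistypes their own password twice (the 203.0.113.9 events) is neither flagged nor locked out, while the source that failed against five accounts is flagged and its later success on "frank" surfaces for review.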
Example Instances
A user selects the phrase "Password123" as their password, believing that it would be very difficult to guess. Password Spraying, leveraging a list of commonly used passwords, is used to crack this password and gain access to the account.
The Iranian hacker group APT33 (AKA Holmium, Refined Kitten, or Elfin) carried out numerous Password Spraying attacks in 2019. On average, APT33 targeted 2,000 organizations per month, with upwards of 10 million authentication attempts each day. The majority of these attacks targeted manufacturers, suppliers, or maintainers of industrial control system equipment.
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| ATTACK | 1110.003 | Brute Force: Password Spraying |