Password Guessing

Information

• Name: Password Guessing

• ID: T1110.001

• Tactics:

• Technique:

Introduction

Password Guessing () is a sub-technique of the MITRE ATT&CK framework under the technique "Brute Force" (T1110). It involves systematically attempting to authenticate to a system or service by guessing passwords. Attackers typically leverage automated tools or scripts that repeatedly try common passwords, leaked credentials, or passwords generated from dictionaries and common patterns. This technique exploits weak authentication practices, predictable passwords, or reused credentials to gain unauthorized access.

Deep Dive Into Technique

Password Guessing encompasses multiple approaches and methodologies:

• Dictionary Attacks:

  • Attackers use predefined dictionaries containing common passwords, phrases, or previously compromised credentials.

  • Dictionaries can be customized based on target-specific information, such as company names, employee details, or known interests.

• Credential Stuffing:

  • Attackers utilize automated tools to test previously compromised username/password pairs across multiple services.

  • Exploits the common practice of credential reuse across different platforms.

• Spraying Attacks:

  • Attackers attempt a small number of common passwords across multiple user accounts to evade account lockout policies.

  • Typically targets organizations by attempting passwords like "Password123", "Welcome123", or seasonal variations such as "Summer2023".

• Brute Force Attacks:

  • Attackers systematically attempt all possible combinations of passwords within a defined character set.

  • Computationally intensive and less common due to efficiency concerns; however, still used against weakly protected services.

Attackers may use automated tools and scripts such as:

• Hydra

• Medusa

• CrackMapExec

• Burp Suite Intruder

• Metasploit auxiliary modules

Real-world procedures often include:

• Identifying login portals or authentication endpoints.

• Enumerating valid usernames through reconnaissance activities.

• Automating attempts to authenticate with a list of passwords.

• Utilizing proxy chains or VPNs to mask source IP addresses and bypass rate-limiting protections.

When this Technique is Usually Used

Password Guessing commonly appears in various attack scenarios and stages:

• Initial Access:

  • Attackers attempt to gain initial footholds by guessing passwords for publicly accessible services (e.g., VPN, webmail, remote desktop protocols).

• Privilege Escalation:

  • Attackers guess passwords of privileged accounts once initial access has been obtained to escalate privileges within the compromised environment.

• Lateral Movement:

  • Attackers attempt to authenticate to additional systems within a network using guessed or previously compromised credentials.

• Persistence:

  • Attackers may establish persistent access by obtaining credentials that allow continuous entry into compromised systems.

Typical scenarios include:

• Targeting cloud-based email services to gain access to sensitive emails or documents.

• Attempting to access remote desktop services (RDP, SSH) exposed to the internet.

• Exploiting weak passwords in internal network services after initial compromise.

How this Technique is Usually Detected

Detection methods and indicators of compromise (IoCs) include:

• Monitoring Authentication Logs:

  • Track repeated authentication failures from the same IP address or against the same user account.

  • Identify patterns such as multiple failed attempts followed by a successful login.

• Behavioral Analytics and SIEM Tools:

  • Utilize Security Information and Event Management (SIEM) solutions to correlate events and detect anomalous login behaviors.

  • Implement detection rules for password spraying, credential stuffing, and brute force patterns.

• Network Monitoring and Intrusion Detection Systems (IDS):

  • Detect unusual spikes in authentication traffic or login attempts.

  • Identify automated tools by analyzing user-agent strings, request frequency, and source IP reputation.

• Account Lockout and Alerting Mechanisms:

  • Configure account lockout thresholds and alert administrators upon multiple failed login attempts.

  • Implement adaptive authentication mechanisms to detect and mitigate automated attacks.

• Endpoint Detection and Response (EDR):

  • Identify unusual login attempts and credential misuse on endpoints.

  • Detect suspicious processes or scripts executing password guessing activities.

Specific IoCs include:

• High frequency of failed login attempts from single or multiple IP addresses.

• Login attempts from unusual geographic locations or VPN/proxy IP addresses.

• Successful logins following a series of failed attempts.

• Use of known password-guessing tools or scripts identified by endpoint or network security solutions.

Why it is Important to Detect This Technique

Early detection of Password Guessing is critical due to the following potential impacts on systems and networks:

• Unauthorized Access:

  • Successful password guessing provides attackers initial footholds or lateral movement capabilities, enabling further attacks.

• Data Breaches and Information Theft:

  • Attackers gaining access to sensitive systems may exfiltrate confidential data, intellectual property, or personally identifiable information (PII).

• Privilege Escalation and Persistence:

  • Compromised credentials can facilitate attackers in escalating privileges, installing backdoors, or maintaining persistent access.

• Ransomware and Malware Deployment:

  • Attackers leveraging compromised accounts may deploy ransomware, malware, or other malicious payloads, causing significant operational disruptions.

• Compliance and Regulatory Impact:

  • Failure to detect and respond to credential-based attacks may lead to regulatory non-compliance, legal consequences, or financial penalties.

• Reputational Damage:

  • Successful breaches resulting from weak authentication practices can severely impact organizational reputation and customer trust.

Early detection and rapid response significantly reduce the risk of successful compromise, limit damage, and minimize remediation costs.

Examples

Real-world examples of Password Guessing attacks include:

• Credential Stuffing Attack on Financial Institutions:

  • Attackers utilized automated credential stuffing tools to test leaked username/password combinations against online banking portals.

  • Successful attempts resulted in unauthorized access to customer accounts, financial fraud, and identity theft.

• Password Spraying Against Cloud Services:

  • Attackers targeted Microsoft 365 and Google Workspace accounts using common passwords across multiple user accounts.

  • Successful logins led to unauthorized email access, sensitive data exfiltration, and subsequent phishing attacks against internal and external contacts.

• Dictionary Attack on SSH Servers:

  • Attackers employed automated tools such as Hydra and Medusa to perform dictionary attacks against SSH services exposed to the internet.

  • Compromised servers were used for further lateral movement, cryptocurrency mining, or launching Distributed Denial of Service (DDoS) attacks.

• Brute Force Attack on RDP Services:

  • Attackers systematically attempted authentication to Remote Desktop Protocol (RDP) services using automated brute force tools.

  • Successful access allowed attackers to deploy ransomware, encrypt critical data, and demand ransom payments.

• APT29 (Cozy Bear) Password Spraying Campaigns:

  • Advanced Persistent Threat (APT) group APT29 leveraged password spraying attacks against government organizations and think tanks.

  • Successful credential compromise facilitated espionage activities, data exfiltration, and persistent access to sensitive environments.

These examples highlight the diverse use-cases, attacker motivations, and severe impacts associated with Password Guessing techniques.