Anatomy of an Attack: How Password Spraying Exploits Weak Passwords So Effectively

Webinar Registration

I’m as fascinated as the next person by sophisticated attacks like pass-the-hash and golden tickets. But you know what? Studies show that weak passwords are still the most effective way to compromise admin credentials (note: not just end-user but admin credentials). A case in point is a report from Praetorian, in which Mimikatz-style attacks rank #3 and #4 behind plain weak passwords, which take first place. The Verizon 2017 Data Breach Investigations Report supports this finding: 81 percent of hacking-related breaches leveraged stolen and/or weak credentials.

But didn’t we solve that with password length, complexity and lockout policies? Not so much. Those controls help against an ’80s-style hacker hammering one account with guess after guess, but they don’t stand a chance against today’s low-and-slow technique called “password spraying”.

Password spraying leverages the fact that users (and admins) persist in selecting predictable passwords that follow the letter of the law (length and “complexity”) but miss its spirit. Instead of trying many passwords against one account, the attacker tries one or two likely passwords against every account in the domain, then waits. Because the tool knows the target’s lockout threshold and observation window, it throttles its logon attempts so that no single account accumulates enough failures to trigger a lockout. This proves to be a lethal combination, especially when you feed the spraying tool a big list of known passwords gleaned from the mega-breaches you’ve heard about in the news.

In this real training for free event, I’ll show you Spray, a password spraying tool written by Jacob Wilkin that is specifically built for discovering Active Directory credentials. I’ll show you pre-built password lists that meet Active Directory complexity requirements (three of the four character classes: upper case, lower case, digits and symbols), gleaned by various methods and representing real-world passwords chosen by people every day. You may be surprised by what you learn if you run this against your domain.

But we’ll go beyond hacker tools and discuss what can be done to address this risk. First, I’ll recap everything AD offers natively to protect passwords, including the more modern fine-grained password policy feature, which lets you enforce stronger password and lockout requirements on selected users and groups rather than on the whole domain. We’ll also explain password filters, a Windows extension point that lets you reject passwords the built-in complexity check would accept. And we’ll share some important caveats concerning local accounts and the built-in Administrator account.
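A fine-grained password policy (FGPP) is created and applied with the ActiveDirectory PowerShell module. The script below is an added example, not material from the webinar; it assumes a domain functional level of Windows Server 2008 or later, Domain Admin rights, an existing global security group named Tier0-Admins, and a member account admin.jdoe that is used only to verify the result. The policy name and every numeric setting are illustrative choices, not recommendations from the page.

```powershell
# Added example (not from the webinar): put privileged accounts under a
# stricter password and lockout policy than the Default Domain Policy.
# Assumed names: group 'Tier0-Admins', policy 'PSO-Tier0-Admins', user 'admin.jdoe'.
Import-Module ActiveDirectory

# 1. Baseline: the settings every domain account inherits from Default Domain Policy.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold,
                  LockoutObservationWindow, LockoutDuration, PasswordHistoryCount

# 2. Create the FGPP once. Lower Precedence wins when several policies apply to one user.
$policy = 'PSO-Tier0-Admins'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policy'")) {
    New-ADFineGrainedPasswordPolicy -Name $policy -Precedence 10 `
        -MinPasswordLength 15 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# 3. Apply it. FGPP subjects must be user objects or global security groups;
#    it has no effect on local accounts on member servers and workstations.
Add-ADFineGrainedPasswordPolicySubject -Identity $policy -Subjects 'Tier0-Admins'

# 4. Verify which policy actually wins for a member of the group.
Get-ADUserResultantPasswordPolicy -Identity 'admin.jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Step 4 matters: if the resultant policy still shows the default settings, the account is not a direct member of the subject group (nested membership through a domain local group does not count), or another FGPP with a lower Precedence value applies.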

Then we’ll move on to how to detect password spraying attempts in the security log and how to find the weak passwords in your environment. STEALTHbits’ very knowledgeable Jeff Warren brought me the idea for this webinar, and he will briefly share how his research has enhanced ways to protect your organization from password spraying.
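Detecting the pattern described above (many distinct accounts failing from one source while each account stays below the lockout threshold) is mostly a grouping problem over logon-failure events. The PowerShell below is an added example, not the webinar’s or STEALTHbits’ code. The function names, the default of 10 distinct accounts, and the sample event records are assumptions constructed for illustration; the only real inputs it relies on are Security event IDs 4625 (logon failure) and 4771 (Kerberos pre-authentication failure) and their documented EventData fields.

```powershell
# Added example, not code from the webinar: surface password-spraying patterns
# in Windows Security-log logon failures. All names and sample data below are
# constructed for illustration.

function ConvertTo-LogonFailure {
    # Flatten a Get-WinEvent record (4625 or 4771) into Time / Account / Source / Status.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        $ip = $data['IpAddress'] -replace '^::ffff:', ''
        [pscustomobject]@{
            Time    = $Record.TimeCreated
            Id      = $Record.Id
            Account = $data['TargetUserName']
            # Network logons carry IpAddress; fall back to WorkstationName otherwise.
            Source  = if ($ip -and $ip -ne '-') { $ip } else { $data['WorkstationName'] }
            # Bad password is SubStatus 0xC000006A for 4625 and Status 0x18 for 4771.
            Status  = if ($Record.Id -eq 4771) { $data['Status'] } else { $data['SubStatus'] }
        }
    }
}

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Failures,
        [int] $WindowMinutes       = 30,  # match the domain's lockout observation window
        [int] $LockoutThreshold    = 5,   # (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
        [int] $MinDistinctAccounts = 10   # assumed cut-off; tune for your environment
    )
    foreach ($src in ($Failures | Group-Object Source)) {
        $sorted = @($src.Group | Sort-Object Time)
        $best = $null
        foreach ($e in $sorted) {
            # Sliding window: every failure from this source in the WindowMinutes ending at $e.
            $win      = @($sorted | Where-Object { $_.Time -le $e.Time -and $_.Time -gt $e.Time.AddMinutes(-$WindowMinutes) })
            $distinct = @($win.Account | Sort-Object -Unique).Count
            $perAcct  = ($win | Group-Object Account | Measure-Object -Property Count -Maximum).Maximum
            if (-not $best -or $distinct -gt $best.DistinctAccounts) {
                $best = [pscustomobject]@{
                    Source           = $src.Name
                    WindowEnd        = $e.Time
                    Failures         = $win.Count
                    DistinctAccounts = $distinct
                    MaxPerAccount    = $perAcct
                    # True means no account reached the threshold: the spray never caused
                    # a lockout, so a lockout-based alert alone would not have fired.
                    UnderLockout     = ($perAcct -lt $LockoutThreshold)
                }
            }
        }
        if ($best.DistinctAccounts -ge $MinDistinctAccounts) { $best }
    }
}

# --- Constructed sample (not real log data): one source hits 25 different accounts once
#     each over 25 minutes; a second source is just 'alice' mistyping her password three times.
$t0 = Get-Date '2017-06-01 09:00'
$spray = foreach ($i in 1..25) {
    [pscustomobject]@{ Time = $t0.AddMinutes($i); Id = 4625; Account = "user$i"; Source = '10.0.0.5'; Status = '0xC000006A' }
}
$noise = foreach ($i in 1..3) {
    [pscustomobject]@{ Time = $t0.AddMinutes(2 * $i); Id = 4625; Account = 'alice'; Source = '10.0.0.77'; Status = '0xC000006A' }
}
$sample = @($spray) + @($noise)

Find-PasswordSpray -Failures $sample | Format-Table -AutoSize

# Live use on a domain controller (needs rights to read the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddHours(-24) } |
#             ConvertTo-LogonFailure
# Find-PasswordSpray -Failures $live -LockoutThreshold (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
```

On the constructed sample, 10.0.0.5 is reported with 25 distinct accounts and a per-account maximum of 1, so UnderLockout is true: the attacker stayed below a threshold of 5 and no lockout event would have been written. 10.0.0.77 is not reported. Two practical refinements: restrict the input to the bad-password status codes noted in the comments so that expired or disabled accounts do not inflate the counts, and replace the per-event sliding window (quadratic in the number of failures per source) with fixed time buckets if you feed it a busy domain controller’s full day of events.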

Please join us for this real training for free event.
