Spraying attack
Password Spraying is an effective technique for identifying valid credentials and is commonly used to uncover weak passwords. It applies to many online services and authentication systems, such as SSH, SMB, RDP, SMTP, and Outlook Web Application. Unlike a Brute-Force attack, which tries many weak passwords against a single username, a Password Spraying attack tries one common weak password against many usernames. Because each account sees only a single failed attempt per round, this approach can help avoid account lockout policies.
Commonly used weak passwords:
Current season followed by the current year (e.g., Fall2020, Spring2021).
Current month followed by the current year (e.g., November2020, March2021).
Company name with random numbers (e.g., TryHackMe01, TryHackMe02).
With password complexity policies: Passwords with symbols (e.g., October2021!, Spring2021!).
For a successful Password Spraying attack, it's crucial to compile a list of valid usernames (or email addresses).
Usernames
$ cat usernames-list.txt
admin
victim
dummy
adm
sammy
Hydra
Hydra can perform password attacks (one user, multiple passwords) as well as spray attacks (multiple users, one password). For a spray, just use hydra -L user-list.txt -p 12345
-l    specific user “admin”
-L    user list
-p    specific password “12345”
-P    password list
ssh
hydra -L usernames-list.txt -p Spring2021 ssh://10.1.1.10
See Online attacks for more details.
RDP