As many organizations move aggressively toward cloud-based platforms, we increasingly come into contact with federation services. Federation extends the authentication process or mechanism of one system to another; the two systems can belong to the same organization or be completely separate. One of the most common implementations is Microsoft's Active Directory Federation Services (ADFS).
What is Password Spraying?
Password spraying refers to the attack method that takes a large list of usernames and tries a single password against each of them. The attacker can run multiple rounds with different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This keeps each account well under its lockout threshold, and it is often more effective at uncovering weak passwords than targeting specific users.
Note: For a password attack to succeed, a good password list is essential. You can use a tool such as CeWL to generate a target-specific list from the words on the organization's websites, or come up with your own method. In the past, I have had a lot of success using MonthYear, welcome1, and organization1, and also simple passwords like qwerty12345. However, we are going to take the password-spraying method further.
Google dorking, as we know, is a very useful way of finding an ADFS instance, which provides a direct login to services generally reserved for members of an organization. Often the sign-on page presents a menu of services to sign directly into. This also reveals the attack surface, since the listed third-party service providers may themselves be vulnerable.
The login page is located at /adfs/ls/IdpInitiatedSignOn.aspx by default. We can use common attributes of that URL to find exposed login interfaces with Google, using the following search terms:

inurl:"/adfs/ls/" intitle:"Sign In"
Now we will see how to carry out a password spraying attack. We will use two methods: the first uses Burp Suite, and the second uses curl (client URL). So let's get started.
Setting Up Burp Suite Proxy
The default port is 8080, but I already have something running and bound there, so I simply added a new proxy listener with the bind address 127.0.0.1 and port 9999. Whichever port you decide to listen on, you can point your favorite web browser at it. While I was testing, I chose Firefox.

Firefox can be configured by navigating to about:preferences and finding the section labeled Network Proxy. Under that, you can set the local host and port.
Now we are set with our Burp suite and browser. Next, we will navigate to the newly-found ADFS login page. I have chosen a random website, but you can choose your own.
Sign in with a set of credentials (valid or not) and then, in the Target tab in Burp Suite, locate the POST request to /adfs/ls/IdpInitiatedSignOn.aspx. I have logged in using the credentials, as shown in the Burp screenshot below.
As you sign in, you will see the POST request in Burp. Right-click on it and choose Send to Intruder. In the Intruder tab, select the second inner tab (Positions) and click the Clear button as highlighted.

This resets the attack positions in the payload. Now change the password to whatever password you would like to run against all the selected usernames. Highlight just the username portion of the form and click the Add button on the right side.
In the payload tab you can add a list of usernames or emails to check. Below, I have added some of my own options as input.
Once you're set up the way you like, simply click Start attack.
As you can see, we got a number of responses and all were unsuccessful. A 302 (Found) redirect is the response we would get on a successful login to ADFS, so that is the status to look for. You can check by changing passwords and by expanding the list of usernames.
Password Spraying Using Curl
Apart from this technique, you can still capture the POST request from earlier and use curl. Locate the POST request again, right-click that line, and select Copy as curl command.

What we will do is save a list of usernames to a file named "emails" (one per line) and run a for loop. Once you paste the command into your terminal, it should look something like this.

We will modify that a bit and wrap it in a for loop, like so. It prints the list of usernames for which the login succeeds. In my case it did not find any valid usernames, so it exited normally. If it had found any, the output would have been the list of usernames that accepted the password qwert123.
Bad guys (or pentesters) generally, after obtaining a list of valid users from the domain controllers, use their knowledge of common passwords and try ONE carefully crafted password against ALL of the known user accounts (one password to many accounts). That is what we did above. If the attack is unsuccessful on the first try, attackers try again with a different password, generally waiting a few minutes between rounds so as not to trigger any time-based account lockout thresholds.
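The one-password-to-many-accounts pattern just described has a recognizable footprint in the federation server's sign-in logs: one client address fails against many distinct accounts in a short window while no single account ever comes close to its lockout threshold. The following detector is an added example written for this article, not code from the original page; the log line format, the client addresses, the accounts under example.org and the thresholds (five distinct accounts in thirty minutes, at most three failures per account) are all constructed assumptions, so the parser is the part you would replace for real ADFS audit events.

```python
"""Detect one-password-to-many-accounts spraying in federation sign-in logs.

Added example, not part of the original article. The log format is
constructed for this demo: one line per authentication attempt,
"<ISO timestamp> <client_ip> <username> <SUCCESS|FAILURE>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a spray from 203.0.113.7 (one attempt per account,
# many accounts) next to a single user who mistyped her password twice.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice@example.org FAILURE
2024-05-01T09:00:03 203.0.113.7 bob@example.org FAILURE
2024-05-01T09:00:05 203.0.113.7 carol@example.org FAILURE
2024-05-01T09:00:07 203.0.113.7 dave@example.org FAILURE
2024-05-01T09:00:09 203.0.113.7 erin@example.org FAILURE
2024-05-01T09:00:11 203.0.113.7 frank@example.org SUCCESS
2024-05-01T09:02:00 198.51.100.20 grace@example.org FAILURE
2024-05-01T09:02:30 198.51.100.20 grace@example.org FAILURE
2024-05-01T09:03:00 198.51.100.20 grace@example.org SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result


def find_spray_sources(log_text, window=timedelta(minutes=30),
                       min_distinct_users=5, max_per_user=3):
    """Return {ip: sorted usernames} for sources whose failures inside
    `window` hit at least `min_distinct_users` distinct accounts while no
    single account exceeds `max_per_user` failures. That combination is the
    low-and-slow signature that stays under per-account lockout thresholds
    and therefore never shows up in a lockout report."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)   # ip -> deque of (ts, user) failures in window
    flagged = {}
    for ts, ip, user, result in events:
        if result != "FAILURE":
            continue
        q = recent[ip]
        q.append((ts, user))
        # Drop failures that have aged out of the observation window.
        while q and ts - q[0][0] > window:
            q.popleft()
        per_user = defaultdict(int)
        for _, u in q:
            per_user[u] += 1
        if len(per_user) >= min_distinct_users and max(per_user.values()) <= max_per_user:
            flagged[ip] = sorted(per_user)
    return flagged


def spray_successes(log_text, flagged):
    """Accounts that authenticated successfully from a flagged source.
    These are the hits an attacker would act on, so they are the accounts
    to reset and review first."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if ip in flagged and result == "SUCCESS":
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    sources = find_spray_sources(SAMPLE_LOG)
    for ip, users in sources.items():
        print(f"spray source {ip}: {len(users)} distinct accounts targeted")
    print("accounts that accepted a sprayed password:", spray_successes(SAMPLE_LOG, sources))
```

The point of the per-user cap is that a source hitting one account many times is a brute-force attempt that lockout already handles; what lockout misses, and what this query surfaces, is the wide-and-shallow case. In practice the thresholds should be set from the normal fan-out of your own proxies and NAT gateways, since a single egress address for a large office will legitimately carry failures for many accounts.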
Password-spraying attacks have become a favorite technique of attackers and pentesters alike, as they have proved very effective for advancing through a network after a foothold has been established. Many organizations are indeed vulnerable to a password spray, because their users keep weak passwords or passwords that attackers can easily guess.