As more organizations move aggressively to cloud platforms, we also come into contact more often with federation services. Federations extend the authentication process or mechanism from one system to another. These systems can belong to the same organization or be completely separate. One of the most common implementations is Microsoft’s Active Directory Federation Services (ADFS).
What is password spraying?
Password spraying refers to an attack method that takes a large number of usernames and tries each of them with a single password. Several rounds with different passwords can be run, but the number of passwords tried per user stays low compared to the number of users tried. This avoids triggering account lockout and is often more effective at finding weak passwords than targeting specific users.
Note: A good password list is essential for a successful password attack. You can use certain tools like CEWL to generate target-specific lists according to word usage from websites or come up with your own method. I’ve had a lot of success in the past using MonthYear, welcome1, and organization1, as well as simple passwords like qwerty12345. However, we will take the password spraying method further.
Google dorking, as we know, is a very useful way to find ADFS instances that offer direct login to services generally reserved for organization members. Often the sign-on page lists the services you can log in to directly, which also reveals the attack surface and exposes third-party service providers.
By default, the login page is located at /adfs/ls/IdpInitiatedSignOn.aspx. We can use common attributes of that URL to efficiently find exposed login interfaces with Google and the following search terms:
inurl:"/adfs/ls/" intitle:"Log in"
Now we will see how to perform a password spraying attack. We will use two methods: the first with Burp and the second with curl. So let’s start.
Burp proxy settings
The default port is 8080, but I already had something bound there, so I simply added a new proxy listener with binding address 127.0.0.1 and port 9999. You can pick any free port and whichever web browser you prefer; I chose Firefox for testing.
Firefox can be configured by going to Preferences and finding the section labeled Network Proxy. There you set the proxy host to localhost and the port you chose.
We are now set up with Burp and the browser. Next, we go to the ADFS login page found earlier. I chose a random site, but you can choose your own.
Sign in with a set of credentials (valid or not), then on the Target tab in Burp look for the POST request to /adfs/ls/IdpInitiatedSignOn.aspx. I logged in using the credentials shown in Burp below.
When you log in you will see the POST request in Burp. Right-click it and choose Send to Intruder. On the Intruder tab, select the second inner tab (Positions) and click the highlighted Clear button.
This clears the payload positions. Now change the password to the one you want to try against all the selected usernames, highlight only the username value in the form and click the Add button on the right.
On the Payloads tab, add the list of usernames or email addresses you want to check. I’ve added some of my own below as input.
Once everything is set up the way you like, simply click Start attack.
As you can see, we received many responses and all were unsuccessful. A 302 (Found) redirect is the response we would get on a successful ADFS login, so that is the status to look for. You can verify this by changing the password and extending the username list.
Password spraying using curl
As an alternative to this technique, you can take the POST request captured earlier and replay it with curl. Find the POST request again, right-click that line and select Copy as curl command.
Store the list of usernames in a file called “emails” (one per line) and run the request in a for loop. Once you paste the copied command into your terminal, it should look something like this.
We modify it slightly and wrap it in a for loop, like this. The loop prints the usernames for which the login succeeded. In my case it found no valid usernames, so it finished normally; if it had, the output would be the list of usernames that accepted the password qwert123.
Generally, after obtaining a list of valid users for the domain, bad guys (or pentesters) use their knowledge of common passwords and try ONE carefully chosen password against ALL known user accounts (one password for many accounts), which is what we did above. If the first attempt is unsuccessful, they try again with a different password, usually waiting a few minutes between rounds so as not to trigger any time-based account lockout thresholds.
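That same shape (many accounts, one password, a few minutes between attempts so no single account trips a lockout) is what a defender should look for in ADFS sign-in records: a short per-account lockout window never sees it, but a per-source view over a longer window does. The following detector is an added example, not code from the original post; the simplified log format, the IP addresses, user names and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp src_ip user outcome" format
# (not real AD FS output). 203.0.113.5 tries one password against many
# accounts a few minutes apart; 198.51.100.7 is one user mistyping.
SAMPLE_LOG = """\
2024-05-01T09:00:10 203.0.113.5 alice@corp.example FAIL
2024-05-01T09:03:12 203.0.113.5 bob@corp.example FAIL
2024-05-01T09:06:09 203.0.113.5 carol@corp.example FAIL
2024-05-01T09:09:30 203.0.113.5 dave@corp.example FAIL
2024-05-01T09:12:44 203.0.113.5 erin@corp.example FAIL
2024-05-01T09:15:51 203.0.113.5 frank@corp.example SUCCESS
2024-05-01T09:01:00 198.51.100.7 grace@corp.example FAIL
2024-05-01T09:01:20 198.51.100.7 grace@corp.example FAIL
2024-05-01T09:01:45 198.51.100.7 grace@corp.example SUCCESS
"""


def parse_log(text):
    """Parse lines into time-ordered (timestamp, src_ip, user, outcome) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            records.append((datetime.fromisoformat(ts), ip, user, outcome))
    return sorted(records)


def detect_spray(records, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Flag a source whose failures inside `window` touch >= min_users
    distinct accounts with <= max_per_user failures each: many users, one
    password, paced to stay under lockout thresholds. The window is long on
    purpose, because the attacker waits minutes between attempts. Any
    success from the same source after the first failure is reported too."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in records:
        by_ip[ip].append((ts, user, outcome))
    alerts = []
    for ip, events in by_ip.items():
        fails = [(ts, u) for ts, u, out in events if out == "FAIL"]
        for i, (start, _) in enumerate(fails):  # sliding window over failures
            per_user = Counter(u for ts, u in fails[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                wins = sorted({u for ts, u, out in events
                               if out == "SUCCESS" and ts >= start})
                alerts.append({"src_ip": ip, "distinct_users": len(per_user),
                               "successes_after": wins})
                break
    return alerts
```

The mistyping user never trips the rule because all failures land on one account, while the spraying source is flagged together with the one account it eventually got into.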