Password Spraying Brief
What It Is
Password spraying tests a small number of commonly used passwords against many accounts, staying under the lockout threshold. It inverts brute force: instead of many passwords against one account, it uses one password against many accounts.
Preconditions
A list of valid domain user accounts (from LDAP, Kerberos username enumeration, or OSINT), knowledge of the domain password policy (lockout threshold, the observation window after which the bad-password counter resets, minimum length, complexity requirement; also check for fine-grained password policies that override the default for specific groups), and network access to an authentication endpoint (LDAP, SMB, Kerberos, OWA).
Operational Decisions
- Safe spray rate — lockout triggers when badPwdCount reaches the threshold, so at most threshold minus 1 attempts fit in one observation window, less a margin for users' own typos; the conservative cadence is one password per window plus slack (threshold 5, 30-minute window: one password every 35 minutes). A threshold of 0 means lockout is disabled.
- Password selection — must match policy; Season+Year+Symbol, Company+Number; useless if below minimum length
- Target filtering — prioritize service accounts with SPNs and privileged group members; exclude disabled accounts and any whose badPwdCount is already close to the threshold (badPwdCount is not replicated, so read it on the PDC emulator, which is notified of failed attempts domain-wide)
- Protocol choice — SMB, Kerberos AS-REQ, OWA each have different detection characteristics: NTLM/SMB failures log 4625 on the target host and 4776 on the DC, Kerberos pre-authentication failures log 4771 on the DC, OWA failures land in IIS logs on the Exchange server. All of them increment badPwdCount, so no protocol is lockout-free.
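The operational decisions above, as an added example that is not part of the original brief: a small Python planner that parses a constructed sample of `net accounts /domain` output, derives the lockout-safe cadence, discards candidate passwords the policy could never have accepted, drops accounts that are disabled or already close to lockout, and lays out the rounds. The policy values and the account list are constructed; the complexity check approximates AD's three-of-four character-category rule, and the typo margin is an assumed safety parameter, not a policy field.

```python
"""Spray planner for the decisions above. Added example, not code from the
original brief; the policy text and account list below are constructed."""
import re
from dataclasses import dataclass

# Constructed sample of `net accounts /domain` output (real command, fake values).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password length:                              10
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
"""

@dataclass
class PasswordPolicy:
    min_length: int
    lockout_threshold: int       # 0 = lockout disabled ("Never" in net accounts)
    observation_window_min: int  # minutes after which badPwdCount resets

@dataclass
class Account:
    sam: str
    enabled: bool = True
    bad_pwd_count: int = 0   # badPwdCount is not replicated; read it on the PDC emulator
    has_spn: bool = False
    privileged: bool = False

# Constructed account list, as if pulled over LDAP.
SAMPLE_ACCOUNTS = [
    Account("jdoe"),
    Account("svc_sql", has_spn=True),
    Account("old_user", enabled=False),
    Account("admin.bob", privileged=True, bad_pwd_count=2),
    Account("m.smith", bad_pwd_count=4),  # one more failure locks this account
]

def parse_net_accounts(text):
    """Extract the fields that matter for spraying from `net accounts /domain`."""
    def field(label):
        m = re.search(rf"^{re.escape(label)}:\s+(\S+)", text, re.M)
        if not m:
            raise ValueError(f"missing field: {label}")
        return m.group(1)
    threshold = field("Lockout threshold")
    return PasswordPolicy(
        min_length=int(field("Minimum password length")),
        lockout_threshold=0 if threshold == "Never" else int(threshold),
        observation_window_min=int(field("Lockout observation window (minutes)")))

def spray_schedule(policy, typo_margin=1):
    """Lockout fires when badPwdCount reaches the threshold, so a window holds
    threshold-1 failures minus a margin for the user's own typos. Cadence follows
    the brief: one password per observation window, plus slack."""
    if policy.lockout_threshold == 0:
        return {"max_attempts_per_window": None, "minutes_between_rounds": 0}
    safe = policy.lockout_threshold - 1 - typo_margin
    if safe < 1:
        raise ValueError("lockout threshold too low to spray safely")
    return {"max_attempts_per_window": safe,
            "minutes_between_rounds": policy.observation_window_min + 5}

def meets_complexity(pw):
    """Approximates the AD complexity rule: three of upper, lower, digit, symbol."""
    cats = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
            any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(cats) >= 3

def season_candidates(year, company):
    """Season+Year(+Symbol) and Company+Number patterns from the brief."""
    out = []
    for s in ("Spring", "Summer", "Autumn", "Fall", "Winter"):
        out += [f"{s}{year}", f"{s}{year}!"]
    return out + [f"{company}{year}", f"{company}123", f"{company}1!",
                  f"Welcome{year}!", "Password1"]

def filter_candidates(cands, policy, complexity=True):
    """Drop passwords the policy would have rejected: they only burn lockout budget."""
    return [p for p in cands if len(p) >= policy.min_length
            and (not complexity or meets_complexity(p))]

def select_targets(accounts, policy, typo_margin=1):
    """Skip disabled accounts and those without room for one more failure plus
    margin; order privileged and SPN-bearing accounts first."""
    keep = [a for a in accounts if a.enabled and not (
        policy.lockout_threshold
        and a.bad_pwd_count + 1 + typo_margin >= policy.lockout_threshold)]
    return sorted(keep, key=lambda a: (not a.privileged, not a.has_spn, a.sam))

def plan_rounds(passwords, targets, schedule):
    """One password against every target per round, rounds one window apart."""
    gap = schedule["minutes_between_rounds"]
    return [{"start_minute": i * gap, "password": pw, "targets": [t.sam for t in targets]}
            for i, pw in enumerate(passwords)]
```

Run it end to end with `plan_rounds(filter_candidates(season_candidates(2024, "Contoso"), policy), select_targets(SAMPLE_ACCOUNTS, policy), spray_schedule(policy))` after `policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)`: with the sample policy the 15 candidate patterns shrink to 11 that meet the 10-character minimum, `m.smith` (badPwdCount 4) and the disabled account drop out, and rounds start at t+0, t+35, t+70 minutes. The planner only emits the schedule; the actual attempts go through whichever authentication endpoint was chosen above.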
Attacker Gain
Valid domain credentials — usually a standard user account. This provides an authenticated foothold for BloodHound, Kerberoasting, enumeration, and lateral movement. The foothold enables the chain, not direct admin access.
Stakeholder Explanation
An attacker tries common passwords against every employee account, staying under the lockout threshold. In any large organization, some accounts will match. One successful login gives an employee-level foothold for further attacks. Defenses: longer minimum passwords, MFA, distributed-failure monitoring.
Report Phrasing
Finding: Successful Password Spray. The operator enumerated the password policy (min length [N], lockout [N]/[N]min) and sprayed [N] passwords against [N] accounts. [N] credentials recovered, including [account] with [access]. Zero lockouts. Severity: High. Recommendation: Increase minimum length to 14+. Deploy MFA. Implement spray-aware monitoring.
Common Pitfalls
- Describing spraying as 'trying passwords slowly' — misses the inverted model and policy-informed decision-making
- Spraying without policy enumeration — risks mass lockouts and shows no methodology
- Choosing passwords that could never have passed the policy's minimum length or complexity rules; every such attempt burns lockout budget for nothing
- Claiming spraying always yields Domain Admin — most hits are standard users; the value is the foothold