Password Spraying

As many organizations move aggressively towards cloud-based platforms, we also come into contact with federation services more often. Federation extends an authentication process or mechanism from one system to another; the systems may belong to the same organization or be completely separate. One of the most common implementations is Microsoft's Active Directory Federation Services (ADFS).

Password spraying refers to the attack method that takes a large number of usernames and tries a single password against each of them. We can run multiple iterations with a number of different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. Because each account sees only a few failures, this method stays below account lockout thresholds, and it is often more effective at uncovering weak passwords than targeting specific users.
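The shape described above (a few failures spread across many accounts, rather than many failures against one account) is also what a defender should look for. The following Python snippet is an added example, not code from the original post; it classifies each source address in a set of constructed authentication log lines as spraying, brute-forcing or normal, using an assumed log format (`<ISO timestamp> <OK|FAIL> user=<name> src=<ip>`) and assumed thresholds (five distinct accounts or five attempts on one account within ten minutes). Successful logons from a source that was spraying are listed separately, since those are the accounts to check first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only; not real data.
# Assumed format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-04T09:00:03 FAIL user=bob src=203.0.113.7
2024-03-04T09:00:05 FAIL user=carol src=203.0.113.7
2024-03-04T09:00:08 FAIL user=dave src=203.0.113.7
2024-03-04T09:00:10 FAIL user=erin src=203.0.113.7
2024-03-04T09:00:12 OK user=frank src=203.0.113.7
2024-03-04T09:01:00 FAIL user=alice src=198.51.100.9
2024-03-04T09:01:02 FAIL user=alice src=198.51.100.9
2024-03-04T09:01:04 FAIL user=alice src=198.51.100.9
2024-03-04T09:01:06 FAIL user=alice src=198.51.100.9
2024-03-04T09:01:08 FAIL user=alice src=198.51.100.9
2024-03-04T09:01:10 FAIL user=alice src=198.51.100.9
2024-03-04T09:30:00 FAIL user=bob src=192.0.2.44
"""


def parse_line(line):
    """Parse one line of the assumed log format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def classify_sources(log_text, window=timedelta(minutes=10), min_users=5, min_attempts=5):
    """Classify each source IP by the shape of its failed logons.

    'spray'       : failures within one window touch >= min_users distinct accounts
    'brute-force' : >= min_attempts failures within one window, all on a single account
    'normal'      : anything else (ordinary mistyped passwords)
    Thresholds are assumptions; tune them to the environment's lockout policy.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_src[ev["src"]].append(ev)

    verdict = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        label = "normal"
        # Slide a window that starts at each failure in turn.
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) >= min_users:
                label = "spray"
                break
            if len(in_window) >= min_attempts and len(users) == 1:
                label = "brute-force"
                break
        # A successful logon from a spraying source is a likely compromised account.
        successes = sorted({e["user"] for e in events if e["result"] == "OK"}) if label == "spray" else []
        verdict[src] = {
            "failures": len(fails),
            "distinct_users": len({e["user"] for e in fails}),
            "pattern": label,
            "successes": successes,
        }
    return verdict


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

The same logic can be fed from ADFS or domain controller audit events once they are normalised to the assumed fields; the key signal is the ratio of distinct accounts to attempts per source, which per-account lockout policies alone do not capture.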

Note: For a password attack to succeed, a good password list is essential. You can use tools such as CeWL to generate target-specific lists from the words found on an organization's websites, or come up with your own method. In the past, I have had a lot of success using MonthYear, welcome1, and organization1, and also simple passwords like qwerty12345. However, we are going to take the password-spraying method further.

Google dorking, as we know, is a very useful way to find an ADFS instance, which provides a direct login to services generally reserved for members of an organization. Many times, we are presented with a choice of which service to sign directly into. This also reveals an attack surface, as the third-party service providers themselves may be vulnerable.

The login page is located at /adfs/ls/IdpInitiatedSignOn.aspx by default. We can use the common components of that URL to find exposed login interfaces with Google, searching for the following terms:

inurl:"/adfs/ls/" intitle:"Sign In"

Now we will (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Sayaala. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/oCVuhwFm8aM/