During an attack, a threat actor can often enumerate leverageable information through open-source intelligence (OSINT) gathering techniques. This can include information on users that are present on the target environment, such as usernames and email addresses. Often, a threat actor can use this information to craft a targeted list of users to facilitate a variety of attack vectors, including brute force and reverse brute force attacks.
Brute force and reverse brute force attacks are a common attack vector that could allow an attacker to compromise a user account by taking advantage of weak or commonly used passwords. In this “Back to Basics” post, we’ll detail how attackers gather leverageable information and perform these attacks. Further, we’ll outline actions that can be taken to mitigate the risks associated with these types of attacks.
What is Open-Source Intelligence?
OSINT refers to the collection and analysis of data gathered from open sources. These sources can vary depending on the target environment.
For this scenario, let’s assume that the target environment is a financial organization, such as a bank. If an attacker wanted to breach a user account, they could leverage OSINT tools to gather employee information such as usernames or email addresses.
Popular OSINT tools include CrossLinked and LinkedInt. These are site scraper tools that can allow an attacker to quickly enumerate employee names and potential employee email addresses on LinkedIn. A threat actor could use these tools to quickly collate a list of potentially valid email addresses associated with the target organization for use in a brute force or reverse brute force attack.
What are Brute Force and Reverse Brute Force Attacks?
A brute force attack employs trial-and-error to guess credential information. Attackers work through all possible password combinations for a particular user, often using common word lists, in the hopes of guessing a password correctly. These attacks are done by ‘brute force’, meaning attackers use excessive attempts to ‘force’ authentication into a user’s account.
While this is an older attack method, attackers still often employ brute force attacks during a network attack because cracking common or easy-to-guess passwords can often take only a few seconds.
Instead of a typical brute force attack, which involves attempting multiple passwords against one user, a reverse brute force attack involves guessing a small number of weak passwords against an entire list of users. In this way, attackers are able to make large numbers of guesses while minimizing the likelihood of triggering lockout thresholds.
Often, attackers attempt to access user accounts by guessing common passwords, such as variations of ‘password’, season/year (e.g., “Autumn2022!”), and the company name where the targeted user is employed.
How are Brute Force and Reverse Brute Force Attacks Performed?
Password Spraying Against Microsoft 365 Using OSINT with CrossLinked
- Download CrossLinked, an open-source OSINT tool that scrapes Google and Bing for LinkedIn users tied to any given organization.
- The syntax for using CrossLinked is simple. To put together an email list, you would use “crosslinked "COMPANY NAME" -f {first}.{last}@COMPANYEMAIL.com -o OUTFILE”. This will create a text file containing the entries found from scraping in the format LASTNAME@COMPANYNAME.COM.
[Figure: Using CrossLinked]
- Download CredMaster and follow the installation/setup instructions contained in the readme.
- Using the email list you have obtained with CrossLinked, it is time to perform a reverse brute force attack! Launch CredMaster with the plugin that best suits your needs (in our case, Office 365), set the usersfile to your CrossLinked list, and set the password you want to force against the email list. Our syntax here is “python3 credmaster.py --plugin o365 -u testemail.txt -p pass.txt”. Note that the AWS access key and secret access key are not required for this attack.
[Figure: Enumerated Email Addresses]
- Start the attack and the application will begin spraying your chosen password against the email list; if successful, you will have obtained valid credentials associated with the target environment. In the example here, we used CrossLinked to generate a list of emails for employees at RSM US LLP, then used CredMaster to perform a reverse brute force attack.
[Figure: Performing Reverse Brute Force Attack]
SMB Login Brute Force Attack Using Metasploit
- Launch Metasploit with “msfconsole”
[Figure: Metasploit Console]
- Use the “auxiliary/scanner/smb/smb_login” module with “use auxiliary/scanner/smb/smb_login”.
- Time to set our options. Once you’ve gathered a list of valid users in the domain, put them into a file (or, if you only have a few, you can enter them manually, separated by commas).
- Set the RHOSTS to your target
- Set the SMBDomain to your target domain name (e.g., AJMAN.CORP)
- Set the SMBPass to a password list file or the password you’d like to try against your enumerated email addresses.
- Start the attack with the “run” command; if successful, you will have obtained valid credentials associated with the target environment.
How to Mitigate Brute Force Attacks
There are several actions an organization could perform to mitigate the risks associated with brute force and reverse brute force attacks:
Strong Password Policy
Implementing a strong password policy for your organization can ensure that users employ unique and complex passwords that are considerably more difficult to crack. Following National Institute of Standards and Technology (NIST) guidelines can ensure that your password policy is robust and configured to significantly decrease the likelihood of successful brute force or reverse brute force attacks.
NIST guidelines include ensuring that passwords are a minimum of 12 characters, checking new passwords against a list of the top 1,000 to 10,000 common passwords before accepting a password change, and displaying a password strength meter to users.
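As an added illustration (not part of the original article), the following Python check applies the policy points above and also rejects the guess patterns attackers favor, as described earlier: variations of ‘password’, season/year strings, and the company name. The common-password list and the company name are constructed stand-ins, not real deployment data.

```python
import re

# Constructed stand-in for a common-password list; a real deployment would
# load the top 1,000 to 10,000 entries the NIST guidance refers to.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "welcome1", "letmein",
    "admin", "iloveyou", "summer2022", "winter2023", "changeme",
}
SEASONS = "spring|summer|autumn|fall|winter"
MIN_LENGTH = 12

# Undo common character substitutions so "P@ssw0rd" compares as "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s"})


def normalize(password: str) -> str:
    """Lowercase, drop trailing digits/punctuation, then undo leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(_LEET)


def check_password(password: str, company: str) -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    base = normalize(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Compare both the raw password and its normalized form against the list.
    if password.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("appears in common password list")
    elif "password" in base:
        problems.append("variation of 'password'")
    # Season followed by a 2- or 4-digit year and optional punctuation, e.g. Autumn2022!
    if re.fullmatch(rf"({SEASONS})\d{{2,4}}[^a-z]*", password.lower()):
        problems.append("season/year pattern")
    # Company name is a constructed example value supplied by the caller.
    company_key = normalize(company)
    if company_key and company_key in base:
        problems.append("contains company name")
    return problems
```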
Login Controls
Implementing strict login controls can mitigate the risks associated with brute force attacks as they can introduce new factors that an attacker has to consider when planning their attack.
- Implementing a multifactor authentication mechanism can help to ensure that breached passwords do not result in an account compromise.
- A CAPTCHA mechanism can limit the number of guesses an attacker can make during brute force and reverse brute force attacks. As a result, the likelihood of a successful brute force or reverse brute force attack is greatly reduced.
- Implementing an account lockout mechanism can protect user accounts from excessive password guesses.
- Implementing an alerting mechanism can ensure that users and administrators are promptly alerted to suspicious activity and can allow administrators to address this activity quickly.
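As an added example (not from the article), the following Python detector models the alerting control over authentication logs: it flags classic brute force (one account driven to the lockout threshold from one source) and the reverse brute force pattern described earlier (many accounts from one source, each kept below the lockout threshold so no lockout fires). The log format, thresholds, user names and addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system): one source sprays
# one password across many users; another hammers a single account.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z LOGIN_FAILED user=alice.smith src=203.0.113.7
2024-03-04T09:00:02Z LOGIN_FAILED user=bob.jones src=203.0.113.7
2024-03-04T09:00:03Z LOGIN_FAILED user=carol.lee src=203.0.113.7
2024-03-04T09:00:04Z LOGIN_FAILED user=dan.wu src=203.0.113.7
2024-03-04T09:00:05Z LOGIN_OK user=erin.day src=203.0.113.7
2024-03-04T09:00:06Z LOGIN_FAILED user=frank.cox src=203.0.113.7
2024-03-04T09:01:00Z LOGIN_FAILED user=alice.smith src=198.51.100.9
2024-03-04T09:01:01Z LOGIN_FAILED user=alice.smith src=198.51.100.9
2024-03-04T09:01:02Z LOGIN_FAILED user=alice.smith src=198.51.100.9
2024-03-04T09:01:03Z LOGIN_FAILED user=alice.smith src=198.51.100.9
2024-03-04T09:01:04Z LOGIN_FAILED user=alice.smith src=198.51.100.9
"""

WINDOW = timedelta(minutes=10)   # assumed correlation window
LOCKOUT_THRESHOLD = 5            # assumed lockout policy: 5 failures per account
SPRAY_MIN_USERS = 5              # distinct failing users from one source before alerting
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failures(log_text):
    """Return {src: sorted [(timestamp, user)]} for failed logins only."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["event"] == "LOGIN_FAILED":
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            failures[m["src"]].append((ts, m["user"]))
    return {src: sorted(items) for src, items in failures.items()}


def detect(log_text):
    """Return sorted (alert_type, src, detail) tuples found in the log."""
    alerts = set()
    for src, items in parse_failures(log_text).items():
        for i, (start, _) in enumerate(items):
            # Sliding window: failures from this source within WINDOW of this event.
            users = Counter(u for ts, u in items[i:] if ts - start <= WINDOW)
            for user, n in users.items():          # classic brute force on one account
                if n >= LOCKOUT_THRESHOLD:
                    alerts.add(("brute_force", src, user))
            # Reverse brute force: many accounts, each kept under the lockout threshold.
            if len(users) >= SPRAY_MIN_USERS and max(users.values()) < LOCKOUT_THRESHOLD:
                alerts.add(("password_spray", src, f"{len(users)} users"))
    return sorted(alerts)
```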
Limit Access to Internal Resources
Network administrators should make an effort to limit access to internal resources by ensuring that these resources are only accessible through a corporate VPN.
Often, attackers can enumerate internal resources, including login portals, during the initial stages of an attack. By limiting access to internal resources, organizations can reduce the number of attack paths an attacker could explore when performing brute force or reverse brute force attacks.
This article was authored by Ayush Nangia, with special thanks to AJ Hammond for assistance with demos.