Columbus Collaboratory
Published Jul 25, 2018

Attackers abuse poor passwords. In any given environment with more than a few hundred end users, it is almost guaranteed that someone has chosen a poor password, such as the season (e.g. Summer2018); the year (Success2018!); or the enterprise name and a number (e.g. CompanyName1!).

This is how an attacker will gain an initial foothold into your enterprise.

Passwords that use trivially predictable patterns are weak and can be easily exposed through a technique known as Password Spraying—the inverse of a Brute Force attack—in which a small number of poor passwords are tried against a large number of accounts. Password Spraying is highly, highly effective. We know, because we do it regularly and it hasn't failed once. Password Spraying is also difficult to detect.

Additionally, the ability for password hashes to be cracked offline has dramatically increased thanks to immense improvements in commodity video hardware/GPUs. To prove this point, the Collaboratory spent approximately $10k on commodity video cards and built what is to our knowledge the best dedicated cracking rig in Columbus. With this meager investment, we cracked more than 60% of user passwords in some enterprises in only a day or two.

Our test mimics the capabilities available to attackers willing to spend a small amount of money on hardware or Amazon Cloud GPUs. Using a rig similar to ours, attackers can brute-force many passwords up to 8 characters in length (even high-security, random passwords).

How to Protect Your Enterprise from Password Spraying

The best defense is eliminating common password patterns, company names, and dictionary words. Unfortunately, good tools to achieve this—particularly in Microsoft Active Directory environments—do not exist.

To address this gap, Columbus Collaboratory has partnered with leading offensive testing firm Black Hills Security to contribute to their Open Source project called CredDefense. 

At its heart, CredDefense is a password "filter" that will reject passwords that fall into dangerous patterns. Our software engineers have reviewed and improved CredDefense with an eye to security, stability, and technical correctness of software that will run on Domain Controllers.

Collaboratory will continue to contribute to this toolkit and will provide assistance to Members and Collaborators seeking to implement this functionality.

Using a tool like CredDefense is the single most practical, high value security control you can add to dramatically reduce an attacker's ability to move laterally within your network. 

If you're sick of guys like Mike, Brian, and Todd running ransack through your networks engagement after engagement, please consider deploying this tool! We'd love to help you test and deploy CredDefense . We're also an active contributor so we can add the features you want and squash bugs you may find. Email us to get started using CredDefense. 

Jeff and the Collaboratory Security Team