Password Spray

What is Password Spray?

Rather than the usual brute-force approach, which runs a dictionary of hundreds or even millions of passwords against a single account, password spraying reverses the process: take a list of as many users as possible and try just one password against tens or hundreds of user accounts.

Username Enumeration

Here is a username list example:

https://github.com/insidetrust/statistically-likely-usernames

We can enumerate usernames using the SMTP VRFY command:

head -n 50 john.txt > users.txt
smtp-user-enum -M VRFY -U users.txt -t $IP

This is the same as the Metasploit module auxiliary/scanner/smtp/smtp_enum.

Password Selection

Now that we have validated some users, we should choose one (recommended) or at most two commonly used passwords for the attack.

Regarding commonly used passwords, real-world experience has shown that one of the most common is the current season followed by the current year, e.g., Spring2022.

Another very common pattern is the company name followed by a number, e.g., FooCorp01, FooCorp02, etc.

SSH Password Spray

Spray a single server:

hydra -L users.txt -p <password> ssh://$IP -t 4

Spray multiple servers:

hydra -l <username> -p <password> -M ssh_servers.txt ssh -t 4

When brute-forcing SSH, always use 4 threads: running more than 4 threads is likely to trip defensive mechanisms on the server.
