User Enumeration vs Password Spraying
What do you call a User Enumeration attack against a logon service (i.e. username + password)? Based on recent polling (Source_1, Source_2), it would appear our industry peers call this a password spray attack (by a 3-to-1 margin), despite the purpose clearly being for user enumeration. This article will explain why we are taking a minority view, while still recognizing the validity of our peers’ viewpoints, and incorporating them.
One of the most common attacks performed during a pentest, red team engagement, or even by an actual attacker, is a user enumeration attack – AKA email enumeration, username enumeration, account enumeration, etc. The reason this is common is that many other attacks depend on having a list of valid users/accounts – various password attacks (ex. password spraying), access control attacks (ex. vertical and horizontal privilege escalation), social engineering (ex. phishing), etc.
What is User Enumeration?
According to two highly respected sources in the cybersecurity industry:
- OWASP testing guide: it is “collect[ing] a set of valid usernames by interacting with the authentication mechanism of the application” [Source].
- Mitre’s ATT&CK: user enumeration is “gett[ing] a listing of accounts on a system or within an environment” which “can help adversaries determine which accounts exist to aid in follow-on behavior.” [Source]
How is it performed?
There are a few methods we use during engagements to obtain a list of potential users/accounts:
- Enumerating through a list of IDs – ex. requests for unique user profiles (often sequential)
- Recon – ex. employee list from LinkedIn
- List of common usernames – ex. admin, support, root, etc.
- List of common last names and enumerating the first initial – ex. when the username/email format is firstInitial + lastName
The list of potential users/accounts is often in the thousands or tens of thousands, even when there may only be dozens or hundreds of valid accounts. Before launching our core attacks, we must narrow that potential list of users/accounts to only valid accounts. The following is a list of a few techniques that are common to help with that:
- Using the target’s mail serv(er|ice) – ex. OWASP-AT-002 Vulnerability in Leading Email Providers
- “Check username” API endpoint – ex. a feature often exposed for use by new account creation or “change my username” type features
- Attempting a login with every potential username (and a password) – ex. looking for any difference in response: HTTP response code, response headers or content, timing differences, etc.
It’s the latter, “attempting a login”, that is the subject of this article.
What is Password Spraying?
To understand why ~75% of our peers call this particular attack a password spray, you first should understand what a password spray is. Password spraying is “us[ing] a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Logins are attempted with that password against many different accounts…to avoid account lockouts”. [Source]
That matches also, right? Or does it?
- Tactic – “the why of a technique”. “It is the adversary’s tactical goal: the reason for performing an action”.
- Technique – “how an adversary achieves a tactical goal by performing an action”
Based on the OWASP testing guide, a go-to method for user enumeration is by interacting with the logon service with a list of: (1) valid usernames and passwords, (2) valid usernames and invalid passwords, and (3) invalid usernames and passwords, and then looking for a “response message that reveals, directly or indirectly, some information useful for enumerating users”. [Source]
The purpose of this login-based user enumeration attack, or tactic, is very clear – to obtain a list of valid user accounts. The technique can, by definition, be considered a password spray. But, based on the OWASP testing standard, it could also be called user enumeration.
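To make the OWASP comparison concrete, here is an added example (not code from the original article or from PEN Consultants) of a toy login handler in two forms: a leaky one whose status code, message, and work done depend on whether the username exists, and a hardened one that answers uniformly and always runs the password hash. The user table, passwords, and the `enumeration_oracle` helper are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed user table for the example; not a real system.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

_SALT = os.urandom(16)
USERS = {
    "jsmith": (_SALT, _hash("Spring2021!", _SALT)),       # guessable password
    "akumar": (_SALT, _hash("c0rrect-horse-battery", _SALT)),
}
# Dummy credential so the hardened path does the same hashing work for
# unknown usernames (removes the timing difference).
_DUMMY = (_SALT, _hash("placeholder-dummy", _SALT))

def login_leaky(username: str, password: str) -> tuple:
    """Vulnerable form: response differs by whether the user exists."""
    if username not in USERS:
        return 404, "Unknown user"            # oracle: distinct code and text
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return 200, "Welcome"
    return 401, "Wrong password"              # oracle: confirms the user exists

def login_hardened(username: str, password: str) -> tuple:
    """Hardened form: one generic failure, and hashing always runs."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and username in USERS:
        return 200, "Welcome"
    return 401, "Invalid username or password"

def enumeration_oracle(login, candidates, password="Spring2021!"):
    """Apply the OWASP test: compare each candidate's response to the
    response for a known-bogus username. Any candidate whose response
    differs from that baseline is 'confirmed' by the service."""
    baseline = login("definitely-not-a-user-9f3a", password)
    return sorted(u for u in candidates if login(u, password) != baseline)
```

Against the leaky handler every real account is confirmed whether or not the password was right; against the hardened handler the only candidate that stands out is the one whose guessed password actually worked, which is exactly the distinction between user enumeration and a popped credential that the article draws.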
And that’s the rub – definitions, purpose, tactic vs technique, opinion, etc.
Why do we even need to take a position on this? At the end of the day, our reporting must call it something. In order to satisfy all parties, the title would have to be called something like, “user enumeration attack using a password spray technique with a single password for the primary purpose of finding valid user accounts in a manner which gives the possibility of also finding a limited number of valid credentials”. Wouldn’t fit too well in a title.
As the great C.J. Fresia put it, we will stick with the purpose of the attack and simply call it “User Enumeration”. In fact, the majority of the comments we received on the polls, in contrast to the votes, were in agreement with this position – R Michael Williams, Paul Goffar, Jackson S., Christian V., etc. The details of the attack will, as they always have, include the technique(s) used, including spraying the login service with a single password across many potential accounts. However, calling the tactic by its technique seems to be contradictory to standards, misses the purpose of the attack, and could misdirect the client when it comes to the mitigation.
User enumeration against logon services has been in our core testing guides since day one. However, up until recently, the password chosen was usually something like “test”, “password”, or even just random characters. The password was not the focus…the username was. Strangely enough, that was sometimes successful in authenticating, despite not really trying to do so.
One of our rock star testers, Andrew Boyd, had the idea to use a password that actually stood a better chance of being successful (ex. Spring2021!). The main goal of the enumeration was still the same – generate a list of known valid usernames, and then launch an actual password spray (using dozens/hundreds of common/predictable passwords). To our surprise, that had a scary level of success not only in just achieving the main goal (user enumeration) but also proving that a secondary goal could, in some situations, be achieved (obtaining working credentials pre-password spray).
This is the point at which we started questioning: should this still be considered user enumeration, or is it password spraying now? Again, for brevity purposes (ex. for a finding title), we had to choose one; the one we felt would be the best fit. Since the core purpose was user enumeration, and since obtaining (or not obtaining) valid credentials during this testing had no impact on being successful at that goal, it still seemed user enumeration was, by far, the best label for the attack.
But, based on the polling data (Source_1, Source_2), it certainly made us question our assumptions and viewpoint. However, whether the password chosen is random or common, has no bearing on what to call this – user enumeration. As Paul Goffar pointed out, we “have to use something” in the password field. If we “pop an account” in the process, it doesn’t change the purpose, goal, or tactic, which is still clearly “user enumeration”.
Thank you to all who participated in the poll, provided feedback, and read this article! We have much respect for those with different opinions than us on this topic, and we look forward to chatting with you about it one day.
If you are interested to know how your network services and web apps would perform against these types of attacks, but you do not have the expertise or resources to do so, contact PEN Consultants today!
Featured image is a derivative work from the following images: geralt @ https://pixabay.com/illustrations/face-woman-mask-hand-stress-1013520/