CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
Last updated
Overview
Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform. Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account. Credential Stuffing attacks are similar to Password Spraying attacks (CAPEC-565) regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Acquire known credentials] The adversary must obtain known credentials in order to access the target system, application, or service.
- An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.
- An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
- An adversary conducts a sniffing attack to steal credentials as they are transmitted.
- An adversary gains access to a database and exfiltrates password hashes.
- An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.
- Step 2Explore
[Determine target's password policy] Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.
- Determine minimum and maximum allowed password lengths.
- Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
- Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).
- Step 3Experiment
[Attempt authentication] Try each username/password combination until the target grants access.
- Manually or automatically enter each username/password combination through the target's interface.
- Step 3Exploit
[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application
- Step 4Exploit
[Spoofing] Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.
- Step 5Exploit
[Data Exfiltration] The adversary can obtain sensitive data contained within the system or application.
What the attacker needs
Prerequisites
- The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.
- The system/application does not have a sound password policy that is being enforced.
- The system/application does not implement an effective password throttling mechanism.
- The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target.
Skills required
- Low skill: A Credential Stuffing attack is very straightforward.
Resources required
- A machine with sufficient resources for the job (e.g. CPU, RAM, HD).
- A known list of username/password combinations.
- A custom script that leverages the credential list to launch the attack.
Consequences
What a successful CAPEC-600 attack can achieve.
Gain Privileges
Affects: Confidentiality, Access Control, Authentication
Read Data
Affects: Confidentiality, Authorization
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-600.
- Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.
- Create a strong password policy and ensure that your system enforces this policy.
- Ensure users are not reusing username/password combinations for multiple systems, applications, or services.
- Do not reuse local administrator account credentials across systems.
- Deny remote use of local admin credentials to log into domain systems.
- Do not allow accounts to be a local administrator on more than one system.
- Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.
- Monitor system and domain logs for abnormal credential access.
How to detect it
Indicators that this attack may be underway.
- Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.
- The login attempts use passwords that have been used previously by the user account in question.
- Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.
Examples
A user leverages the password "Password123" for a handful of application logins. An adversary obtains a victim's username/password combination from a breach of a social media application and executes a Credential Stuffing attack against multiple banking and credit card applications. Since the user leverages the same credentials for their bank account login, the adversary successfully authenticates to the user's bank account and transfer money to an offshore account.
In October 2014 J.P. Morgan's Corporate Challenge website was breached, resulting in adversaries obtaining multiple username/password pairs. A Credential Stuffing attack was then executed against J.P. Morgan Chase, which resulted in over 76 million households having their accounts compromised.
Terminology & mappings
Mapped taxonomies
- ATTACK: Brute Force:Credential Stuffing (1110.004)
- OWASP Attacks: Credential stuffing
Frequently asked questions
Common questions about CAPEC-600.
- What is CAPEC-600?
- An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
- How does a Credential Stuffing attack work?
- It typically unfolds over 6 phases. It begins with: [Acquire known credentials] The adversary must obtain known credentials in order to access the target system, application, or service.
- How do you prevent CAPEC-600?
- Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.
- What weaknesses does CAPEC-600 target?
- CAPEC-600 exploits 7 CWE weaknesses, including CWE-262 (Not Using Password Aging), CWE-263 (Password Aging with Long Expiration), CWE-307 (Improper Restriction of Excessive Authentication Attempts), CWE-308 (Use of Single-factor Authentication).
- How severe is CAPEC-600?
- MITRE rates CAPEC-600 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-600
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.