T1110.003Credential Access

Password Spraying

Try a small set of common passwords across many accounts to avoid lockout.

§ Where this technique fits

T1110.003 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 5.5 on average.

Authoritative reference: attack.mitre.org/techniques/T1110/003/.

§ Dossiers chaining this technique

SNMPv2c write-community → router config exfil → cred sprays
Find a router with 'private' RW community. Trigger SNMP-to-TFTP config download to attacker host. The config has RADIUS shared secret, AAA server IP, ISAKMP PSKs, and SSH user-pubkeys — spray harvested creds.
step 5 / 6
FortiGate SSL-VPN pre-auth RCE → config theft
Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.
step 6 / 6

§ What commonly comes next

01
BloodHound / SharpHound Enumeration
AD-BLOODHOUND · Discovery
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SNMPv2c write-community → router config exfil → cred sprays

FortiGate SSL-VPN pre-auth RCE → config theft

§ What commonly comes next