| π Back to Exam Syllabus | πΊ RooCloud on YouTube | π RooCloud Practice Exams |
CISSP 14.4 - Understanding Access Control Attacks (Part 2 of 3)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues the attackerβs playbook from Domain 5, identity and access management. It climbs from crude cracking to precision credential theft, moving through smarter online password attacks and into the world where the proof of identity is stolen from memory rather than any password ever being guessed.
What this episode covers
- Password spraying β tries one password across many accounts to stay under the per-account lockout threshold.
- Credential stuffing β replays known-good reused pairs once per site, defeated by unique passwords everywhere.
- Birthday attacks β exploit how easily hash collisions arise, needing any input that produces the same hash.
- Rainbow tables β precomputed password and hash databases that match stolen hashes at high speed.
- Salts and peppers β random per-password data and a secret constant that make precomputed tables useless.
- Mimikatz β reads single sign-on memory to lift plaintext passwords, hashes, tickets, certificates, and keys.
- Pass-the-hash and Kerberos attacks β replay stolen hashes and forge silver and golden tickets from stolen material.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How does a spraying attack dodge account lockouts?
Instead of hammering one account with many guesses, a spraying attack tries a single password across a long list of accounts, then loops back with the next password. Lockout policies trigger when one account fails too many times in a short window, so by spreading a few attempts thinly across everyone, the attacker stays under the threshold on any single account. If a policy locks after five bad tries in thirty minutes but the spraying loop takes fifteen minutes per pass, each account sees only a couple of failures before the timer resets. Low and slow beats the counter.
How is credential stuffing different from spraying?
The two get confused, but the goal is not the same. Spraying tries to slip past lockout limits, while credential stuffing simply replays known-good username and password pairs, checking each one just once per site. It works because people reuse the same credentials everywhere: when one site is breached and its login database leaks, attackers take those pairs and try them automatically across hundreds of other sites. If someone used the same password on their streaming service and their bank, one leak unlocks both, and unique passwords per site break the attack completely.
What is a birthday attack really finding?
A birthday attack hunts for collisions, two different inputs that produce the same hash. The name comes from a surprising statistic: in a room of just 23 people, there is roughly a 50% chance two of them share a birthday, so collisions are far more likely than intuition suggests. Applied to hashing, an attacker does not need your exact password, only any password that produces the same hash, because to the system a matching hash is just as good. You blunt this by choosing hash functions whose output is long enough that finding a collision stays computationally out of reach.
How do rainbow tables speed up cracking, and how do salts stop them?
A rainbow table is a giant precomputed database of passwords paired with their hashes. Normally a cracker must guess a password, hash it, then compare, over and over, which is slow, but with a rainbow table all that hashing is already done, so the attacker just matches stored hashes against a stolen database at high speed. The defense is a salt, a chunk of random data added to each password before hashing, which makes precomputed tables useless because the attacker would need a fresh table for every possible salt. Adding a pepper, a secret constant kept outside the database, hardens it even further.
How do tools like Mimikatz steal hashes and tickets from memory?
Single sign-on systems hold credentials in memory so users are not prompted repeatedly, and Mimikatz reads that memory directly. It can pull plaintext passwords and PINs from the process that handles logon security, extract password hashes, grab Kerberos tickets, and even lift certificates and private keys, often running as fileless malware loaded straight into memory. Attackers then pass the hash, replaying a captured hash to authenticate without the real password, and abuse Kerberos with pass the ticket, silver tickets, and golden tickets. The strongest defense is upstream: protect that first machine from being compromised at all.
π Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 14.4 - Understanding Access Control Attacks (Part 2 of 3).