search

6.Enumerating & Retrieving Password Policies

CrackMapExec (CME):

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

  • Retrieves detailed password policy information, including minimum password length, lockout thresholds, and complexity requirements.

hashtag
Enumerating Password Policies Without Credentials (Linux)

SMB NULL Sessions:

  • Exploits misconfigurations in older Domain Controllers.

  • Tools: rpcclient, enum4linux, enum4linux-ng, CrackMapExec.

rpcclient:

rpcclient -U "" -N 172.16.5.5

  • Commands within rpcclient:

    • querydominfo - Retrieves domain information.

    • getdompwinfo - Retrieves password policy.

enum4linux:

enum4linux -P 172.16.5.5

  • Enumerates various information, including password policy.

enum4linux-ng:

enum4linux-ng -P 172.16.5.5 -oA ilfreight
cat ilfreight.json

  • Enhanced version of enum4linux with JSON/YAML output.

Tools and Ports:

  • nmblookup: 137/UDP

  • nbtstat: 137/UDP

  • net: 139/TCP, 135/TCP, TCP and UDP 135 and 49152-65535

  • rpcclient: 135/TCP

  • smbclient: 445/TCP

LDAP Anonymous Binds:

  • Exploits legacy configurations.

  • Tools: ldapsearch, windapsearch.py, ad-ldapdomaindump.py.

ldapsearch:

hashtag
Enumerating Password Policies from Windows

SMB NULL Sessions (Windows):

  • Error messages:

    • Account disabled: System error 1331.

    • Incorrect password: System error 1326.

    • Account lockout: System error 1909.

Authenticated Access (Windows):

net.exe:

  • Retrieves password policy information.

PowerView:

  • Provides detailed policy information in PowerShell object format.

  • Other tools: SharpView, CrackMapExec (Windows port), SharpMapExec.

hashtag
Analyzing Password Policies

Key Parameters:

  • Minimum password length.

  • Account lockout threshold.

  • Lockout duration.

  • Password complexity requirements.

Default Password Policy:

  • Enforce password history: 24 days.

  • Maximum password age: 42 days.

  • Minimum password age: 1 day.

  • Minimum password length: 7.

  • Password complexity: Enabled.

  • Account lockout duration: Not set.

  • Account lockout threshold: 0.

  • Reset lockout counter: Not set.

hashtag
Password Spraying Considerations

  • Importance of obtaining password policy.

  • Precautions when policy is unknown.

  • Avoiding account lockouts.

  • Importance of creating a target user list.

Previous5.Password Spraying OverviewNext7.Password Spraying - Making a Target User List

Last updated