6. Enumerating & Retrieving Password Policies
CrackMapExec (CME):
Retrieves detailed password policy information, including minimum password length, lockout thresholds, and complexity requirements.
Enumerating Password Policies Without Credentials (Linux)
SMB NULL Sessions:
Exploits misconfigurations in older Domain Controllers.
Tools: rpcclient, enum4linux, enum4linux-ng, CrackMapExec.
rpcclient:
Commands within rpcclient:
querydominfo - Retrieves domain information.
getdompwinfo - Retrieves password policy.
enum4linux:
Enumerates various information, including password policy.
enum4linux-ng:
Enhanced version of enum4linux with JSON/YAML output.
Tools and Ports:
nmblookup: 137/UDP
nbtstat: 137/UDP
net: 139/TCP, 135/TCP, TCP and UDP 135 and 49152-65535
rpcclient: 135/TCP
smbclient: 445/TCP
LDAP Anonymous Binds:
Exploits legacy configurations.
Tools: ldapsearch, windapsearch.py, ad-ldapdomaindump.py.
ldapsearch:
Enumerating Password Policies from Windows
SMB NULL Sessions (Windows):
Error messages:
Account disabled: System error 1331.
Incorrect password: System error 1326.
Account lockout: System error 1909.
Authenticated Access (Windows):
net.exe:
Retrieves password policy information.
PowerView:
Provides detailed policy information in PowerShell object format.
Other tools: SharpView, CrackMapExec (Windows port), SharpMapExec.
Analyzing Password Policies
Key Parameters:
Minimum password length.
Account lockout threshold.
Lockout duration.
Password complexity requirements.
Default Password Policy:
Enforce password history: 24 days.
Maximum password age: 42 days.
Minimum password age: 1 day.
Minimum password length: 7.
Password complexity: Enabled.
Account lockout duration: Not set.
Account lockout threshold: 0.
Reset lockout counter: Not set.
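Added example (not from the original notes): a small Python script that parses `net accounts`-style output into the key parameters listed above and flags the weak spots a policy review should catch. The sample output below is constructed to match the default policy values in these notes, and the baseline thresholds in the script are assumptions for the example, not values taken from the notes.

```python
import re

# Constructed sample of `net accounts` output mirroring the default
# domain policy values listed in the notes (not captured from a real host).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# `net accounts` labels mapped to the short keys used by the audit.
FIELD_MAP = {
    "Minimum password length": "min_length",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "lockout_window",
    "Maximum password age (days)": "max_age",
    "Minimum password age (days)": "min_age",
    "Length of password history maintained": "history",
}


def parse_net_accounts(text):
    """Parse `net accounts` output into a dict of integers.

    'Never' / 'Unlimited' / 'None' are stored as 0, which for the lockout
    threshold means no lockout is enforced at all.
    """
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        key = FIELD_MAP.get(label.strip())
        if key is None:
            continue  # not one of the parameters we audit
        value = value.strip()
        if value.lower() in ("never", "unlimited", "none"):
            policy[key] = 0
        else:
            match = re.search(r"\d+", value)
            if match:
                policy[key] = int(match.group())
    return policy


# Assumed baseline for this example only; adjust to your own standard.
BASELINE = {"min_length": 12, "lockout_threshold_max": 10}


def audit_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    threshold = policy.get("lockout_threshold", 0)
    if threshold == 0:
        findings.append(
            "Lockout threshold is 0/Never: repeated failed logons never lock "
            "accounts, so spraying attempts must be caught from logon-failure "
            "logging instead."
        )
    elif threshold > BASELINE["lockout_threshold_max"]:
        findings.append(
            f"Lockout threshold {threshold} exceeds baseline "
            f"{BASELINE['lockout_threshold_max']}."
        )
    min_length = policy.get("min_length", 0)
    if min_length < BASELINE["min_length"]:
        findings.append(
            f"Minimum password length {min_length} is below baseline "
            f"{BASELINE['min_length']}."
        )
    return findings


if __name__ == "__main__":
    parsed = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    for key, value in parsed.items():
        print(f"{key}: {value}")
    for finding in audit_policy(parsed):
        print("FINDING:", finding)
```

Run against the sample, the parser recovers the default values (length 7, history 24, maximum age 42, threshold 0) and the audit reports two findings: no lockout threshold and a minimum length below the assumed baseline. Feeding it real `net accounts` output from a domain-joined host gives the same quick check of whether the policy actually limits guessing.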
Password Spraying Considerations
Importance of obtaining password policy.
Precautions when policy is unknown.
Avoiding account lockouts.
Importance of creating a target user list.