CtrlK

6.Enumerating & Retrieving Password Policies

CrackMapExec (CME):

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

Retrieves detailed password policy information, including minimum password length, lockout thresholds, and complexity requirements.

Enumerating Password Policies Without Credentials (Linux)

SMB NULL Sessions:

Exploits misconfigurations in older Domain Controllers.
Tools: rpcclient, enum4linux, enum4linux-ng, CrackMapExec.

rpcclient:

rpcclient -U "" -N 172.16.5.5

Commands within rpcclient:
- querydominfo - Retrieves domain information.
- getdompwinfo - Retrieves password policy.

enum4linux:

enum4linux -P 172.16.5.5

Enumerates various information, including password policy.

enum4linux-ng:

enum4linux-ng -P 172.16.5.5 -oA ilfreight
cat ilfreight.json

Enhanced version of enum4linux with JSON/YAML output.

Tools and Ports:

nmblookup: 137/UDP
nbtstat: 137/UDP
net: 139/TCP, 135/TCP, TCP and UDP 135 and 49152-65535
rpcclient: 135/TCP
smbclient: 445/TCP

LDAP Anonymous Binds:

Exploits legacy configurations.
Tools: ldapsearch, windapsearch.py, ad-ldapdomaindump.py.

ldapsearch:

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Enumerating Password Policies from Windows

SMB NULL Sessions (Windows):

net use \\DC01\ipc$ "" /u:""

Error messages:
- Account disabled: System error 1331.
- Incorrect password: System error 1326.
- Account lockout: System error 1909.

Authenticated Access (Windows):

net.exe:

net accounts

Retrieves password policy information.

PowerView:

import-module .\PowerView.ps1
Get-DomainPolicy

Provides detailed policy information in PowerShell object format.
Other tools: SharpView, CrackMapExec (Windows port), SharpMapExec.

Analyzing Password Policies

Key Parameters:

Minimum password length.
Account lockout threshold.
Lockout duration.
Password complexity requirements.

Default Password Policy:

Enforce password history: 24 days.
Maximum password age: 42 days.
Minimum password age: 1 day.
Minimum password length: 7.
Password complexity: Enabled.
Account lockout duration: Not set.
Account lockout threshold: 0.
Reset lockout counter: Not set.

Password Spraying Considerations

Importance of obtaining password policy.
Precautions when policy is unknown.
Avoiding account lockouts.
Importance of creating a target user list.

Previous5.Password Spraying Overview Next7.Password Spraying - Making a Target User List

Last updated 2 months ago