Password policy

When attacking Active Directory domains, directly targeting accounts is usually a great start. It could provide initial access and help the attackers operate lateral movement. The easiest way to compromise accounts is to operate some password , or . This kind of attack usually yields good results depending on the user's awareness. There are however technical measures that usually are in place, forcing the attackers to balance the number and speed of password attempts.

In order to fine-tune this, the password policy can be obtained. This policy can sometimes be enumerated with a null-session (i.e. an or an ).

On UNIX-like systems, there are many alternatives that allow obtaining the password policy like (Python), (Python), (Python) and .

# polenum (obtained through MS-RPC)
polenum -d $DOMAIN -u $USER -p $PASSWORD -d $DOMAIN

# netexec (obtained through MS-RPC)
nxc smb $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --pass-pol

# ldapsearch-ad (obtained through LDAP)
ldapsearch-ad.py -l $LDAP_SERVER -d $DOMAIN -u $USER -p $PASSWORD -t pass-pol

# enum4linux-ng (obtained through MS-RPC)
enum4linux-ng -P -w -u $USER -p $PASSWORD $DOMAIN_CONTROLLER

From a domain-joined machine, the net cmdlet can be used to obtain the password policy.

net accounts
net accounts /domain

From non-domain-joined machines, it can be done with (Powershell).

Get-DomainPolicy

Accounts that lockout can be attacked with () while those that don't can be directly bruteforced with ()

Previousenum4linux ⚙️NextMovement

Last updated 1 year ago

Was this helpful?