password-policy

From Linux

Netexec

nxc smb 172.16.5.5 -u user -p password --pass-pol

rpcclient

rpcclient -U "" -N <ip>
$> querydominfo 
$> getdompwinfo

Enum4linux

enum4linux -P <ip>

Enum4linux-ng

enum4linux-ng -P "$ip" -oA "$out"

enum4linux-ng -A "$domain"

Ldap tools.py

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

From Windows

Check NULL session

net use [\\DC01\ipc$](file://dc01/ipc$) "" /u:""

Enumerate password policy

If we can authenticate to domain from a windows host, we can use built-in windows tool such as net.exe. If we can transfer tools to windows host we can use various tools such as powerview, crackmapexec, sharpmapexec, sharpview, etc.

• Net.exe

net accounts

• Powerview.ps1

Import-module .\powerview.ps1

Get-DomainPolicy

CrackMapExec (CME):

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

• Retrieves detailed password policy information, including minimum password length, lockout thresholds, and complexity requirements.

Enumerating Password Policies Without Credentials (Linux)

SMB NULL Sessions:

• Exploits misconfigurations in older Domain Controllers.

• Tools: rpcclient, enum4linux, enum4linux-ng, CrackMapExec.

rpcclient:

rpcclient -U "" -N 172.16.5.5

• Commands within rpcclient:

  • querydominfo - Retrieves domain information.

  • getdompwinfo - Retrieves password policy.

enum4linux:

enum4linux -P 172.16.5.5

• Enumerates various information, including password policy.

enum4linux-ng:

enum4linux-ng -P 172.16.5.5 -oA ilfreight
cat ilfreight.json

• Enhanced version of enum4linux with JSON/YAML output.

Tools and Ports:

• nmblookup: 137/UDP

• nbtstat: 137/UDP

• net: 139/TCP, 135/TCP, TCP and UDP 135 and 49152-65535

• rpcclient: 135/TCP

• smbclient: 445/TCP

LDAP Anonymous Binds:

• Exploits legacy configurations.

• Tools: ldapsearch, windapsearch.py, ad-ldapdomaindump.py.

ldapsearch:

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Enumerating Password Policies from Windows

SMB NULL Sessions (Windows):

net use \\DC01\ipc$ "" /u:""

• Error messages:

  • Account disabled: System error 1331.

  • Incorrect password: System error 1326.

  • Account lockout: System error 1909.

Authenticated Access (Windows):

net.exe:

net accounts

• Retrieves password policy information.

PowerView:

import-module .\PowerView.ps1
Get-DomainPolicy

• Provides detailed policy information in PowerShell object format.

• Other tools: SharpView, CrackMapExec (Windows port), SharpMapExec.

Analyzing Password Policies

Key Parameters:

• Minimum password length.

• Account lockout threshold.

• Lockout duration.

• Password complexity requirements.

Default Password Policy:

• Enforce password history: 24 days.

• Maximum password age: 42 days.

• Minimum password age: 1 day.

• Minimum password length: 7.

• Password complexity: Enabled.

• Account lockout duration: Not set.

• Account lockout threshold: 0.

• Reset lockout counter: Not set.

Password Spraying Considerations

• Importance of obtaining password policy.

• Precautions when policy is unknown.

• Avoiding account lockouts.

• Importance of creating a target user list.