Enumerating the Password Policy

By Ismail on Aug 5, 2023
Enumerate the password policy

The password policy usually outlines requirements for password complexity, expiration, and account lockout. Knowing this policy is crucial for assessing system security. For instance, attempting brute force attacks without knowledge of the policy may result in account lockouts.

Without Creds

When attempting to access a system without valid credentials, one common approach is to check whether the Server Message Block (SMB) or Remote Procedure Call (RPC) ports are open. These ports are commonly used for network communication in Windows environments.

If either the SMB or RPC port is open, the system is reachable over the network, and in some cases it may permit null sessions: unauthenticated connections that provide limited access to certain resources.

By establishing a null session, it may be possible to retrieve sensitive information such as the password policy.

For RPC we can use rpcclient:

rpcclient -U "" -N $IP
rpcclient $> getdompwinfo

Using an SMB null session to get the password policy:

cme smb $DOMAIN_CONTROLLER -d $DOMAIN -u '' -p '' --pass-pol

For automation, we can use enum4linux-ng or enum4linux:

enum4linux-ng -P $IP
or
enum4linux -P $IP

If the LDAP port is open, we can try:

ldapsearch-ad.py -l $LDAP_SERVER -d $DOMAIN -u '' -p '' -t pass-pol

With Creds

CrackMapExec (cme), leveraging the MS-RPC protocol, can enumerate various aspects of Windows systems, including password policies. By querying the target system through MS-RPC, CrackMapExec can extract details such as password complexity requirements, password expiration rules, and account lockout settings, giving a clear picture of the password policy configuration.

cme smb $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --pass-pol

Through the Lightweight Directory Access Protocol (LDAP), ldapsearch-ad can query Active Directory (AD) for a wide range of information, including password policy settings. By querying the AD server, it retrieves details such as password complexity requirements, password expiration rules, and account lockout thresholds directly from the directory.

ldapsearch-ad.py -l $LDAP_SERVER -d $DOMAIN -u $USER -p $PASSWORD -t pass-pol

While primarily focused on enumerating information from Windows and Samba systems, enum4linux-ng can also retrieve password policy details. By querying the target system over MS-RPC, it extracts the complexity requirements, expiration rules, and lockout settings of the target environment.

enum4linux-ng -P -w -u $USER -p $PASSWORD $DOMAIN_CONTROLLER

Analyzing Output

Before proceeding with an assessment, it is crucial to consider the following factors in the output:

Minimum password length: Identify the minimum character length required for passwords. This detail is essential for creating effective wordlists used in password cracking attempts.

Lockout threshold: Determine the number of failed login attempts allowed before an account is locked out. Understanding this threshold is crucial for avoiding inadvertent account lockouts when conducting password spraying attacks.

Lockout duration: Find out how long an account remains locked out after reaching the lockout threshold. This information helps in understanding the impact of lockouts on account accessibility and operational continuity.
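The three factors above are easier to judge once the raw values are decoded. The following is an added example, not code from the original post or from any of the tools mentioned: it takes the domain root attributes that an LDAP query (as with ldapsearch-ad) returns, converts the AD interval encoding into minutes and days, and flags settings a defender should fix. The attribute values in SAMPLE_ATTRS are constructed, and the thresholds in assess_policy are assumed hardening baselines, not values from the post.

```python
# AD stores intervals as negative 100-nanosecond ticks; NEVER is the "never" sentinel
HUNDRED_NS_PER_SECOND = 10_000_000
NEVER = -0x8000000000000000
# Bit flags of the pwdProperties attribute (MS-SAMR DOMAIN_PASSWORD_* values)
PWD_PROPERTIES = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

def ad_interval_to_seconds(value):
    """Convert an AD interval attribute to whole seconds; None means 'never'."""
    return None if int(value) == NEVER else abs(int(value)) // HUNDRED_NS_PER_SECOND

def decode_policy(attrs):
    """Turn raw LDAP attribute values (ints or strings) into the fields reviewed first."""
    flags = int(attrs.get("pwdProperties", 0))
    max_age = ad_interval_to_seconds(attrs["maxPwdAge"])
    lock_dur = ad_interval_to_seconds(attrs["lockoutDuration"])
    return {
        "min_length": int(attrs["minPwdLength"]),
        "max_age_days": None if max_age is None else max_age // 86400,
        "lockout_threshold": int(attrs["lockoutThreshold"]),  # 0 = lockout disabled
        "lockout_duration_min": None if lock_dur is None else lock_dur // 60,
        "complexity": bool(flags & 0x01),
        "flags": [name for bit, name in PWD_PROPERTIES.items() if flags & bit],
    }

def assess_policy(policy):
    """Findings a defender would act on; thresholds are assumed common baselines."""
    findings = []
    if policy["min_length"] < 14:
        findings.append(f"minimum length {policy['min_length']} is below 14")
    if not policy["complexity"]:
        findings.append("complexity requirement is disabled")
    if policy["lockout_threshold"] == 0:
        findings.append("lockout disabled: unlimited guesses per account")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in policy["flags"]:
        findings.append("reversible encryption enabled for all accounts")
    return findings

# Constructed sample of the domain root attributes (not taken from a real domain)
SAMPLE_ATTRS = {"minPwdLength": 7, "maxPwdAge": -36288000000000,      # 42 days
                "lockoutThreshold": 0, "lockoutDuration": -18000000000,  # 30 minutes
                "pwdProperties": 1}
```

Running decode_policy and assess_policy on SAMPLE_ATTRS reports a 7-character minimum and a disabled lockout, the two findings that matter most for the spraying and cracking considerations listed above.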
