Enumerating & Retrieving Password Policies

PreviousMaking a Target User List NextEnumerating Security Controls

Last updated 8 months ago

Enumerating & Retrieving Password Policies

nxc smb 172.16.5.5 -u otter -p Password123 --pass-pol

Without credentials, we may be able to obtain the password policy via an SMB NULL session or LDAP anonymous bind. The first is via an SMB NULL session. SMB NULL sessions allow an unauthenticated attacker to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. SMB NULL session misconfigurations are often the result of legacy Domain Controllers being upgraded in place, ultimately bringing along insecure configurations, which existed by default in older versions of Windows Server.

When creating a domain in earlier versions of Windows Server, anonymous access was granted to certain shares, which allowed for domain enumeration. An SMB NULL session can be enumerated easily. For enumeration, we can use tools such as enum4linux, CrackMapExec, rpcclient, etc.

We can use to check a Domain Controller for SMB NULL session access.

Once connected, we can issue an RPC command such as querydominfo to obtain information about the domain and confirm NULL session access.

rpcclient -U "" -N 172.16.5.5

rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
	DOMAIN_PASSWORD_COMPLEX

Another way is to use enum4linux or enum4linux-ng

enum4linux -P 172.16.5.5

enum4linux-ng -P 172.16.5.5 -oA output

Enumerating the Password Policy - from Linux - LDAP Anonymous Bind

allow unauthenticated attackers to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. This is a legacy configuration, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests. We still see this configuration from time to time as an admin may have needed to set up a particular application to allow anonymous binds and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD.

With an LDAP anonymous bind, we can use LDAP-specific enumeration tools such as windapsearch.py, ldapsearch, ad-ldapdomaindump.py, etc., to pull the password policy. With , it can be a bit cumbersome but doable. One example command to get the password policy is as follows:

ldapsearch -h 172.16.5.5 -x -b "DC=DOMAIN,DC=COM" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Enumerating the Password Policy - from Windows

net accounts

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.

import-module .\PowerView.ps1
Get-DomainPolicy

Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=-1; MinimumPasswordLength=8; PasswordComplexity=1;
                 PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=30; LockoutDuration=30;
                 RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
                 LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version        : @{signature="$CHICAGO$"; Revision=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Path           : \\domain.com\sysvol\domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHI
                 NE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy

The default password policy when a new domain is created is as follows, and there have been plenty of organizations that never changed this policy:

Policy

Default Value

Enforce password history

24 days

Maximum password age

42 days

Minimum password age

1 day

Minimum password length

Password must meet complexity requirements

Enabled

Store passwords using reversible encryption

Disabled

Account lockout duration

Not set

Account lockout threshold

Reset account lockout counter after

Not set

PreviousMaking a Target User List NextEnumerating Security Controls

Last updated 8 months ago

nxc smb 172.16.5.5 -u otter -p Password123 --pass-pol

We can use to check a Domain Controller for SMB NULL session access.

Once connected, we can issue an RPC command such as querydominfo to obtain information about the domain and confirm NULL session access.

rpcclient -U "" -N 172.16.5.5

rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
	DOMAIN_PASSWORD_COMPLEX

Another way is to use enum4linux or enum4linux-ng

enum4linux -P 172.16.5.5

enum4linux-ng -P 172.16.5.5 -oA output

Enumerating the Password Policy - from Linux - LDAP Anonymous Bind

ldapsearch -h 172.16.5.5 -x -b "DC=DOMAIN,DC=COM" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Enumerating the Password Policy - from Windows

net accounts

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.

import-module .\PowerView.ps1
Get-DomainPolicy

Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=-1; MinimumPasswordLength=8; PasswordComplexity=1;
                 PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=30; LockoutDuration=30;
                 RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
                 LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version        : @{signature="$CHICAGO$"; Revision=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Path           : \\domain.com\sysvol\domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHI
                 NE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy

The default password policy when a new domain is created is as follows, and there have been plenty of organizations that never changed this policy:

Policy

Default Value

Enforce password history

24 days

Maximum password age

42 days

Minimum password age

1 day

Minimum password length

Password must meet complexity requirements

Enabled

Store passwords using reversible encryption

Disabled

Account lockout duration

Not set

Account lockout threshold

Reset account lockout counter after

Not set