Enumerating the Password Policy - from Linux - SMB NULL Sessions
Without credentials, we may still be able to obtain the password policy via an SMB NULL session or LDAP anonymous bind. For enumeration, we can use tools such as enum4linux, CrackMapExec, rpcclient, etc.
Using rpcclient
attacker@kali$ rpcclient -U "" -N 172.16.5.5
rpcclient $> querydominfo
Domain: INLANEFREIGHT
Server:
Comment:
Total Users: 3650
Total Groups: 0
Total Aliases: 37
Sequence No: 1
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
Obtaining the Password Policy using rpcclient
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
DOMAIN_PASSWORD_COMPLEX
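As an added example (not part of the original notes), the Python below parses the getdompwinfo output shown above and expands the password_properties bitmask into the MS-SAMR DOMAIN_PASSWORD_* flag names. rpcclient only prints the names of the bits that are set, so a value such as 0x00000011 would also show DOMAIN_PASSWORD_STORE_CLEARTEXT, which corresponds to the "Store passwords using reversible encryption" setting. The sample text is constructed from the session above.

```python
# Added example, not from the page: decode the password_properties bitmask
# printed by rpcclient's getdompwinfo. The bit values are the DOMAIN_PASSWORD_*
# flags of the MS-SAMR DOMAIN_PASSWORD_INFORMATION structure.
import re

PASSWORD_PROPERTY_FLAGS = {
    0x00000001: "DOMAIN_PASSWORD_COMPLEX",
    0x00000002: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x00000004: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x00000008: "DOMAIN_LOCKOUT_ADMINS",
    0x00000010: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x00000020: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}


def decode_password_properties(value: int) -> list[str]:
    """Return the names of every flag set in a password_properties value."""
    names = [name for bit, name in PASSWORD_PROPERTY_FLAGS.items() if value & bit]
    # Any bit outside the documented set is reported rather than dropped.
    unknown = value & ~sum(PASSWORD_PROPERTY_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def parse_getdompwinfo(output: str) -> dict:
    """Parse the text rpcclient prints for getdompwinfo into a dict."""
    info = {}
    m = re.search(r"min_password_length:\s*(\d+)", output)
    if m:
        info["min_password_length"] = int(m.group(1))
    m = re.search(r"password_properties:\s*(0x[0-9a-fA-F]+)", output)
    if m:
        props = int(m.group(1), 16)
        info["password_properties"] = props
        info["flags"] = decode_password_properties(props)
    return info


# Constructed sample mirroring the rpcclient output shown above.
SAMPLE = """rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
\tDOMAIN_PASSWORD_COMPLEX
"""

if __name__ == "__main__":
    print(parse_getdompwinfo(SAMPLE))
```

Feeding the helper a captured session is enough to spot a domain that stores passwords with reversible encryption or that has no complexity requirement at all, without re-reading the raw hex.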
Using enum4linux
$ enum4linux -P 172.16.5.5
<SNIP>
==================================================
| Password Policy Information for 172.16.5.5 |
==================================================
[+] Attaching to 172.16.5.5 using a NULL share
[+] Trying protocol 139/SMB...
[+] Password Info for Domain: INLANEFREIGHT
[+] Minimum password length: 8
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000001
Using enum4linux-ng (a rewrite of enum4linux in Python)
$ enum4linux-ng -P 172.16.5.5 -oA ilfreight
=======================================
| Policies via RPC for 172.16.5.5 |
=======================================
[*] Trying port 445/tcp
[+] Found policy:
domain_password_information:
pw_history_length: 24
min_pw_length: 8
min_pw_age: 1 day 4 minutes
max_pw_age: not set
Enumerating the Password Policy - from Linux - LDAP Anonymous Bind
If we can authenticate to the domain from a Windows host, we can use built-in Windows tools such as net.exe.
Using net.exe
C:\htb> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): Unlimited
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully.
C:\htb> net use \\DC01\ipc$ "" /u:""
The command completed successfully.
Error: Account is Disabled
C:\htb> net use \\DC01\ipc$ "" /u:guest
System error 1331 has occurred.
This user can't sign in because this account is currently disabled.
Error: Password is Incorrect
C:\htb> net use \\DC01\ipc$ "password" /u:guest
System error 1326 has occurred.
The user name or password is incorrect.
Error: Account is locked out (Password Policy)
C:\htb> net use \\DC01\ipc$ "password" /u:guest
System error 1909 has occurred.
The referenced account is currently locked out and may not be logged on to.
Analyzing the Password Policy
Most password policies nowadays are as follows:
A minimum length of 8 is very common, but more and more organizations now enforce a 10-14 character minimum.
The account lockout threshold is 5; 3 is not uncommon.
The lockout duration is 30 minutes (or higher).
Accounts unlock automatically.
Password complexity is enabled, meaning that a user must choose a password with 3 of the following 4: an uppercase letter, a lowercase letter, a number, a special character (Password1 or Welcome1 would satisfy the "complexity").
Policy                                       Default Value
Enforce password history                     24 days
Maximum password age                         42 days
Minimum password age                         1 day
Minimum password length                      7
Password must meet complexity requirements   Enabled
Store passwords using reversible encryption  Disabled
Account lockout duration                     Not set
Account lockout threshold                    0
Reset account lockout counter after          Not set
Now that we have the password policy in hand, we need to create a target user list to perform our password spraying attack.
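The checks described in the list of common policy values and the defaults table can be automated. The following Python is an added example, not part of the original notes: it parses the text that `net accounts` prints and flags settings that fall short of the baseline described in this section (minimum length, lockout threshold, lockout duration, automatic unlock, password history). The cut-offs (8 and 10 characters, 30-minute lockout) and the two sample outputs are this example's own choices drawn from the text above, including a constructed sample that uses the default lockout threshold of 0, which `net accounts` reports as "Never".

```python
# Added example, not from the page: parse `net accounts` output and compare it
# against the baseline described in this section. Cut-offs are illustrative.
import re


def parse_net_accounts(output: str) -> dict:
    """Turn the 'key: value' lines of `net accounts` into a dict.
    Numeric values become ints; 'Never'/'Unlimited'/'None' become None."""
    policy = {}
    for line in output.splitlines():
        if ":" not in line:
            continue  # e.g. "The command completed successfully."
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value in ("Never", "Unlimited", "None"):
            policy[key] = None
        elif re.fullmatch(r"\d+", value):
            policy[key] = int(value)
        else:
            policy[key] = value
    return policy


def assess_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    min_len = policy.get("Minimum password length") or 0
    if min_len < 8:
        findings.append(f"minimum length {min_len} is below 8")
    elif min_len < 10:
        findings.append(f"minimum length {min_len}: many organizations now require 10-14")

    # A threshold of 0 (shown as 'Never') is the Windows default and means
    # accounts never lock out, so every account can be guessed at without limit.
    threshold = policy.get("Lockout threshold")
    if not threshold:
        findings.append("no lockout threshold: unlimited guesses per account")
    else:
        duration = policy.get("Lockout duration (minutes)")
        if duration is None:
            findings.append("accounts do not unlock automatically; an admin must unlock them")
        elif duration < 30:
            findings.append(f"lockout duration {duration} minutes is shorter than 30")

    if not policy.get("Length of password history maintained"):
        findings.append("no password history: users can reuse old passwords")
    return findings


# Constructed sample mirroring the `net accounts` output shown above.
SAMPLE = """Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): Unlimited
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully."""

# Constructed sample using the default values from the table above
# (minimum length 7, lockout threshold 0, which net accounts prints as Never).
DEFAULTS = """Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Computer role: SERVER"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("defaults", DEFAULTS)):
        print(name, assess_policy(parse_net_accounts(text)))
```

Run against the first sample, the only finding is the 8-character minimum; run against the defaults, it reports both the short minimum and the absent lockout threshold, which is exactly the combination that leaves accounts exposed to unlimited guessing.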
allow unauthenticated attackers to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy.