Enumerating Password Policy

If you don’t know the password policy, a good rule of thumb is to wait a few hours between attempts, which should be long enough for the account lockout threshold to reset. It is best to obtain the password policy before attempting the attack during an internal assessment, but this is not always possible.

Enumerating Password Policy

Linux

Credentialed

$ crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\avazquez:Password123 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] Dumping password info for domain: INLANEFREIGHT
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Minimum password length: 8
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Password history length: 24
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Maximum password age: Not Set
SMB         172.16.5.5      445    ACADEMY-EA-DC01  
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Password Complexity Flags: 000001
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Refuse Password Change: 0
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Password Store Cleartext: 0
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Password Lockout Admins: 0
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Password No Clear Change: 0
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Password No Anon Change: 0
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Password Complex: 1
SMB         172.16.5.5      445    ACADEMY-EA-DC01  
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Minimum password age: 1 day 4 minutes 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Reset Account Lockout Counter: 30 minutes 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Locked Account Duration: 30 minutes 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Account Lockout Threshold: 5
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Forced Log off Time: Not Set

Null Sessions

• Using rpcclient

  $ rpcclient -U "" -N 172.16.5.5
  
  rpcclient $> querydominfo
  Domain:		INLANEFREIGHT
  Server:		
  Comment:	
  Total Users:	3650
  Total Groups:	0
  Total Aliases:	37
  Sequence No:	1
  Force Logoff:	-1
  Domain Server State:	0x1
  Server Role:	ROLE_DOMAIN_PDC
  Unknown 3:	0x1
  
  rpcclient $> getdompwinfo
  min_password_length: 8
  password_properties: 0x00000001
  	DOMAIN_PASSWORD_COMPLEX

• Using enum4linux

  $ enum4linux -P 172.16.5.5
  
  <SNIP>
  
   ================================================== 
  |    Password Policy Information for 172.16.5.5    |
   ================================================== 
  
  [+] Attaching to 172.16.5.5 using a NULL share
  [+] Trying protocol 139/SMB...
  
  	[!] Protocol failed: Cannot request session (Called Name:172.16.5.5)
  
  [+] Trying protocol 445/SMB...
  [+] Found domain(s):
  
  	[+] INLANEFREIGHT
  	[+] Builtin
  
  [+] Password Info for Domain: INLANEFREIGHT
  
  	[+] Minimum password length: 8
  	[+] Password history length: 24
  	[+] Maximum password age: Not Set
  	[+] Password Complexity Flags: 000001
  
  		[+] Domain Refuse Password Change: 0
  		[+] Domain Password Store Cleartext: 0
  		[+] Domain Password Lockout Admins: 0
  		[+] Domain Password No Clear Change: 0
  		[+] Domain Password No Anon Change: 0
  		[+] Domain Password Complex: 1
  
  	[+] Minimum password age: 1 day 4 minutes 
  	[+] Reset Account Lockout Counter: 30 minutes 
  	[+] Locked Account Duration: 30 minutes 
  	[+] Account Lockout Threshold: 5
  	[+] Forced Log off Time: Not Set
  
  [+] Retieved partial password policy with rpcclient:
  
  Password Complexity: Enabled
  Minimum Password Length: 8
  
  enum4linux complete on Tue Feb 22 17:39:29 2022

• Using enum4linux-ng

  $ enum4linux-ng -P 172.16.5.5 -oA ilfreight
  
  ENUM4LINUX - next generation
  
  <SNIP>
  
   =======================================
  |    RPC Session Check on 172.16.5.5    |
   =======================================
  [*] Check for null session
  [+] Server allows session using username '', password ''
  [*] Check for random user session
  [-] Could not establish random user session: STATUS_LOGON_FAILURE
  
   =================================================
  |    Domain Information via RPC for 172.16.5.5    |
   =================================================
  [+] Domain: INLANEFREIGHT
  [+] SID: S-1-5-21-3842939050-3880317879-2865463114
  [+] Host is part of a domain (not a workgroup)
   =========================================================
  |    Domain Information via SMB session for 172.16.5.5    |
  ========================================================
  [*] Enumerating via unauthenticated SMB session on 445/tcp
  [+] Found domain information via SMB
  NetBIOS computer name: ACADEMY-EA-DC01
  NetBIOS domain name: INLANEFREIGHT
  DNS domain: INLANEFREIGHT.LOCAL
  FQDN: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
  
   =======================================
  |    Policies via RPC for 172.16.5.5    |
   =======================================
  [*] Trying port 445/tcp
  [+] Found policy:
  domain_password_information:
    pw_history_length: 24
    min_pw_length: 8
    min_pw_age: 1 day 4 minutes
    max_pw_age: not set
    pw_properties:
    - DOMAIN_PASSWORD_COMPLEX: true
    - DOMAIN_PASSWORD_NO_ANON_CHANGE: false
    - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
    - DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
    - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
    - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
  domain_lockout_information:
    lockout_observation_window: 30 minutes
    lockout_duration: 30 minutes
    lockout_threshold: 5
  domain_logoff_information:
    force_logoff_time: not set
  
  Completed after 5.41 seconds

Windows

Null Sessions

• SMB Null session

  C:\htb> net use \\DC01\ipc$ "" /u:""
  The command completed successfully.

  Error: Account is Disabled

  C:\htb> net use \\DC01\ipc$ "" /u:guest
  System error 1331 has occurred.
  
  This user can't sign in because this account is currently disabled.

  Error: Password is Incorrect

  C:\htb> net use \\DC01\ipc$ "password" /u:guest
  System error 1326 has occurred.
  
  The user name or password is incorrect.

  Error: Account is locked out (Password Policy)

  C:\htb> net use \\DC01\ipc$ "password" /u:guest
  System error 1909 has occurred.
  
  The referenced account is currently locked out and may not be logged on to.

• LDAP anonymous bind

  $ ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
  
  forceLogoff: -9223372036854775808
  lockoutDuration: -18000000000
  lockOutObservationWindow: -18000000000
  lockoutThreshold: 5
  maxPwdAge: -9223372036854775808
  minPwdAge: -864000000000
  minPwdLength: 8
  modifiedCountAtLastProm: 0
  nextRid: 1002
  pwdProperties: 1
  pwdHistoryLength: 24

Credentialed

• If we can connect to a windows host, we can use the net.exe binary to retrieve password policy. We can also use PowerView in powershell to view password policy.

C:\htb> net accounts

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.

PS C:\htb> import-module .\PowerView.ps1
PS C:\htb> Get-DomainPolicy

Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=-1; MinimumPasswordLength=8; PasswordComplexity=1;
                 PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=30; LockoutDuration=30;
                 RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
                 LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version        : @{signature="$CHICAGO$"; Revision=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Path           : \\INLANEFREIGHT.LOCAL\sysvol\INLANEFREIGHT.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHI
                 NE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy

Here we can glean the following information:

• Passwords never expire (Maximum password age set to Unlimited)

• The minimum password length is 8 so weak passwords are likely in use

• The lockout threshold is 5 wrong passwords

• Accounts remained locked out for 30 minutes

This password policy is excellent for password spraying. The eight-character minimum means that we can try common weak passwords such as Welcome1. The lockout threshold of 5 means that we can attempt 2-3 (to be safe) sprays every 31 minutes without the risk of locking out any accounts. If an account has been locked out, it will automatically unlock (without manual intervention from an admin) after 30 minutes, but we should avoid locking out ANY accounts at all costs.

Analyzing Password Policy

We've now pulled the password policy in numerous ways. Let's go through the policy for the INLANEFREIGHT.LOCAL domain piece by piece.

• The minimum password length is 8 (8 is very common, but nowadays, we are seeing more and more organizations enforce a 10-14 character password, which can remove some password options for us, but does not mitigate the password spraying vector completely)

• The account lockout threshold is 5 (it is not uncommon to see a lower threshold such as 3 or even no lockout threshold set at all)

• The lockout duration is 30 minutes (this may be higher or lower depending on the organization), so if we do accidentally lockout (avoid!!) an account, it will unlock after the 30-minute window passes

• Accounts unlock automatically (in some organizations, an admin must manually unlock the account). We never want to lockout accounts while performing password spraying, but we especially want to avoid locking out accounts in an organization where an admin would have to intervene and unlock hundreds (or thousands) of accounts by hand/script

• Password complexity is enabled, meaning that a user must choose a password with 3/4 of the following: an uppercase letter, lowercase letter, number, special character (Password1 or Welcome1 would satisfy the "complexity" requirement here, but are still clearly weak passwords).

The default password policy when a new domain is created is as follows, and there have been plenty of organizations that never changed this policy:

Policy	Default Value
Enforce password history	24 days
Maximum password age	42 days
Minimum password age	1 day
Minimum password length	7
Password must meet complexity requirements	Enabled
Store passwords using reversible encryption	Disabled
Account lockout duration	Not set
Account lockout threshold	0
Reset account lockout counter after	Not set

If asking for the policy does not fit the expectations of the assessment or the client does not want to provide it, we should run one, max two, password spraying attempts (regardless of whether we are internal or external) and wait over an hour between attempts if we indeed decide to attempt two