Enumerating Password Policy
Enumerating Password Policy
Linux
Credentialed
$ crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\avazquez:Password123
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Dumping password info for domain: INLANEFREIGHT
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Minimum password length: 8
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Password history length: 24
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Maximum password age: Not Set
SMB 172.16.5.5 445 ACADEMY-EA-DC01
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Password Complexity Flags: 000001
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Refuse Password Change: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password Store Cleartext: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password Lockout Admins: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password No Clear Change: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password No Anon Change: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password Complex: 1
SMB 172.16.5.5 445 ACADEMY-EA-DC01
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Minimum password age: 1 day 4 minutes
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Reset Account Lockout Counter: 30 minutes
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Locked Account Duration: 30 minutes
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Account Lockout Threshold: 5
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Forced Log off Time: Not SetNull Sessions
Using rpcclient
$ rpcclient -U "" -N 172.16.5.5 rpcclient $> querydominfo Domain: INLANEFREIGHT Server: Comment: Total Users: 3650 Total Groups: 0 Total Aliases: 37 Sequence No: 1 Force Logoff: -1 Domain Server State: 0x1 Server Role: ROLE_DOMAIN_PDC Unknown 3: 0x1 rpcclient $> getdompwinfo min_password_length: 8 password_properties: 0x00000001 DOMAIN_PASSWORD_COMPLEXUsing enum4linux
$ enum4linux -P 172.16.5.5 <SNIP> ================================================== | Password Policy Information for 172.16.5.5 | ================================================== [+] Attaching to 172.16.5.5 using a NULL share [+] Trying protocol 139/SMB... [!] Protocol failed: Cannot request session (Called Name:172.16.5.5) [+] Trying protocol 445/SMB... [+] Found domain(s): [+] INLANEFREIGHT [+] Builtin [+] Password Info for Domain: INLANEFREIGHT [+] Minimum password length: 8 [+] Password history length: 24 [+] Maximum password age: Not Set [+] Password Complexity Flags: 000001 [+] Domain Refuse Password Change: 0 [+] Domain Password Store Cleartext: 0 [+] Domain Password Lockout Admins: 0 [+] Domain Password No Clear Change: 0 [+] Domain Password No Anon Change: 0 [+] Domain Password Complex: 1 [+] Minimum password age: 1 day 4 minutes [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: 5 [+] Forced Log off Time: Not Set [+] Retieved partial password policy with rpcclient: Password Complexity: Enabled Minimum Password Length: 8 enum4linux complete on Tue Feb 22 17:39:29 2022Using enum4linux-ng
$ enum4linux-ng -P 172.16.5.5 -oA ilfreight ENUM4LINUX - next generation <SNIP> ======================================= | RPC Session Check on 172.16.5.5 | ======================================= [*] Check for null session [+] Server allows session using username '', password '' [*] Check for random user session [-] Could not establish random user session: STATUS_LOGON_FAILURE ================================================= | Domain Information via RPC for 172.16.5.5 | ================================================= [+] Domain: INLANEFREIGHT [+] SID: S-1-5-21-3842939050-3880317879-2865463114 [+] Host is part of a domain (not a workgroup) ========================================================= | Domain Information via SMB session for 172.16.5.5 | ======================================================== [*] Enumerating via unauthenticated SMB session on 445/tcp [+] Found domain information via SMB NetBIOS computer name: ACADEMY-EA-DC01 NetBIOS domain name: INLANEFREIGHT DNS domain: INLANEFREIGHT.LOCAL FQDN: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL ======================================= | Policies via RPC for 172.16.5.5 | ======================================= [*] Trying port 445/tcp [+] Found policy: domain_password_information: pw_history_length: 24 min_pw_length: 8 min_pw_age: 1 day 4 minutes max_pw_age: not set pw_properties: - DOMAIN_PASSWORD_COMPLEX: true - DOMAIN_PASSWORD_NO_ANON_CHANGE: false - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false - DOMAIN_PASSWORD_LOCKOUT_ADMINS: false - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false domain_lockout_information: lockout_observation_window: 30 minutes lockout_duration: 30 minutes lockout_threshold: 5 domain_logoff_information: force_logoff_time: not set Completed after 5.41 seconds
Windows
Null Sessions
SMB Null session
C:\htb> net use \\DC01\ipc$ "" /u:"" The command completed successfully.Error: Account is Disabled
C:\htb> net use \\DC01\ipc$ "" /u:guest System error 1331 has occurred. This user can't sign in because this account is currently disabled.Error: Password is Incorrect
C:\htb> net use \\DC01\ipc$ "password" /u:guest System error 1326 has occurred. The user name or password is incorrect.Error: Account is locked out (Password Policy)
C:\htb> net use \\DC01\ipc$ "password" /u:guest System error 1909 has occurred. The referenced account is currently locked out and may not be logged on to.LDAP anonymous bind
$ ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength forceLogoff: -9223372036854775808 lockoutDuration: -18000000000 lockOutObservationWindow: -18000000000 lockoutThreshold: 5 maxPwdAge: -9223372036854775808 minPwdAge: -864000000000 minPwdLength: 8 modifiedCountAtLastProm: 0 nextRid: 1002 pwdProperties: 1 pwdHistoryLength: 24
Credentialed
If we can connect to a windows host, we can use the net.exe binary to retrieve password policy. We can also use PowerView in powershell to view password policy.
C:\htb> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): Unlimited
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully.PS C:\htb> import-module .\PowerView.ps1
PS C:\htb> Get-DomainPolicy
Unicode : @{Unicode=yes}
SystemAccess : @{MinimumPasswordAge=1; MaximumPasswordAge=-1; MinimumPasswordLength=8; PasswordComplexity=1;
PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=30; LockoutDuration=30;
RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version : @{signature="$CHICAGO$"; Revision=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Path : \\INLANEFREIGHT.LOCAL\sysvol\INLANEFREIGHT.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHI
NE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain PolicyHere we can glean the following information:
Passwords never expire (Maximum password age set to Unlimited)
The minimum password length is 8 so weak passwords are likely in use
The lockout threshold is 5 wrong passwords
Accounts remained locked out for 30 minutes
This password policy is excellent for password spraying. The eight-character minimum means that we can try common weak passwords such as Welcome1. The lockout threshold of 5 means that we can attempt 2-3 (to be safe) sprays every 31 minutes without the risk of locking out any accounts. If an account has been locked out, it will automatically unlock (without manual intervention from an admin) after 30 minutes, but we should avoid locking out ANY accounts at all costs.
Analyzing Password Policy
We've now pulled the password policy in numerous ways. Let's go through the policy for the INLANEFREIGHT.LOCAL domain piece by piece.
The minimum password length is 8 (8 is very common, but nowadays, we are seeing more and more organizations enforce a 10-14 character password, which can remove some password options for us, but does not mitigate the password spraying vector completely)
The account lockout threshold is 5 (it is not uncommon to see a lower threshold such as 3 or even no lockout threshold set at all)
The lockout duration is 30 minutes (this may be higher or lower depending on the organization), so if we do accidentally lockout (avoid!!) an account, it will unlock after the 30-minute window passes
Accounts unlock automatically (in some organizations, an admin must manually unlock the account). We never want to lockout accounts while performing password spraying, but we especially want to avoid locking out accounts in an organization where an admin would have to intervene and unlock hundreds (or thousands) of accounts by hand/script
Password complexity is enabled, meaning that a user must choose a password with 3/4 of the following: an uppercase letter, lowercase letter, number, special character (
Password1orWelcome1would satisfy the "complexity" requirement here, but are still clearly weak passwords).
The default password policy when a new domain is created is as follows, and there have been plenty of organizations that never changed this policy:
Enforce password history
24 days
Maximum password age
42 days
Minimum password age
1 day
Minimum password length
7
Password must meet complexity requirements
Enabled
Store passwords using reversible encryption
Disabled
Account lockout duration
Not set
Account lockout threshold
0
Reset account lockout counter after
Not set
Last updated