πPassword Policy Enumeration
π Overview
Password policy enumeration is a critical reconnaissance step in Active Directory assessments. Understanding the domain's password requirements, lockout thresholds, and complexity rules helps determine the feasibility of password spraying attacks and guides credential attack strategies.
π― Why Password Policies Matter
π Assessment Value
Password Spraying Planning: Determines safe attack parameters
Lockout Avoidance: Critical for maintaining stealth
Attack Vector Selection: Influences credential attack methodology
Risk Assessment: Weak policies indicate higher security risk
β οΈ Key Policy Settings
Minimum Password Length: Affects password complexity
Lockout Threshold: Maximum failed attempts before lockout
Lockout Duration: How long accounts remain locked
Password Complexity: Character requirements
Password History: Prevents password reuse
π§ Linux-Based Enumeration
π Credentialed Enumeration
CrackMapExec - Password Policy
# Enumerate password policy with valid credentials
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-polExample Output:
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\avazquez:Password123
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Dumping password info for domain: INLANEFREIGHT
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Minimum password length: 8
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Password history length: 24
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Maximum password age: Not Set
SMB 172.16.5.5 445 ACADEMY-EA-DC01
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Password Complexity Flags: 000001
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Refuse Password Change: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password Store Cleartext: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password Lockout Admins: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password No Clear Change: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password No Anon Change: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password Complex: 1
SMB 172.16.5.5 445 ACADEMY-EA-DC01
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Minimum password age: 1 day 4 minutes
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Reset Account Lockout Counter: 30 minutes
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Locked Account Duration: 30 minutes
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Account Lockout Threshold: 5
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Forced Log off Time: Not Setπ SMB NULL Session Enumeration
rpcclient - NULL Session
# Connect with NULL session
rpcclient -U "" -N 172.16.5.5
# Query domain information
rpcclient $> querydominfo
Domain: INLANEFREIGHT
Server:
Comment:
Total Users: 3650
Total Groups: 0
Total Aliases: 37
Sequence No: 1
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
# Get password policy
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
DOMAIN_PASSWORD_COMPLEXenum4linux - Legacy Tool
# Enumerate password policy
enum4linux -P 172.16.5.5Key Output:
[+] Password Info for Domain: INLANEFREIGHT
[+] Minimum password length: 8
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000001
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 1
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: 5
[+] Forced Log off Time: Not Setenum4linux-ng - Modern Rewrite
# Enhanced enumeration with export options
enum4linux-ng -P 172.16.5.5 -oA ilfreightYAML/JSON Output:
domain_password_information:
pw_history_length: 24
min_pw_length: 8
min_pw_age: 1 day 4 minutes
max_pw_age: not set
pw_properties:
- DOMAIN_PASSWORD_COMPLEX: true
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
domain_lockout_information:
lockout_observation_window: 30 minutes
lockout_duration: 30 minutes
lockout_threshold: 5Tool Port Usage
Tool
Ports
nmblookup
137/UDP
nbtstat
137/UDP
net
139/TCP, 135/TCP, 49152-65535
rpcclient
135/TCP
smbclient
445/TCP
π LDAP Anonymous Bind
ldapsearch - LDAP Query
# Query password policy via LDAP
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLengthExample Output:
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
maxPwdAge: -9223372036854775808
minPwdAge: -864000000000
minPwdLength: 8
modifiedCountAtLastProm: 0
nextRid: 1002
pwdProperties: 1
pwdHistoryLength: 24Note: In newer versions, use -H ldap://IP instead of -h IP
πͺ Windows-Based Enumeration
π NULL Session from Windows
net use Command
# Establish NULL session
net use \\DC01\ipc$ "" /u:""
The command completed successfully.
# Test with credentials
net use \\DC01\ipc$ "password" /u:guestCommon Error Messages
# Account Disabled
System error 1331 has occurred.
This user can't sign in because this account is currently disabled.
# Incorrect Password
System error 1326 has occurred.
The user name or password is incorrect.
# Account Locked Out
System error 1909 has occurred.
The referenced account is currently locked out and may not be logged on to.π Credentialed Windows Enumeration
net.exe - Built-in Tool
# Query account policy
net accountsExample Output:
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): Unlimited
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully.PowerView - PowerShell Module
# Import and query domain policy
Import-Module .\PowerView.ps1
Get-DomainPolicyExample Output:
Unicode : @{Unicode=yes}
SystemAccess : @{MinimumPasswordAge=1; MaximumPasswordAge=-1; MinimumPasswordLength=8; PasswordComplexity=1;
PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=30; LockoutDuration=30;
RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version : @{signature="$CHICAGO$"; Revision=1}
Path : \\INLANEFREIGHT.LOCAL\sysvol\INLANEFREIGHT.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policyπ Password Policy Analysis
π INLANEFREIGHT.LOCAL Analysis
Setting
Value
Implication
Minimum Length
8 characters
Allows weak passwords like Welcome1
Lockout Threshold
5 attempts
Safe for 2-3 password spraying attempts
Lockout Duration
30 minutes
Accounts auto-unlock (no admin required)
Password Complexity
Enabled
3/4 character types required
Password History
24 passwords
Prevents immediate reuse
Maximum Age
Unlimited
Passwords never expire
β οΈ Password Spraying Implications
Safe Attempt Count: 2-3 attempts per user
Wait Time: 31+ minutes between spray rounds
Target Passwords:
Welcome1,Password1,Company1Risk Level: Low (auto-unlock, high threshold)
π Default Domain Password Policy
Policy
Default Value
Enforce password history
24 days
Maximum password age
42 days
Minimum password age
1 day
Minimum password length
7
Password complexity
Enabled
Store passwords using reversible encryption
Disabled
Account lockout duration
Not set
Account lockout threshold
0
Reset account lockout counter
Not set
π― HTB Academy Lab Walkthrough
π Lab Questions
Question 1: "What is the default Minimum password length when a new domain is created?"
Question 2: "What is the minPwdLength set to in the INLANEFREIGHT.LOCAL domain?"
π Step-by-Step Solution
1οΈβ£ Connect to Target
# SSH to target system
ssh htb-student@TARGET_IP
# Password: HTB_@cademy_stdnt!2οΈβ£ Method 1: enum4linux
# Enumerate password policy
enum4linux -P 172.16.5.53οΈβ£ Method 2: rpcclient NULL Session
# Connect with NULL session
rpcclient -U "" -N 172.16.5.5
# Query password policy
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
DOMAIN_PASSWORD_COMPLEX4οΈβ£ Method 3: ldapsearch
# Query via LDAP
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep minPwdLength
minPwdLength: 85οΈβ£ Method 4: enum4linux-ng
# Modern tool with structured output
enum4linux-ng -P 172.16.5.5 -oA ilfreight
# Check JSON output
cat ilfreight.json | grep -A5 "domain_password_information"β
Answers
Default minimum password length:
7INLANEFREIGHT.LOCAL minPwdLength:
8
π‘οΈ Password Policy Best Practices
β
Strong Policy Recommendations
Minimum Length: 12-14 characters
Lockout Threshold: 3-5 attempts
Lockout Duration: 15-30 minutes
Complexity: Enable but educate users
Password Age: 90-180 days maximum
π« Disable Legacy Features
SMB NULL Sessions: Prevent anonymous access
LDAP Anonymous Bind: Require authentication
LM Hash Storage: Use only NTLM/NTLMv2
Reversible Encryption: Never enable
π§ Group Policy Hardening
Computer Configuration β Windows Settings β Security Settings β Account Policies β Password Policy
- Minimum password length: 12
- Password complexity requirements: Enabled
- Minimum password age: 1 day
- Maximum password age: 90 days
- Password history: 24 passwordsπ Detection & Monitoring
π Event IDs to Monitor
4625: Failed logon attempts
4740: Account lockout events
4767: Account unlock events
4724: Password reset attempts
π¨ Anomaly Detection
Multiple failed authentications from single source
Unusual authentication patterns across multiple accounts
Service account lockouts (often indicates spraying)
Authentication attempts outside business hours
π Baseline Metrics
Normal failed authentication rates
Typical lockout frequencies
Service account authentication patterns
Geographic authentication patterns
β‘ Quick Reference Commands
π§ Linux Enumeration
# CrackMapExec with credentials
crackmapexec smb TARGET -u USER -p PASS --pass-pol
# rpcclient NULL session
rpcclient -U "" -N TARGET
rpcclient $> getdompwinfo
# enum4linux-ng modern
enum4linux-ng -P TARGET -oA output
# LDAP anonymous bind
ldapsearch -h TARGET -x -b "DC=DOMAIN,DC=LOCAL" -s sub "*" | grep -A10 -B10 pwdHistoryLengthπͺ Windows Enumeration
REM Built-in Windows command
net accounts
REM NULL session test
net use \\DC\ipc$ "" /u:""# PowerView
Import-Module .\PowerView.ps1
Get-DomainPolicyπ Key Takeaways
β
Enumeration Success Factors
Multiple Methods: Try various approaches (SMB, LDAP, RPC)
Legacy Misconfigurations: NULL sessions often work on older domains
Tool Redundancy: Use both traditional and modern tools
Credential Context: Some methods require authentication
β οΈ Critical Considerations
Lockout Avoidance: Never exceed safe attempt thresholds
Stealth Operations: Avoid generating excessive authentication logs
Policy Documentation: Record all discovered settings for planning
Client Communication: Confirm lockout policies when possible
π― Next Steps
User Enumeration: Gather target user lists
Password List Creation: Build spraying wordlists
Attack Timing: Plan spray intervals based on lockout policy
Monitoring Setup: Watch for defensive responses
Understanding the password policy is fundamental to safe and effective credential attacks in Active Directory environments.
Last updated