🔐Password Policy Enumeration

📋 Overview

Password policy enumeration is a critical reconnaissance step in Active Directory assessments. Understanding the domain's password requirements, lockout thresholds, and complexity rules helps determine the feasibility of password spraying attacks and guides credential attack strategies.

🎯 Why Password Policies Matter

🔍 Assessment Value

Password Spraying Planning: Determines safe attack parameters
Lockout Avoidance: Critical for maintaining stealth
Attack Vector Selection: Influences credential attack methodology
Risk Assessment: Weak policies indicate higher security risk

⚠️ Key Policy Settings

Minimum Password Length: Affects password complexity
Lockout Threshold: Maximum failed attempts before lockout
Lockout Duration: How long accounts remain locked
Password Complexity: Character requirements
Password History: Prevents password reuse

🐧 Linux-Based Enumeration

🔑 Credentialed Enumeration

CrackMapExec - Password Policy

# Enumerate password policy with valid credentials
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

Example Output:

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\avazquez:Password123 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] Dumping password info for domain: INLANEFREIGHT
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Minimum password length: 8
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Password history length: 24
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Maximum password age: Not Set
SMB         172.16.5.5      445    ACADEMY-EA-DC01  
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Password Complexity Flags: 000001
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Refuse Password Change: 0
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Password Store Cleartext: 0
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Password Lockout Admins: 0
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Password No Clear Change: 0
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Password No Anon Change: 0
SMB         172.16.5.5      445    ACADEMY-EA-DC01  	Domain Password Complex: 1
SMB         172.16.5.5      445    ACADEMY-EA-DC01  
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Minimum password age: 1 day 4 minutes 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Reset Account Lockout Counter: 30 minutes 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Locked Account Duration: 30 minutes 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Account Lockout Threshold: 5
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Forced Log off Time: Not Set

🔓 SMB NULL Session Enumeration

rpcclient - NULL Session

# Connect with NULL session
rpcclient -U "" -N 172.16.5.5

# Query domain information
rpcclient $> querydominfo
Domain:		INLANEFREIGHT
Server:		
Comment:	
Total Users:	3650
Total Groups:	0
Total Aliases:	37
Sequence No:	1
Force Logoff:	-1
Domain Server State:	0x1
Server Role:	ROLE_DOMAIN_PDC
Unknown 3:	0x1

# Get password policy
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
	DOMAIN_PASSWORD_COMPLEX

enum4linux - Legacy Tool

# Enumerate password policy
enum4linux -P 172.16.5.5

Key Output:

[+] Password Info for Domain: INLANEFREIGHT

	[+] Minimum password length: 8
	[+] Password history length: 24
	[+] Maximum password age: Not Set
	[+] Password Complexity Flags: 000001

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 1

	[+] Minimum password age: 1 day 4 minutes 
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: 5
	[+] Forced Log off Time: Not Set

enum4linux-ng - Modern Rewrite

# Enhanced enumeration with export options
enum4linux-ng -P 172.16.5.5 -oA ilfreight

YAML/JSON Output:

domain_password_information:
  pw_history_length: 24
  min_pw_length: 8
  min_pw_age: 1 day 4 minutes
  max_pw_age: not set
  pw_properties:
  - DOMAIN_PASSWORD_COMPLEX: true
  - DOMAIN_PASSWORD_NO_ANON_CHANGE: false
  - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
  - DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
  - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
  - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
domain_lockout_information:
  lockout_observation_window: 30 minutes
  lockout_duration: 30 minutes
  lockout_threshold: 5

Tool Port Usage

Tool

Ports

nmblookup

137/UDP

nbtstat

137/UDP

net

139/TCP, 135/TCP, 49152-65535

rpcclient

135/TCP

smbclient

445/TCP

🌐 LDAP Anonymous Bind

ldapsearch - LDAP Query

# Query password policy via LDAP
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Example Output:

forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
maxPwdAge: -9223372036854775808
minPwdAge: -864000000000
minPwdLength: 8
modifiedCountAtLastProm: 0
nextRid: 1002
pwdProperties: 1
pwdHistoryLength: 24

Note: In newer versions, use -H ldap://IP instead of -h IP

🪟 Windows-Based Enumeration

🔓 NULL Session from Windows

net use Command

# Establish NULL session
net use \\DC01\ipc$ "" /u:""
The command completed successfully.

# Test with credentials
net use \\DC01\ipc$ "password" /u:guest

Common Error Messages

# Account Disabled
System error 1331 has occurred.
This user can't sign in because this account is currently disabled.

# Incorrect Password
System error 1326 has occurred.
The user name or password is incorrect.

# Account Locked Out
System error 1909 has occurred.
The referenced account is currently locked out and may not be logged on to.

🔑 Credentialed Windows Enumeration

net.exe - Built-in Tool

# Query account policy
net accounts

Example Output:

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.

PowerView - PowerShell Module

# Import and query domain policy
Import-Module .\PowerView.ps1
Get-DomainPolicy

Example Output:

Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=-1; MinimumPasswordLength=8; PasswordComplexity=1;
                 PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=30; LockoutDuration=30;
                 RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
                 LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version        : @{signature="$CHICAGO$"; Revision=1}
Path           : \\INLANEFREIGHT.LOCAL\sysvol\INLANEFREIGHT.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy

📊 Password Policy Analysis

🔍 INLANEFREIGHT.LOCAL Analysis

Setting

Value

Implication

Minimum Length

8 characters

Allows weak passwords like Welcome1

Lockout Threshold

5 attempts

Safe for 2-3 password spraying attempts

Lockout Duration

30 minutes

Accounts auto-unlock (no admin required)

Password Complexity

Enabled

3/4 character types required

Password History

24 passwords

Prevents immediate reuse

Maximum Age

Unlimited

Passwords never expire

⚠️ Password Spraying Implications

Safe Attempt Count: 2-3 attempts per user
Wait Time: 31+ minutes between spray rounds
Target Passwords: Welcome1, Password1, Company1
Risk Level: Low (auto-unlock, high threshold)

📋 Default Domain Password Policy

Policy

Default Value

Enforce password history

24 days

Maximum password age

42 days

Minimum password age

1 day

Minimum password length

Password complexity

Enabled

Store passwords using reversible encryption

Disabled

Account lockout duration

Not set

Account lockout threshold

Reset account lockout counter

Not set

🎯 HTB Academy Lab Walkthrough

📝 Lab Questions

Question 1: "What is the default Minimum password length when a new domain is created?"

Question 2: "What is the minPwdLength set to in the INLANEFREIGHT.LOCAL domain?"

🚀 Step-by-Step Solution

1️⃣ Connect to Target

# SSH to target system
ssh htb-student@TARGET_IP
# Password: HTB_@cademy_stdnt!

2️⃣ Method 1: enum4linux

# Enumerate password policy
enum4linux -P 172.16.5.5

3️⃣ Method 2: rpcclient NULL Session

# Connect with NULL session
rpcclient -U "" -N 172.16.5.5

# Query password policy
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
	DOMAIN_PASSWORD_COMPLEX

4️⃣ Method 3: ldapsearch

# Query via LDAP
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep minPwdLength
minPwdLength: 8

5️⃣ Method 4: enum4linux-ng

# Modern tool with structured output
enum4linux-ng -P 172.16.5.5 -oA ilfreight

# Check JSON output
cat ilfreight.json | grep -A5 "domain_password_information"

✅ Answers

Default minimum password length: 7
INLANEFREIGHT.LOCAL minPwdLength: 8

🛡️ Password Policy Best Practices

✅ Strong Policy Recommendations

Minimum Length: 12-14 characters
Lockout Threshold: 3-5 attempts
Lockout Duration: 15-30 minutes
Complexity: Enable but educate users
Password Age: 90-180 days maximum

🚫 Disable Legacy Features

SMB NULL Sessions: Prevent anonymous access
LDAP Anonymous Bind: Require authentication
LM Hash Storage: Use only NTLM/NTLMv2
Reversible Encryption: Never enable

🔧 Group Policy Hardening

Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy
- Minimum password length: 12
- Password complexity requirements: Enabled
- Minimum password age: 1 day
- Maximum password age: 90 days
- Password history: 24 passwords

🔍 Detection & Monitoring

📊 Event IDs to Monitor

4625: Failed logon attempts
4740: Account lockout events
4767: Account unlock events
4724: Password reset attempts

🚨 Anomaly Detection

Multiple failed authentications from single source
Unusual authentication patterns across multiple accounts
Service account lockouts (often indicates spraying)
Authentication attempts outside business hours

📈 Baseline Metrics

Normal failed authentication rates
Typical lockout frequencies
Service account authentication patterns
Geographic authentication patterns

⚡ Quick Reference Commands

🐧 Linux Enumeration

# CrackMapExec with credentials
crackmapexec smb TARGET -u USER -p PASS --pass-pol

# rpcclient NULL session
rpcclient -U "" -N TARGET
rpcclient $> getdompwinfo

# enum4linux-ng modern
enum4linux-ng -P TARGET -oA output

# LDAP anonymous bind
ldapsearch -h TARGET -x -b "DC=DOMAIN,DC=LOCAL" -s sub "*" | grep -A10 -B10 pwdHistoryLength

🪟 Windows Enumeration

REM Built-in Windows command
net accounts

REM NULL session test
net use \\DC\ipc$ "" /u:""

# PowerView
Import-Module .\PowerView.ps1
Get-DomainPolicy

🔑 Key Takeaways

✅ Enumeration Success Factors

Multiple Methods: Try various approaches (SMB, LDAP, RPC)
Legacy Misconfigurations: NULL sessions often work on older domains
Tool Redundancy: Use both traditional and modern tools
Credential Context: Some methods require authentication

⚠️ Critical Considerations

Lockout Avoidance: Never exceed safe attempt thresholds
Stealth Operations: Avoid generating excessive authentication logs
Policy Documentation: Record all discovered settings for planning
Client Communication: Confirm lockout policies when possible

🎯 Next Steps

User Enumeration: Gather target user lists
Password List Creation: Build spraying wordlists
Attack Timing: Plan spray intervals based on lockout policy
Monitoring Setup: Watch for defensive responses

Understanding the password policy is fundamental to safe and effective credential attacks in Active Directory environments.

PreviousLLMNR/NBT-NS Poisoning from Windows NextPassword Spraying - Target User Lists

Last updated 6 months ago

hashtag📋 Overview

hashtag🎯 Why Password Policies Matter

hashtag🔍 Assessment Value

hashtag⚠️ Key Policy Settings

hashtag🐧 Linux-Based Enumeration

hashtag🔑 Credentialed Enumeration

hashtagCrackMapExec - Password Policy

hashtag🔓 SMB NULL Session Enumeration

hashtagrpcclient - NULL Session

hashtagenum4linux - Legacy Tool

hashtagenum4linux-ng - Modern Rewrite

hashtagTool Port Usage

hashtag🌐 LDAP Anonymous Bind

hashtagldapsearch - LDAP Query

hashtag🪟 Windows-Based Enumeration

hashtag🔓 NULL Session from Windows

hashtagnet use Command

hashtagCommon Error Messages

hashtag🔑 Credentialed Windows Enumeration

hashtagnet.exe - Built-in Tool

hashtagPowerView - PowerShell Module

hashtag📊 Password Policy Analysis

hashtag🔍 INLANEFREIGHT.LOCAL Analysis

hashtag⚠️ Password Spraying Implications

hashtag📋 Default Domain Password Policy

hashtag🎯 HTB Academy Lab Walkthrough

hashtag📝 Lab Questions

hashtagQuestion 1: "What is the default Minimum password length when a new domain is created?"

hashtagQuestion 2: "What is the minPwdLength set to in the INLANEFREIGHT.LOCAL domain?"

hashtag🚀 Step-by-Step Solution

hashtag1️⃣ Connect to Target

hashtag2️⃣ Method 1: enum4linux

hashtag3️⃣ Method 2: rpcclient NULL Session

hashtag4️⃣ Method 3: ldapsearch

hashtag5️⃣ Method 4: enum4linux-ng

hashtag✅ Answers

hashtag🛡️ Password Policy Best Practices

hashtag✅ Strong Policy Recommendations

hashtag🚫 Disable Legacy Features

hashtag🔧 Group Policy Hardening

hashtag🔍 Detection & Monitoring

hashtag📊 Event IDs to Monitor

hashtag🚨 Anomaly Detection

hashtag📈 Baseline Metrics

hashtag⚡ Quick Reference Commands

hashtag🐧 Linux Enumeration

hashtag🪟 Windows Enumeration

hashtag🔑 Key Takeaways

hashtag✅ Enumeration Success Factors

hashtag⚠️ Critical Considerations

hashtag🎯 Next Steps

📋 Overview

🎯 Why Password Policies Matter

🔍 Assessment Value

⚠️ Key Policy Settings

🐧 Linux-Based Enumeration

🔑 Credentialed Enumeration

CrackMapExec - Password Policy

🔓 SMB NULL Session Enumeration

rpcclient - NULL Session

enum4linux - Legacy Tool

enum4linux-ng - Modern Rewrite

Tool Port Usage

🌐 LDAP Anonymous Bind

ldapsearch - LDAP Query

🪟 Windows-Based Enumeration

🔓 NULL Session from Windows

net use Command

Common Error Messages

🔑 Credentialed Windows Enumeration

net.exe - Built-in Tool

PowerView - PowerShell Module

📊 Password Policy Analysis

🔍 INLANEFREIGHT.LOCAL Analysis

⚠️ Password Spraying Implications

📋 Default Domain Password Policy

🎯 HTB Academy Lab Walkthrough

📝 Lab Questions

Question 1: "What is the default Minimum password length when a new domain is created?"

Question 2: "What is the minPwdLength set to in the INLANEFREIGHT.LOCAL domain?"

🚀 Step-by-Step Solution

1️⃣ Connect to Target

2️⃣ Method 1: enum4linux

3️⃣ Method 2: rpcclient NULL Session

4️⃣ Method 3: ldapsearch

5️⃣ Method 4: enum4linux-ng

✅ Answers

🛡️ Password Policy Best Practices

✅ Strong Policy Recommendations

🚫 Disable Legacy Features

🔧 Group Policy Hardening

🔍 Detection & Monitoring

📊 Event IDs to Monitor

🚨 Anomaly Detection

📈 Baseline Metrics

⚡ Quick Reference Commands

🐧 Linux Enumeration

🪟 Windows Enumeration

🔑 Key Takeaways

✅ Enumeration Success Factors

⚠️ Critical Considerations

🎯 Next Steps