# Password Policy
A password policy is a set of rules enforced by an organization to enhance password security, typically defining requirements like minimum length, complexity, expiration, and lockout thresholds. In Active Directory, it is managed via Group Policy and affects user authentication across the domain.
# Linux
- CrackMapExec
- SMB NULL Sessions
- LDAP Anonymous Bind
## [CRACKMAPEXEC] Credentialed
crackmapexec smb 10.10.10.10 -u rezydev -p Password1 --pass-pol
## [CRACKMAPEXEC] Without Credentials
crackmapexec ldap 10.10.10.10 --anon --pass-pol
## SMB NULL Sessions (Without Credentials)
## [RPC CLIENT]
rpcclient -U "" -N 10.10.10.10 ## anonymous access
$> querydominfo # information about the domain
$> getdompwinfo # information about the password policy
## [ENUM4LINUX]
enum4linux -P 10.10.10.10
enum4linux-ng -P 10.10.10.10 -oA output
## LDAP Anonymous Bind
LDAP Anonymous Bind allows unauthenticated users to connect to an LDAP directory, such as Active Directory, and retrieve publicly accessible information. If anonymous queries are permitted, the domain password policy can be enumerated by reading attributes like maxPwdAge and minPwdLength from the domain object at the default naming context (the RootDSE advertises that naming context, so it is the first thing to query).
## [LDAPSEARCH]
ldapsearch -x -H ldap://10.10.10.10 -b "DC=REZYDEV,DC=LOCAL" -s sub "(objectClass=*)" | grep -m 1 -B 10 pwdHistoryLength
ldapsearch -x -H ldap://10.10.10.10 -b "DC=REZYDEV,DC=LOCAL" -s base "(objectClass=*)" maxPwdAge minPwdLength   ## the policy attributes sit on the domain object, so a base DN is required
## [LDAPDOMAINDUMP]
ldapdomaindump --no-pass -d rezydev.local 10.10.10.10
cat domain_policy.json | jq '.DomainPasswordPolicy'
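Added example (Python with ldap3, not part of the original page): it reproduces what the ldapsearch queries above return and decodes the raw 100-nanosecond interval values into days and minutes, which is the part readers usually have to look up. The ldap3 dependency is an assumption; the constructed sample entry lets the decoding run offline.

```python
"""Added example (not code from the page): read a domain's password policy the way
the ldapsearch commands above do, and decode AD's raw 100-nanosecond interval
values. fetch_domain_policy() assumes the ldap3 library; decoding runs offline."""

# The policy attributes live on the domain object, i.e. the default naming context.
POLICY_ATTRS = ["maxPwdAge", "minPwdAge", "minPwdLength", "pwdHistoryLength",
                "pwdProperties", "lockoutThreshold", "lockoutDuration",
                "lockOutObservationWindow"]
DOMAIN_PASSWORD_COMPLEX = 0x1        # pwdProperties bit: complexity enforced
NEVER = -0x8000000000000000          # maxPwdAge value meaning "passwords never expire"

# Constructed sample mimicking an ldapsearch result: 42-day max age, 1-day min age,
# length 7, 24 passwords remembered, complexity on, lockout threshold 0 (no lockout).
SAMPLE_DOMAIN_ENTRY = {
    "maxPwdAge": "-36288000000000", "minPwdAge": "-864000000000",
    "minPwdLength": "7", "pwdHistoryLength": "24", "pwdProperties": "1",
    "lockoutThreshold": "0", "lockoutDuration": "-18000000000",
    "lockOutObservationWindow": "-18000000000",
}

def interval_to_seconds(raw):
    """AD stores durations as negative counts of 100-ns ticks; NEVER means unlimited."""
    ticks = int(raw)
    return None if ticks == NEVER else abs(ticks) / 10_000_000

def decode_password_policy(attrs):
    """Turn the raw attribute strings into the settings `net accounts` would display."""
    max_age = interval_to_seconds(attrs["maxPwdAge"])
    return {
        "max_password_age_days": None if max_age is None else max_age / 86400,
        "min_password_age_days": interval_to_seconds(attrs["minPwdAge"]) / 86400,
        "min_length": int(attrs["minPwdLength"]),
        "history_length": int(attrs["pwdHistoryLength"]),
        "complexity_required": bool(int(attrs["pwdProperties"]) & DOMAIN_PASSWORD_COMPLEX),
        "lockout_threshold": int(attrs["lockoutThreshold"]),   # 0 = accounts never lock
        "lockout_duration_minutes": interval_to_seconds(attrs["lockoutDuration"]) / 60,
        "lockout_window_minutes": interval_to_seconds(attrs["lockOutObservationWindow"]) / 60,
    }

def fetch_domain_policy(host):
    """Anonymous bind, find the default naming context via RootDSE, read the domain object."""
    from ldap3 import ALL, BASE, Connection, Server   # assumption: pip install ldap3
    server = Server(host, get_info=ALL)                # get_info=ALL pulls the RootDSE
    conn = Connection(server, auto_bind=True)          # no user/password = anonymous bind
    base = server.info.other["defaultNamingContext"][0]
    conn.search(base, "(objectClass=domain)", search_scope=BASE, attributes=POLICY_ATTRS)
    if not conn.entries:                               # policy not readable anonymously
        return None
    entry = conn.entries[0]
    return decode_password_policy({a: entry[a].raw_values[0].decode() for a in POLICY_ATTRS})
```

A `None` return from fetch_domain_policy() against your own DC is the desired state when anonymous LDAP reads are supposed to be disabled.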
# Windows
- net.exe
- PowerView
- PowerShell
## SMB NULL Sessions
net use \\DC01\ipc$ "" /u:""
## Retrieve Password Policy
net accounts
## [POWERVIEW]
PS C:\> . .\PowerView.ps1 ## Importing the Script
PS C:\> Get-DomainPolicy ## Retrieve Password Policy
## [POWERSHELL] ActiveDirectory module
Get-ADDefaultDomainPasswordPolicy -Server 10.10.10.10