Enumerating & Retrieving PwdPols
Enumerating the Password Policy - from Linux - Credentialed
neutron@kali[/kali]$ crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:legalcorp.local) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] legalcorp.local\avazquez:Password123
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Dumping password info for domain: LEGALCORP
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Minimum password length: 8
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Password history length: 24
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Maximum password age: Not Set
SMB 172.16.5.5 445 ACADEMY-EA-DC01
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Password Complexity Flags: 000001
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Refuse Password Change: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password Store Cleartext: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password Lockout Admins: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password No Clear Change: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password No Anon Change: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Password Complex: 1
SMB 172.16.5.5 445 ACADEMY-EA-DC01
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Minimum password age: 1 day 4 minutes
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Reset Account Lockout Counter: 30 minutes
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Locked Account Duration: 30 minutes
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Account Lockout Threshold: 5
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Forced Log off Time: Not Set
Enumerating the Password Policy - from Linux - SMB NULL Sessions
Without credentials, we may be able to obtain the password policy via an SMB NULL session or LDAP anonymous bind.
neutron@kali[/kali]$ rpcclient -U "" -N 172.16.5.5
rpcclient $> querydominfo
Domain: LEGALCORP
Server:
Comment:
Total Users: 3650
Total Groups: 0
Total Aliases: 37
Sequence No: 1
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
Obtain the password policy.
rpcclient $> querydominfo
Domain: LEGALCORP
Server:
Comment:
Total Users: 3650
Total Groups: 0
Total Aliases: 37
Sequence No: 1
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
DOMAIN_PASSWORD_COMPLEX
neutron@kali[/kali]$ enum4linux -P 172.16.5.5
<SNIP>
==================================================
| Password Policy Information for 172.16.5.5 |
==================================================
[+] Attaching to 172.16.5.5 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:172.16.5.5)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] LEGALCORP
[+] Builtin
[+] Password Info for Domain: LEGALCORP
[+] Minimum password length: 8
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000001
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 1
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: 5
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Enabled
Minimum Password Length: 8
enum4linux complete on Tue Feb 22 17:39:29 2022
Enum4linux-ng provides us with a bit clearer output and handy JSON and YAML output using the -oA flag.
neutron@kali[/kali]$ enum4linux-ng -P 172.16.5.5 -oA lcorp
ENUM4LINUX - next generation
<SNIP>
=======================================
| RPC Session Check on 172.16.5.5 |
=======================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user session
[-] Could not establish random user session: STATUS_LOGON_FAILURE
=================================================
| Domain Information via RPC for 172.16.5.5 |
=================================================
[+] Domain: LEGALCORP
[+] SID: S-1-5-21-3842939050-3880317879-2865463114
[+] Host is part of a domain (not a workgroup)
=========================================================
| Domain Information via SMB session for 172.16.5.5 |
========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: ACADEMY-EA-DC01
NetBIOS domain name: LEGALCORP
DNS domain: legalcorp.local
FQDN: ACADEMY-EA-DC01.legalcorp.local
=======================================
| Policies via RPC for 172.16.5.5 |
=======================================
[*] Trying port 445/tcp
[+] Found policy:
domain_password_information:
pw_history_length: 24
min_pw_length: 8
min_pw_age: 1 day 4 minutes
max_pw_age: not set
pw_properties:
- DOMAIN_PASSWORD_COMPLEX: true
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
domain_lockout_information:
lockout_observation_window: 30 minutes
lockout_duration: 30 minutes
lockout_threshold: 5
domain_logoff_information:
force_logoff_time: not set
Completed after 5.41 seconds
Displaying the contents of lcorp.json
neutron@kali[/kali]$ cat lcorp.json
{
"target": {
"host": "172.16.5.5",
"workgroup": ""
},
"credentials": {
"user": "",
"password": "",
"random_user": "yxditqpc"
},
"services": {
"SMB": {
"port": 445,
"accessible": true
},
"SMB over NetBIOS": {
"port": 139,
"accessible": true
}
},
"smb_dialects": {
"SMB 1.0": false,
"SMB 2.02": true,
"SMB 2.1": true,
"SMB 3.0": true,
"SMB1 only": false,
"Preferred dialect": "SMB 3.0",
"SMB signing required": true
},
"sessions_possible": true,
"null_session_possible": true,
<SNIP>
Enumerating the Password Policy - from Linux - LDAP Anonymous Bind
LDAP anonymous binds allow unauthenticated attackers to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy.
neutron@kali[/kali]$ ldapsearch -h 172.16.5.5 -x -b "DC=LEGALCORP,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
maxPwdAge: -9223372036854775808
minPwdAge: -864000000000
minPwdLength: 8
modifiedCountAtLastProm: 0
nextRid: 1002
pwdProperties: 1
pwdHistoryLength: 24
Enumerating the Password Policy - from Windows
If we can authenticate to the domain from a Windows host, we can use built-in Windows binaries such as net.exe to retrieve the password policy.
C:\xyz> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): Unlimited
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully.
PowerView is also quite handy for this:
PS C:\xyz> import-module .\PowerView.ps1
PS C:\xyz> Get-DomainPolicy
Unicode : @{Unicode=yes}
SystemAccess : @{MinimumPasswordAge=1; MaximumPasswordAge=-1; MinimumPasswordLength=8; PasswordComplexity=1;
PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=30; LockoutDuration=30;
RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version : @{signature="$CHICAGO$"; Revision=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Path : \\legalcorp.local\sysvol\legalcorp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHI
NE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy