Tips & Tricks

Extracting Password Policy From Domain Machines

Before you start a Password Spraying or Brute Force attack, you always want to check what the password policy is first so you don’t start locking accounts out. This post intends to serve as a guide that lists a handful of ways to enumerate this.


Using CrackMapExec:

crackmapexec smb <targetIP> --pass-pol

If that doesn’t work, you can attempt again with a null authentication attempt by using the following. This typically works when a domain has been upgraded from 2003:

crackmapexec smb <targetIP> --pass-pol -u '' -p ''


Using Enum4Linux:

enum4linux <targetIP>


Using RPCClient:

If the below works, then we may be able to utilize RPC commands to extract details about the user and password policies.

rpcclient -U '' <targetIP>


Using PowerShell:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-addefaultdomainpasswordpolicy?view=win10-ps

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s