Before you start a Password Spraying or Brute Force attack, you always want to check what the password policy is first so you don’t start locking accounts out. This post intends to serve as a guide that lists a handful of ways to enumerate this.
crackmapexec smb <targetIP> --pass-pol
If that doesn’t work, you can attempt again with a null authentication attempt by using the following. This typically works when a domain has been upgraded from 2003:
crackmapexec smb <targetIP> --pass-pol -u '' -p ''
If the below works, then we may be able to utilize RPC commands to extract details about the user and password policies.
rpcclient -U '' <targetIP>