Extracting Password Policy From Domain Machines

Before you start a Password Spraying or Brute Force attack, you always want to check what the password policy is first so you don’t start locking accounts out. This post intends to serve as a guide that lists a handful of ways to enumerate this.

Using CrackMapExec:

crackmapexec smb <targetIP> --pass-pol

If that doesn’t work, you can attempt again with a null authentication attempt by using the following. This typically works when a domain has been upgraded from 2003:

crackmapexec smb <targetIP> --pass-pol -u '' -p ''

Using Enum4Linux:

enum4linux <targetIP>

Using RPCClient:

If the below works, then we may be able to utilize RPC commands to extract details about the user and password policies.

rpcclient -U '' <targetIP>

Using PowerShell:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-addefaultdomainpasswordpolicy?view=win10-ps

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

Infinite Logins

Infinite Logins

Extracting Password Policy From Domain Machines

Leave a Reply Cancel reply

Infinite Logins

Share this:

Like this:

Related

Leave a Reply Cancel reply