Password Policy
Before attempting attacks such as password spraying or brute forcing, we often want to learn more about the password policy to answer questions such as:
- Is account lockout enabled?
- How long must we wait between tries?
- How many tries can we make before the account locks?
- Is there a minimum/maximum password length?
- Is password complexity enforced?
We want to avoid locking accounts at all cost.
On Windows, the Default Domain Policy has no lockout threshold set (0 means no lockout), but many organisations configure a lockout after three or five invalid passwords. The lockout observation window (the time after which the bad-password counter resets) and the lockout duration are usually between 30 minutes and 3 hours. The counter is also reset by a successful logon. Fine-Grained Password Policies (PSOs) can override the domain policy for specific users or groups, so the domain-wide values are not always the ones that apply to a given account.
Knowing the minimum password length and the complexity rules lets us prune the candidate passwords we try.
Obtain Windows Password Policy
Leveraging SMB
With valid SMB credentials (a null session is sometimes enough) you can query the password policy:
$ nxc smb [...] --pass-pol
$ nxc smb [...] --users # shows 'badpwdcount' for each user
$ enum4linux-ng [...] -P
badPwdCount is not replicated between domain controllers: each DC keeps its own counter and forwards failed attempts to the PDC emulator, so query the PDC emulator if you want the authoritative value.
Leveraging RPC
With valid credentials (or a null session, where allowed) you can query the policy over RPC:
$ rpcclient [...]
client> getdompwinfo # Password Policy
Leveraging Windows Commands
If you can run commands on a domain-joined host, you may use (without /domain you get the local policy; with /domain, the domain policy from the PDC emulator; a lockout threshold of "Never" means lockout is disabled):
PS> net accounts
PS> net accounts /domain
This one from the AD module lists accounts that already have failed attempts recorded, so you know which ones to skip or wait on:
PS> Get-ADObject -Filter 'badPwdCount -gt 0' -Properties badPwdCount -IncludeDeletedObjects
Additional Notes
You can use PowerView (the password and lockout settings are under the "SystemAccess" section of the returned policy):
PS> Get-DomainPolicy