If we already obtained valid credentials, we can use crackmapexec or rpcclient.:
ElFelixio@htb[/htb]$ crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\avazquez:Password123
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Dumping password info for domain: INLANEFREIGHT
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Minimum password length: 8
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Password history length: 24
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Maximum password age: Not Set
And there we have the password policy
Password Policy - from Linux - SMB NULL Sessions
If we don't have credentials we could try null sessions or LDAP anonymous bind
SMB NULL session. SMB NULL sessions allow an unauthenticated attacker to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. For enumeration, we can use tools such as enum4linux, CrackMapExec, rpcclient, etc
Password Policy - from Linux - LDAP Anonymous Bind
LDAP anonymous binds allow unauthenticated attackers to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy.
We could use some well known tools to enumerate for password policy (windapsearch.py, ldapsearch, ad-ldapdomaindump.py, etc)
we can see the minimum password length of 8, lockout threshold of 5
Password Policy - from Windows
Using net.exe
C:\htb> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): Unlimited
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully.
Here we can glean the following information:
Passwords never expire (Maximum password age set to Unlimited)
The minimum password length is 8 so weak passwords are likely in use
Using a set of credentials from a Linux or Windows attack system either provided by our client or obtained through another means such as LLMNR/NBT-NS response poisoning using Responder
No matter the method we choose, it is also vital for us to consider the domain password policy.
Weneed to know minimum password length, account lockout threshold and how many minutes we should wait between spray attempts.
This method will also show the badpwdcount (invalid login attempts), so we can remove any accounts from our list that are close to the lockout threshold. It also shows the baddpwdtime, which is the date and time of the last bad password attempt, so we can see how close an account is to having its badpwdcount reset.