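As an attacker, password policies are extremely important to enumerate before performing credential-based attacks such as password spraying: the policy holds the lockout threshold, lockout duration and observation window, along with the length and complexity rules.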

Enumerate Password Policy

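# Get Password Policy with CrackMapExec (Unauthenticated)
# Binds with an empty username and password (SMB null session) and requests the
# policy with --pass-pol, the same flag the authenticated command below uses;
# without that flag the command only tests the login and returns no policy.
# If a policy comes back here, the DC is answering anonymous enumeration, which
# is a hardening finding in its own right.
cme smb "$dc" -u '' -p '' --pass-pol

# Get Password Policy with CrackMapExec
# $dc, $username and $password are expected to be set beforehand; the quotes
# keep values containing spaces or shell metacharacters as a single argument.
# The password is passed as a command-line argument, so it is visible in the
# process list and shell history of the testing host.
crackmapexec smb "$dc" -u "$username" -p "$password" --pass-pol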

# Get Password Policy with Net Accounts
# Run on a Windows host. Without a switch, net accounts reports the policy of
# the machine it runs on; `net accounts /domain` queries a domain controller
# instead. The output includes the lockout threshold, lockout duration and
# lockout observation window alongside the password length and age settings.
net accounts

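# Enumerate the default password policy settings from the Default Domain Policy GPO
# (no command was given for this step; Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module returns the domain-wide values)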

Fine-Grained Password Policy

# Enumerate all FGPPs configured
# Requires the ActiveDirectory PowerShell module. Fine-grained policies
# (Password Settings Objects) override the default domain policy for the users
# and groups they apply to, so the domain-wide values are not the whole picture.
# NOTE(review): PSOs are typically readable only by privileged accounts by
# default, so an empty result from a low-privileged account does not prove that
# none exist - confirm against the directory's ACLs.
Get-ADFineGrainedPasswordPolicy -Filter *

# Obtain the FGPP assigned to a specific user
# "parzival" is a sample account name. The cmdlet returns nothing when no FGPP
# applies to the user, in which case the default domain policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity parzival

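# Obtain FGPP via WMIC (written for cmd.exe; returns each PSO's display name, precedence, lockout settings and the objects it applies to)
# WMIC is deprecated and may not be installed on current Windows builds.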
wmic /namespace:\\ROOT\directory\LDAP PATH ds_msds_passwordsettings GET DS_DisplayName, ds_msds_PasswordSettingsPrecedence, ds_msds_LockoutObservationWindow, ds_msds_LockoutDuration, ds_msds_LockoutThreshold, ds_msds_PSOAppliesTo


