Password Policy

As an attacker, password policies are extremely important to enumerate for performing both credential-based attacks such as password spraying.

Enumerate Password Policy

# Get Password Policy with CrackMapExec (Unauthenticated)
cme smb $dc -u '' -p ''

# Get Password Policy with CrackMapExec
crackmapexec smb $dc -u $username -p $password --pass-pol

# Get Password Policy with Net Accounts
net accounts

# Enumerate the default password policy settings from the Default Domain Policy GPO
Get-ADDefaultDomainPasswordPolicy

Fine-Grained Password Policy

# Enumerate all FGPPs configured
Get-ADFineGrainedPasswordPolicy -Filter *

# Obtain the FGPP assigned to a specific user
Get-ADUserResultantPasswordPolicy -Identity parzival

# Obtain FGPP via WMIC
wmic /namespace:\\ROOT\directory\LDAP PATH ds_msds_passwordsettings GET DS_DisplayName, ds_msds_PasswordSettingsPrecedence, ds_msds_LockoutObservationWindow, ds_msds_LockoutDuration, ds_msds_LockoutThreshold, ds_msds_PSOAppliesTo

References

How to create a fine-grained password policy in ADSpecops Software

PreviousPassword Cracking NextPassword Spraying

Last updated 1 year ago