Password Policies

FROM LINUX

CrackMapExec:

With valid domain credentials, the password policy can be obtained remotely using tools like CrackMapExec or rpcclient.

crackmapexec smb 13.13.13.13 -u sol -p pwd123 --pass-pol

SMB NULL Sessions

An SMB NULL session may allow an attacker to retrieve domain information without authentication.

Using rpcclient:

rpcclient -U "" -N 13.13.13.13
rpcclient $> querydominfo
rpcclient $> getdompwinfo

Using enum4linux:

enum4linux -P 13.13.13.13

Using enum4linux-ng:

enum4linux-ng -P 13.13.13.13 -oA militech
cat militech.json

LDAP Anonymous Bind

Using ldapsearch:

ldapsearch -h 13.13.13.13 -x -b "DC=ARASAKA,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

FROM WINDOWS

net.exe

C:\> net accounts

PowerView

PS C:\> import-module .\PowerView.ps1
PS C:\> Get-DomainPolicy
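
Whether the policy was pulled over LDAP (the domain-object attributes behind the ldapsearch line above) or read locally with net accounts, the useful next step for an auditor is to normalise the values and compare them against a baseline. The Python script below is an added example and is not part of this cheat sheet or of any of the tools it lists. The sample inputs, the baseline thresholds and the function names are constructed for illustration; the attribute names, the 100-nanosecond encoding of maxPwdAge and the pwdProperties bit flags are the real Active Directory ones. It decodes both output shapes into one record and lists where the policy falls short.

```python
# Added example (not from the original cheat sheet): normalise password-policy
# output from LDAP attributes or `net accounts` and compare it with a baseline.
import re

# Bit flags of the pwdProperties attribute (MS-SAMR DOMAIN_PASSWORD_INFORMATION).
PWD_PROPERTIES = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# maxPwdAge is stored as a negative count of 100-nanosecond intervals.
HUNDRED_NS_PER_DAY = 24 * 3600 * 10_000_000

# Baseline used by check_policy(); example thresholds, adjust to your own standard.
BASELINE = {"min_length": 14, "history": 24, "lockout_threshold_max": 10, "max_age_days_max": 365}

# Constructed sample: domain-object attributes as ldapsearch would print them.
SAMPLE_LDAP = """\
dn: DC=ARASAKA,DC=LOCAL
minPwdLength: 7
pwdHistoryLength: 24
lockoutThreshold: 0
maxPwdAge: -36288000000000
pwdProperties: 1
"""

# Constructed sample: output of `net accounts` on a domain-joined host.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""


def parse_ldap(text):
    """Turn 'attribute: value' lines from the domain object into a policy record."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    max_age = int(attrs.get("maxPwdAge", "0"))
    props = int(attrs.get("pwdProperties", "0"))
    return {
        "min_length": int(attrs.get("minPwdLength", "0")),
        "history": int(attrs.get("pwdHistoryLength", "0")),
        "lockout_threshold": int(attrs.get("lockoutThreshold", "0")),  # 0 = no lockout
        "max_age_days": (-max_age) // HUNDRED_NS_PER_DAY if max_age else None,  # None = never expires
        "complexity": bool(props & 0x01),
        "flags": [name for bit, name in PWD_PROPERTIES.items() if props & bit],
    }


def parse_net_accounts(text):
    """Turn the 'Label: value' lines of `net accounts` into the same policy record."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()

    def number(label):
        value = fields.get(label, "Never")
        return None if value in ("Never", "Unlimited", "None") else int(value)

    return {
        "min_length": number("Minimum password length") or 0,
        "history": number("Length of password history maintained") or 0,
        "lockout_threshold": number("Lockout threshold") or 0,  # "Never" -> 0, no lockout
        "max_age_days": number("Maximum password age (days)"),  # "Unlimited" -> None
    }


def check_policy(policy, baseline=BASELINE):
    """Return one finding per baseline requirement the policy does not meet."""
    findings = []
    if policy["min_length"] < baseline["min_length"]:
        findings.append(f"min_length {policy['min_length']} is below {baseline['min_length']}")
    if policy["history"] < baseline["history"]:
        findings.append(f"history {policy['history']} is below {baseline['history']}")
    if policy["lockout_threshold"] == 0:
        findings.append("lockout_threshold 0: accounts never lock out")
    elif policy["lockout_threshold"] > baseline["lockout_threshold_max"]:
        findings.append(f"lockout_threshold {policy['lockout_threshold']} exceeds {baseline['lockout_threshold_max']}")
    if policy.get("max_age_days") is not None and policy["max_age_days"] > baseline["max_age_days_max"]:
        findings.append(f"max_age_days {policy['max_age_days']} exceeds {baseline['max_age_days_max']}")
    if policy.get("complexity") is False:  # complexity is only visible in the LDAP/RPC view
        findings.append("complexity disabled (DOMAIN_PASSWORD_COMPLEX not set)")
    return findings


if __name__ == "__main__":
    for source, policy in (("ldap", parse_ldap(SAMPLE_LDAP)),
                           ("net accounts", parse_net_accounts(SAMPLE_NET_ACCOUNTS))):
        print(source, policy)
        for finding in check_policy(policy):
            print("  -", finding)
```

Both sample inputs describe the same domain, so both paths yield the same two findings (minimum length 7 and no lockout). The net accounts view carries no complexity flag, which is why check_policy only raises that finding when the record came from LDAP or RPC; `maxPwdAge` of -36288000000000 decodes to the 42 days that net accounts prints directly.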