Password policy

When attacking Active Directory domains, directly targeting accounts is usually a great start. It could provide initial access and help the attackers operate lateral movement. The easiest way to compromise accounts is to operate some password bruteforcing, guessing or spraying. This kind of attack usually yields good results depending on the user's awareness. There are however technical measures that usually are in place, forcing the attackers to balance the number and speed of password attempts.

In order to fine-tune this, the password policy can be obtained. This policy can sometimes be enumerated with a null-session (i.e. an MS-RPC null session or an LDAP anonymous bind).

UNIX-like
Windows
UNIX-like

On UNIX-like systems, there are many alternatives that allow to obtain the password policy like polenum (Python), CrackMapExec (Python), ldapsearch-ad (Python) and enum4linux.

# polenum (obtained through MS-RPC)
polenum -d $DOMAIN -u $USER -p $PASSWORD -d $DOMAIN
​
# CrackMapExec (obtained through MS-RPC)
cme smb $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --pass-pol
​
# ldapsearch-ad (obtained through LDAP)
ldapsearch-ad.py -l $LDAP_SERVER -d $DOMAIN -u $USER -p $PASSWORD -t pass-pol
​
# enum4linux-ng (obtained through MS-RPC)
enum4linux-ng -P -w -u $USER -p $PASSWORD $DOMAIN_CONTROLLER
Windows

From domain-joined machine, the net cmdlet can be used to obtain the password policy.

net accounts
net accounts /domain

From non domain-joined machines, it can be done with PowerView (Powershell).

Get-DomainPolicy

Accounts that lockout can be attacked with sprayhound (credential spraying) while those that don't can be directly bruteforced with kerbrute (Kerberos pre-auth bruteforcing)