When attacking Active Directory domains, directly targeting accounts is usually a great start. It could provide initial access and help the attackers operate lateral movement. The easiest way to compromise accounts is to operate some password bruteforcing, guessing or spraying. This kind of attack usually yields good results depending on the user's awareness. There are however technical measures that usually are in place, forcing the attackers to balance the number and speed of password attempts.
# polenum (obtained through MS-RPC)polenum -d $DOMAIN -u $USER -p $PASSWORD -d $DOMAIN# CrackMapExec (obtained through MS-RPC)cme smb $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --pass-pol# ldapsearch-ad (obtained through LDAP)ldapsearch-ad.py -l $LDAP_SERVER -d $DOMAIN -u $USER -p $PASSWORD -t pass-pol# enum4linux-ng (obtained through MS-RPC)enum4linux-ng -P -w -u $USER -p $PASSWORD $DOMAIN_CONTROLLER
From a domain-joined machine, the
net cmdlet can be used to obtain the password policy.
net accountsnet accounts /domain
From non-domain-joined machines, it can be done with PowerView (Powershell).