Password Hunting and Gathering
Enumerating Password Policies via SMB NULL Sessions (Linux)
Without credentials, we may still be able to obtain the domain password policy via an SMB NULL session or an LDAP anonymous bind.
SMB NULL sessions allow an unauthenticated attacker to retrieve information about the domain, such as a list of users, groups and computers, and the domain password policy.
Using rpcclient
We can use rpcclient to check a Domain Controller for SMB NULL session access by connecting with an empty username and no password:
rpcclient -U "" -N IP
Once connected, we can run querydominfo
to obtain information about the domain, and then getdompwinfo
to get the password policy. The output below is from a sample domain:
rpcclient $> querydominfo
Domain: TESTDOMAIN
Server:
Comment:
Total Users: 3650
Total Groups: 0
Total Aliases: 37
Sequence No: 1
Force Logoff: -1
Domain Server State: 0x1
Server Role: ROLE_DOMAIN_PDC
Unknown 3: 0x1
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
DOMAIN_PASSWORD_COMPLEX
Using enum4linux
We can use this tool to check for NULL sessions and retrieve information similar to rpcclient. We can also use enum4linux-ng, the rewrite of enum4linux, which allows us to export the data as YAML or JSON files. The -P option retrieves the password policy:
enum4linux -P IP
enum4linux-ng -P IP -oA file-name
Enumerating Null Session (Windows)
This is a less common technique from a Windows host, but it is still sometimes used.
We can use the net use
command to establish a NULL session to the IPC$ share of a Domain Controller from a Windows machine.
Establish a NULL session
net use \\DC01\ipc$ "" /u:""
The command completed successfully.
Enumerating Password Policy with LDAP Anonymous Bind (Linux)
This technique lets unauthenticated attackers retrieve information from the domain. It is a legacy configuration: since Windows Server 2003, only authenticated users are permitted to run LDAP queries by default, so an anonymous bind only works where an administrator has explicitly enabled it.
We can use tools such as windapsearch.py
, ldapsearch
and ad-ldapdomaindump.py
to pull the password policy.
Using ldapsearch
ldapsearch -h IP -x -b "DC=DOMAIN-NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
The -x flag requests a simple (here anonymous) bind. OpenLDAP 2.5 and later have removed the -h option from ldapsearch; on those builds use -H ldap://IP instead.
Enumerating Password Policy (Windows)
If we can authenticate to the domain from a Windows host, we can use built-in Windows binaries such as net.exe
to retrieve the password policy.
Using net.exe
net accounts
From this command, we should be able to see the following information:
Whether passwords expire (a Maximum password age of Unlimited means they never do)
The minimum password length
The lockout threshold (the number of failed logons before an account is locked)
The lockout duration (how long accounts remain locked out)
Using PowerView
import-module .\PowerView.ps1
Get-DomainPolicy
PowerView gives us the same information as net accounts,
but in a slightly different format.
Password Policy Analysis
The minimum password length:
A common length is 8 characters, but more and more organizations now enforce 10-14 character passwords, which rules out many short candidates for spraying.
The account lockout threshold:
It is not unusual to see a low threshold such as 3, or no threshold set at all. With no threshold we can spray freely (though noisily); with a threshold of 3 we get at most a couple of attempts per account before we must stop.
The lockout duration:
30 minutes is common. We must plan our spraying around this value (and the lockout observation window, after which the bad-password counter resets) so that we don't accidentally lock out accounts.
Password complexity is enabled:
This means a user must choose a password containing at least three of the following four categories: an uppercase letter, a lowercase letter, a number and a special character. (Strictly, Windows checks three of five categories; the fifth is any other Unicode alphabetic character, which rarely matters in practice.)
Making a Target User List
If we are on an internal machine but don't have valid domain credentials, we can look for SMB NULL sessions or LDAP anonymous binds on Domain Controllers.
If we have SYSTEM privileges on a domain-joined Windows host, we can instead query the domain as the machine account, since a computer object is treated like a domain user account.
Using enum4linux
We can again use enum4linux to leverage SMB NULL sessions and LDAP anonymous binds to obtain a list of usernames with the -U
option, cutting the names out of the user:[name] rid:[...] lines it prints:
enum4linux -U IP | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
Using rpcclient
After connecting with rpcclient as a NULL session, we can run enumdomusers
to list the domain users:
rpcclient -U "" -N 172.16.5.5
rpcclient $> enumdomusers
Using CrackMapExec
We can run this tool with the --users
flag to list domain users together with their invalid login attempt count (badpwdcount) and the time of the last invalid login attempt. This lets us drop accounts that are already close to the lockout threshold from our spray list.
Gathering Users with LDAP Anonymous
As discussed, we can use various tools to gather users when we find an LDAP anonymous bind:
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
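As an added example (not part of the original page), the Python below merges the outputs of the user-gathering methods above, the user:[name] rid:[0x...] lines from enum4linux/rpcclient and the sAMAccountName lines from ldapsearch, into one de-duplicated target list. The sample outputs are constructed and the names are invented. It also handles the LDIF double-colon form that ldapsearch uses to base64-encode values with trailing spaces or non-ASCII characters (which the grep/cut pipeline above silently mangles), and drops computer accounts (names ending in $) and krbtgt, which are not useful spray targets.

```python
"""Build a de-duplicated target user list from NULL-session / anonymous-bind output.

Added example, not code from the original page. The sample outputs below are
constructed to match the line formats of enum4linux/rpcclient (user:[...] rid:[...])
and ldapsearch LDIF (sAMAccountName: ...); the names are invented.
"""
import base64
import re

# Constructed sample: enum4linux -U / rpcclient enumdomusers style lines.
RPC_SAMPLE = """\
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[htb-student] rid:[0x457]
user:[avazquez] rid:[0x458]
"""

# Constructed sample: raw ldapsearch output for sAMAccountName attributes.
# The "::" line is how LDIF encodes a value as base64 (here "jsmith").
LDAP_SAMPLE = """\
sAMAccountName: Administrator
sAMAccountName: Guest
sAMAccountName: ACADEMY-EA-DC01$
sAMAccountName: avazquez
sAMAccountName: pfalcon
sAMAccountName:: anNtaXRo
"""

RPC_RE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
LDIF_RE = re.compile(r"^sAMAccountName(?P<sep>::?)\s*(?P<value>.*?)\s*$")


def users_from_rpcclient(text):
    """Return (username, rid) pairs from user:[name] rid:[0x..] lines."""
    return [(m.group("name"), int(m.group("rid"), 16))
            for m in RPC_RE.finditer(text)]


def users_from_ldif(text):
    """Return sAMAccountName values from ldapsearch (LDIF) output, decoding base64 values."""
    names = []
    for line in text.splitlines():
        m = LDIF_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if m.group("sep") == "::":  # LDIF base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        names.append(value)
    return names


def build_target_list(*sources, skip=("krbtgt",)):
    """Merge name lists from several sources into one spray/enumeration list.

    Drops machine accounts (trailing $) and skip-listed names, and de-duplicates
    case-insensitively while keeping the first spelling seen.
    """
    seen = set()
    targets = []
    for names in sources:
        for name in names:
            key = name.casefold()
            if name.endswith("$") or key in skip or key in seen:
                continue
            seen.add(key)
            targets.append(name)
    return targets


if __name__ == "__main__":
    rpc_names = [name for name, _ in users_from_rpcclient(RPC_SAMPLE)]
    targets = build_target_list(rpc_names, users_from_ldif(LDAP_SAMPLE))
    # Save this list to a file and feed it to kerbrute userenum or a sprayer.
    print("\n".join(targets))
```

The RID is kept alongside each rpcclient name because it is useful later: RIDs below 1000 are built-in accounts, and the highest RID hints at how many accounts the domain has created.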
Enumerating Users with Kerbrute
Kerbrute is an enumeration tool that brute forces and enumerates valid AD users by abusing Kerberos pre-authentication: it sends a TGT request (AS-REQ) for each candidate name and tells valid users from invalid ones by the KDC's error code.
Because this never attempts an actual logon, it does not trigger the standard failed-logon event (4625), which makes it harder for blue teams to spot. It is quieter, not invisible: when Kerberos Authentication Service auditing is enabled, each probe is logged as event 4768 (a TGT was requested) with failure code 0x19 for valid users.
First, make sure the Domain Controller's IP and the domain name are in the /etc/hosts
file, for example:
10.10.191.131 DOMAIN.local
A good list to use is the jsmith.txt
one from https://github.com/insidetrust/statistically-likely-usernames
kerbrute userenum -d DOMAIN.local --dc IP /jsmith.txt