🧺Password Hunting and Gathering

Enumerating Password Policies via SMB NULL Sessions (Linux)

Without credentials, we may be able to obtain a password password policy via SMB NULL session or LDAP anonymous bind.

SMB NULL sessions allow an unauthenticated attacker to retrieve information for the domain, such as a list of users, groups, computers and domain password policy.

Using rpcclient

We can use rpcclient to check a Domain controller for SMB Null session access.

rpcclient -U "" -N IP

Once connected we will can run querydominfo to obtain information about the domain.

We can then run getdompwinfo to get the password policy

Domain:		TESTDOMAIN
Server:		
Comment:	
Total Users:	3650
Total Groups:	0
Total Aliases:	37
Sequence No:	1
Force Logoff:	-1
Domain Server State:	0x1
Server Role:	ROLE_DOMAIN_PDC
Unknown 3:	0x1
rpcclient $> getdompwinfo
min_password_length: 8
password_properties: 0x00000001
	DOMAIN_PASSWORD_COMPLEX

Using enum4linux

We can use this tool to scan for NULL shares and retrieve information similarly to rpcclient. We cam also use the latest rewrite of enum4linux, enum4linux-ng which allow us to export data as YAML or JSON files.

enum4linux -P IP

enum4linux-ng -P IP -oA file-name

Enumerating Null Session (Windows)

It is a less common type of attack from Windows but is sometimes still used.

We can use the net use command to establish a null session from a Windows machine.

Establish a NULL session

net use \\DC01\ipc$ "" /u:""
The command completed successfully.

Enumerating Password Policy with LDAP Anonymous Bind (Linux)

The technique allows unauthenticated attackers to retrieve information from the domain. This is a legacy configuration and as of Windows Server 2003, only authenticated users are permitted to run LDAP requests.

We can use tools such as windapsearch.py, ldapsearch and ad-ldapdomaindump.py to pull the password policy.

Using ldapsearch

ldapsearch -h IP -x -b "DC=DOMAIN-NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Enumerating Password Policy (Windows)

If we can authenticate to the domain for a Windows host we can use built-in Windows binaries such as net.exe to retrieve the password policy.

Using net.exe

net accounts

From this command, we should be able to see the following information:

If passwords expire (Maximum password age set to Unlimited)
The minimum password length
The lockout threshold
Time accounts remained locked out for

An eight-letter character minimum password policy is a great candidate for password spraying!

Using PowerView

import-module .\PowerView.ps1
Get-DomainPolicy

PowerView will give us the same output as using net accounts but in a slightly different format.

Password Policy Analysis

The minimum password length:
- A common length for passwords is 8 characters, but more and more organizations are now beginning to enforce a 10-14 character password.
The account lockout threshold:
- It is not unusual to see a lower threshold such as 3 or even no threshold set
The lockout duration:
- 30 minutes is common to see but it's a good idea to make sure we adhere to this so we don't accidentally lockout an account
Password complexity is enabled:
- This means that a user must choose a password with 3/4 of the following: an uppercase letter, a lowercase letter, a number and at least a special characters.

Making a Target User List

If we are on an internal machine and don't have valid credentials, we can look for SMB NULL session or LDAP anonymous binds on Domain Controllers.

We can do this with the SYSTEM account because it can impersonate the computer. A computer object is treated as a domain user account.

Using enum4linux

We can again use enum4linux to leverage SMB Null sessions and LDAP anonymous binds to obtain a list of usernames using the -U option.

 enum4linux -U IP | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

Using rpcclient

We can use the command enumdomusers after connecting to rpcclient

rpcclient -U "" -N 172.16.5.5

Using CrackMapExec

We can run this tool with the --users flag to show invalid login attempts and the time of the last invalid login attempt.

Gathering Users with LDAP Anonymous

As discussed we can use various tools to gather users when we find an LDAP anonymous bind

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

Enumerating Users with Kerbrute

An enumeration tool used to brute force and enumerate valid AD users by using and abusing the Kerberos pre-authentication.

Bruteforcing Kerberos pre-authentication does not trigger the "account failed on log on" event, this means that it's harder for blue teams to spot.

First, make sure DNS and IP are in the etc/hosts file

ex: 10.10.191.131 DOMAIN.local

A fantastic list to use is the jsmith.txt one from https://github.com/insidetrust/statistically-likely-usernames

kerbrute userenum -d DOMAIN.local --dc IP /jsmith.txt

PreviousGetting a Foothold NextPassword Spraying

Last updated 1 year ago

Was this helpful?