Enumerating & Retrieving Password Policies
Obtaining the domain password policy is critical before password spraying to avoid locking out accounts. Methods vary depending on whether you have credentials, and whether the domain allows unauthenticated access via SMB NULL sessions or LDAP anonymous binds.
From Linux - With Credentials
With valid domain credentials, use CrackMapExec or rpcclient to pull the policy remotely.
CrackMapExec
crackmapexec smb <DC_IP> -u <user> -p <pass> --pass-pol
Key fields to look for: minimum password length, account lockout threshold, lockout duration, reset lockout counter (observation window), password complexity flags.
rpcclient
rpcclient -U "<user>%<pass>" <DC_IP>
rpcclient $> getdompwinfo
From Linux - SMB NULL Sessions (No Credentials)
SMB NULL sessions allow unauthenticated retrieval of domain info including user lists, groups, and the password policy. This misconfiguration is common on legacy Domain Controllers upgraded in place.
rpcclient
rpcclient -U "" -N <DC_IP>
rpcclient $> querydominfo
rpcclient $> getdompwinfo
enum4linux
enum4linux -P <DC_IP>
enum4linux-ng (Python rewrite with JSON/YAML export)
enum4linux-ng -P <DC_IP> -oA <output_prefix>
Common Enumeration Tool Ports
| Tool | Ports |
|---|---|
| nmblookup | 137/UDP |
| nbtstat | 137/UDP |
| net | 139/TCP, 135/TCP, 49152-65535 TCP/UDP |
| rpcclient | 135/TCP |
| smbclient | 445/TCP |
From Linux - LDAP Anonymous Bind
A legacy configuration (the default changed in Windows Server 2003, which blocks anonymous LDAP operations). Use ldapsearch, windapsearch.py, or ad-ldapdomaindump.py.
ldapsearch -h <DC_IP> -x -b "DC=DOMAIN,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
Newer OpenLDAP clients deprecate -h; use -H ldap://<DC_IP> instead.
Look for: minPwdLength, pwdHistoryLength, lockoutThreshold, lockOutObservationWindow, lockoutDuration, maxPwdAge, pwdProperties. pwdProperties is a bitmask, not a boolean: bit 0x1 (DOMAIN_PASSWORD_COMPLEX) set means complexity is enabled. The duration attributes are stored as negative counts of 100-nanosecond intervals (e.g. -18000000000 is 30 minutes), and -9223372036854775808 means "never"/not set.
From Windows - With Credentials
net.exe (built-in, no tools needed)
net accounts
PowerView
Import-Module .\PowerView.ps1
Get-DomainPolicy
Other options: SharpView, CrackMapExec (Windows port), SharpMapExec.
From Windows - NULL Session
net use \\DC01\ipc$ "" /u:""
Common error codes to watch for:
| Error Code | Meaning |
|---|---|
| 1331 | Account is disabled |
| 1326 | Incorrect password |
| 1909 | Account is locked out |
Analyzing the Policy
Key fields and what they mean for password spraying:
| Policy | What to Look For |
|---|---|
| Minimum password length | 8 is common; 10-14 reduces spray options but doesn’t eliminate the vector |
| Account lockout threshold | Typically 3-5; if 0, no lockout (rare) |
| Lockout duration | 30 min is common; some orgs require manual admin unlock |
| Password complexity | If enabled, passwords must contain at least three of: uppercase, lowercase, digit, non-alphanumeric (Windows also counts letters from other Unicode scripts as a category) and must not contain the account name |
| Maximum password age | “Unlimited” means old weak passwords may still be in use |
Default Domain Policy (New Domain)
| Policy | Default Value |
|---|---|
| Enforce password history | 24 passwords remembered |
| Maximum password age | 42 days |
| Minimum password age | 1 day |
| Minimum password length | 7 |
| Complexity requirements | Enabled |
| Reversible encryption | Disabled |
| Account lockout duration | Not set |
| Account lockout threshold | 0 |
| Reset lockout counter after | Not set |
Spray Safety Guidelines
- If you have the policy: stay 2-3 attempts below the lockout threshold per lockout window.
- If you cannot obtain the policy: limit to 1-2 spray attempts total, waiting over an hour between them.
- Never lock out accounts. Some orgs require manual admin unlock for hundreds/thousands of accounts.
- When possible, ask the client for the policy if the assessment scope allows it.
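Decoding the LDAP attributes from the anonymous-bind section and turning them into the per-window budget these guidelines describe, as an added example (not code from the original notes). The LDIF block is constructed sample data, not output captured from a real domain controller; the attribute names, the 100-nanosecond interval encoding and the pwdProperties bitmask are the real AD ones. The `safety_margin` parameter and the "wait an hour if no window is set" fallback are assumptions that mirror the guidelines above.

```python
#!/usr/bin/env python3
"""Decode an AD domain's password-policy attributes and derive a spray schedule.

Added example for these notes, not a tool from the original page. SAMPLE_LDIF
is constructed data, not output from a real DC.
"""
import re
from datetime import timedelta

# Constructed sample: what `ldapsearch ... -b "DC=DOMAIN,DC=LOCAL"` prints for
# the domain object. Durations are negative 100-nanosecond counts.
SAMPLE_LDIF = """\
dn: DC=DOMAIN,DC=LOCAL
minPwdLength: 8
pwdHistoryLength: 24
pwdProperties: 1
lockoutThreshold: 5
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
maxPwdAge: -36288000000000
"""

# pwdProperties is a bitmask (MS-SAMR DOMAIN_PASSWORD_* flags), not a boolean.
PWD_PROPERTY_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

NEVER = -(1 << 63)  # 0x8000000000000000: "never" for maxPwdAge / lockoutDuration


def parse_ldif(text):
    """Collect single-valued 'attr: value' lines from ldapsearch output."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def interval_to_timedelta(raw):
    """AD stores durations as negative counts of 100 ns; NEVER means unlimited."""
    ticks = int(raw)
    if ticks == NEVER:
        return None
    return timedelta(microseconds=abs(ticks) // 10)


def decode_policy(attrs):
    props = int(attrs.get("pwdProperties", 0))
    return {
        "min_length": int(attrs["minPwdLength"]),
        "history": int(attrs["pwdHistoryLength"]),
        "complexity": bool(props & 0x01),
        "flags": [name for bit, name in PWD_PROPERTY_FLAGS.items() if props & bit],
        "lockout_threshold": int(attrs["lockoutThreshold"]),
        "lockout_duration": interval_to_timedelta(attrs["lockoutDuration"]),
        "observation_window": interval_to_timedelta(attrs["lockOutObservationWindow"]),
        "max_age": interval_to_timedelta(attrs["maxPwdAge"]),
    }


def spray_plan(policy, safety_margin=2):
    """Passwords per round and the wait between rounds.

    Stays `safety_margin` attempts below the lockout threshold (assumption:
    leaves room for a user's own typos inside the same window).
    """
    threshold = policy["lockout_threshold"]
    if threshold == 0:
        return {"attempts_per_round": None, "wait": None,
                "note": "no lockout configured; rate-limit anyway to limit noise"}
    attempts = threshold - safety_margin
    if attempts < 1:
        return {"attempts_per_round": 0, "wait": None,
                "note": "threshold too low to spray without risking lockouts"}
    # badPwdCount resets once the observation window has elapsed, so the next
    # round is safe only after a full window; with no window set, assume 1h+.
    wait = policy["observation_window"] or timedelta(hours=1)
    return {"attempts_per_round": attempts, "wait": wait, "note": ""}


if __name__ == "__main__":
    pol = decode_policy(parse_ldif(SAMPLE_LDIF))
    for key, value in pol.items():
        print(f"{key:20} {value}")
    print(spray_plan(pol))
```

Feed it the real ldapsearch output (or the equivalent values from `getdompwinfo` / `net accounts`) and read `attempts_per_round` and `wait` as the budget per spray round; a threshold of 0 still deserves a slow pace, since every failed bind lands in the DC's security log.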