Password Policy

Built-in Administrator account

By design, the built-in Administrator account is exempt from the Account Lockout Policy. This ensures that critical administrative access is always available, even in cases of brute force or accidental lockout attempts. The logic: If this account were locked and no other Domain Admin account exists, it could prevent recovery during emergencies.

Brute force the built-in Administrator account

Authent

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

Null session

RPCclient

rpcclient -U "" -N 172.16.5.5

rpcclient $> querydominfo

rpcclient $> getdompwinfo

Enum4linux

enum4linux -P 172.16.5.5

enum4linux-ng -P 172.16.5.5 -oA ilfreight

LDAPsearch

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Windows CMD

C:\htb> net use \\DC01\ipc$ "" /u:""
The command completed successfully.

C:\htb> net accounts

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.

Powershell - Powerview

PS C:\htb> import-module .\PowerView.ps1
PS C:\htb> Get-DomainPolicy

Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=-1; MinimumPasswordLength=8; PasswordComplexity=1;
                 PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=30; LockoutDuration=30;
                 RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
                 LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version        : @{signature="$CHICAGO$"; Revision=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Path           : \\INLANEFREIGHT.LOCAL\sysvol\INLANEFREIGHT.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHI
                 NE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy

Entropy Calculator

PreviousUsers Identification NextPassword Spray

Last updated 1 month ago