Password Policy

Ah, passwords. Having a user's password is less impactful against an organization's external perimeter these days, thanks to technical controls such as strong MFA, but it can definitely be powerful once you have gained access to the organization's internal network.

In my opinion, it's important to know the target organization's password policy, as it says a lot about the organization's cybersecurity maturity. Of course, it also feeds directly into password spraying: the lockout threshold and observation window tell you how many guesses per account you can afford without locking anyone out.

Default Domain Password Policy

As the name implies, the Default Domain Password Policy is the policy that applies to every domain user unless a more specific policy (a Fine-Grained Password Policy) overrides it.

Each Active Directory domain has a Default Domain Password Policy. Its settings are defined in the Default Domain Policy GPO, which has a well-known GUID, and the domain controllers write them to attributes on the domain's root object (minPwdLength, pwdHistoryLength, minPwdAge, maxPwdAge, pwdProperties, lockoutThreshold, lockoutDuration and lockOutObservationWindow). The GPO's full AD object path looks something like:

CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=weelee,DC=local

Tools that retrieve the default domain password policy do not need to parse the GPO itself: they either read those attributes from the domain root object over LDAP, or ask a domain controller for them over SAMR (SamrQueryInformationDomain) via SMB, which is what NetExec's --pass-pol option does. You could craft an ldapsearch query for the attributes yourself, but we can rely on existing tools such as NetExec to do this as well. Note that the target host is a required positional argument:

# Get the Default Domain Password Policy (netexec and nxc are the same tool)
netexec smb [target] -u [username] -p [password] -d [domain] --pass-pol

Fine-Grained Password Policy

Fine-Grained Password Policies allow administrators to apply different password policies to specific users or groups, overriding the default domain password policy (they require a domain functional level of Windows Server 2008 or higher). Each one is a Password Settings Object (PSO, object class msDS-PasswordSettings) stored in the Password Settings Container in Active Directory:

CN=Password Settings Container,CN=System,DC=weelee,DC=local

Tools that search for Fine-Grained Password Policies look for msDS-PasswordSettings objects under this container. Each PSO lists the users and groups it targets in its msDS-PSOAppliesTo attribute, and when several apply to one account, a PSO linked directly to the user wins over one linked through a group; within a tier, the lowest msDS-PasswordSettingsPrecedence wins. Keep in mind that by default only Domain Admins can read PSO objects, so an empty result from a low-privileged account does not prove that no FGPP exists.
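The following script is an added example for both the default policy and the FGPP sections above; it is not code from the original page nor from NetExec. It builds the two ldapsearch (OpenLDAP client) queries that fetch the raw attributes, decodes the values AD returns (durations are negative 100-nanosecond intervals, complexity is a bit in pwdProperties), resolves which policy applies to a given user using the direct-link-then-lowest-precedence rule, and turns the lockout settings into a spraying budget. The domain weelee.local comes from the page; the host dc01, the user and PSO records, and the objectGUID strings are constructed sample data, not captured from a real domain, and the caller is assumed to supply a user's flattened (nested) group membership.

```python
"""Decode and resolve Active Directory password policies from raw LDAP attributes.

Added example, not code from the original page or from NetExec. It assumes AD's
documented attribute names and encodings; every sample record below is constructed.
"""
from __future__ import annotations
import shlex
from dataclasses import dataclass

TICKS_PER_MINUTE = 600_000_000   # AD stores durations as negative 100-ns intervals
NEVER = -0x8000000000000000      # "never expires" / "locked until an administrator unlocks"
DOMAIN_PASSWORD_COMPLEX = 0x1    # pwdProperties bit (MS-SAMR DOMAIN_PASSWORD_INFORMATION)

# Attributes on the domain root object, populated from the Default Domain Policy GPO.
DOMAIN_ATTRS = ["minPwdLength", "pwdHistoryLength", "maxPwdAge", "minPwdAge", "pwdProperties",
                "lockoutThreshold", "lockoutDuration", "lockOutObservationWindow"]
# Attributes of msDS-PasswordSettings objects under the Password Settings Container.
PSO_ATTRS = ["cn", "objectGUID", "msDS-PasswordSettingsPrecedence", "msDS-MinimumPasswordLength",
             "msDS-PasswordHistoryLength", "msDS-PasswordComplexityEnabled", "msDS-MaximumPasswordAge",
             "msDS-MinimumPasswordAge", "msDS-LockoutThreshold", "msDS-LockoutDuration",
             "msDS-LockoutObservationWindow", "msDS-PSOAppliesTo"]


def ldapsearch_commands(dc_host: str, base_dn: str, bind_dn: str) -> list[str]:
    """Return the two OpenLDAP ldapsearch invocations that fetch the raw attributes above."""
    common = f"ldapsearch -H ldap://{dc_host} -D {shlex.quote(bind_dn)} -W"
    psc = f"CN=Password Settings Container,CN=System,{base_dn}"
    return [
        f"{common} -b {shlex.quote(base_dn)} -s base '(objectClass=*)' {' '.join(DOMAIN_ATTRS)}",
        f"{common} -b {shlex.quote(psc)} -s one '(objectClass=msDS-PasswordSettings)' {' '.join(PSO_ATTRS)}",
    ]


def interval_to_minutes(value: int) -> int | None:
    """Convert an AD interval to whole minutes; None means 'never' (the most negative int64)."""
    return None if value == NEVER else abs(value) // TICKS_PER_MINUTE


@dataclass
class PasswordPolicy:
    source: str
    min_length: int
    history: int
    max_age_min: int | None            # None: passwords never expire
    min_age_min: int | None
    complexity: bool
    lockout_threshold: int             # 0: accounts never lock out
    lockout_duration_min: int | None   # None: locked until an administrator unlocks
    observation_window_min: int | None


def decode_domain_policy(a: dict) -> PasswordPolicy:
    """Decode the domain root object's attributes (the Default Domain Password Policy)."""
    return PasswordPolicy("Default Domain Policy", int(a["minPwdLength"]), int(a["pwdHistoryLength"]),
                          interval_to_minutes(int(a["maxPwdAge"])), interval_to_minutes(int(a["minPwdAge"])),
                          bool(int(a["pwdProperties"]) & DOMAIN_PASSWORD_COMPLEX), int(a["lockoutThreshold"]),
                          interval_to_minutes(int(a["lockoutDuration"])),
                          interval_to_minutes(int(a["lockOutObservationWindow"])))


def decode_pso(a: dict) -> PasswordPolicy:
    """Decode one msDS-PasswordSettings object (a Fine-Grained Password Policy)."""
    return PasswordPolicy(a["cn"], int(a["msDS-MinimumPasswordLength"]), int(a["msDS-PasswordHistoryLength"]),
                          interval_to_minutes(int(a["msDS-MaximumPasswordAge"])),
                          interval_to_minutes(int(a["msDS-MinimumPasswordAge"])),
                          str(a["msDS-PasswordComplexityEnabled"]).upper() == "TRUE",
                          int(a["msDS-LockoutThreshold"]), interval_to_minutes(int(a["msDS-LockoutDuration"])),
                          interval_to_minutes(int(a["msDS-LockoutObservationWindow"])))


def effective_policy(user_dn: str, group_dns: list[str], psos: list[dict],
                     domain_policy: PasswordPolicy) -> PasswordPolicy:
    """Resolve the policy AD reports in msDS-ResultantPSO: a PSO linked directly to the user
    beats one linked through a group (group_dns must already include nested memberships);
    within a tier the lowest msDS-PasswordSettingsPrecedence wins, lowest objectGUID on a tie;
    with no applicable PSO the Default Domain Policy applies."""
    direct = [p for p in psos if user_dn in p["msDS-PSOAppliesTo"]]
    via_group = [p for p in psos if any(g in p["msDS-PSOAppliesTo"] for g in group_dns)]
    for tier in (direct, via_group):
        if tier:
            return decode_pso(min(tier, key=lambda p: (int(p["msDS-PasswordSettingsPrecedence"]), p["objectGUID"])))
    return domain_policy


def spray_budget(policy: PasswordPolicy) -> tuple[int | None, int | None]:
    """(guesses per account, minutes to wait before the next round) that stay one guess below
    the lockout threshold; (None, None) when the threshold is 0 and the account cannot lock out."""
    if policy.lockout_threshold == 0:
        return (None, None)
    return (policy.lockout_threshold - 1, policy.observation_window_min)


# Constructed sample records shaped like ldapsearch output for weelee.local (not real data).
DOMAIN_HEAD = {"minPwdLength": "7", "pwdHistoryLength": "24", "maxPwdAge": "-36288000000000",   # 42 days
               "minPwdAge": "-864000000000", "pwdProperties": "1", "lockoutThreshold": "0",      # 1 day
               "lockoutDuration": "-18000000000", "lockOutObservationWindow": "-18000000000"}    # 30 min
PSOS = [
    {"cn": "PSO-Tier0", "objectGUID": "1a2b", "msDS-PasswordSettingsPrecedence": "10",
     "msDS-MinimumPasswordLength": "20", "msDS-PasswordHistoryLength": "24",
     "msDS-PasswordComplexityEnabled": "TRUE", "msDS-MaximumPasswordAge": "-51840000000000",    # 60 days
     "msDS-MinimumPasswordAge": "-864000000000", "msDS-LockoutThreshold": "3",
     "msDS-LockoutDuration": str(NEVER), "msDS-LockoutObservationWindow": "-36000000000",        # 60 min
     "msDS-PSOAppliesTo": ["CN=Domain Admins,CN=Users,DC=weelee,DC=local"]},
    {"cn": "PSO-ServiceAccounts", "objectGUID": "3c4d", "msDS-PasswordSettingsPrecedence": "20",
     "msDS-MinimumPasswordLength": "15", "msDS-PasswordHistoryLength": "5",
     "msDS-PasswordComplexityEnabled": "TRUE", "msDS-MaximumPasswordAge": str(NEVER),
     "msDS-MinimumPasswordAge": "0", "msDS-LockoutThreshold": "10",
     "msDS-LockoutDuration": "-18000000000", "msDS-LockoutObservationWindow": "-18000000000",
     "msDS-PSOAppliesTo": ["CN=svc_sql,CN=Users,DC=weelee,DC=local"]},
]

if __name__ == "__main__":
    default = decode_domain_policy(DOMAIN_HEAD)
    admins = ["CN=Domain Admins,CN=Users,DC=weelee,DC=local"]
    for user, groups in [("CN=alice,CN=Users,DC=weelee,DC=local", ["CN=Domain Users,CN=Users,DC=weelee,DC=local"]),
                         ("CN=bob,CN=Users,DC=weelee,DC=local", admins),
                         ("CN=svc_sql,CN=Users,DC=weelee,DC=local", admins)]:   # direct PSO beats group PSO
        pol = effective_policy(user, groups, PSOS, default)
        print(f"{user.split(',')[0]:<12} -> {pol.source:<22} spray budget {spray_budget(pol)}")
    print("\n".join(ldapsearch_commands("dc01.weelee.local", "DC=weelee,DC=local", "weelee\\alice")))
```

Two details worth noticing when you run it: svc_sql is in Domain Admins but gets PSO-ServiceAccounts, because a PSO linked directly to the user beats the group-linked PSO regardless of precedence; and the default policy has lockoutThreshold 0, so accounts without a PSO can be sprayed without any lockout risk while Tier0 accounts lock permanently after three failures.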
