# Password Policy

Ah, passwords. While user passwords have less impact on an organization's external network these days thanks to technical controls such as strong MFA, they can definitely be powerful once you've gained access to the organization's internal network.

In my opinion, it's important to know the target organization's password policy, as it can say a lot about the organization's cybersecurity maturity. Of course, it can also aid in things like password spraying attacks!

### Default Domain Password Policy

As implied, the Default Domain Password Policy is the default password policy that all domain users follow unless a more specific policy overrides it.

Each Active Directory domain has a Default Domain Password Policy stored in the Default Domain Policy GPO, which has a well-known GUID. The full AD object path looks something like:

```
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=weelee,DC=local
```

Tools that search for the default domain password policy will typically use LDAP to look for this AD object. You could craft an [ldapsearch](https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html) query to search for this AD object, but we can rely on existing tools such as NetExec to do this as well.

{% tabs %}
{% tab title="NetExec" %}
{% embed url="<https://github.com/Pennyw0rth/NetExec>" %}

```fish
# Get the Default Domain Password Policy
netexec smb [DC IP] -u [username] -p [password] -d [domain] --pass-pol
```

{% endtab %}

{% tab title="ldapsearch" %}

```fish
ldapsearch -x -H ldap://dc.domain.local \
-D "username@domain" -w 'password' \
-b "DC=domain,DC=local" \
-s base "(objectClass=domainDNS)" \
maxPwdAge minPwdAge minPwdLength pwdHistoryLength pwdProperties lockoutThreshold lockoutDuration lockoutObservationWindow
```

{% endtab %}
{% endtabs %}
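
The attributes returned by the ldapsearch query above are hard to read raw: the age and lockout intervals are negative counts of 100-nanosecond ticks, and `pwdProperties` is a bitmask. The following is an added example (not part of the original page or of any tool it mentions) that decodes that output and flags weak settings; the sample output is constructed and the length baseline of 12 is an assumption.

```python
import re

INT64_MIN = -(2**63)
TICKS_PER_SECOND = 10_000_000  # AD stores intervals as negative 100-ns ticks
INTERVAL_ATTRS = {"maxpwdage", "minpwdage", "lockoutduration", "lockoutobservationwindow"}
PWD_FLAGS = {  # pwdProperties bits (DOMAIN_PASSWORD_* constants)
    0x01: "DOMAIN_PASSWORD_COMPLEX", 0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE", 0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT", 0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
MIN_LENGTH_BASELINE = 12  # assumption: audit baseline chosen for this example

# Constructed sample of ldapsearch output, not taken from a real domain.
SAMPLE_LDIF = """\
dn: DC=domain,DC=local
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
pwdProperties: 0
lockoutThreshold: 0
lockoutDuration: -18000000000
"""

def parse_policy(ldif):
    """Decode numeric 'attr: value' lines into seconds, flag names or integers."""
    policy = {}
    for name, raw in re.findall(r"^([\w-]+): (-?\d+)$", ldif, re.M):
        key, value = name.lower(), int(raw)
        if key in INTERVAL_ATTRS:
            # 0 or INT64_MIN means no interval is set (e.g. passwords never expire)
            value = None if value in (0, INT64_MIN) else -value // TICKS_PER_SECOND
        elif key == "pwdproperties":
            value = [flag for bit, flag in PWD_FLAGS.items() if value & bit]
        policy[key] = value
    return policy

def audit(policy):
    """Return the weak settings found in a decoded policy."""
    flags = policy.get("pwdproperties", [])
    checks = [
        (policy.get("lockoutthreshold") == 0, "no account lockout"),
        (policy.get("minpwdlength", 0) < MIN_LENGTH_BASELINE, "minimum length below baseline"),
        ("DOMAIN_PASSWORD_COMPLEX" not in flags, "complexity not enforced"),
        ("DOMAIN_PASSWORD_STORE_CLEARTEXT" in flags, "reversible encryption enabled"),
    ]
    return [message for failed, message in checks if failed]

if __name__ == "__main__":
    print(parse_policy(SAMPLE_LDIF))
    print(audit(parse_policy(SAMPLE_LDIF)))
```

For the constructed sample, the decoded maximum password age is 3628800 seconds (42 days) and the lockout duration is 1800 seconds (30 minutes).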

### Fine-Grained Password Policy

Fine-Grained Password Policies allow administrators to apply different password policies to specific users or groups, overriding the default domain password policy. They are stored in the Password Settings Container in Active Directory:

```
CN=Password Settings Container,CN=System,DC=weelee,DC=local
```

Tools that search for Fine-Grained Password Policies look for this container.

{% tabs %}
{% tab title="Get-FGPP" %}
{% embed url="<https://github.com/n00py/GetFGPP>" %}

{% code title="Linux" %}

```fish
fgpp.py -l [DC IP] -d [domain] -u [username] -p [password]
```

{% endcode %}
{% endtab %}

{% tab title="ldapsearch" %}
{% embed url="<https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html>" %}

{% code title="Linux" %}

```fish
# List Fine-Grained Password Policies (-x: simple bind with -D/-w)
ldapsearch -x \
  -H ldap://[DC IP] -D 'username@domain' -w 'password' \
  -b 'CN=Password Settings Container,CN=System,DC=sccm,DC=lab' \
  -s one '(objectClass=msDS-PasswordSettings)' \
  cn msDS-MinimumPasswordLength msDS-MaximumPasswordAge msDS-LockoutThreshold msDS-PSOAppliesTo
```

{% endcode %}
{% endtab %}
{% endtabs %}
