PRIMARY CATEGORY → WINDOWS RECONNAISSANCE
Theory
When assessing an Active Directory environment from an anonymous position, there is a point at which an operator has gathered several domain user accounts, either through OSINT or through an exhaustive user enumeration with kerbrute and a wordlist such as one from statistically-likely-usernames.
At that point, one TTP to take into account is password spraying, where an adversary makes several logon attempts against a given service using a list of users and a single password.
Before proceeding, the domain password policy must be checked in order to avoid locking out any domain user account.
Any authenticated domain user can list this information. In some environments, however, an operator can also retrieve it through an SMB Null Authentication or an LDAP Anonymous Bind.
SMB
Null Authentication
nxc smb <TARGET> --username '' --password '' --pass-pol
RPC
rpcclient --user '' --no-pass --command 'getdompwinfo' <TARGET>
LDAP
Anonymous Bind
ldapsearch -x -H 'ldap://<TARGET>' -b 'DC=<DOMAIN>,DC=<TLD>' | grep -m 1 -B 10 pwdHistoryLength
Enumeration - Linux
Netexec
nxc smb <TARGET> --username '<USER>' --password '<PASSWD>' --pass-pol
RPCclient
rpcclient --user '<USER>%<PASSWD>' --command 'getdompwinfo' <TARGET>
Ldapsearch
ldapsearch -x -H 'ldap://<TARGET>' -D '<USER>@<DOMAIN>' -w '<PASSWD>' -b 'DC=<DOMAIN>,DC=<TLD>' | grep -m 1 -B 10 pwdHistoryLength
Enumeration - Windows
Net Command
net accounts
Powerview
Get-DomainPolicy
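The ldapsearch commands above return the policy as raw attributes: durations such as lockoutDuration and maxPwdAge are negative counts of 100 ns ticks, and pwdProperties is a bit field. The following added example (not part of the original notes) decodes a constructed LDIF snippet into readable values and lists the settings a defender would want to tighten; the attribute names are the real AD schema names, the sample values and the 14-character threshold are assumptions.

```python
# Added example (not from the original notes): decode the domain password policy.
from datetime import timedelta
# Constructed ldapsearch output for the domain root; names real, values invented.
SAMPLE_LDIF = """\
lockoutThreshold: 5
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
minPwdLength: 7
pwdHistoryLength: 24
maxPwdAge: -36288000000000
pwdProperties: 1
"""
NEVER = -2**63                 # AD encodes "never expires" as INT64_MIN
DOMAIN_PASSWORD_COMPLEX = 0x1  # pwdProperties bit flag defined in MS-SAMR

def parse_ldif(text):
    """Map attribute -> value for one LDIF entry (no continuation lines)."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs

def interval(value):
    """Convert an AD tick count (negative, 100 ns units) to a timedelta; None means never."""
    ticks = int(value)
    return None if ticks == NEVER else timedelta(microseconds=abs(ticks) / 10)

def decode_policy(attrs):
    return {
        "lockout_threshold": int(attrs["lockoutThreshold"]),
        "lockout_duration": interval(attrs["lockoutDuration"]),
        "observation_window": interval(attrs["lockOutObservationWindow"]),
        "min_length": int(attrs["minPwdLength"]),
        "history_length": int(attrs["pwdHistoryLength"]),
        "max_age": interval(attrs["maxPwdAge"]),
        "complexity": bool(int(attrs["pwdProperties"]) & DOMAIN_PASSWORD_COMPLEX),
    }

def weaknesses(policy):
    """Settings a defender should tighten; an empty list means nothing flagged."""
    checks = [
        (policy["lockout_threshold"] == 0, "lockoutThreshold 0: accounts never lock out"),
        (policy["min_length"] < 14, "minPwdLength below 14"),
        (not policy["complexity"], "password complexity disabled"),
        (policy["max_age"] is None, "maxPwdAge never: passwords do not expire"),
    ]
    return [msg for hit, msg in checks if hit]
```

With the sample above, the only finding is the short minimum length; a lockoutThreshold of 0 or a maxPwdAge of INT64_MIN would each add a further entry.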