Password policy enumeration tells us whether spraying is safe, how often attempts can be made, and whether lockouts are enabled.
We check policy before spraying.
Null Or Guest Attempts
Try unauthenticated policy discovery:
rpcclient 10.10.10.200 -U '%' -c 'querydominfo'
rpcclient 10.10.10.200 -U 'guest%' -c 'querydominfo'
enum4linux-ng -P 10.10.10.200
If blocked, use valid low-privileged credentials after initial access:
nxc smb 10.10.10.200 -d ootw.local -u alice.wright -p 'StudentPass2026!' --pass-pol
Windows Commands
From a domain-joined workstation:
net accounts /domain
With the AD module:
Get-ADDefaultDomainPasswordPolicy
PowerView:
Get-DomainPolicy
Values That Matter
Record:
Lockout threshold
Lockout duration
Reset account lockout counter after
Minimum password length
Password history length
Maximum password age
Complexity enabled
Spraying is dangerous when:
Lockout threshold is low
Reset window is long
Users are high value
No approval exists for lockout risk
Spray Timing Rule
If policy says:
Lockout threshold: 5
Reset counter: 30 minutes
Then we do not send 5 guesses per user. We send at most 1 or 2 attempts per window.
For exams and labs, follow the lab rules. In real operations, coordinate lockout risk before spraying.
Detection
Defenders look for:
- Security 4625 failed logons
- Security 4771 Kerberos preauthentication failures
- Security 4776 NTLM authentication failures
- one source testing many accounts
- password policy queries from unusual hosts
Remediation
- enforce lockout thresholds
- monitor failures across many accounts
- use MFA on external and privileged access
- disable legacy authentication where possible
- alert on password policy enumeration from non-admin systems