Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Enumeration

Password Policy

Password policy enumeration tells us whether spraying is safe, how often attempts can be made, and whether lockouts are enabled.

We check policy before spraying.


Null Or Guest Attempts

Try unauthenticated policy discovery:

rpcclient 10.10.10.200 -U '%' -c 'querydominfo'
rpcclient 10.10.10.200 -U 'guest%' -c 'querydominfo'
enum4linux-ng -P 10.10.10.200

If blocked, use valid low-privileged credentials after initial access:

nxc smb 10.10.10.200 -d ootw.local -u alice.wright -p 'StudentPass2026!' --pass-pol

Windows Commands

From a domain-joined workstation:

net accounts /domain

With the AD module:

Get-ADDefaultDomainPasswordPolicy

PowerView:

Get-DomainPolicy

Values That Matter

Record:

Lockout threshold
Lockout duration
Reset account lockout counter after
Minimum password length
Password history length
Maximum password age
Complexity enabled

Spraying is dangerous when:

Lockout threshold is low
Reset window is long
Users are high value
No approval exists for lockout risk

Spray Timing Rule

If policy says:

Lockout threshold: 5
Reset counter: 30 minutes

Then we do not send 5 guesses per user. We send at most 1 or 2 attempts per window.

For exams and labs, follow the lab rules. In real operations, coordinate lockout risk before spraying.


Detection

Defenders look for:

  • Security 4625 failed logons
  • Security 4771 Kerberos preauthentication failures
  • Security 4776 NTLM authentication failures
  • one source testing many accounts
  • password policy queries from unusual hosts

Remediation

  • enforce lockout thresholds
  • monitor failures across many accounts
  • use MFA on external and privileged access
  • disable legacy authentication where possible
  • alert on password policy enumeration from non-admin systems