# Password policy

When attacking Active Directory domains, directly targeting accounts is usually a good start: it can provide initial access and help attackers move laterally. The easiest way to compromise accounts is to perform password [bruteforcing](/ad/movement/credentials/bruteforcing.md), [guessing](/ad/movement/credentials/bruteforcing/guessing.md) or [spraying](/ad/movement/credentials/bruteforcing/password-spraying.md). This kind of attack usually yields good results depending on the users' awareness. There are however technical measures (lockout threshold, lockout duration, observation window) that are usually in place, forcing attackers to balance the number and rate of password attempts against the risk of locking accounts out.

In order to fine-tune the attack, the password policy (minimum length, complexity requirements, lockout threshold and observation window) can be obtained beforehand. This policy can sometimes be enumerated without credentials, through a null session (i.e. an [MS-RPC null session](/ad/recon/network/ms-rpc.md#null-sessions) or an [LDAP anonymous bind](/ad/recon/network/ldap.md)).

{% tabs %}
{% tab title="UNIX-like" %}
On UNIX-like systems, there are many alternatives that allow obtaining the password policy, like [polenum](https://github.com/Wh1t3Fox/polenum) (Python), [NetExec](https://github.com/Pennyw0rth/NetExec) (Python), [ldapsearch-ad](https://github.com/yaap7/ldapsearch-ad) (Python) and [enum4linux](/ad/recon/tools/enum4linux.md) (or its rewrite, enum4linux-ng).

```bash
# polenum (obtained through MS-RPC)
polenum -u $USER -p $PASSWORD -d $DOMAIN

# NetExec (obtained through MS-RPC)
netexec smb $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --pass-pol

# ldapsearch-ad (obtained through LDAP)
ldapsearch-ad.py -l $LDAP_SERVER -d $DOMAIN -u $USER -p $PASSWORD -t pass-pol

# enum4linux-ng (obtained through MS-RPC; -P = password policy, -w takes the domain/workgroup name)
enum4linux-ng -P -w $DOMAIN -u $USER -p $PASSWORD $DOMAIN_CONTROLLER
```

{% endtab %}

{% tab title="Windows" %}
From a domain-joined machine, the built-in `net` command (`net.exe`) can be used to obtain the password policy. Without `/domain`, `net accounts` shows the local machine's policy; with it, the domain's.

```powershell
net accounts
net accounts /domain
```

[PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) (PowerShell) can also be used, including from non-domain-joined machines by passing the target domain and credentials with its `-Domain` and `-Credential` parameters.

```powershell
Get-DomainPolicy
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
Accounts subject to lockout (i.e. a non-zero lockout threshold) can be attacked with [sprayhound](https://github.com/Hackndo/sprayhound) ([credential spraying](/ad/movement/credentials/bruteforcing/password-spraying.md)), which is designed to stay under the threshold, while accounts in domains with no lockout threshold can be directly bruteforced with [kerbrute](https://github.com/ropnop/kerbrute) ([Kerberos pre-auth bruteforcing](/ad/movement/kerberos/pre-auth-bruteforce.md)).
{% endhint %}
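The following script is an added example (not from the original page, nor from any of the tools above) showing what to do with the policy once enumerated: it parses the domain-root LDAP attributes that polenum, NetExec and ldapsearch-ad read (`minPwdLength`, `lockoutThreshold`, `lockoutDuration`, `lockOutObservationWindow`, `maxPwdAge`, `pwdProperties`), converts Active Directory's negative 100-nanosecond durations into minutes, decides between the "spray under the threshold" and "no lockout, bruteforce" cases described in the hint above, and drops candidate passwords the policy would never have accepted. The `ldapsearch` command in the comment and the `SAMPLE_LDIF` block are constructed for illustration; the DN `DC=corp,DC=local` and the safety margin of 2 attempts are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: the LDIF below is constructed sample output of a base-scope search on the
# domain root, e.g. (ldapsearch from OpenLDAP; DN and credentials are placeholders):
#   ldapsearch -x -H ldap://$DOMAIN_CONTROLLER -D "$USER@$DOMAIN" -w "$PASSWORD" \
#       -b "DC=corp,DC=local" -s base minPwdLength pwdHistoryLength maxPwdAge \
#       lockoutThreshold lockoutDuration lockOutObservationWindow pwdProperties
SAMPLE_LDIF = """\
dn: DC=corp,DC=local
minPwdLength: 7
pwdHistoryLength: 24
maxPwdAge: -36288000000000
lockoutThreshold: 5
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
pwdProperties: 1
"""

TICKS_PER_MINUTE = 10_000_000 * 60   # AD stores durations as negative 100 ns ticks
NEVER = -0x8000_0000_0000_0000       # "never expires" / "locked until an admin unlocks"
DOMAIN_PASSWORD_COMPLEX = 0x1        # pwdProperties flag enabling complexity requirements


@dataclass
class PasswordPolicy:
    min_pwd_length: int
    pwd_history_length: int
    max_pwd_age_min: Optional[int]       # None: passwords never expire
    lockout_threshold: int               # 0: no lockout at all
    lockout_duration_min: Optional[int]  # None: locked until an admin unlocks
    observation_window_min: int          # badPwdCount resets after this many quiet minutes
    complexity: bool


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader for 'attr: value' lines; names are lower-cased (LDAP is case-insensitive)."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            attrs[m.group(1).lower()] = m.group(2).strip()
    return attrs


def ticks_to_minutes(raw: str) -> Optional[int]:
    """Convert an AD duration (negative 100 ns ticks) to whole minutes; None means 'never'."""
    value = int(raw)
    if value in (0, NEVER):
        return None
    return abs(value) // TICKS_PER_MINUTE


def policy_from_ldif(text: str) -> PasswordPolicy:
    a = parse_ldif(text)
    return PasswordPolicy(
        min_pwd_length=int(a.get("minpwdlength", 0)),
        pwd_history_length=int(a.get("pwdhistorylength", 0)),
        max_pwd_age_min=ticks_to_minutes(a.get("maxpwdage", "0")),
        lockout_threshold=int(a.get("lockoutthreshold", 0)),
        lockout_duration_min=ticks_to_minutes(a.get("lockoutduration", "0")),
        observation_window_min=ticks_to_minutes(a.get("lockoutobservationwindow", "0")) or 0,
        complexity=bool(int(a.get("pwdproperties", 0)) & DOMAIN_PASSWORD_COMPLEX),
    )


def spray_plan(policy: PasswordPolicy, safety_margin: int = 2) -> Tuple[Optional[int], int]:
    """Return (guesses per account per round, minutes to wait before the next round).

    badPwdCount is reset once lockOutObservationWindow minutes pass without a failed logon, so a
    round may spend at most threshold - margin guesses per account (the margin absorbs failures
    caused by the users themselves), and the next round must wait for the window to elapse.
    A None guess count means no lockout: straight bruteforcing is possible.
    """
    if policy.lockout_threshold == 0:
        return None, 0
    attempts = max(policy.lockout_threshold - safety_margin, 1)
    return attempts, policy.observation_window_min


def meets_complexity(password: str) -> bool:
    """Windows complexity approximated as 3 of the 4 ASCII classes; the Unicode-alphabetic class
    and the 'must not contain the sAMAccountName' rule are omitted here."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def filter_candidates(policy: PasswordPolicy, candidates: List[str]) -> List[str]:
    """Drop guesses the policy would have rejected at set time: each one is a wasted attempt."""
    kept = []
    for pw in candidates:
        if len(pw) < policy.min_pwd_length:
            continue
        if policy.complexity and not meets_complexity(pw):
            continue
        kept.append(pw)
    return kept


if __name__ == "__main__":
    pol = policy_from_ldif(SAMPLE_LDIF)
    attempts, wait = spray_plan(pol)
    print(pol)
    print(f"spray at most {attempts} guesses per account, then wait {wait} min before the next round")
    print(filter_candidates(pol, ["password", "Winter2024!", "Summer23", "abc", "Corp2024", "p@ssw0rd"]))
```

With the constructed policy (threshold 5, 30-minute window), the plan is 3 guesses per account per round with a 30-minute pause between rounds, and "password" and "abc" are discarded before the first attempt. A `lockoutDuration` of "never" (the `NEVER` sentinel) deserves a larger margin, since a mistake then needs an administrator to undo it.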

