Empty password
It is possible that accounts have an empty password if the useraccountcontrol attribute contains the value PASSWD_NOT_REQ.
Configuring
Login on
DC02
with the usernameAdministrator
and passwordWelcome01!
.Open the "Active Directory Users and Computers" administration tool on
DC02
3. Click on "View" and enable "Advanced Features".
4. Right click the "Users" section and select "New" and then "User". Create a new user named bank_dev
with the password Password01!
. Make sure to deselect "User must change password at next logon" and select "Password never expires".
4. Right click the user and select "Properties". Open the tab "Attribute Editor", search for "Useraccountcontrol" and click "Edit".
5. Set the value to 544
and cick "OK".
6. Click "Apply" and "OK".
7. Right click on bank_dev
and select "Reset Password". Uncheck "User must change password at next logon" and make sure the Password fields are empty. Click on "OK"
Attacking
How it works
It is possible that accounts have an empty password if the useraccountcontrol attribute contains the value PASSWD_NOT_REQ
. With access to a normal domain user we could request all users with this attribute set.
Tools
Executing the attack
Use the discovered credentials
john
and passwordWelcome2022!
with CrackMapExec to authenticate over ldap and request all users with the valuePASSWD_NOT_REQ
set.
2. We already knew the user steve
had a empty password from our initial access attacks. The Guest
password is empty by default, but this account is also disabled by default. We can check if bank_dev
user has a empty password just like we did earlier.
The password is indeed empty.
Defending
Recommendations
Periodically check for users with the
PASSWD_NOT_REQ
attribute and remove it.
Check for users with the attribute:
Remove the attribute:
Check for users with the attribute and remove the attribute:
Detection
References
Last updated