Empty password
It is possible that accounts have an empty password if the useraccountcontrol attribute contains the value PASSWD_NOT_REQ.
Configuring
Login on
DC02with the usernameAdministratorand passwordWelcome01!.Open the "Active Directory Users and Computers" administration tool on
DC02
3. Click on "View" and enable "Advanced Features".
4. Right click the "Users" section and select "New" and then "User". Create a new user named bank_dev with the password Password01!. Make sure to deselect "User must change password at next logon" and select "Password never expires".
4. Right click the user and select "Properties". Open the tab "Attribute Editor", search for "Useraccountcontrol" and click "Edit".
5. Set the value to 544 and cick "OK".
6. Click "Apply" and "OK".
7. Right click on bank_dev and select "Reset Password". Uncheck "User must change password at next logon" and make sure the Password fields are empty. Click on "OK"
Attacking
How it works
It is possible that accounts have an empty password if the useraccountcontrol attribute contains the value PASSWD_NOT_REQ. With access to a normal domain user we could request all users with this attribute set.
Tools
Executing the attack
Use the discovered credentials
johnand passwordWelcome2022!with CrackMapExec to authenticate over ldap and request all users with the valuePASSWD_NOT_REQset.
2. We already knew the user steve had a empty password from our initial access attacks. The Guest password is empty by default, but this account is also disabled by default. We can check if bank_dev user has a empty password just like we did earlier.
The password is indeed empty.
Defending
Recommendations
Periodically check for users with the
PASSWD_NOT_REQattribute and remove it.
Check for users with the attribute:
Remove the attribute:
Check for users with the attribute and remove the attribute:
Detection
References
Last updated
