# Empty password

## Configuring

1. Log in to `DC02` with the username `Administrator` and the password `Welcome01!`.
2. Open the "Active Directory Users and Computers" administration tool on `DC02`.

![](/files/qaaMAst9wLs9tzsmjutT)

3\. Click on "View" and enable "Advanced Features".

<div align="left"><img src="/files/me3BDSU3WZxwyqbiBol6" alt=""></div>

4\. Right click the "Users" section and select "New" and then "User". Create a new user named `bank_dev` with the password `Password01!`. Make sure to deselect "User must change password at next logon" and select "Password never expires".

<div align="left"><img src="/files/Yt9sGIND50ErI4CqBnGQ" alt=""></div>

5\. Right click the user and select "Properties". Open the tab "Attribute Editor", search for "Useraccountcontrol" and click "Edit".

<div align="left"><img src="/files/gnvLMc3FewlP1BJZAGgo" alt=""></div>

6\. Set the value to `544` and click "OK".

<div align="left"><img src="/files/Y5cd44vzhrWaBiJi4a1b" alt=""></div>

7\. Click "Apply" and "OK".

8\. Right click on `bank_dev` and select "Reset Password". Uncheck "User must change password at next logon" and make sure the Password fields are empty. Click on "OK".

<div align="left"><img src="/files/GGyWiUVQnscok5HmfbAi" alt=""></div>

## Attacking

### How it works

It is **possible** that an account has an empty password if its `userAccountControl` attribute has the `PASSWD_NOT_REQ` flag set; the flag only allows a blank password, it does not guarantee one. With access to a normal domain user we can request all users that have this flag set.
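As an added example that is not code from the lab page, the following Python decodes the `userAccountControl` bitmask and lists the enabled accounts that carry the `PASSWD_NOTREQD` flag (reported as `PASSWD_NOT_REQ` by the tooling above). The account values are constructed stand-ins for an LDAP query result; only the `544` set on `bank_dev` comes from the page.

```python
"""Decode userAccountControl and list accounts that may have an empty password.

Added example, not code from the lab page. The records below are constructed
stand-ins for an LDAP query result; the flag values are the documented
userAccountControl bit positions.
"""

# userAccountControl bit flags (subset) as documented by Microsoft.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample: sAMAccountName -> userAccountControl for the lab's users.
# 544 is the value the page sets on bank_dev (NORMAL_ACCOUNT | PASSWD_NOTREQD).
SAMPLE_ACCOUNTS = {
    "Administrator": 66048,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "Guest": 66082,          # ... | PASSWD_NOTREQD | ACCOUNTDISABLE
    "john": 512,             # NORMAL_ACCOUNT only
    "bank_dev": 544,         # NORMAL_ACCOUNT | PASSWD_NOTREQD
}


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def password_not_required(accounts: dict[str, int], include_disabled: bool = False) -> list[str]:
    """Accounts with PASSWD_NOTREQD set. Disabled accounts (like the built-in
    Guest) are skipped by default, since nobody can log on to them anyway."""
    hits = []
    for name, uac in accounts.items():
        if uac & PASSWD_NOTREQD and (include_disabled or not uac & ACCOUNTDISABLE):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name:14} {uac:6}  {' | '.join(decode_uac(uac))}")
    print("Review these accounts:", password_not_required(SAMPLE_ACCOUNTS))
```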

### Tools

* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)

### Executing the attack

1. Use the discovered username `john` and password `Welcome2022!` with CrackMapExec to authenticate over LDAP and request all users with the `PASSWD_NOT_REQ` flag set.

```
crackmapexec ldap 10.0.0.3 -u john -p Welcome2022! --password-not-required
```

<div align="left"><img src="/files/38w7zmYuAXI8bi2XleBu" alt=""></div>

2\. We already knew the user `steve` had an empty password from our initial access attacks. The `Guest` account's password is empty by default, but that account is also disabled by default. We can check whether the `bank_dev` user has an empty password just like we did earlier.

```
crackmapexec smb 10.0.0.3 -u bank_dev -p ''
```

![](/files/Oz83qxSKAVJFUEwgKkPf)

The password is indeed empty.

## Defending

### Recommendations

* Periodically check for users with the `PASSWD_NOT_REQ` flag set in `userAccountControl` and remove it.

Check for users with the attribute:

```
Get-ADUser -Filter {PasswordNotRequired -eq $true} | Select-Object samAccountName
```

Remove the attribute:

```
Set-ADAccountControl -PasswordNotRequired $false -Identity <USER>
```

Check for users with the attribute and remove the attribute:

```
Get-ADUser -Filter {PasswordNotRequired -eq $true} | Set-ADAccountControl -PasswordNotRequired $false
```

### Detection

## References

{% embed url="https://specopssoft.com/blog/find-ad-accounts-using-password-not-required-blank-password/" %}

{% embed url="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1" %}

{% embed url="https://github.com/byt3bl33d3r/CrackMapExec" %}
