Skip to content

Latest commit

 

History

History
197 lines (104 loc) · 4.4 KB

T1201.md

File metadata and controls

197 lines (104 loc) · 4.4 KB
Raw

T1201 - Password Policy Discovery

Description from ATT&CK

Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). An adversary may attempt to access detailed information about the password policy used within an enterprise network. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems. (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)

Windows

  • net accounts
  • net accounts /domain

Linux

  • chage -l
  • cat /etc/pam.d/common-password

macOS

  • pwpolicy getaccountpolicies

Atomic Tests


Atomic Test #1 - Examine password complexity policy - Ubuntu

Lists the password complexity policy to console on Ubuntu Linux.

Supported Platforms: Linux

Attack Commands: Run with bash!

cat /etc/pam.d/common-password


Atomic Test #2 - Examine password complexity policy - CentOS/RHEL 7.x

Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.

Supported Platforms: Linux

Attack Commands: Run with bash!

cat /etc/security/pwquality.conf

Dependencies: Run with bash!

Description: System must be CentOS or RHEL v7
Check Prereq Commands:
if [ $(rpm -q --queryformat '%{VERSION}') -eq "7" ]; then exit /b 0; else exit /b 1; fi;
Get Prereq Commands:
echo Please run from CentOS or RHEL v7


Atomic Test #3 - Examine password complexity policy - CentOS/RHEL 6.x

Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.

Supported Platforms: Linux

Attack Commands: Run with bash!

cat /etc/pam.d/system-auth
cat /etc/security/pwquality.conf

Dependencies: Run with bash!

Description: System must be CentOS or RHEL v6
Check Prereq Commands:
if [ $(rpm -q --queryformat '%{VERSION}') -eq "6" ]; then exit /b 0; else exit /b 1; fi;
Get Prereq Commands:
echo Please run from CentOS or RHEL v6


Atomic Test #4 - Examine password expiration policy - All Linux

Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.

Supported Platforms: Linux

Attack Commands: Run with bash!

cat /etc/login.defs


Atomic Test #5 - Examine local password policy - Windows

Lists the local password policy to console on Windows.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net accounts


Atomic Test #6 - Examine domain password policy - Windows

Lists the domain password policy to console on Windows.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net accounts /domain


Atomic Test #7 - Examine password policy - macOS

Lists the password policy to console on macOS.

Supported Platforms: macOS

Attack Commands: Run with bash!

pwpolicy getaccountpolicies