Bruteforcing Windows Accounts
Author: HollyGraceful Published: 19 October 2020 Last Updated: 05 July 2023
A common configuration on Windows Active Directory accounts is to have an account lockout threshold of say, 5 invalid attempts, and an observation window of 30 minutes. This is likely due to the fact that the “Suggested Setting” after setting a threshold is to enable a short observation window. As shown:
The suggested settings open an insecurity, allowing for account bruteforce
When setting an account lockout threshold, Windows “suggests” that you set the observation window at the same time, to 30 minutes. The observation window is often overlooked as a security risk; however it allows a threat actor to perform a bruteforce attack without locking an account.
An account with a lockout threshold of 5 attempts and an observation window of 30 minutes would lock after 5 attempts within 30 minutes; but not if 4 attempts were tried continuously every 30 minutes – that’s 192 attempts per day, per account.
A quick way to validate if this issue is configured is to check the domain policy, which can be done with the net accounts comment (although this will not take into account FGPP if configured):
The net command can be used to check the configured observation window
python3 patator.py smb_login --rate-limit 60 -t 1 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt host=10.0.0.4 domain=akimbo.core.labs
In the above a delay of 60 seconds has been configured with a single thread; although this can be configured however is appropriate to avoid the current observation window. The following screenshot shows an example of the output:
Patator is one tools which can be configured to perform a bruteforce with a delay.