Polenum

Overview

Polenum is a Python-based security tool that extracts password policies and domain information from Windows domain controllers via RPC (Remote Procedure Call) protocol. It can query password complexity requirements, lockout policies, and other security settings without requiring valid domain credentials, making it essential for security assessments and penetration tests targeting Active Directory environments.

Installation

Linux (Debian/Ubuntu)

sudo apt-get install python3 python3-pip
pip3 install polenum

From Source (Impacket Required)

git clone https://github.com/Wh1t3Fox/polenum.git
cd polenum
pip3 install impacket
python3 polenum.py

Install Dependencies

pip3 install impacket
pip3 install pycrypto
pip3 install pycryptodome

Verify Installation

python3 polenum.py --version
python3 polenum.py --help

Core Concepts

RPC Protocol

Polenum uses RPC to communicate with domain controllers without authentication, exploiting the information disclosure inherent in Active Directory.

Password Policy Fields

Minimum Password Length: Minimum characters required
Password History: Number of previous passwords remembered
Maximum Password Age: Days before password expiration
Minimum Password Age: Minimum days between password changes
Password Complexity: Requirement for uppercase, lowercase, numbers, symbols
Account Lockout Threshold: Failed login attempts before lockout
Account Lockout Duration: Minutes account remains locked
Account Lockout Observation Window: Reset period for failed login counter

Domain Information Extracted

Domain name
Forest name
Domain functional level
Trust relationships
Default domain policy
Password complexity requirements
Kerberos settings

Basic Commands

Query Single Domain Controller

python3 polenum.py -u DOMAIN.com
python3 polenum.py 192.168.1.10

Query with Target Specification

python3 polenum.py -u DOMAIN.com -t 192.168.1.100

Query Specific User Account

python3 polenum.py -u DOMAIN.com -U username

List Domain Controllers

python3 polenum.py -u DOMAIN.com -l

Common Usage Patterns

Command	Description
`python3 polenum.py DOMAIN.com`	Query domain password policy
`python3 polenum.py 192.168.1.10`	Query DC by IP address
`python3 polenum.py -u DOMAIN.com -t DC_IP`	Target specific DC
`python3 polenum.py -u DOMAIN.com -U admin`	Query user account info
`python3 polenum.py -u DOMAIN.com -l`	List domain information
`python3 polenum.py DOMAIN.com -o output.txt`	Save results to file

Password Policy Enumeration

Basic Policy Query

python3 polenum.py DOMAIN.local

Verbose Output

python3 polenum.py -u DOMAIN.com -v
python3 polenum.py DOMAIN.local -vv

Query Specific DC

python3 polenum.py -u DOMAIN.com -t domain-controller.domain.com

Output Results to File

python3 polenum.py DOMAIN.com > policy_output.txt
python3 polenum.py DOMAIN.local -o domain_policy.txt

Domain Enumeration

Query Domain Information

python3 polenum.py -u DOMAIN.com

Get DC List

python3 polenum.py -u DOMAIN.com -l

Enumerate Trust Relationships

python3 polenum.py -u DOMAIN.com --trusts

Query User Information

python3 polenum.py -u DOMAIN.com -U username
python3 polenum.py -u DOMAIN.com -U "domain\username"

Advanced Techniques

Query Multiple Domains

for domain in domain1.com domain2.com domain3.com; do
    python3 polenum.py $domain >> all_policies.txt
done

Extract Kerberos Settings

python3 polenum.py DOMAIN.com | grep -i kerberos

Find Weak Password Policies

python3 polenum.py DOMAIN.com | grep -i "minimum password length"

Query with Network Range

for ip in 192.168.1.{10..20}; do
    python3 polenum.py $ip 2>/dev/null
done

Policy Analysis

Parsing Policy Output

python3 polenum.py DOMAIN.com | grep -A 5 "Password Policy"

Extract Specific Policy Fields

python3 polenum.py DOMAIN.com | grep "Password required"
python3 polenum.py DOMAIN.com | grep "Lockout"

Generate Policy Report

echo "=== Domain Password Policies ===" > report.txt
python3 polenum.py DOMAIN.com >> report.txt
python3 polenum.py -u DOMAIN.com -t DC2 >> report.txt

Security Assessment Scenarios

Multi-Domain Assessment

#!/bin/bash
DOMAINS=("DOMAIN1.com" "DOMAIN2.com" "DOMAIN3.local")

for domain in "${DOMAINS[@]}"; do
    echo "=== Querying $domain ===" >> assessment_report.txt
    python3 polenum.py $domain >> assessment_report.txt
    echo "" >> assessment_report.txt
done

Find Weak Password Requirements

python3 polenum.py DOMAIN.com | grep -i "minimum password length" | awk '{print $NF}'

Check Default Policies

python3 polenum.py DOMAIN.com | grep -i "default\|standard\|minimum"

Account Lockout Assessment

python3 polenum.py DOMAIN.com | grep -i "lockout"

Troubleshooting

Connection Refused

# Ensure network connectivity to DC
ping domain-controller.domain.com

# Verify RPC port 135 is accessible
nmap -p 135 192.168.1.10

DNS Resolution Issues

# Specify DC by IP instead of hostname
python3 polenum.py 192.168.1.10

# Add domain to hosts file
echo "192.168.1.10 domain.com" | sudo tee -a /etc/hosts

RPC Protocol Errors

# Try different RPC binding
python3 polenum.py -u DOMAIN.com -t DC_IP --rpc-port 135

Timeout Issues

# Increase timeout
timeout 60 python3 polenum.py DOMAIN.com

Output Examples

Standard Policy Output

[+] Attempting to connect to 192.168.1.10
[+] Successfully connected to domain.local

[+] Domain Admins: domain\Domain Admins (S-1-5-21-xxx)
[+] Domain Users: domain\Domain Users (S-1-5-21-xxx)

Password Policy:
    Complexity: Enabled
    Minimum Length: 8
    History: 5 previous passwords
    Maximum Age: 90 days
    Minimum Age: 1 day
    Lockout Threshold: 5 attempts
    Lockout Duration: 30 minutes

Domain Trust Information

[+] Trust Relationships Found:
    DOMAIN.local (Parent)
    CHILD.local (Child)
    EXTERNAL.com (External)

Integration with Other Tools

Export to JSON

python3 -c "
import json
# Parse polenum output and convert to JSON
policy_data = {
    'domain': 'DOMAIN.com',
    'min_length': 8,
    'complexity': True,
    'lockout_threshold': 5
}
print(json.dumps(policy_data, indent=2))
"

Feed to Password Attack Tools

# Use minimum password length to optimize wordlist generation
MIN_LEN=$(python3 polenum.py DOMAIN.com | grep -i "minimum length" | awk '{print $NF}')
echo "Target minimum password length: $MIN_LEN"

Document Assessment Findings

python3 polenum.py DOMAIN.com > domain_policy_$(date +%Y%m%d).txt

Best Practices

Obtain Authorization: Ensure written permission before enumeration
Document Findings: Record all policy findings for reporting
Compare Baselines: Track policy changes across assessments
Risk Assessment: Identify weak policies vs. organizational standards
Recommendation Mapping: Map findings to security benchmarks (CIS, NIST)
Multiple Targets: Query multiple DCs to identify policy variations
Time Stamps: Log when enumeration was performed
Network Segmentation: Ensure assessment system has proper network access

Remediation Recommendations

Strong Password Requirements

Minimum Length: 14+ characters
Complexity: Enabled (uppercase, lowercase, numbers, symbols)
History: 5-12 previous passwords
Maximum Age: 60-90 days

Account Lockout Configuration

Threshold: 5 failed attempts
Duration: 30 minutes minimum
Observation Window: 30 minutes

Security Baseline Mapping

CIS Benchmark: Password policy settings
NIST SP 800-63B: Digital identity guidelines
Windows Security Baseline: Default secure configurations

Enum4Linux: Linux enumeration tool for Windows domains
ADRecon: Active Directory reconnaissance tool
Bloodhound: AD data visualization and analysis
Impacket: Network protocol suite for Python
Crackmapexec: Multi-protocol credential validation
Ldapsearch: LDAP directory search tool