Salta ai contenuti
1337skills 1337skills - Cheat Sheet

Polenum

Overview

Polenum is a Python-based security tool that extracts password policies and domain information from Windows domain controllers via RPC (Remote Procedure Call) protocol. It can query password complexity requirements, lockout policies, and other security settings without requiring valid domain credentials, making it essential for security assessments and penetration tests targeting Active Directory environments.

Installation

Linux (Debian/Ubuntu)

sudo apt-get install python3 python3-pip
pip3 install polenum

From Source (Impacket Required)

git clone https://github.com/Wh1t3Fox/polenum.git
cd polenum
pip3 install impacket
python3 polenum.py

Install Dependencies

pip3 install impacket
pip3 install pycrypto
pip3 install pycryptodome

Verify Installation

python3 polenum.py --version
python3 polenum.py --help

Core Concepts

RPC Protocol

Polenum uses RPC to communicate with domain controllers without authentication, exploiting the information disclosure inherent in Active Directory.

Password Policy Fields

  • Minimum Password Length: Minimum characters required
  • Password History: Number of previous passwords remembered
  • Maximum Password Age: Days before password expiration
  • Minimum Password Age: Minimum days between password changes
  • Password Complexity: Requirement for uppercase, lowercase, numbers, symbols
  • Account Lockout Threshold: Failed login attempts before lockout
  • Account Lockout Duration: Minutes account remains locked
  • Account Lockout Observation Window: Reset period for failed login counter

Domain Information Extracted

  • Domain name
  • Forest name
  • Domain functional level
  • Trust relationships
  • Default domain policy
  • Password complexity requirements
  • Kerberos settings

Basic Commands

Query Single Domain Controller

python3 polenum.py -u DOMAIN.com
python3 polenum.py 192.168.1.10

Query with Target Specification

python3 polenum.py -u DOMAIN.com -t 192.168.1.100

Query Specific User Account

python3 polenum.py -u DOMAIN.com -U username

List Domain Controllers

python3 polenum.py -u DOMAIN.com -l

Common Usage Patterns

CommandDescription
python3 polenum.py DOMAIN.comQuery domain password policy
python3 polenum.py 192.168.1.10Query DC by IP address
python3 polenum.py -u DOMAIN.com -t DC_IPTarget specific DC
python3 polenum.py -u DOMAIN.com -U adminQuery user account info
python3 polenum.py -u DOMAIN.com -lList domain information
python3 polenum.py DOMAIN.com -o output.txtSave results to file

Password Policy Enumeration

Basic Policy Query

python3 polenum.py DOMAIN.local

Verbose Output

python3 polenum.py -u DOMAIN.com -v
python3 polenum.py DOMAIN.local -vv

Query Specific DC

python3 polenum.py -u DOMAIN.com -t domain-controller.domain.com

Output Results to File

python3 polenum.py DOMAIN.com > policy_output.txt
python3 polenum.py DOMAIN.local -o domain_policy.txt

Domain Enumeration

Query Domain Information

python3 polenum.py -u DOMAIN.com

Get DC List

python3 polenum.py -u DOMAIN.com -l

Enumerate Trust Relationships

python3 polenum.py -u DOMAIN.com --trusts

Query User Information

python3 polenum.py -u DOMAIN.com -U username
python3 polenum.py -u DOMAIN.com -U "domain\username"

Advanced Techniques

Query Multiple Domains

for domain in domain1.com domain2.com domain3.com; do
    python3 polenum.py $domain >> all_policies.txt
done

Extract Kerberos Settings

python3 polenum.py DOMAIN.com | grep -i kerberos

Find Weak Password Policies

python3 polenum.py DOMAIN.com | grep -i "minimum password length"

Query with Network Range

for ip in 192.168.1.{10..20}; do
    python3 polenum.py $ip 2>/dev/null
done

Policy Analysis

Parsing Policy Output

python3 polenum.py DOMAIN.com | grep -A 5 "Password Policy"

Extract Specific Policy Fields

python3 polenum.py DOMAIN.com | grep "Password required"
python3 polenum.py DOMAIN.com | grep "Lockout"

Generate Policy Report

echo "=== Domain Password Policies ===" > report.txt
python3 polenum.py DOMAIN.com >> report.txt
python3 polenum.py -u DOMAIN.com -t DC2 >> report.txt

Security Assessment Scenarios

Multi-Domain Assessment

#!/bin/bash
DOMAINS=("DOMAIN1.com" "DOMAIN2.com" "DOMAIN3.local")

for domain in "${DOMAINS[@]}"; do
    echo "=== Querying $domain ===" >> assessment_report.txt
    python3 polenum.py $domain >> assessment_report.txt
    echo "" >> assessment_report.txt
done

Find Weak Password Requirements

python3 polenum.py DOMAIN.com | grep -i "minimum password length" | awk '{print $NF}'

Check Default Policies

python3 polenum.py DOMAIN.com | grep -i "default\|standard\|minimum"

Account Lockout Assessment

python3 polenum.py DOMAIN.com | grep -i "lockout"

Troubleshooting

Connection Refused

# Ensure network connectivity to DC
ping domain-controller.domain.com

# Verify RPC port 135 is accessible
nmap -p 135 192.168.1.10

DNS Resolution Issues

# Specify DC by IP instead of hostname
python3 polenum.py 192.168.1.10

# Add domain to hosts file
echo "192.168.1.10 domain.com" | sudo tee -a /etc/hosts

RPC Protocol Errors

# Try different RPC binding
python3 polenum.py -u DOMAIN.com -t DC_IP --rpc-port 135

Timeout Issues

# Increase timeout
timeout 60 python3 polenum.py DOMAIN.com

Output Examples

Standard Policy Output

[+] Attempting to connect to 192.168.1.10
[+] Successfully connected to domain.local

[+] Domain Admins: domain\Domain Admins (S-1-5-21-xxx)
[+] Domain Users: domain\Domain Users (S-1-5-21-xxx)

Password Policy:
    Complexity: Enabled
    Minimum Length: 8
    History: 5 previous passwords
    Maximum Age: 90 days
    Minimum Age: 1 day
    Lockout Threshold: 5 attempts
    Lockout Duration: 30 minutes

Domain Trust Information

[+] Trust Relationships Found:
    DOMAIN.local (Parent)
    CHILD.local (Child)
    EXTERNAL.com (External)

Integration with Other Tools

Export to JSON

python3 -c "
import json
# Parse polenum output and convert to JSON
policy_data = {
    'domain': 'DOMAIN.com',
    'min_length': 8,
    'complexity': True,
    'lockout_threshold': 5
}
print(json.dumps(policy_data, indent=2))
"

Feed to Password Attack Tools

# Use minimum password length to optimize wordlist generation
MIN_LEN=$(python3 polenum.py DOMAIN.com | grep -i "minimum length" | awk '{print $NF}')
echo "Target minimum password length: $MIN_LEN"

Document Assessment Findings

python3 polenum.py DOMAIN.com > domain_policy_$(date +%Y%m%d).txt

Best Practices

  • Obtain Authorization: Ensure written permission before enumeration
  • Document Findings: Record all policy findings for reporting
  • Compare Baselines: Track policy changes across assessments
  • Risk Assessment: Identify weak policies vs. organizational standards
  • Recommendation Mapping: Map findings to security benchmarks (CIS, NIST)
  • Multiple Targets: Query multiple DCs to identify policy variations
  • Time Stamps: Log when enumeration was performed
  • Network Segmentation: Ensure assessment system has proper network access

Remediation Recommendations

Strong Password Requirements

Minimum Length: 14+ characters
Complexity: Enabled (uppercase, lowercase, numbers, symbols)
History: 5-12 previous passwords
Maximum Age: 60-90 days

Account Lockout Configuration

Threshold: 5 failed attempts
Duration: 30 minutes minimum
Observation Window: 30 minutes

Security Baseline Mapping

  • CIS Benchmark: Password policy settings
  • NIST SP 800-63B: Digital identity guidelines
  • Windows Security Baseline: Default secure configurations
  • Enum4Linux: Linux enumeration tool for Windows domains
  • ADRecon: Active Directory reconnaissance tool
  • Bloodhound: AD data visualization and analysis
  • Impacket: Network protocol suite for Python
  • Crackmapexec: Multi-protocol credential validation
  • Ldapsearch: LDAP directory search tool