Polenum
Overview
Seção intitulada “Overview”Polenum is a Python-based security tool that extracts password policies and domain information from Windows domain controllers via RPC (Remote Procedure Call) protocol. It can query password complexity requirements, lockout policies, and other security settings without requiring valid domain credentials, making it essential for security assessments and penetration tests targeting Active Directory environments.
Installation
Seção intitulada “Installation”Linux (Debian/Ubuntu)
Seção intitulada “Linux (Debian/Ubuntu)”sudo apt-get install python3 python3-pip
pip3 install polenumFrom Source (Impacket Required)
Seção intitulada “From Source (Impacket Required)”git clone https://github.com/Wh1t3Fox/polenum.git
cd polenum
pip3 install impacket
python3 polenum.pyInstall Dependencies
Seção intitulada “Install Dependencies”pip3 install impacket
pip3 install pycrypto
pip3 install pycryptodomeVerify Installation
Seção intitulada “Verify Installation”python3 polenum.py --version
python3 polenum.py --helpCore Concepts
Seção intitulada “Core Concepts”RPC Protocol
Seção intitulada “RPC Protocol”Polenum uses RPC to communicate with domain controllers without authentication, exploiting the information disclosure inherent in Active Directory.
Password Policy Fields
Seção intitulada “Password Policy Fields”- Minimum Password Length: Minimum characters required
- Password History: Number of previous passwords remembered
- Maximum Password Age: Days before password expiration
- Minimum Password Age: Minimum days between password changes
- Password Complexity: Requirement for uppercase, lowercase, numbers, symbols
- Account Lockout Threshold: Failed login attempts before lockout
- Account Lockout Duration: Minutes account remains locked
- Account Lockout Observation Window: Reset period for failed login counter
Domain Information Extracted
Seção intitulada “Domain Information Extracted”- Domain name
- Forest name
- Domain functional level
- Trust relationships
- Default domain policy
- Password complexity requirements
- Kerberos settings
Basic Commands
Seção intitulada “Basic Commands”Query Single Domain Controller
Seção intitulada “Query Single Domain Controller”python3 polenum.py -u DOMAIN.com
python3 polenum.py 192.168.1.10Query with Target Specification
Seção intitulada “Query with Target Specification”python3 polenum.py -u DOMAIN.com -t 192.168.1.100Query Specific User Account
Seção intitulada “Query Specific User Account”python3 polenum.py -u DOMAIN.com -U usernameList Domain Controllers
Seção intitulada “List Domain Controllers”python3 polenum.py -u DOMAIN.com -lCommon Usage Patterns
Seção intitulada “Common Usage Patterns”| Command | Description |
|---|---|
python3 polenum.py DOMAIN.com | Query domain password policy |
python3 polenum.py 192.168.1.10 | Query DC by IP address |
python3 polenum.py -u DOMAIN.com -t DC_IP | Target specific DC |
python3 polenum.py -u DOMAIN.com -U admin | Query user account info |
python3 polenum.py -u DOMAIN.com -l | List domain information |
python3 polenum.py DOMAIN.com -o output.txt | Save results to file |
Password Policy Enumeration
Seção intitulada “Password Policy Enumeration”Basic Policy Query
Seção intitulada “Basic Policy Query”python3 polenum.py DOMAIN.localVerbose Output
Seção intitulada “Verbose Output”python3 polenum.py -u DOMAIN.com -v
python3 polenum.py DOMAIN.local -vvQuery Specific DC
Seção intitulada “Query Specific DC”python3 polenum.py -u DOMAIN.com -t domain-controller.domain.comOutput Results to File
Seção intitulada “Output Results to File”python3 polenum.py DOMAIN.com > policy_output.txt
python3 polenum.py DOMAIN.local -o domain_policy.txtDomain Enumeration
Seção intitulada “Domain Enumeration”Query Domain Information
Seção intitulada “Query Domain Information”python3 polenum.py -u DOMAIN.comGet DC List
Seção intitulada “Get DC List”python3 polenum.py -u DOMAIN.com -lEnumerate Trust Relationships
Seção intitulada “Enumerate Trust Relationships”python3 polenum.py -u DOMAIN.com --trustsQuery User Information
Seção intitulada “Query User Information”python3 polenum.py -u DOMAIN.com -U username
python3 polenum.py -u DOMAIN.com -U "domain\username"Advanced Techniques
Seção intitulada “Advanced Techniques”Query Multiple Domains
Seção intitulada “Query Multiple Domains”for domain in domain1.com domain2.com domain3.com; do
python3 polenum.py $domain >> all_policies.txt
doneExtract Kerberos Settings
Seção intitulada “Extract Kerberos Settings”python3 polenum.py DOMAIN.com | grep -i kerberosFind Weak Password Policies
Seção intitulada “Find Weak Password Policies”python3 polenum.py DOMAIN.com | grep -i "minimum password length"Query with Network Range
Seção intitulada “Query with Network Range”for ip in 192.168.1.{10..20}; do
python3 polenum.py $ip 2>/dev/null
donePolicy Analysis
Seção intitulada “Policy Analysis”Parsing Policy Output
Seção intitulada “Parsing Policy Output”python3 polenum.py DOMAIN.com | grep -A 5 "Password Policy"Extract Specific Policy Fields
Seção intitulada “Extract Specific Policy Fields”python3 polenum.py DOMAIN.com | grep "Password required"
python3 polenum.py DOMAIN.com | grep "Lockout"Generate Policy Report
Seção intitulada “Generate Policy Report”echo "=== Domain Password Policies ===" > report.txt
python3 polenum.py DOMAIN.com >> report.txt
python3 polenum.py -u DOMAIN.com -t DC2 >> report.txtSecurity Assessment Scenarios
Seção intitulada “Security Assessment Scenarios”Multi-Domain Assessment
Seção intitulada “Multi-Domain Assessment”#!/bin/bash
DOMAINS=("DOMAIN1.com" "DOMAIN2.com" "DOMAIN3.local")
for domain in "${DOMAINS[@]}"; do
echo "=== Querying $domain ===" >> assessment_report.txt
python3 polenum.py $domain >> assessment_report.txt
echo "" >> assessment_report.txt
doneFind Weak Password Requirements
Seção intitulada “Find Weak Password Requirements”python3 polenum.py DOMAIN.com | grep -i "minimum password length" | awk '{print $NF}'Check Default Policies
Seção intitulada “Check Default Policies”python3 polenum.py DOMAIN.com | grep -i "default\|standard\|minimum"Account Lockout Assessment
Seção intitulada “Account Lockout Assessment”python3 polenum.py DOMAIN.com | grep -i "lockout"Troubleshooting
Seção intitulada “Troubleshooting”Connection Refused
Seção intitulada “Connection Refused”# Ensure network connectivity to DC
ping domain-controller.domain.com
# Verify RPC port 135 is accessible
nmap -p 135 192.168.1.10DNS Resolution Issues
Seção intitulada “DNS Resolution Issues”# Specify DC by IP instead of hostname
python3 polenum.py 192.168.1.10
# Add domain to hosts file
echo "192.168.1.10 domain.com" | sudo tee -a /etc/hostsRPC Protocol Errors
Seção intitulada “RPC Protocol Errors”# Try different RPC binding
python3 polenum.py -u DOMAIN.com -t DC_IP --rpc-port 135Timeout Issues
Seção intitulada “Timeout Issues”# Increase timeout
timeout 60 python3 polenum.py DOMAIN.comOutput Examples
Seção intitulada “Output Examples”Standard Policy Output
Seção intitulada “Standard Policy Output”[+] Attempting to connect to 192.168.1.10
[+] Successfully connected to domain.local
[+] Domain Admins: domain\Domain Admins (S-1-5-21-xxx)
[+] Domain Users: domain\Domain Users (S-1-5-21-xxx)
Password Policy:
Complexity: Enabled
Minimum Length: 8
History: 5 previous passwords
Maximum Age: 90 days
Minimum Age: 1 day
Lockout Threshold: 5 attempts
Lockout Duration: 30 minutesDomain Trust Information
Seção intitulada “Domain Trust Information”[+] Trust Relationships Found:
DOMAIN.local (Parent)
CHILD.local (Child)
EXTERNAL.com (External)Integration with Other Tools
Seção intitulada “Integration with Other Tools”Export to JSON
Seção intitulada “Export to JSON”python3 -c "
import json
# Parse polenum output and convert to JSON
policy_data = {
'domain': 'DOMAIN.com',
'min_length': 8,
'complexity': True,
'lockout_threshold': 5
}
print(json.dumps(policy_data, indent=2))
"Feed to Password Attack Tools
Seção intitulada “Feed to Password Attack Tools”# Use minimum password length to optimize wordlist generation
MIN_LEN=$(python3 polenum.py DOMAIN.com | grep -i "minimum length" | awk '{print $NF}')
echo "Target minimum password length: $MIN_LEN"Document Assessment Findings
Seção intitulada “Document Assessment Findings”python3 polenum.py DOMAIN.com > domain_policy_$(date +%Y%m%d).txtBest Practices
Seção intitulada “Best Practices”- Obtain Authorization: Ensure written permission before enumeration
- Document Findings: Record all policy findings for reporting
- Compare Baselines: Track policy changes across assessments
- Risk Assessment: Identify weak policies vs. organizational standards
- Recommendation Mapping: Map findings to security benchmarks (CIS, NIST)
- Multiple Targets: Query multiple DCs to identify policy variations
- Time Stamps: Log when enumeration was performed
- Network Segmentation: Ensure assessment system has proper network access
Remediation Recommendations
Seção intitulada “Remediation Recommendations”Strong Password Requirements
Seção intitulada “Strong Password Requirements”Minimum Length: 14+ characters
Complexity: Enabled (uppercase, lowercase, numbers, symbols)
History: 5-12 previous passwords
Maximum Age: 60-90 daysAccount Lockout Configuration
Seção intitulada “Account Lockout Configuration”Threshold: 5 failed attempts
Duration: 30 minutes minimum
Observation Window: 30 minutesSecurity Baseline Mapping
Seção intitulada “Security Baseline Mapping”- CIS Benchmark: Password policy settings
- NIST SP 800-63B: Digital identity guidelines
- Windows Security Baseline: Default secure configurations
Related Tools
Seção intitulada “Related Tools”- Enum4Linux: Linux enumeration tool for Windows domains
- ADRecon: Active Directory reconnaissance tool
- Bloodhound: AD data visualization and analysis
- Impacket: Network protocol suite for Python
- Crackmapexec: Multi-protocol credential validation
- Ldapsearch: LDAP directory search tool