Description
There seems to be some errors in the handling of account lockout thresholds.
- First, the variable `$SmallestLockoutThreshold` is defined as the minimum of all account lockout thresholds (from the domain policy and the other fine-grained password policies), as follows:
DomainPasswordSpray/DomainPasswordSpray.ps1, line 382 in 94cb725:

```powershell
[int]$SmallestLockoutThreshold = $AccountLockoutThresholds | sort | Select -First 1
```
For each of these policies, a value of 0 means that the lockout policy is disabled. However, if the lockout policy is disabled for one specific perimeter but not for all accounts, the "minimum" value computed above is wrong (0), since later on this value is taken to mean that there is no lockout policy for any account:
- As a consequence, some accounts are not tested by the password spray on a domain where there is no lockout policy (on at least one perimeter). Indeed, the way the `$attemptsuntillockout` variable is computed does not take the `$SmallestLockoutThreshold = 0` case into account:
DomainPasswordSpray/DomainPasswordSpray.ps1, line 454 in 94cb725:

```powershell
$attemptsuntillockout = $SmallestLockoutThreshold - $userbadcount
```
This value will never be greater than 0 (and thus never greater than 1), so the second part of the condition that decides whether a given user is added to the list of targets will never be true:
DomainPasswordSpray/DomainPasswordSpray.ps1, line 458 in 94cb725:

```powershell
if (($timedifference -gt $observation_window) -or ($attemptsuntillockout -gt 1))
```
So every account with a bad password attempt made in the last `$observation_window` minutes is skipped.
To solve all these problems, I suggest adding some arbitrarily high value to the `$AccountLockoutThresholds` list instead of 0 when `$objDeDomain.Properties.lockoutthreshold` or `$PSOLockoutThreshold` is equal to 0.
Here:

DomainPasswordSpray/DomainPasswordSpray.ps1, line 344 in 94cb725:

```powershell
$AccountLockoutThresholds += $objDeDomain.Properties.lockoutthreshold
```
And here:

DomainPasswordSpray/DomainPasswordSpray.ps1, line 370 in 94cb725:

```powershell
$AccountLockoutThresholds += $PSOLockoutThreshold
```
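The following is an added example, not code from the DomainPasswordSpray project or from the issue author. It models the two pieces of logic quoted above (the minimum over the collected thresholds, and the per-user "safe to spray" check) and contrasts keeping a 0 threshold with the suggested replacement by a large value. The function names `Get-SmallestLockoutThreshold` and `Test-SafeToSpray`, the `-TreatZeroAsDisabled` switch, the sample thresholds and the sample users are all constructed for illustration and do not exist in the project.

```powershell
# Added example (not DomainPasswordSpray code). Reproduces the threshold selection and the
# per-user check described in the issue, with and without the suggested handling of 0.

# Constructed sample: the domain policy has lockout disabled (0), two PSOs set 5 and 10.
$Thresholds = @(0, 5, 10)

function Get-SmallestLockoutThreshold {
    param(
        [int[]]$AccountLockoutThresholds,
        [switch]$TreatZeroAsDisabled   # hypothetical switch standing in for the suggested fix
    )
    $values = foreach ($t in $AccountLockoutThresholds) {
        # A threshold of 0 means "lockout disabled" for that policy. Without the fix it wins
        # the minimum and is later read as "no lockout anywhere"; with the fix it is replaced
        # by an arbitrarily high value so that a real threshold from another policy wins instead.
        if ($TreatZeroAsDisabled -and $t -eq 0) { [int]::MaxValue } else { $t }
    }
    return [int]($values | Sort-Object | Select-Object -First 1)
}

function Test-SafeToSpray {
    param(
        [int]$SmallestLockoutThreshold,
        [int]$UserBadCount,            # the user's current bad password count
        [double]$MinutesSinceLastBad,  # minutes elapsed since the user's last bad attempt
        [int]$ObservationWindow        # lockout observation window, in minutes
    )
    # Same shape as the project's check: spray the user if the observation window has elapsed
    # or if more than one attempt remains before the smallest threshold is reached.
    $attemptsUntilLockout = $SmallestLockoutThreshold - $UserBadCount
    return ($MinutesSinceLastBad -gt $ObservationWindow) -or ($attemptsUntilLockout -gt 1)
}

# Constructed sample users against a 30 minute observation window.
$ObservationWindow = 30
$Users = @(
    @{ Name = 'alice'; BadCount = 1; MinutesSinceLastBad = 2  },   # one recent failure
    @{ Name = 'bob';   BadCount = 4; MinutesSinceLastBad = 2  },   # one attempt away from a 5 threshold
    @{ Name = 'carol'; BadCount = 4; MinutesSinceLastBad = 45 }    # failures older than the window
)

$current   = Get-SmallestLockoutThreshold -AccountLockoutThresholds $Thresholds
$suggested = Get-SmallestLockoutThreshold -AccountLockoutThresholds $Thresholds -TreatZeroAsDisabled

foreach ($case in @(
        @{ Handling = 'current (0 kept)';           Threshold = $current },
        @{ Handling = 'suggested (0 -> MaxValue)';  Threshold = $suggested })) {
    foreach ($u in $Users) {
        [pscustomobject]@{
            Handling          = $case.Handling
            SmallestThreshold = $case.Threshold
            User              = $u.Name
            BadCount          = $u.BadCount
            SprayUser         = Test-SafeToSpray -SmallestLockoutThreshold $case.Threshold `
                                                 -UserBadCount $u.BadCount `
                                                 -MinutesSinceLastBad $u.MinutesSinceLastBad `
                                                 -ObservationWindow $ObservationWindow
        }
    }
}
```

Run as a script in PowerShell; the table it emits shows that with the 0 threshold kept, any user with a failure inside the observation window is skipped regardless of the real PSO thresholds, while with 0 replaced the 5 threshold from the PSO is used and a user one attempt away from it is still (correctly) skipped. One thing to keep in mind with this approach: if every collected threshold is 0, the minimum becomes the placeholder value, so any code that compared `$SmallestLockoutThreshold` with 0 to report "no lockout policy" would need to be adjusted at the same time.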