I'm improving some code that helps test whether password sprays are properly monitored. Here is the source code of the injected DLL: https://github.com/outflanknl/Spray-AD/blob/master/Src/Spray-AD/Spray-AD/ReflectiveDll.cpp
The current issue in this DLL is that it might lock out users (since some users might already have some badPwdCount on their username), so I need to properly check what the current badPwdCount of the user is and what the lockoutThreshold is for each user before attempting to authenticate as that specific user (since different users might have different password policies).
Fortunately, the badPwdCount was not difficult to implement and I've modified the LDAP filter properly:
WCHAR* pszPropertyList[3] = { L"sAMAccountName" , L"badPwdCount" , L"lockoutThreshold"};
and properly configured the ExecuteSearch function:
else
{
// Return specified properties
hr = pContainerToSearch->ExecuteSearch(pszSearchFilter,
pszPropertyList,
3,
&hSearch);
}
And the switch case so it'll catch the badPwdCount properly:
case ADSTYPE_INTEGER:
for (x = 0; x < col.dwNumValues; x++) {
if (_wcsicmp(col.pszAttrName, L"badPwdCount") == 0) {
if (col.pADsValues->Integer >= 4 || col.pADsValues->Integer == 0) {
/*some code*/
break;
}
}
}
But since I want to compare the badPwdCount to that specific user's lockout threshold (and not 4 as the example above), I tried to extract the lockoutThreshold attribute as can be viewed here: https://learn.microsoft.com/en-us/windows/win32/adschema/a-lockoutthreshold
Though I can't seem to get any result back for the lockout threshold; the code doesn't even return the unknown type error:
default:
wprintf(L"[!] Unknown type %d.\n", col.dwADsType);
Which is very strange to me as I can retrieve other attributes (such as badPasswordTime) without issues.
How do I properly retrieve the lockoutThreshold? Code samples would be great.
In the documentation for lockoutThreshold that you linked to, look at "Classes used in", which lists:
Note that it does not include "User".
You won't find this attribute on a user account. You will find it on the root node of the domain.
But yes, as you found, the lockoutThreshold can be overridden by a fine-grained password policy.
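An added example, not code from the question, the answer or Spray-AD, that resolves the threshold the way the answer describes: read lockoutThreshold from the domain root (the domainDNS object), then let the user's resultant fine-grained password policy override it when msDS-ResultantPSO is set. It also reads badPwdCount from the PDC emulator, because that attribute is not replicated between DCs. It assumes a domain-joined Windows host, a caller allowed to read the Password Settings Container (by default only Domain Admins can), and the account name is a placeholder.

```powershell
# Added example, not from the question, the answer or Spray-AD.
# Resolves the lockout threshold that actually applies to one account and
# compares it with that account's badPwdCount before any spray attempt.
param([string]$SamAccountName = 'jdoe')   # hypothetical account, replace it

Add-Type -AssemblyName System.DirectoryServices

# badPwdCount is not replicated; every DC forwards failed logons to the PDC
# emulator, so the PDC holds the most complete count. Bind there explicitly.
$pdc      = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$rootDse  = [ADSI]"LDAP://$pdc/RootDSE"
$domainDn = [string]$rootDse.Properties['defaultNamingContext'][0]

# lockoutThreshold lives on the domainDNS object (the naming-context root),
# not on the user. 0 means accounts are never locked out by bad passwords.
$domainRoot      = [ADSI]"LDAP://$pdc/$domainDn"
$domainThreshold = [int]$domainRoot.Properties['lockoutThreshold'][0]

# Escape the filter value so an odd sAMAccountName cannot alter the query (RFC 4515).
$escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
# msDS-ResultantPSO is a constructed attribute: it only comes back when requested.
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'badPwdCount', 'msDS-ResultantPSO'))
$user = $searcher.FindOne()
if (-not $user) { throw "Account '$SamAccountName' not found under $domainDn" }

$badPwdCount = 0
if ($user.Properties['badpwdcount'].Count -gt 0) {
    $badPwdCount = [int]$user.Properties['badpwdcount'][0]
}

# A fine-grained password policy (PSO) overrides the domain value. Only trust a
# value that was actually returned: an unreadable PSO yields an empty property,
# and treating that as 0 would wrongly mean "no lockout".
$threshold = $domainThreshold
$source    = 'domain root'
if ($user.Properties['msds-resultantpso'].Count -gt 0) {
    $psoDn        = [string]$user.Properties['msds-resultantpso'][0]
    $pso          = [ADSI]"LDAP://$pdc/$psoDn"
    $psoThreshold = $pso.Properties['msDS-LockoutThreshold']
    if ($psoThreshold.Count -gt 0) {
        $threshold = [int]$psoThreshold[0]
        $source    = $psoDn
    } else {
        Write-Warning "Could not read msDS-LockoutThreshold on $psoDn; using the domain value"
    }
}

# Further wrong passwords allowed before lockout. Keep one attempt of headroom,
# because another failed logon can land between this read and the spray attempt.
if ($threshold -eq 0) {
    $remaining = [int]::MaxValue
} else {
    $remaining = [Math]::Max(0, $threshold - $badPwdCount - 1)
}

[pscustomobject]@{
    sAMAccountName   = $SamAccountName
    badPwdCount      = $badPwdCount
    lockoutThreshold = $threshold
    thresholdSource  = $source
    safeAttemptsLeft = $remaining
    safeToSpray      = ($remaining -gt 0)
}
```

The same two reads map directly onto the ADSI calls the DLL already uses: bind to LDAP://<defaultNamingContext> and read lockoutThreshold, then bind to the DN returned in the user's msDS-ResultantPSO and read msDS-LockoutThreshold. Both come back as ADSTYPE_INTEGER, so they fit the existing switch case; what changes is the object the search runs against, not the type handling.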