Description
I have been running this for a while and there appears to be an issue that just popped up on one of my internal engagements. I used LDAP relaying to get a list of all user accounts, then used the enumeration feature of Talon to look for valid and non-valid accounts to test against. Once I got a list of valid accounts that were not locked (I found it odd they had no disabled accounts), I started my password spray, and this morning the client said they had over 500 accounts locked in a 10-minute period. They confirmed that they were doing a lockout of three failed attempts in 30 minutes; I ran my test with 2 in 35 minutes. During my test it appears that 536 of the 571 accounts I was spraying were locked in the first 10 minutes. Something tells me that 536 of their users did not enter a password wrong in the first 10 minutes of my scan.
The concerning part is that through the testing, only three accounts were reported back to Talon as being locked. All others were reported as a failed login attempt.
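As an added example (not part of this issue or of Talon's code), the check a defender would run on the domain controller side to catch the pattern this report describes: a sliding-window count of distinct accounts locked out within 10 minutes. The log lines, event format and alert threshold are constructed assumptions.

```python
"""Sliding-window detector for account-lockout bursts.

Constructed example: a handful of synthetic Windows-style
'account locked out' (event 4740) lines. The line format
"<ISO timestamp> <event id> <account>" is an assumption.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: five lockouts in 15 seconds, one much later.
SAMPLE_LOG = """\
2024-01-15T08:00:05 4740 alice
2024-01-15T08:00:07 4740 bob
2024-01-15T08:00:09 4740 carol
2024-01-15T08:00:12 4740 dave
2024-01-15T08:00:15 4740 erin
2024-01-15T09:45:00 4740 frank
"""


def parse_events(text):
    """Yield (timestamp, account) for each 4740 line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "4740":
            continue
        yield datetime.fromisoformat(parts[0]), parts[2]


def lockout_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return (window_start, distinct_accounts) each time the number of
    distinct accounts locked inside one sliding window reaches threshold.
    Events are sorted by time; the deque holds only events in the window."""
    recent = deque()
    alerts = []
    for ts, account in sorted(events):
        recent.append((ts, account))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct = {acct for _, acct in recent}
        if len(distinct) >= threshold:
            alerts.append((recent[0][0], len(distinct)))
    return alerts


def max_locked_in_window(text, **kw):
    """Largest number of distinct accounts locked in any single window."""
    alerts = lockout_bursts(parse_events(text), **kw)
    return max((n for _, n in alerts), default=0)
```

A threshold well below the 536-in-10-minutes figure from this report would have fired within seconds of the spray starting.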