my personal blog about systemcenter

All posts in Active Directory

Crack and detect weak passwords in Active Directory on-the-fly

Categories: Active Directory

A serious problem with Active Directory (AD) and its built-in password policies is that, although password complexity is required, attackers (including penetration testers) can easily find weak user passwords during an engagement, which IT administrators or security officers have no means to discover “out-of-the-box”. There’s no visibility into how strong or weak user passwords really are.

Simple and very common passwords, such as “Summer2015”, “October2015”, “Password123”, “[company name] + [year]”, “[Well-known-shared-password-in-the-company]”, etc., all meet the regular requirements for password length and complexity, but in practice they are extremely weak passwords and probably among the first guesses an attacker will try out.

Brute-force and NTDS.DIT attacks

A so-called “brute-force” attack can be performed in two different ways. The most well-known method is the attack on one given user account, where the attacker tries out a whole lot of different password combinations. In most environments this will lead to the user account being locked after a few guesses, and the attack ends.

A better version of the “brute-force” attack is to try out one weak and widely used password, for example “Summer2015” against all user accounts in the environment (also called “password spraying”). This method will most often lead to a successful login without any account being locked – especially in environments where users are not properly trained in generating strong passwords.

Previously, obtaining insight into the password usage and strength in an AD environment has been done by extracting data from the NTDS.DIT file of a Domain Controller, which is a rather tedious and manual process.

With a new PowerShell module, DSInternals, it is now possible to analyze passwords “on-the-fly”, in a live environment, assuming that you have (acquired) the proper rights (equivalent of ‘Domain Admin’ or ‘Domain Controller’). If you’ve ever looked at the DCSync tool, recently built into Mimikatz, this PS module offers the same functionality.

Get-bADpasswords to the rescue

I have developed a simple PowerShell script, Get-bADpasswords, which utilizes some of the functionality in the new PS module. My intention is to enable IT administrators and security officers to discover weak (or bad) user passwords active in AD – hopefully before attackers do it.

The drawing below illustrates the concept of the script.

Concept of Get-bADpasswords

A Domain Controller is contacted and asked to hand over user names and password hash values (NT hash) of all active users (under a given naming context).

The script retrieves poor or unacceptable (non-compliant) passwords from one or more text files (word lists) and then hashes them (NT hash) so that they can be compared with the output from AD.
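The core of the concept just described, as an added example that is not part of Jakob’s script or the DSInternals module: Python that computes NT hashes (MD4 over the UTF-16LE password) for a word list and matches them against a user-to-hash dump of the kind a replication request returns. The account names, the “alice” hash and the word list are constructed sample data, not values from the original post.

```python
import struct

def _rotl(x: int, n: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a, b, c, d = d, _rotl(a + f(b, c, d) + w[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, _rotl(a + g(b, c, d) + w[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rotl(a + (b ^ c ^ d) + w[k3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT hash as stored in AD: MD4 over the UTF-16LE encoded password, lower-case hex."""
    return md4(password.encode("utf-16-le")).hex()

def find_weak_accounts(accounts: dict, wordlist: list) -> dict:
    """Return {user: word} for every account whose NT hash equals the hash of a word-list entry."""
    lookup = {nt_hash(word): word for word in wordlist}
    return {user: lookup[h.lower()] for user, h in accounts.items() if h.lower() in lookup}

# Constructed sample dump: the user -> NT hash pairs a replication request (DSInternals-style) boils down to.
# "bob" uses the word "password" (its well-known NT hash); "alice"'s hash is a made-up placeholder.
SAMPLE_ACCOUNTS = {
    "alice": "C2FB0F1E0E5EEB3E0D1A8C2B5F9E7D64",
    "bob": "8846F7EAEE8FB117AD06BDD830B7586C",
}
# Constructed word list in the spirit of the one shown in the post.
SAMPLE_WORDLIST = ["Summer2015", "October2015", "Password123", "password"]

if __name__ == "__main__":
    for user, word in find_weak_accounts(SAMPLE_ACCOUNTS, SAMPLE_WORDLIST).items():
        print(f"WEAK: {user} uses word-list entry {word!r}")
```

Because the comparison is hash-to-hash, the script never needs to recover any password it does not already have on its list, which is exactly why only the weak ones become visible.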

Here is an example of the contents of such a word list, which should be adjusted to each organization, language and so on.

Wordlist

Word list with weak passwords

When the script is executed with “-Verbose”, it prints the current status to the console.

Get-bADpasswords -Verbose

The script can write user names for users who have weak passwords to a CSV file.

Get-bADpasswords CSV output

The script can write a log of current status, including detailed (verbose) information.

Get-bADpasswords log file

Note that my script assumes that the DSInternals module is properly installed on the executing machine.

DSInternals module folder

A few things to consider:

  1. Michael Grafnetter, who developed the DSInternals module, hasn’t released the source code yet. Therefore, you will have to trust his code (blindly) at the moment. However, Michael has told me that he will release the code later this year when he has had time to clean it up a bit. Thanks to Michael for his hard work and help.
  2. It is probably a good idea to get approval from HR and/or the legal department when running this regularly. There might be objections to administrators or security officers potentially gaining insight into user passwords (although we will only detect the weak ones).
  3. This script works “after the fact”, after users have actually created a weak password for their AD account. In Windows you can create custom Password Filters, which could prevent users from setting weak passwords in the first place, but that is quite another matter.

My PowerShell script can be downloaded here: Get-bADpasswords.

In the hope of more password-guessing-robust Active Directory environments out there!

/Jakob H. Heidelberg
@JakobHeidelberg

The Handle is Invalid, Live Migration 21052

Categories: Active Directory, Hyper-V

I ran into an issue where live migration failed on all hosts and VMs in a Hyper-V cluster.

image

“The operation did not complete on resource Virtual Machine” was the error from Failover Cluster Manager.

There were no other visible errors in the event log related to clustering.

image

Taking the cluster resource offline and doing a repair didn’t help.

image

However, pinging the cluster name pointed to broken name resolution, as it replied with a different IP address than expected.

image

Looking at the permissions, the cluster object had full control.

image

Deleting the dns registration and running the repair once again fixed the problem.

From the looks of it, someone changed the IP address of the cluster object, and that’s when the problem started.

image

After the repair completes, the DNS status goes from “The Handle is Invalid” to “OK”.

image

dcpromo went on holiday after Windows Server 2008 R2, so to promote a server to a domain controller we need to use PowerShell or Server Manager. With 12 years of dcpromo behind me, I expect to type that a few times more until I remember it’s gone away.

image

Head to Server Manager and add a role on the local server.

image

Select Active Directory Domain Services.

image

In the task details, select the action “Promote this server to a domain controller”.

image

As this is the start of a new forest, we need to add the forest and specify the root domain name.

image
One VERY handy new feature found in most places in Windows Server 2012 is the “View script” command.

#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
# Generated by Server Manager: creates a new forest and promotes this server to its first domain controller
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "internal.systemcenterdemo.dk" `
-DomainNetbiosName "INTERNAL" `
-ForestMode "Win2012" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

And we get the syntax for creating a new forest from PowerShell instead of using 10-ish mouse clicks.

image

And we now have a functional forest.

Microsoft has been so kind as to create the AddNewClusteredVM.ps1 script for Hyper-V and Data Protection Manager. This script enumerates all virtual machines in a cluster and adds them to a protection group; as there is no “auto” protect option in Hyper-V clustering like there is for SQL protection, this should save some time and errors.

For the script to work, a protection group needs to be ready.

image

image

So we create a protection group in the Data Protection Manager console and run AddNewClusteredVM.ps1 with the cluster FQDN and the protection group name:

Enter the cluster FQDN : hvc01.internal.systemcenterdemo.dk
Enter the name of your existing Hyper-V protection group : Hyper-V

dpm10.internal.systemcenterdemo.dk                                                              
Running Inquiry on HVC01.internal.systemcenterdemo.dk
Running Inquiry on Available Storage
Running Inquiry on Cluster Group
Running Inquiry on SCVMM DHCP01 Resources
Running Inquiry on SCVMM IPAM01 Resources
Running Inquiry on VMM01
Running Inquiry on VMMDB01
Waiting for inquiry to complete 0 item(s) obtained.


Inquiry listed 6 item(s)…
Adding data source Backup Using Child Partition Snapshot\DHCP01 to Hyper-V
Adding data source Backup Using Child Partition Snapshot\IPAM01 to Hyper-V
Adding data source Backup Using Child Partition Snapshot\VMMDB01 to Hyper-V
Adding new Hyper-V data sources to Hyper-V

image

The PowerShell script adds the unprotected servers to the DPM server’s protection group.

Backup is one thing, restore is another, especially disaster recovery. In this blog post we will cover the scenario where everything is gone except the backup tapes. This first post covers getting the domain up and running again; following posts will cover file servers, SQL and Exchange.

Data Protection Manager requires a functional domain to be able to recover any data from tape, so the first step will always be to get the domain up and running again.

In this post we have a production domain test.local with dc10.test.local as the sole domain controller and dpm10.test.local as the Data Protection Manager server.

For restore purposes we set up dctemp10.temptest.local and dpmtemp10.temptest.local to restore the data, so a disaster recovery will always require staging of the restore data if the domain is lost.

It is always recommended to keep an additional backup of the domain controllers outside of Data Protection Manager, to ensure that, no matter what happens, we can always recover the domain and then start recovery.

But always keep a separate backup of the domain controllers; there can’t be too many backups if the media is located in a big safe somewhere.

image

On the test.local domain we need a complete backup of the Domain Controller

image

And we will need the configuration database for Data Protection Manager

image

After creating the Protection Groups, create a manual recovery point to tape, both for the domain controller and for the Data Protection Manager configuration database.

image

For testing I am using Cristalink’s brilliant Virtual Tape Library for Data Protection Manager, http://www.cristalink.com/fs/, so here the backup is located on 3 virtual tapes.

image

We need a new domain to restore to until we can get the original production environment up and running, so here we have created a new domain and are adding a Data Protection Manager server to the same domain.

image

To simulate adding tapes from the library we use the FileStreams Import feature “Load From File”.

image

And then we can see the same tapes as we had before the wipe of the Domain Controller and Data Protection Manager Server

image

image

We then need to start a detailed inventory so we can see what’s on the tapes.

image

After the detailed inventory has completed, we need to “Recatalog Imported Tape” to add the content of the tapes to the Data Protection Manager’s configuration database.

image

We then need to recover the System Protection from the tapes we did a recatalog on

image

The only restore option for system protection is a network folder.

image

And it’s time to start the restore.

image

Data Protection Manager == Success

image

We then need to share the folder out so we can access it from the Windows 2008 R2 installation media

image

To restore from the recovered data we need to start the Windows 2008 R2 installer; DHCP needs to be enabled for networking support.

image

Select a repair

image

As there are no local images to restore from select next

image

And start networking

image

Connect to the DPM Server

image

With Credentials from the new temporary domain

image

Select the image to restore.

image

Start the ReImage

image

And wait.

image

For about 12 minutes on my test setup

image

After a reboot and setting a fixed IP address, the domain is up and running. We now have a working domain, so we can start to restore the Data Protection Manager server and then restore all remaining workloads.