A serious problem with Active Directory (AD) and its built-in password policies is that, although password complexity is required, attackers (including penetration testers) can easily find weak user passwords during an engagement that IT administrators or security officers have no “out-of-the-box” means to discover. There is no visibility into how strong or weak user passwords really are.
Simple and very common passwords, such as “Summer2015”, “October2015”, “Password123”, “[company name] + [year]”, “[well-known shared password in the company]”, etc., all meet the regular requirements for password length and complexity, but in practice they are extremely weak passwords and probably among the first guesses an attacker will try.
Brute-force and NTDS.DIT attacks
A so-called “brute-force” attack can be performed in two different ways. The most well-known method is to attack one given user account, where the attacker tries a whole lot of different password combinations. In most environments this will lead to the user account being locked after a few guesses, and the attack ends.
A better version of the “brute-force” attack is to try out one weak and widely used password, for example “Summer2015”, against all user accounts in the environment (also called “password spraying”). This method will most often lead to a successful login without any account being locked – especially in environments where users are not properly trained in generating strong passwords.
Previously, obtaining insight into password usage and strength in an AD environment has been done by extracting data from the NTDS.DIT file of a Domain Controller, which is a rather tedious and manual process.
With a new PowerShell module, DSInternals, it is now possible to analyze passwords “on-the-fly”, in a live environment, assuming that you have (acquired) the proper rights (equivalent of ‘Domain Admin’ or ‘Domain Controller’). If you’ve ever looked at the DCSync tool, recently built into Mimikatz, this PS module offers the same functionality.
Get-bADpasswords to the rescue
I have developed a simple PowerShell script, Get-bADpasswords, which utilizes some of the functionality in the new PS module. My intention is to enable IT administrators and security officers to discover weak (or bad) user passwords active in AD – hopefully before attackers do it.
The drawing below illustrates the concept of the script.
A Domain Controller is contacted and asked to hand over the user names and password hash values (NT hashes) of all active users (under a given naming context).
The script reads poor or unacceptable (non-compliant) passwords for the environment from one or more text files (word lists) and then hashes them (NT hash) so that they can be compared with the output from AD.
Here is an example of the contents of such a word list, which should be adjusted for each organization, language, and so on.
The script, when executed with “-Verbose”, prints the current status to the console.
The script can write user names for users who have weak passwords to a CSV file.
The script can write a log of current status, including detailed (verbose) information.
Note that my script assumes that the DSInternals module is properly installed on the executing machine.
A few things to consider:
- Michael Grafnetter, who developed the DSInternals module, hasn’t released the source code yet. Therefore, you will have to trust his code (blindly) at the moment. However, Michael has told me that he will release the code later this year when he has had time to clean it up a bit. Thanks to Michael for his hard work and help.
- It is probably a good idea to get an approval of HR and/or the legal department when running this regularly. There might be objections to administrators or security officers potentially gaining insight into user passwords (although we will only detect the weak ones).
- This script works “after the fact”, after users have actually created a weak password for their AD account. In Windows you can create custom Password Filters, which could prevent users from setting weak passwords in the first place, but that is quite another matter.
My PowerShell script can be downloaded here: Get-bADpasswords.
In the hope of more password-guessing-robust Active Directory environments out there!
/Jakob H. Heidelberg