Active Directory Password Audit – Using Pwned Passwords

Active Directory in Windows has some built-in features to set restrictions on the passwords created in your environment. How cool would it be if we could compare the passwords used in your AD environment with the passwords disclosed in breach databases? By doing this you can ensure that none of your users are using weak passwords or passwords exposed in data breaches. If you are in IT security operations, this is something you really have to do, and your CISO will definitely love it. To get this done we can make use of some cool OSINT tools. Password hashes from breaches and tools or scripts to query Active Directory are required to perform this audit. Integrating them gives you a fantastic solution to audit your Active Directory.

Data breach database

HaveIBeenPwned (HIBP) contains passwords from many major data breaches, including Adobe, LinkedIn and many more. HIBP offers these passwords for download in SHA-1 and NTLM formats. There is even an API available which can be integrated into any application. When I was drafting this post, HIBP contained 551 million pwned passwords. If you check that link, you can see the download link for the NTLM format. You can either download the file directly or use the torrent and download at your desired speed/time.

OSINT tools which support HIBP

1. DSInternals

DSInternals is a fantastic PowerShell module developed by Michael Grafnetter. It has multiple functions, such as hash dumping, password resets and LSA policy modification.

  • Install DSInternals using the instructions here.
  • Download the NTLM hashes (ordered by hash) from HIBP.
  • Now you can query your AD using the cmdlets described here.

You will get results similar to the sample below.

Active Directory Password Quality Report
----------------------------------------

Passwords of these accounts are stored using reversible encryption:
  smith
  doe

LM hashes of passwords of these accounts are present:
  hodge

These accounts have no password set:
  test01
  test02

Passwords of these accounts have been found in the dictionary:
  Administrator

These groups of accounts have the same passwords:
  Group 1:
    graham
    graham_admin
  Group 2:
    admin
    sql_svc01

These computer accounts have default passwords:
  DESKTOP27$

Kerberos AES keys are missing from these accounts:
  sql_svc01

Kerberos pre-authentication is not required for these accounts:
  jboss

Only DES encryption is allowed to be used with these accounts:
  sql_svc01

These administrative accounts are allowed to be delegated to a service:
  AdatumAdmin
  Administrator

Passwords of these accounts will never expire:
  admin
  sql_svc01

These accounts are not required to have a password:
  gonzales

You can automate this by creating a scheduled task and saving the results to a file.

To store the results in a .csv, try the commands below in your PS script.

# Requires the DSInternals module and replication rights against the domain controller
Import-Module DSInternals
$accounts = Get-ADReplAccount -All -NamingContext 'DC=contoso,DC=com' -Server dc1.contoso.com
# BadPasswords.txt is a plaintext dictionary; for the HIBP NTLM "ordered by hash" file use -WeakPasswordHashesSortedFile instead
$results = $accounts | Test-PasswordQuality -WeakPasswordsFile BadPasswords.txt
$riskyAccounts = $accounts | Where-Object SamAccountName -in $results.WeakPassword
$riskyAccounts | Select-Object SamAccountName,DisplayName,DistinguishedName | Export-Csv output.csv -NoTypeInformation
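As an added example that extends the four lines above (it is not DSInternals' own code): a reusable audit function that checks the replicated NTLM hashes against the HIBP NTLM file, writes pwned and reused-password accounts to timestamped CSVs, and is then registered as a weekly scheduled task. The file paths, the service account name and the report's Enabled and DuplicatePasswordGroups property names are assumptions.

```powershell
# Added example, not DSInternals' own code. Assumes the DSInternals module is installed, the running
# account holds replication (DCSync) rights, and the HIBP NTLM "ordered by hash" file was downloaded
# to the placeholder path below. Only account names reach the CSVs, never the hashes themselves.
Import-Module DSInternals

function Invoke-PwnedPasswordAudit {
    param(
        [string]$NamingContext = 'DC=contoso,DC=com',
        [string]$Server        = 'dc1.contoso.com',
        [string]$HibpNtlmFile  = 'C:\Audit\pwned-passwords-ntlm-ordered-by-hash.txt',   # placeholder
        [string]$OutDir        = 'C:\Audit\Reports'                                        # placeholder
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'

    # Pull the hashes through replication rather than copying NTDS.dit off the DC.
    $accounts = Get-ADReplAccount -All -NamingContext $NamingContext -Server $Server

    # The sorted HIBP file is binary-searched on disk, so the multi-GB list is never loaded into memory.
    $report = $accounts | Test-PasswordQuality -WeakPasswordHashesSortedFile $HibpNtlmFile

    # Accounts whose NTLM hash appears in HIBP: candidates for a forced reset (enabled ones first).
    $accounts | Where-Object SamAccountName -in $report.WeakPassword |
        Select-Object SamAccountName, DisplayName, DistinguishedName, Enabled |
        Export-Csv (Join-Path $OutDir "pwned-$stamp.csv") -NoTypeInformation

    # Password reuse across accounts (e.g. a user and their admin account) is a finding too.
    $groupId = 0
    $report.DuplicatePasswordGroups | ForEach-Object {
        $groupId++
        foreach ($name in $_) { [pscustomobject]@{ Group = $groupId; SamAccountName = $name } }
    } | Export-Csv (Join-Path $OutDir "reuse-$stamp.csv") -NoTypeInformation

    return $report
}

# Run the audit whenever this file is executed (e.g. by the scheduled task registered below).
Invoke-PwnedPasswordAudit | Out-Null

# Run these lines once, interactively, to register a weekly run (Sunday 02:00) under a dedicated
# service account, so the audit repeats without anyone remembering to do it.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument '-NoProfile -File C:\Audit\Invoke-PwnedPasswordAudit.ps1'
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc_pwaudit' -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'AD Pwned Password Audit' -Action $action -Trigger $trigger -Principal $principal
```

The service account needs replication rights on the DC, so treat it like any other DCSync-capable identity and keep the report directory ACL'd to the security team.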

2. Lithnet Password Protection for Active Directory

Lithnet provides deep integration between the HIBP password DB and Active Directory. Lithnet not only checks for pwned passwords, but also blocks a user from setting a new password that is part of the pwned passwords list or a dictionary.

These are some of the features of Lithnet:

  • Block compromised passwords from being used.
  • Block passwords based on certain words.
  • Define complexity policies based on length.
  • Regular expression-based policies.
  • Points-based complexity.

Lithnet supports writing logs to the Windows event log, which helps administrators create alerts whenever someone tries to set a pwned password.

3. Compromise Checker

Compromise Checker is a simple GUI-based tool which uses the HIBP database to check for pwned passwords. It lets you check users from a specific OU.

4. Identifying Pwned Passwords using Microsoft/Forefront Identity Manager v2, k-Anonymity

HIBP Pwned Passwords has API support as well. This tool from Kloud supports checking for pwned passwords in Active Directory by leveraging the HIBP API.

This is how this tool works:

  • takes the new password received from PCNS
  • hashes the password to SHA-1 format
  • looks up the v2 HIBP API using part of the SHA-1 hash
  • updates the MIM Service with the Pwned Password status
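The four steps above, as an added PowerShell example that is not the Kloud/MIM tool's own code: hash the password with SHA-1, send only the first five hex characters to the HIBP range endpoint (https://api.pwnedpasswords.com/range/), and search the returned suffixes locally. The sample range response is constructed so the code runs offline; its suffixes and counts are not real HIBP data.

```powershell
# Added example (not the Kloud/MIM tool's own code): the k-anonymity lookup described above.
# The password and its full hash never leave the host; HIBP only ever sees a 5-character prefix.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Password)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password))
        return ([System.BitConverter]::ToString($bytes) -replace '-', '')   # 40 upper-case hex chars
    } finally { $sha1.Dispose() }
}

# Parse a range response ("SUFFIX:COUNT" per line) and return the breach count for our suffix, or 0.
function Find-SuffixCount {
    param([string]$RangeBody, [string]$Suffix)
    foreach ($line in ($RangeBody -split '\r?\n')) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $Suffix) { return [long]$parts[1] }
    }
    return 0
}

function Test-PwnedPassword {
    param([Parameter(Mandatory)][string]$Password, [string]$RangeBody)
    $hash   = Get-Sha1Hex $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    if (-not $RangeBody) {
        # Live lookup; Add-Padding makes every range the same size so response length leaks nothing.
        $RangeBody = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                                       -Headers @{ 'Add-Padding' = 'true' }
    }
    return Find-SuffixCount -RangeBody $RangeBody -Suffix $suffix
}

# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6).
# The second suffix and both counts are made up for an offline run; they are not HIBP data.
$sampleRange = @"
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0123456789ABCDEF0123456789ABCDEF012:1
"@

# A non-zero count means "seen in a breach": the MIM flow would set the Pwned status and reject it.
$count = Test-PwnedPassword -Password 'password' -RangeBody $sampleRange
if ($count -gt 0) { "Password found $count times in the sample range: reject" } else { "Not found" }
```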

In this way you don’t have to download the pwned passwords every time they are updated in HIBP. You need an API key, which was once free and now costs US$3.50 per month. After this announcement, this tool supports using a downloaded database of pwned passwords. An updated version is listed here.

Dictionaries to use in addition to HIBP

Some of the tools listed above support checking passwords against any dictionary or password list. If you are looking for such a list, SecLists is a great resource I would recommend. It contains various password dictionaries used by white/black hat hackers.

Troy Hunt has done incredible work by creating HIBP, and many organizations, including governments, are using it. Take a look here to find the different tools using the HIBP API. There is even a domain search which allows companies to find out if any of the accounts in their domain are part of a data breach.

Use these tools to identify weak or pwned passwords in your enterprise. Let me know if you are using any other tools to defend against weak and pwned passwords in your environment.
