Audit and Password Cracking in Active Directory: Steps and Tools


Audit and Password Cracking in Active Directory: Steps and Tools

Hello! Today we will discuss an important topic: checking password security in Active Directory. Why is this necessary? Because strong passwords are the key to your organization's security. In this article, you will learn how administrators and information security specialists can verify that password policies are effective and detect weak passwords.

Step 1: Prerequisites:

The first step in auditing passwords is to extract password hashes from the Active Directory database. For this task, we will use the DSInternals PowerShell module, which you can download here. Copy it, for example, to the C:\New Folder directory on the domain controller.

Step 2: Copying the NTDS database from the shadow copy:

Now, since the NTDS database file is locked while the directory service is running, it cannot be copied directly, so we need to use a shadow copy. Launch PowerShell with administrator privileges and execute the following commands:

$path = "C:\New folder\"
cd $path
# Create a new shadow copy of the system volume
vssadmin create shadow /for=C:
# List shadow copies newest first, so that $vss[0] is the one just created
# even if older shadow copies already exist on the volume
$vss = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate -Descending |
    Select-Object DeviceObject, ID)
$vss[0]

PowerShell - creating a shadow copy

Unfortunately, I encountered errors when copying data directly from PowerShell, so perform the copy from cmd, run as an administrator:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy317\Windows\NTDS "C:\new folder"

Replace "HarddiskVolumeShadowCopy317" with the actual number of the shadow copy you just created, as shown in the DeviceObject value of $vss[0].

cmd - copying data from the shadow copy

Step 3: Extracting password hashes and analysis:

After copying the files, return to PowerShell, delete the shadow copy, bring the copied database into a consistent state, and execute the following commands to extract the password hashes of all enabled users:

# Remove the shadow copy that is no longer needed
vssadmin.exe delete shadows /shadow="$($vss[0].ID)" /quiet
# Replay the ESE transaction logs (edb*.log) into the copied ntds.dit
esentutl /r edb /d
Import-Module -Name .\DSInternals
# The boot key of this domain controller is needed to decrypt the hashes
$key = Get-BootKey -Online
# Read all accounts from the copied database and keep only enabled ones
$dump = Get-ADDBAccount -All -DBPath '.\ntds.dit' -BootKey $key | Where-Object { $_.Enabled -eq $true }
# Write user accounts in pwdump format (user:rid:lmhash:nthash:::)
$dump | Where-Object { $_.SamAccountType -eq "User" } | Format-Custom -View PwDump | Out-File -FilePath users.pwdump -Encoding utf8
# Clean up the copied database and log files
Remove-Item *edb*
Remove-Item *ntds*

Powershell - obtaining user password hashes

Important!!! The resulting file is extremely sensitive. Keep it secure and prevent it from leaking! I would recommend deleting it irreversibly immediately after analysis. Do not leave it on the server after generation.

Simplified version of the previous steps:

I have created a program that performs the previous steps automatically in a matter of seconds.

You can download it here.

The program's GitHub project, if someone needs the source code, can be found here.

If you find the program useful, donations are welcome.

Result of the getADHashes program

Step 4: Password Hash Analysis and Cracking:

The obtained password hashes can be analyzed for duplicate values and for weak passwords. If the same hash (and therefore the same password) appears for multiple users, that is a reason for concern and for organizational measures.

List of obtained password hashes from Active Directory with duplicate password values

For additional checks on how weak the passwords are, you can use the Hashcat program, which you can download here, and various password dictionaries available on the weakpass.com website.

In the program's folder, you can create a subfolder called Dictionaries and copy the required dictionaries into it.

Also, in the program's folder, you need to create a list of unique hashes with the name hacklist.txt. To keep only unique hashes, you can import the previously obtained data into Excel and remove duplicates.

Run the password cracking with the following command:

hashcat.exe hacklist.txt Dictionaries\* -m 1000

Executing password cracking with Hashcat

After the cracking is complete, you can view the list of recovered passwords in hashcat.potfile. By matching the hashes of weak passwords back to the users who have them, you can prompt those users to change their passwords.
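The two analysis steps described above (finding hashes shared between several accounts and preparing the unique-hash list for hacklist.txt, and then matching the hashes in hashcat.potfile back to the accounts that must change their password) can be done without Excel. The following script is an added example and is not part of the original article or of the getADHashes program. It assumes the users.pwdump format written by the DSInternals PwDump view (user:rid:lmhash:nthash:::), assumes that DSInternals names password-history entries with a _historyN suffix so they can be skipped, and reads the potfile as hashcat writes it for -m 1000 (nthash:plaintext). The sample lines embedded in the script are constructed; the only real values are the NT hash of the empty password and the NT hash of the word "password". It deliberately reports which accounts were cracked without keeping the plaintexts.

```python
"""Audit helpers for a DSInternals PwDump export and a hashcat potfile."""
import re
from collections import defaultdict

# NT hash of the empty string: an account with this hash has no password set.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample input in pwdump format (user:rid:lmhash:nthash:::).
# 8846... is the NT hash of "password"; the other NT hashes are made up.
SAMPLE_PWDUMP = """\
alice:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
alice_history0:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
carol:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dave:1108:aad3b435b51404eeaad3b435b51404ee:ABCDEF0123456789ABCDEF0123456789:::
svc_backup:1109:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

# Constructed sample potfile lines (nthash:plaintext), as hashcat -m 1000 writes them.
SAMPLE_POTFILE = """\
8846f7eaee8fb117ad06bdd830b7586c:password
abcdef0123456789abcdef0123456789:Summer2023!
"""

# Assumption: DSInternals labels password-history entries as <user>_history<N>.
HISTORY_SUFFIX = re.compile(r"_history\d+$")
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_pwdump(text):
    """Return {sAMAccountName: nthash (lowercase)} for current passwords only."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, nthash = parts[0], parts[3]
        if HISTORY_SUFFIX.search(user) or not HEX32.match(nthash):
            continue
        accounts[user] = nthash.lower()
    return accounts


def find_shared_hashes(accounts):
    """Hashes used by more than one account -> sorted list of those accounts."""
    by_hash = defaultdict(list)
    for user, nthash in accounts.items():
        by_hash[nthash].append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def empty_password_accounts(accounts):
    """Enabled accounts whose NT hash is that of the empty password."""
    return sorted(u for u, h in accounts.items() if h == EMPTY_NT_HASH)


def unique_hashes(accounts):
    """Deduplicated hash list, i.e. the content of hacklist.txt."""
    return sorted(set(accounts.values()))


def parse_potfile(text):
    """Return the set of NT hashes hashcat has cracked; plaintexts are discarded."""
    cracked = set()
    for line in text.splitlines():
        h, sep, _plaintext = line.partition(":")
        if sep and HEX32.match(h):
            cracked.add(h.lower())
    return cracked


def users_to_notify(accounts, cracked):
    """Accounts whose current password was cracked and must be changed."""
    return sorted(u for u, h in accounts.items() if h in cracked)


if __name__ == "__main__":
    acc = parse_pwdump(SAMPLE_PWDUMP)
    for h, users in find_shared_hashes(acc).items():
        print(f"shared hash {h}: {', '.join(users)}")
    print("accounts with an empty password:", empty_password_accounts(acc))
    print("hacklist.txt entries:", len(unique_hashes(acc)))
    print("must change password:", users_to_notify(acc, parse_potfile(SAMPLE_POTFILE)))
```

To use it on real data, replace the two sample strings with the contents of users.pwdump and hashcat.potfile, write unique_hashes() to hacklist.txt before running Hashcat, and treat the script's output with the same care as the pwdump file itself.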

Result of the cracking

Ending our discussion on password checking in Active Directory, remember that ensuring data security is a key task. Analyzing and improving password policies will help make your organization more secure from potential threats.

Do not forget about legal and ethical standards in this process.
