Active directory password audit best practices
Passwords are the bane of any IT Security Officer's life, but as they are still the primary way of authenticating users in Active Directory, it's a good idea to check that your users are making good password choices. Unfortunately, the built-in Active Directory password policies (minimum length, complexity, history and age) do little to stop users from choosing passwords that are technically compliant but trivially guessable or already present in public breach lists.
This blog describes how you might audit existing passwords to check that no weak, easy-to-guess, or known leaked passwords are being used in your organization.
The manual way: Step-by-step guide
The process discussed here will generate files with extremely sensitive data (every account's NT hash) that could itself lead to a compromise of your passwords and network. If this kind of thing is new to you, I'd suggest practising on a test domain first, rather than your live Active Directory. Warnings out of the way, let's get started.
First, you'll need a copy of your password hashes from AD. This is straightforward as long as you're logged into a Domain Controller (DC) with a Domain Admin level account. Run ntdsutil from an elevated command prompt, then set the active instance to ntds by typing (ntdsutil accepts abbreviated commands, so the short form below is equivalent to activate instance ntds):
act ins ntds
Then enter the Install From Media menu with:
ifm
Which lets you dump the AD database and the SYSTEM registry hive:
create full c:\audit
You should see output similar to the screenshot below:
Following these steps will write NTDS.dit to c:\audit\Active Directory\ and the SYSTEM hive to c:\audit\registry\. ntdsutil reads them from a Volume Shadow Copy snapshot, so the live database is never touched directly; type quit twice to leave ntdsutil. The dump contains every account's current NT hash (and, where history is kept, the hashes of older passwords too), so treat the c:\audit folder as domain-compromising material from this point on.
However, for security reasons you don't want a copy of your password hashes sitting on a network-connected device. Once you've got the files, copy them from your DC to a PC that's disconnected from the network (preferably a fast one with a decent graphics card), then delete them from the DC. An NT hash is as good as the password itself for pass-the-hash, so treat the copy with the same care as a Domain Admin credential and wipe it once the audit is done.
Next step is to extract the password hashes from the database. I'd recommend a free tool from GitHub that I've found reliable: NTDSAudit from Dionach.
Place NtdsAudit.exe in the same folder as your ntds.dit and SYSTEM files (the IFM dump puts them in separate subfolders, so copy them together first), then run the following command:
NtdsAudit.exe "ntds.dit" -s "SYSTEM" -p pwdump.txt --users-csv users.csv
You should end up with a similar screen to the one below. This gives you some helpful account statistics as well as the two files: pwdump.txt, with one line per account in standard pwdump layout (user:rid:lmhash:nthash:::), and users.csv.
We've now got the password hashes and can attempt to crack them. There are lots of tools to choose from, but most will be flagged by antivirus software, so you may need to add an exclusion for your working folder (preferable to switching protection off entirely, even on an offline machine). Choose what works best for you; for this blog I'll use hashcat.
Download hashcat or build it from source and place it somewhere on your computer of choice. A discrete graphics card is preferable, as a fast GPU computes far more candidates per second; cracking NTLM hashes on CPU alone is slow. You'll also need the correct GPGPU compute framework installed for your platform, whether that's CUDA, HIP, or OpenCL (that configuration is outside the scope of this guide).
You'll also need a wordlist to attack the hashes with, as a brute-force or mask attack can be very slow. We'll use rockyou.txt, a common starting point for dictionary attacks. It ships out of the box with Linux distributions such as Kali Linux, but you'll need to download it yourself on a Windows host. Windows Defender will flag hashcat as malware, so if you're working on Windows add an exclusion for the directory you're working from.
Navigate to the folder you've downloaded hashcat to, or if you've installed it from your package manager, navigate to a working directory. You can then run hashcat from the command line with the following command, modified as required for your operating system:
./hashcat -m 1000 -O -w3 pwdump.txt rockyou.txt
This runs hash mode 1000 (NTLM) with an optimized kernel (-O, which caps candidate length at 27 characters for NTLM but is noticeably faster) at workload profile 3 (-w3), using the appropriate hardware available on the machine. If you've installed the required compute frameworks, this should use your discrete GPU by default. Cracked hashes are written to hashcat.potfile; re-run the same command with --show to list them. If hashcat rejects the pwdump lines, either run it with --username or extract just the 32-character NT hash column into a separate file first.
Because no rule is specified, this is a plain dictionary attack: it uses each line of rockyou.txt as a candidate without modifying it. A follow-up attack can apply a rule set of your choice, in this case OneRuleToRuleThemAll.rule from NotSoSecure's password_cracking_rules repository on GitHub:
./hashcat -m 1000 -O -w3 pwdump.txt rockyou.txt -r OneRuleToRuleThemAll.rule
This mangles each wordlist entry (capitalising, appending digits and symbols, substituting characters and so on) to create new candidates based on patterns observed in other breach datasets. It takes longer than the plain dictionary attack, but it generates candidates that were not present in the first run. hashcat skips hashes already in the potfile, so the second run only works on what the first left uncracked.
You can then use other attack types, with different dictionaries and rules, or run a brute-force attack if you need to. Hopefully you've cracked some of the passwords in the Active Directory dump you're working from, but this may take some trial and error depending on the password hygiene of your users.
You can move on to other wordlists, such as COMB or a current dataset from hashmob.org, and other rule sets, but expect some experimenting, as it's more an art than a science.
The automated (and easier!) way to find compromised passwords
The manual process we just walked through can be a useful way of figuring out if you’ve got a problem. However, it’s not something you want to be doing all the time. Adding a third-party solution to your Active Directory such as Specops Password Policy can keep you on top of compromised passwords automatically.
Specops Password Policy uses our Breached Password Protection feature to scan your Active Directory against a list of 3 billion unique weak and compromised passwords. Our research team’s attack monitoring data collection systems update the service daily to ensure your network is protected from real-world password attacks happening right now. This can all be set up through a simple integration with your Active Directory.
All users will be prevented from using known compromised passwords and guided towards creating a different password that fits your policy. On top of that, if continuous scan is activated, users will be alerted by SMS or email as soon as their password has been discovered to be compromised. Looking for a simple but effective security tool to rid your organization of breached passwords? Try Specops Password Policy for free today.
(Last updated on October 26, 2023)