Active directory password audit best practices
(Last updated on February 17, 2020)
Passwords are the bane of any IT Security Officer's life, but as they are still the primary way of authenticating users in Active Directory, it's a good idea to check that your users are making good password choices. Unfortunately, the built-in Active Directory policies do not do much to stop users from making poor password choices.
This blog describes how you might audit existing passwords to check that no weak, easy-to-guess, or known leaked passwords are being used in your organization.
Any information and tools discussed here should be treated with the utmost care, as the passwords revealed and the files generated could lead to a compromise of your network. As such, I would recommend that you practice what is discussed here on a test domain first, not on your live AD or a restored copy of it. Only once you are happy with what you are doing and the appropriate safeguards are in place (i.e. the audit is done on an isolated and secure PC, and the appropriate permissions from senior management have been granted) should you use any of these tools/procedures on your live AD database.
I'll be dealing with AD based on 2008 R2 and above servers. First of all, we have to get a copy of the password hashes from AD. Provided you are logged in to a DC with a Domain Admin level account, this is quite a simple process. Simply run ntdsutil from an elevated command prompt, then set the active instance to ntds by typing:
Act ins ntds
Then use the Install From Media (ifm) command to dump the AD database and the SYSTEM file:
Create full c:\audit
You should see a screen similar to the one below:
This will dump the NTDS.dit and SYSTEM files into the c:\audit folder.
For security reasons, we don't want to keep a copy of the password hashes on any network-connected machine. Now that you have these files, move them from your DC to a fast PC, ideally one with a decent GPU (graphics card), and disconnect that PC from the network. Remember to delete the files from the DC.
Now that we have these files, we need to dump the password hashes from the database. There's a really good utility from Dionach called NTDSAudit that can do this reliably; you can get it from GitHub for free:
Place NTDSAudit.exe in the same folder as your NTDS.DIT and SYSTEM files and run the following command:
Ntdsaudit.exe "ntds.dit" -s "SYSTEM" -p pwdump.txt --users-csv users.csv
It should output a screen similar to the one below, with some useful stats in it, and also two files: pwdump.txt and users.csv.
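Before handing pwdump.txt to a cracker, it is worth triaging it offline for findings that need no cracking at all: accounts sharing one NT hash (the same password reused across users, as seen later in this post), hashes matching a list of known-leaked NT hashes, empty passwords, and accounts that still have an LM hash stored. The script below is an added example, not part of NTDSAudit or this post; it assumes the standard pwdump line layout (user:rid:LM:NT:::) and uses a constructed sample file and a constructed "known compromised" set, reporting only account names, never plaintext.

```python
"""Offline triage of a pwdump-style file (user:rid:LM:NT:::) such as the one NTDSAudit writes.
Reports accounts needing remediation without revealing any plaintext password."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed sample input, not real data. The NT hash on the first two lines is the
# widely published hash of the word "password"; the other values are made up.
SAMPLE_PWDUMP = """\
CORP\\alice:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\bob:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\carol:1107:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\legacy:1108:e52cac67419a9a224a3b108f3fa6cb6d:0123456789abcdef0123456789abcdef:::
CORP\\svc_test:1109:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
# Constructed stand-in for a list of NT hashes known to be leaked (e.g. from a breach corpus).
KNOWN_COMPROMISED_NT = {"8846f7eaee8fb117ad06bdd830b7586c"}


def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0]:
            continue
        records.append((parts[0], parts[1], parts[2].lower(), parts[3].lower()))
    return records


def audit(text, compromised=KNOWN_COMPROMISED_NT):
    """Group findings by category; each value is a sorted list of account names."""
    records = parse_pwdump(text)
    by_nt = defaultdict(list)
    for user, _rid, _lm, nt in records:
        by_nt[nt].append(user)
    return {
        # several accounts with one NT hash are using the same password
        "shared_password": sorted(u for users in by_nt.values() if len(users) > 1 for u in users),
        "known_compromised": sorted(u for u, _r, _l, nt in records if nt in compromised),
        "empty_password": sorted(u for u, _r, _l, nt in records if nt == EMPTY_NT),
        # a stored LM hash means the password is also protected only by the weak LM scheme
        "lm_hash_stored": sorted(u for u, _r, lm, _n in records if lm != EMPTY_LM),
    }


if __name__ == "__main__":
    for category, users in audit(SAMPLE_PWDUMP).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Run it on the real pwdump.txt only on the isolated audit PC, and treat its output as sensitive.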
Now that we have the password hashes, we can attempt to crack them. There are many tools available. Most will be flagged and quarantined by any anti-virus software that you have, so you may have to disable any such systems.
Some of these tools are command-line based and some have GUIs; for ease of use in this blog I'll be using Cain & Abel: http://www.oxid.it/cain.html
Open Cain as an administrator, select the Cracker tab, then right-click anywhere in the "white" area and choose Add to list from the context menu.
Select Import hashes from a text file, choose your pwdump.txt file, and click Next.
We now need to load our plain-text dictionary (or dictionaries). Right-click on the right-hand pane again and choose Dictionary Attack > NTLM Hashes.
Right-click on the white File area, and choose Add to list.
Then browse to your plain-text file. You can see in the screenshot above that I have one called SpecopsMaster.txt.
Once you have your lists in place, you can also add permutations to the list, such as reverse, case, l337 speak, character substitutions, and so on. Alternatively, you can run As Is (Password) for the fastest scan, which will only look for exact matches.
Hit Start and see what you get!
In my example above we can see that it found 4 passwords. If you click the Exit button you will be able to see which users have used those compromised words. As you can see, they have been used by multiple users.
Now we know that we have a weak password problem in our organisation. How can we fix it, or enforce and promote better passwords (or maybe passphrases)? Well, for that you need to look at third-party tools such as Specops Password Policy.
In summary, it's good to audit Active Directory passwords. Just make sure that you have the right tools and that anything you do discover is secured and remedied as soon as possible. Any sensitive data, such as username and password pairs, your extracted NTDS.DIT and SYSTEM files, and the pwdump.txt file, should also be properly deleted.