Craig Hays

You are here: Home / Archives for Password Quality Auditing

Password Quality Auditing

Enforcing better Active Directory passwords (Password audit part 3)

By Leave a Comment

Reading Time: 3 minutes

(This is the third and final post of a three part series on Microsoft Active Directory password quality auditing)

Following on from part 2 where we used DS-Internals to extract NT hashes and John the Ripper to crack them, in this post we cover what to actually do with all of this (usually worrying) information.

What to do with a list of cracked passwords

Now that John has done his good work, you will likely have a list of passwords and their associated user accounts from some of your users. Once you’ve gotten off the floor and climbed back into your chair, you may start to think: “This is great! We can see exactly who has bad passwords. If they were good we wouldn’t have cracked them so easily.” So now what…

[Read more…] about Enforcing better Active Directory passwords (Password audit part 3)

Cracking Active Directory passwords (Password audit part 2)

By Leave a Comment

Reading Time: 4 minutes

John the Ripper loves cracking Active Directory password hashes and your users love ‘Password1!’

(This is the second of a three-part series on Microsoft Active Directory password quality auditing and password cracking)

Following on from part 1 where we used DS-Internals to do some basic password quality auditing, in this post, we extract all of your password hashes from Active Directory and crack them with John the Ripper.

Cracking passwords with DS-Internals

In the previous post, we covered using DS-Internals to do a password quality audit. We did this by using the PowerShell module to examine account configurations for vulnerabilities and we provided a plain text password dictionary for brute forcing our users’ passwords. While the audit for configuration insecurities is excellent, the literal dictionary of passwords to use for cracking is not the most efficient way to do it. Nor is the output of sufficient quality to be as useful as it could be. This isn’t a criticism of the tool, it just isn’t what the tool specialises in.

When you provide a list of thousands of passwords, including globally well-known passwords and company-specific ones such as ‘Company1’ or ‘C0mp4ny123!’, DS-Internals will only tell you is a user password is found in that dictionary. It won’t suggest other similar formats such as ‘Company11111111’ which could also be in use. This is great for identifying users who need to change their passwords to something more secure, provided that you managed to create a comprehensive wordlist on your own. Which most of us probably can’t.

A better way to crack Active Directory passwords

DS-Internals is designed to let us overcome this challenge. Built in is an extensive hash export utility that will provide a range of hash table formats. My personal favourite cracking tool is John the Ripper and output support is built right in.

To export all user hashes from AD use the following:

[Read more…] about Cracking Active Directory passwords (Password audit part 2)

Brute force attack your own users (Password audit part 1)

By Leave a Comment

Reading Time: 6 minutes

The bad guys are already doing it. Here’s why and how you should do it too.

(This is the first of a three-part series on Microsoft Active Directory password quality auditing and password cracking)

If your company has anything exposed to the internet, attackers are already brute force attacking your user’s passwords. All day, every day. There are very few things you can do to stop them. Our best hope is to slow them down as they circumvent every countermeasure we put in place and ensure that users have passwords strong enough to withstand a low volume brute force attack.

[Read more…] about Brute force attack your own users (Password audit part 1)