A common approach to gaining access into an Active Directory environment is to crack the password of a specific target user through means of brute-force or dictionary attacks. Built-in password policies for Active Directory can reduce the success rate of brute-force or dictionary attacks and will often prohibit access to accounts with too many failed login attempts.
However, the smarter way to attack an Active Directory environment is to attempt only a few logins using statistically proven common passwords, such as the combination of year, season or month (e.g. Summer2018). Since many companies enforce seasonal password changes, the average worker may decide to use a password of this type, as it is easy to remember and adheres to most common password complexity policies. Furthermore, an attacker may perform a “password spraying”-attack, in which the attacker attempts a single login using the same (common) password for all enabled users in the environment, granting a higher chance of success despite no users being prohibited access. This is especially effective in environments where the average personnel is not properly trained in generating strong passwords.
Offline attacks against passwords might also be possible, e.g. if an attacker obtains an encrypted representation of the password, often NTLM(v1/v2) authentication over the network or inside a Kerberos ticket (Kerberoasting attack).
A great way to defend your Active Directory environment against this type of attack is to ensure that no account in the environment has a password that can be found in any major public database leaks, nor has a statistically proven common (“weak”) password.
This also aligns very well with the latest guidelines from NIST about passwords:
… verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to: a) Passwords obtained from previous breach corpuses. b) Dictionary words. C) Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’). D) Context-specific words, such as the name of the service, the username, and derivatives thereof.
Get-bADpasswords
Here at Improsec we strive to improve security (as our company name suggests), and to this end, we have developed a lightweight open-source module that can scan your Active Directory environment for insecure (weak or leaked) passwords.
Pwned Passwords by Troy Hunt
Troy Hunt, the owner and creator of https://haveibeenpwned.com (a website that allows you to test if your credentials have been present in any major public leaks), created a sub-service on his website called “Pwned Passwords”. The purpose of this service was to allow regular users to scan major leaks for the presence of their own personal password(s), and to this end, Troy Hunt has generated and released to the public, a large combined list of 517 million password hashes from various public leaks.
Our module will compare all passwords in the Active Directory replica objects against this list and report all matches. Originally, we wanted to write this part of the module in PowerShell, but since the amount of data is overwhelming, we wrote this part of the module in a native language (in this case C++) to achieve acceptable performance.
How Get-bADpasswords work
In short terms, the module will query the Active Directory environment for all enabled user objects (using the DCSync protocol as implemented in Michael Grafnetters DSInternals module) and compare the password hashes of each distinct user against a predefined list of weak passwords, as well as a dynamic list of custom weak passwords (that may be customized). More lists can be added if required. Afterwards, it will compare the remaining passwords (the ones that are not considered “weak”) against the Troy Hunt list. All findings will be reported in a log-file, as well as an additional CSV-file, and an e-mail for your IT-security-management.
The overall workings of the module is depicted in the illustration below:
Acquiring the module
Our module is freely available, and can be found at:
https://github.com/improsec/Get-bADpasswords