AD password auditing Part-1

Get rid of those bad passwords in your organisation: if you can crack them, so can an attacker. There is a lot of debate about how much this kind of audit can really help. To see its benefits, give it a go and see how many bad passwords are lurking in your organisation. You will be baffled to find famous holiday spots, football clubs and, of course, lots of P@$$w0rd123's.

Process:

We will audit Active Directory and collect a password dump, then put it through hashcat (a tool designed to crack passwords) to try to crack all the passwords. The hoped-for end result is that no hashes are cracked (a cracked hash means a weak password), but that is 99.99% unlikely.

Tools Needed:

“NtdsAudit”: a simple tool designed to dump AD password hashes. You can download it from https://github.com/Dionach/NtdsAudit/releases. You can find more information about the tool at https://github.com/Dionach/NtdsAudit/blob/master/README.md

.NET 4.6 or later on your Windows server is needed for the above tool to run successfully.

Kali Linux to crack passwords

A good password list (use any password list, but get the latest and greatest one; I have one with around 10 million breached passwords).

Collecting hashes:

Log in to a Windows Server domain controller (most important) and open a command prompt with admin privileges to run the following commands.

C:\> ntdsutil

ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\passwords
ifm: quit
ntdsutil: quit

This will create the backup on the C: partition.

[Screenshot: ntdsutil output]

Navigate to the C:\passwords\Active Directory folder and copy into it the NtdsAudit.exe file you obtained from the above URL.

Now run the following command to capture all password hashes and save them to a text file called pwdump.txt; the list of all users will be exported to users.csv.

ntdsaudit ntds.dit -s SYSTEM -p pwdump.txt -u users.csv

[Screenshot: output of the above command]

[Screenshot: preview of the users file]

[Screenshot: preview of the hashes in pwdump.txt]

pwdump.txt is the file we will pass to hashcat for password cracking.
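Before any cracking, pwdump.txt already answers some audit questions from the hashes alone. The following is an added example (not part of the original post or of NtdsAudit) that assumes the usual pwdump line layout user:rid:lmhash:nthash::: and runs on a constructed sample; it reports blank passwords, stored LM hashes, and accounts that share a password.

```python
import re
from collections import defaultdict

# Well-known LM and NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample in pwdump layout; account names and hashes are made up,
# apart from the two empty-password constants above.
SAMPLE = """\
CORP\\alice:1104:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\bob:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\svc_backup:1106:22222222222222222222222222222222:33333333333333333333333333333333:::
CORP\\guest2:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\\WS01$:1108:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
not a pwdump line
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and HEX32.fullmatch(parts[3]):
            yield parts[0], parts[1], parts[2].lower(), parts[3].lower()

def audit(text, include_machines=False):
    """Summarise password hygiene problems visible from the hashes alone."""
    by_nt = defaultdict(list)
    report = {"blank": [], "lm_stored": [], "shared": {}}
    for user, _rid, lm, nt in parse_pwdump(text):
        if user.endswith("$") and not include_machines:
            continue  # computer accounts use random machine passwords
        if nt == EMPTY_NT:
            report["blank"].append(user)
            continue
        if HEX32.fullmatch(lm) and lm != EMPTY_LM:
            report["lm_stored"].append(user)  # weak legacy LM hash present
        by_nt[nt].append(user)
    report["shared"] = {h: u for h, u in by_nt.items() if len(u) > 1}
    return report

if __name__ == "__main__":
    r = audit(SAMPLE)
    print("blank password:", r["blank"])
    print("LM hash stored:", r["lm_stored"])
    for users in r["shared"].values():
        print("same password:", users)
```

To run it on the real dump, pass the contents of pwdump.txt to audit(). Treat pwdump.txt and the c:\passwords backup as being as sensitive as the domain controller itself, and delete them when the audit is finished.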
