A tool to evaluate the password health of Active Directory accounts. This script will take a list of accounts, a list of cracked passwords, and a list of password rules to determine the health of Active Directory accounts. It will identify weak passwords leveraging user defined rules such as common words and or password length.
Running the script will produce two output files
Use Impacket's secretdsdump.py to extract hashes from Active Directory using either the online or offline method.
Example online extraction command:
python secretsdump.py -output secretsdump_example -pwd-last-set -user-status acme.com\Administrator:[email protected]
The
-user-statusand-pwd-last-setflags are optional, but increase the effectiveness of data manipulation
The resulting output file will be provided to this script using the
-S flag. There is an example file here:
Examples/secretsdump_example.ntds
Crack by running:
john --format=nt --wordlist=rockyou.txt secretsdump_example.ntds
Create an output file of all the cracked NTLM hashes with:
john --format=nt --show secretsdump_example.ntds > cracked_ntlm
The resulting output file will be provided to this script using the -J
flag. There is an example file here: Examples/cracked_ntlm.txt
Additional Active Directory account information can be passed in to
enrich the output file form this script. The input file must be in CSV
format and must contain a column named SamAccountName, used to match
the user accounts. There is an example file in Examples/Get-ADUser.csv
directory.
One way to get this type of additional data is to use the PowerShell Get-ADUser cmdlet and export the results to a CSV. You can install the Active Directory PowerShell module on your workstation using this blog post: https://4sysops.com/archives/how-to-install-the-powershell-active-directory-module/.
An example command to generate the CSV file:
Get-ADUser -Filter * -Server acme.com -Properties SamAccountName,City, Department|Select-Object -Property SamAccountName,City,Department| Export-Csv -NoTypeInformation -Path C:\Get-ADUser.csv
This script leverages a list of common words to determine if a cracked
password is weak. The file is found at Examples/password_rules.txt.
This list of rules can be changed by the user by
running the script with the -R flag. The provided list contains simple
words such as password or summer. If the word is found in ANY
part of the recovered password, it will be marked as weak. This isn't
always ideal as a password of 3f8!$%Winter33432* would be flagged.
However, experience has shown that this is typically an edge case.
Pro Tip: Add the company name to the password rules files to identify common passwords such as
Acme1234
This script will evaluate recovered passwords to determine if the length
of the cracked password is considered to be weak. The default is
passwords that are less than eight characters (i.e. passwords that are
only seven characters long). This can be changed with the -N flag.
Experience has shown that the password for old accounts and/or administrative accounts don't always follow the domain's password policy.
The script can be run with the --pwned flag to test the recovered passwords
against the Have I Been Pwned API.
Recovered passwords will be labeled compromised if they are discovered in the HiBP
password dump.
The script can be run with the -E flag to exclude the password hashes
and cracked passwords from being included in the output files. This is
useful when the files are delivered to departments as part of reporting.
Active Directory stores information for both user and machine accounts.
On average, the machine account information isn't valuable. By default,
the script does not include information about machine accounts. The
--machine flag can be provided to include information on machine
accounts.
Experience has shown that sometimes machine accounts have weak passwords. This could be fruitful for a penetration tester.
The output files will always start with ADPassHealth_ followed by a
time stamp and end with either Data.csv or Metrics.csv (i.e.
ADPassHealth_20170907-223411-Data.csv). There is an example of each in
the Examples directory.
- If the LM hash is blank (i.e.
AAD3B435B51404EEAAD3B435B51404EE), it is not counted. This is to say that the account is currently configured with a LM password hash and we want to know that. - 'local' accounts are any accounts that were not prepended with a
domain name (i.e.
acme.com\Bellawould not be local) - Machine accounts are any account names that end with
$
Image was edited
The Examples directory contains example files that can be used to test
the script.
ADPassHealth_20170910-135811-Data.csv- An example of the output data file.ADPassHealth_20170910-135811-Metrics.csv- An example of the output metrics file.cracked_ntlm.txt- An example of the output from John using the--showcommand to show cracked hashes fromsecretsdump_example.ntds.Get-ADUser.csv- An example of the output from the PowerShell Get-ADUser cmdlet.password_rules.txt- An example list of password rules used to determine if a password is weak. This is the default file if one isn't provided.secretsdump_example.ntds- An example file of the output from Impacket's secretsdump.py.source_data.xlsx- An Excel file used to generate usernames, passwords, hashes, domains, machine accounts, city, and department information.
Example command:
python ADPasswordHealth.py -J Examples/cracked_ntlm.txt -S Examples/secretsdump_example.ntds -A Examples/Get-ADUser.csv -O ./Examples/ --machine
usage: ADPasswordHealth.py [-h] -J JOHN -S SECRETS [-R RULES] [-A ADUSERINFO]
[-N NUMBER] [-M] [-E] [--machine] -O OUTPUT
[--verbose] [--debug] [--pwned]
optional arguments:
-h, --help show this help message and exit
-J JOHN, --john JOHN A file with the output from John using the --show flag
or hashes in this format ACME.COM\john:cracke
dPassword:RID:LMHash:NTLMHash::: (pwdLastSet)
(status). The pwdLastSet and status parts are
optional.
-S SECRETS, --secrets SECRETS
The output from extracting a NTDS.dit file using
secretsdump.py. Example command is:
secretsdump.py -outputfile secretsdump_acme
-pwd-last-set -user-status
acme.com\[email protected]
-R RULES, --rules RULES
A file containing a list of words, each on a new line,
that are used as rules to determine if a password is
weak. NOTE: if the cracked password contains the word,
is deemed weak.
-A ADUSERINFO, --aduserinfo ADUSERINFO
An optional data set in the form of CSV output from
PowerShell Get-ADUser user command. Example
command: Get-ADUser -Filter * -Server acme.com
-Properties SamAccountName,City,Department|Select-
Object -Property SamAccountName,City,Department
|Export-Csv -NoTypeInformation -Path C:\Get-
ADUser.csv
-N NUMBER, --number NUMBER
Find all instances where the cracked password is less
than the passed in number. Default is 8
-M, --metrics Disable the calculation of metrics of AD password
health data.
-E, --exclude Exclude cracked password from output
--pwned Check cracked passwords against Have I Been Pwned API
--machine Include machine accounts in results
-O OUTPUT, --output OUTPUT
Output directory
--verbose Enable verbose Output
--debug Enable debug output