Audit AD password hashes against HaveIBeenPwned


This component extracts password hashes using NTDSUTIL (a built-in Microsoft tool) and NtdsAudit.exe and checks them against HaveIBeenPwned. The tool uses the k-anonymity model to ensure that no usable information is leaked from your AD. When run, the component presents a report in STDOUT with some actionable security information, such as accounts that have not been used in 90 days or a year. This is followed by a list of all accounts that are using a password found in the HaveIBeenPwned database. Each account in this list should be corrected by having the user change their password to a unique password.

This component first uses ntdsutil.exe to dump the contents of AD to a folder named c:\m8uOv4sX9HP3Jc00nx (a random string created at the time of writing the component). It then downloads NTDSAudit.exe from the project's GitHub repository and saves it to the above directory. NTDSAudit is then run against the AD data pulled out in the first step, which creates a CSV output file named dump.txt. The component then loops through each row in the CSV file, pulling the password hash, and sends only the first 5 characters of the hash to the NT hash range API, which responds with the remaining characters of all hashes that share those first 5 characters. The component compares the results to see if there is an exact match in the returned data. If there is an exact match, the account info is added to the list of accounts using known breached passwords.
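As an added example (not the component's own code), the prefix-and-suffix comparison described above, written in PowerShell: it reads rows with assumed columns Account and NTHash (the real dump.txt layout is not given here), sends only the first 5 characters of each NT hash to the range API, and reports accounts whose remaining 27 characters appear in the response with a non-zero count. The lookup is injectable, so the run at the bottom uses a constructed response instead of a live call.

```powershell
# Added example, not the component's script. Column names 'Account' and 'NTHash' are assumptions.
function Get-BreachedAccounts {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,      # objects with Account and NTHash properties
        [scriptblock] $RangeLookup = {                # replaceable for offline testing
            param($Prefix)
            Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$Prefix?mode=ntlm" `
                -Headers @{ 'Add-Padding' = 'true' } -UseBasicParsing
        }
    )
    $cache = @{}                                       # one API call per 5-character prefix
    foreach ($row in $Rows) {
        $hash = ($row.NTHash -as [string]).Trim().ToUpperInvariant()
        if ($hash -notmatch '^[0-9A-F]{32}$') { continue }   # skip rows without a usable NT hash
        $prefix = $hash.Substring(0, 5)                # the only part that leaves the domain
        $suffix = $hash.Substring(5)                   # compared locally against the response
        if (-not $cache.ContainsKey($prefix)) {
            $cache[$prefix] = @{}
            foreach ($line in ((& $RangeLookup $prefix) -split "`r?`n")) {
                # Response lines are SUFFIX:COUNT; padded responses add dummy suffixes with count 0
                if ($line -match '^([0-9A-F]{27}):(\d+)$' -and [int]$Matches[2] -gt 0) {
                    $cache[$prefix][$Matches[1]] = [int]$Matches[2]
                }
            }
        }
        if ($cache[$prefix].ContainsKey($suffix)) {
            # Report the account and how often the password was seen, never the hash itself
            [pscustomobject]@{ Account = $row.Account; TimesSeen = $cache[$prefix][$suffix] }
        }
    }
}

# Constructed sample rows standing in for dump.txt; both hashes are made-up values
$sample = @'
Account,NTHash
CORP\alice,ABCDE0123456789ABCDEF01234567890
CORP\bob,11111111111111111111111111111111
'@ | ConvertFrom-Csv

# Constructed range response: only alice's suffix is present with a non-zero count
$fakeLookup = {
    param($Prefix)
    if ($Prefix -eq 'ABCDE') { "0123456789ABCDEF01234567890:1234`r`n" + ('F' * 27) + ':0' }
    else { ('0' * 27) + ':0' }
}
Get-BreachedAccounts -Rows $sample -RangeLookup $fakeLookup | Format-Table   # lists CORP\alice only
```

Remove the -RangeLookup argument to query the live API; the per-prefix cache keeps the number of requests equal to the number of distinct prefixes rather than the number of accounts.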

The output will include the following table, followed by the list of accounts with known breached passwords.

The base date used for statistics is 5/29/2023 7:41:27 PM
Account stats for:
Disabled users _____________________________________________________ 2 of 9 (22.2%)
Expired users ______________________________________________________ 0 of 9 (0%)
Active users unused in 1 year ______________________________________ 2 of 7 (28.6%)
Active users unused in 90 days _____________________________________ 3 of 7 (42.9%)
Active users which do not require a password _______________________ 0 of 7 (0%)
Active users with non-expiring passwords ___________________________ 4 of 7 (57.1%)
Active users with password unchanged in 1 year _____________________ 5 of 7 (71.4%)
Active users with password unchanged in 90 days ____________________ 5 of 7 (71.4%)
Active users with Administrator rights _____________________________ 3 of 7 (42.9%)
Active users with Domain Admin rights ______________________________ 2 of 7 (28.6%)
Active users with Enterprise Admin rights __________________________ 2 of 7 (28.6%)
Disabled computers _________________________________________________ 0 of 8 (0%)
Active computers unused in 1 year __________________________________ 2 of 8 (25%)
Active computers unused in 90 days _________________________________ 3 of 8 (37.5%)
Password stats for:
Active users using LM hashing ______________________________________ 0 of 7 (0%)
Active users with duplicate passwords ______________________________ 2 of 7 (28.6%)
Active users with password stored using reversible encryption ______ 0 of 7 (0%)

If this component downloads any external files other than grabbing the script from our repository, they will be listed here so you can do your own due diligence if needed.

NTDSAudit.exe is a tool that dumps hashes from an offline AD.

5/29/2023 – Initial Release

11/24/2023 – Upgraded to v4 launcher