Password Audit
On a semi-regular basis I like to perform password audits of my user base to verify that users are choosing complex passwords that are not easily guessed. This helps you find the weak links and the users you may need to watch more closely.
Before we begin, here are a few items you will need:
• A "Domain Admin" or equivalent account for the systems you will be auditing.
• A designated auditing workstation. This should NOT be a domain controller or a production server.
• The security testing tool Oxid Cain (downloadable from https://www.oxid.it/cain.html), or Hashcat if you prefer. I just love the simplicity of Cain.
• A password dictionary.
Dictionary
There are a number of these available online, or you can create your own wordlist based on your organisation. The dictionary should be all lowercase and should avoid number substitution, as Cain will apply those modifications to the dictionary entries automatically. Symbols (such as !@#?<> etc.) are fine, but make sure the non-symbol equivalents are also listed in the dictionary.
Optionally, you can also use rainbow tables, which we will discuss in a later segment. Both rainbow tables and the Windows password hash mechanisms are described in the articles below:
https://en.wikipedia.org/wiki/Rainbow_tables
https://en.wikipedia.org/wiki/LM_hash
https://en.wikipedia.org/wiki/NTLM
First, let's prep our DC. Make a new directory in the root of C: and call it ntdsutil. Next, download ntdsaudit.exe and copy it to the root of the ntdsutil directory you just made. Now we have to get a copy of the password hashes from AD. Provided you are logged in to a DC with a Domain Admin level account, this is quite a simple process. Run ntdsutil from an elevated command prompt, set the active instance to ntds, and use the IFM (install from media) option to dump the AD database and the SYSTEM file. Type the following, one line at a time:
ntdsutil
activate instance ntds
ifm
create full c:\ntdsutil
quit
quit
(The first quit leaves the ifm prompt, the second exits ntdsutil.) You should see output similar to the screenshot below.
This will dump NTDS.dit and the SYSTEM file into the c:\ntdsutil folder (IFM places them in the Active Directory and registry subfolders respectively).
For security reasons, we don't want to keep a copy of the password hashes on any network-connected machine. Now that you have these files, move them from your DC to a fast PC, ideally with a decent GPU (graphics card), and disconnect that PC from the network. Remember to delete the files from the DC. Open an elevated command prompt, go to the c:\ntdsutil directory (with ntds.dit and SYSTEM copied next to ntdsaudit.exe, or adjust the paths to the IFM subfolders) and type:
NtdsAudit.exe "ntds.dit" -s "SYSTEM" -p pwdump.txt --users-csv users.csv
Your newly created pwdump.txt will contain the hashes of all current user passwords.
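Before any dictionary run, a few findings can be pulled straight out of pwdump.txt with no cracking at all. The script below is an added example, not part of the original post or of NtdsAudit; it assumes the classic pwdump layout user:rid:lmhash:nthash::: and uses a constructed sample with made-up hashes (only the two empty-password constants are real).

```python
import re
from collections import defaultdict

# Hash values of an empty password; these are fixed constants of the LM and NT algorithms.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the classic pwdump layout user:rid:lmhash:nthash:::
# (assumed to match what NtdsAudit -p writes). Hashes are made-up hex except
# for the empty-password constants above.
SAMPLE_PWDUMP = """\
CORP\\alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\bob:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\\legacy.svc:1107:89e8cf8b3c1ea95f7cb4a8f6dbf7f0a1:fedcba9876543210fedcba9876543210:::
CORP\\guest.kiosk:1108:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::\s*$")


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) tuples; malformed lines are skipped, hex is lowercased."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            user, rid, lm, nt = m.groups()
            yield user, int(rid), lm.lower(), nt.lower()


def triage(text):
    """Findings that need no cracking: LM hashes still stored (trivially reversible),
    blank passwords, and identical NT hashes (the same password on several accounts)."""
    lm_present, blank, by_nt = [], [], defaultdict(list)
    for user, _rid, lm, nt in parse_pwdump(text):
        if lm != EMPTY_LM:
            lm_present.append(user)
        if nt == EMPTY_NT:
            blank.append(user)
        by_nt[nt].append(user)
    reuse = {nt: users for nt, users in by_nt.items()
             if len(users) > 1 and nt != EMPTY_NT}
    return {"lm_present": lm_present, "blank": blank, "reuse": reuse}


if __name__ == "__main__":
    for finding, hits in triage(SAMPLE_PWDUMP).items():
        print(finding, hits)
```

Accounts flagged here (LM hash stored, blank password, shared password) are worth fixing before the Cain run even starts.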
Open Cain as an administrator, select the Cracker tab, then right-click anywhere in the white area and choose Add to list from the context menu.
Select import hashes from a text file and choose your pwdump.txt file, and click Next.
We now need to load our plain-text dictionary (or dictionaries). Right-click in the right-hand pane again and choose Dictionary Attack > NTLM Hashes.
Right-click on the white File area, and choose Add to list.
Once you have your lists in place, you can also enable permutations for the list: reverse case, number substitution, character substitutions, etc.
You can also run "As Is (Password)" for the fastest scan, which only looks for exact matches.
Depending on the complexity and length of the passwords, this approach can take anywhere from a few hours to a few days or weeks. For a good, successful audit you are mainly focusing on the weak, easy-to-get passwords. With enough brute force any password can be cracked, though the thought of 16.5 trillion years to crack that 16-character password is pretty far fetched.
Have fun and always remember to be safe. Remember to delete, or at least encrypt, all your password dumps. Definitely not something you would want to have lying around!!