Check if your AD passwords are compromised in a data breach

To compare Active Directory accounts against breached passwords you need access to your Active Directory with a specific privileged account, a password list with NTLM hashes and some PowerShell commands.

But why should you do this?

  • Password hashes of Domain accounts can be dumped locally from SAM, memory, remotely and as well just with Windows built-in features (memory dump).
  • Users with well known passwords (compromised passwords) are extremely easy to “recover” by using password lists
  • Therefore the passwords of these accounts must be changed to reduce the risk of getting easily “hacked”.

Password list

As the download of the password list could take a while, start downloading the latest version from:

Make sure to download the NTLM password list (version 4 or newer).

When finished, extract the file: I’m using C:\temp\pwned-passwords.txt as target.

Export password hashes from AD

You do not have to be a member of the Domain Admins, Enterprise Admins or the Administrators group, but you need the “Replicating Directory Changes All” permission on Domain level.

Install PS Module

Now launch PowerShell and run:

Install-Module -Name DSInternals

More info about module:

Set credentials

Now you have to run another command in PowerShell, then enter the credentials which are delegated on Domain level with ReplDir permissions:

$mycredentials = Get-Credential

Enter credentials

Export users and password hashes of all users to file

Run the following command within PowerShell to “pull” all account information from the Domain Controller of your choice. When finished, the hashes are saved in the file c:\temp\hashes.txt

Get-ADReplAccount -all -NamingContext “DC=Domain,DC=local” -Server Domaincontroller.domain.local -Credential $mycredentials | Format-Custom -View HashcatNT | Out-File c:\temp\hashes.txt -Encoding ASCII

Make sure to change Domain name and Domain Controller!

Compare it…

Download PowerShell script from and save the file to c:\temp\

Load function and compare hashes

Run the following command to load the function:


Make sure you run it from c:\temp

Start comparison:

$list = Match-ADHashes -ADNTHashes C:\temp\hashes.txt -HashDictionary C:\temp\pwned-passwords.txt

save result to a list

Export into CSV

Write output to a CSV file:

$list | select Hash,Frequency,@{Name=’user’;Expression={[string]::join(“;”, ($_.user))}} | Export-Csv -Path c:\temp\report.csv -Delimiter ‘;’ -NoTypeInformation


Open the CSV and make sure to remediate all accounts. Set priority on privileged accounts. These must be changed immediately!

Leave a Reply

1 Comment threads
1 Thread replies
Most reacted comment
Hottest comment thread
2 Comment authors
Andi WirzAndre Recent comment authors
newest oldest most voted
Notify of

Great article! But may I give a small recommendation, please stress that there is a space between “. .” in . .\Match-ADHashes.ps1. It took me hours to discover 😉

We use cookies to improve the user-friendliness and stats of the website. Through your visit, you agree with that.