Active Directory password filter

I want to share my experience with a product called safepass.me.

Some months ago I was searching for a product that prevents users from choosing “unsafe” passwords when changing their password. In simple words: a “password filter”.

I found several home-grown solutions that could be adapted, but they rely on a huge database or on additional infrastructure, and others require a direct connection to the internet (see Links).
Because the solution must run on every Domain Controller, the non-commercial solutions, the ones that need additional infrastructure and the products that require an internet connection were ruled out.

Finally, I found safepass.me, which uses a special technique to keep the amount of data (the denied password list) small, and no data is sent to the Internet. The “denied password list” is stored locally on every Domain Controller.

Insecure password

Unsafe passwords are passwords that can be cracked easily because of their length and complexity, or because they are simply already known passwords.

At first glance, the following passwords look quite safe: they are complex and have at least 8 characters, so they should be safe. But… no, they aren’t!

  • Passwort2
  • Herbst18
  • Abc@12345
  • Winter17
  • Albert123
  • P@ssw0rd!
  • Winter18
  • 123qweASD
  • Aaa123456
  • July2018
  • Monkey123
  • Welcome11

Check the passwords above, or your own password, on Have I Been Pwned to see how safe it is:

https://haveibeenpwned.com/Passwords

How safepass.me works

When a user changes their password, the safepass.me application on each Domain Controller checks the new password against the known passwords in its local database and blocks every compromised password. The local database is an improved (reduced-size) version of the HaveIBeenPwned list.

Installation

  • Download the current version from http://safepass.me/download
  • Install the application on every Domain Controller.
  • Save the license file on each Domain Controller as C:\Windows\System32\safepassme\safepassme.lic
  • Done

Links

Check if your AD passwords are compromised in a data breach

To compare Active Directory accounts against breached passwords you need access to your Active Directory with a specifically privileged account, a password list with NTLM hashes and a few PowerShell commands.

But why should you do this?

  • Password hashes of domain accounts can be dumped locally from the SAM or from memory, remotely, and even with Windows built-in features alone (memory dump).
  • Users with well-known (compromised) passwords are extremely easy to “recover” using password lists.
  • Therefore the passwords of these accounts must be changed to reduce the risk of being “hacked” easily.

Password list

As the download of the password list can take a while, start downloading the latest version now from: https://haveibeenpwned.com/Passwords

Make sure to download the NTLM password list (version 4 or newer).

When the download has finished, extract the file; I’m using C:\temp\pwned-passwords.txt as the target.

Export password hashes from AD

You do not have to be a member of Domain Admins, Enterprise Admins or the Administrators group, but you need the “Replicating Directory Changes All” permission at the domain level.

Install PS Module

Now launch PowerShell and run:

Install-Module -Name DSInternals

More info about the module: https://www.powershellgallery.com/packages/DSInternals/

Set credentials

Now run another command in PowerShell and enter the credentials of the account that has been delegated the replication permissions at the domain level:

$mycredentials = Get-Credential

Enter credentials

Export users and password hashes of all users to file

Run the following command in PowerShell to “pull” the account information of all users from the Domain Controller of your choice. When it finishes, the hashes are saved in the file c:\temp\hashes.txt

Get-ADReplAccount -All -NamingContext "DC=Domain,DC=local" -Server Domaincontroller.domain.local -Credential $mycredentials | Format-Custom -View HashcatNT | Out-File c:\temp\hashes.txt -Encoding ASCII

Make sure to change the domain name and the Domain Controller (the quotes must be straight ASCII quotes, not typographic ones)!

Compare it…

Download PowerShell script from https://github.com/DGG-IT/Match-ADHashes/ and save the file to c:\temp\

Load function and compare hashes

Run the following command to load the function into your current session (note the leading dot: the script has to be dot-sourced, otherwise the function only exists while the script runs):

. .\Match-ADHashes.ps1

Make sure you run it from c:\temp.

Start comparison:

$list = Match-ADHashes -ADNTHashes C:\temp\hashes.txt -HashDictionary C:\temp\pwned-passwords.txt

The result is stored in the variable $list.

Export into CSV

Write output to a CSV file:

$list | Select-Object Hash,Frequency,@{Name='user';Expression={[string]::Join(";", ($_.user))}} | Export-Csv -Path c:\temp\report.csv -Delimiter ';' -NoTypeInformation
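To show what the local hash-list check described under “How safepass.me works” and the comparison step above actually do, here is an added, self-contained PowerShell example. It is not code from the original post, from safepass.me or from the Match-ADHashes project. It assumes the AD export uses one `samaccountname:NTHASH` line per account (the HashcatNT view format) and the breach list uses `NTHASH:count` lines (the HIBP NTLM list format); the function name `Compare-NTHashList`, the `-PrivilegedAccounts` parameter and all sample hashes are made up for this example.

```powershell
# Added example, not code from the original post, from safepass.me or from
# Match-ADHashes: compare exported AD NT hashes against an HIBP-style NTLM
# list without loading the (multi-gigabyte) list into memory.

function Compare-NTHashList {
    param(
        # Lines of the form samaccountname:NTHASH (assumed HashcatNT view format)
        [Parameter(Mandatory)] [string] $ADNTHashes,
        # Lines of the form NTHASH:count (HIBP NTLM list format)
        [Parameter(Mandatory)] [string] $HashDictionary,
        # Hypothetical parameter: accounts that must be remediated first
        [string[]] $PrivilegedAccounts = @()
    )

    # Index the small AD export first: hash -> users sharing that hash.
    # Malformed lines are skipped instead of aborting the run.
    $byHash = @{}
    foreach ($line in [System.IO.File]::ReadLines($ADNTHashes)) {
        if ($line -match '^(?<user>[^:]+):(?<hash>[0-9A-Fa-f]{32})\s*$') {
            $h = $Matches['hash'].ToUpperInvariant()
            if (-not $byHash.ContainsKey($h)) {
                $byHash[$h] = [System.Collections.Generic.List[string]]::new()
            }
            $byHash[$h].Add($Matches['user'])
        }
    }

    # Stream the large breach list exactly once; memory stays flat no matter
    # how big the list is. Case is normalised so lower-case exports still match.
    $hits = foreach ($line in [System.IO.File]::ReadLines($HashDictionary)) {
        if ($line.Length -lt 34 -or $line[32] -ne ':') { continue }
        $h = $line.Substring(0, 32).ToUpperInvariant()
        if ($byHash.ContainsKey($h)) {
            $users = $byHash[$h].ToArray()
            [pscustomobject]@{
                Hash       = $h
                Frequency  = [int64]$line.Substring(33).Trim()
                User       = $users
                Privileged = [bool]($users | Where-Object { $PrivilegedAccounts -contains $_ })
            }
        }
    }

    # Privileged accounts first, then the most widely reused passwords
    $hits | Sort-Object -Property @{Expression = 'Privileged'; Descending = $true },
                                  @{Expression = 'Frequency';  Descending = $true }
}

# --- Constructed sample data: the hex strings below are placeholders, not the
# --- NT hashes of any real password, and the accounts are invented. ---
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'nthash-demo'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
$adFile   = Join-Path $sampleDir 'hashes.txt'
$dictFile = Join-Path $sampleDir 'pwned-passwords.txt'

@'
alice:0123456789ABCDEF0123456789ABCDEF
bob:0123456789ABCDEF0123456789ABCDEF
svc-backup:FEDCBA9876543210FEDCBA9876543210
admin-carol:00112233445566778899AABBCCDDEEFF
dave:ffeeddccbbaa99887766554433221100
this line is malformed and will be skipped
'@ | Set-Content -Path $adFile -Encoding ASCII

@'
00112233445566778899AABBCCDDEEFF:42
0123456789ABCDEF0123456789ABCDEF:2187
FFEEDDCCBBAA99887766554433221100:3
1234123412341234123412341234ABCD:7
'@ | Set-Content -Path $dictFile -Encoding ASCII

$list = Compare-NTHashList -ADNTHashes $adFile -HashDictionary $dictFile `
                           -PrivilegedAccounts 'admin-carol', 'svc-backup'

# Same report shape as the post's CSV: users sharing one hash joined with ';'
$list |
    Select-Object Hash, Frequency, Privileged,
                  @{Name = 'user'; Expression = { [string]::Join(';', $_.User) }} |
    Export-Csv -Path (Join-Path $sampleDir 'report.csv') -Delimiter ';' -NoTypeInformation

$list | Format-Table Hash, Frequency, Privileged,
                     @{Label = 'User'; Expression = { $_.User -join ';' }}
```

On the constructed data the table lists admin-carol first (privileged, seen 42 times), then alice and bob, who share a password seen 2187 times, then dave; svc-backup does not appear because its hash is not in the list. The AD export is indexed in a hashtable and the breach list is streamed line by line, which is why the run needs only one pass over the large file and memory proportional to the number of accounts, not to the size of the list.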

Result

Open the CSV and make sure to remediate all listed accounts. Give priority to privileged accounts: their passwords must be changed immediately!