Online Password Auditing of a Domain Controller

Password auditing of a domain traditionally involves obtaining copy of the ntds.dit and performing some offline analysis which can be time consuming. The DSInternals PowerShell Module has an Active Directory password auditing cmdlet which performs checks for default, duplicate, empty and weak passwords.  The audit can be performed against a domain online via DCSync, saving the need to obtain a copy of the ntds.dit.  This can be of benefit if regular password audits are being performed.

Install DSInternals as an administrator by using:

Install-Module DSInternals -Force

To run an online audit, use the following below.  Substitute the -NamingContext, -Server and -WeakPasswordsFile as appropriate parameters.  In our lab we have used the rockyou wordlist, but one more appropriate to the target domain can be used or a list of hashes can be provided by using the -WeakPasswordHashesSortedFile parameter.

Import-Module DSInternals

Get-ADReplAccount -All -NamingContext 'DC=cyberis-test-lab,DC=internal' -Server TEST-DC-1 | Test-PasswordQuality -WeakPasswordsFile rockyou.txt

Once finished, a password quality report will be generated:

Active Directory Password Quality Report
----------------------------------------

Passwords of these accounts are stored using reversible encryption:

LM hashes of passwords of these accounts are present:

These accounts have no password set:

Passwords of these accounts have been found in the dictionary:
  Administrator
  cyberis-user

These groups of accounts have the same passwords:

These computer accounts have default passwords:

Kerberos AES keys are missing from these accounts:

Kerberos pre-authentication is not required for these accounts:

Only DES encryption is allowed to be used with these accounts:

These administrative accounts are allowed to be delegated to a service:
  Administrator
  cyberis-user
  ServiceAccount2

Passwords of these accounts will never expire:
  cyberis-user
  ServiceAccount1
  ServiceAccount2

These accounts are not required to have a password:

A link to the DSInternals GitHub repo and an offline copy of the module is available here - https://github.com/MichaelGrafnetter/DSInternals

Tags